remove dead code

another workflowid pass through
fix resolve values fallback
2026-03-15 03:00:33 -04:00 · 2026-03-06 18:37:32 -08:00 · 2026-03-06 18:25:36 -08:00 · 2026-03-06 18:18:25 -08:00 · 2026-03-06 18:03:40 -08:00 · 2026-03-06 17:08:25 -08:00
180 changed files with 10509 additions and 3035 deletions
--- a/.claude/commands/add-block.md
+++ b/.claude/commands/add-block.md
@@ -20,6 +20,7 @@ When the user asks you to create a block:
 import { {ServiceName}Icon } from '@/components/icons'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
+import { getScopesForService } from '@/lib/oauth/utils'

 export const {ServiceName}Block: BlockConfig = {
  type: '{service}',                    // snake_case identifier
@@ -115,12 +116,17 @@ export const {ServiceName}Block: BlockConfig = {
  id: 'credential',
  title: 'Account',
  type: 'oauth-input',
-  serviceId: '{service}',  // Must match OAuth provider
+  serviceId: '{service}',  // Must match OAuth provider service key
+  requiredScopes: getScopesForService('{service}'),  // Import from @/lib/oauth/utils
  placeholder: 'Select account',
  required: true,
 }
 ```

+**Scopes:** Always use `getScopesForService(serviceId)` from `@/lib/oauth/utils` for `requiredScopes`. Never hardcode scope arrays — the single source of truth is `OAUTH_PROVIDERS` in `lib/oauth/oauth.ts`.
+
+**Scope descriptions:** When adding a new OAuth provider, also add human-readable descriptions for all scopes in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts`.
+
 ### Selectors (with dynamic options)
 ```typescript
 // Channel selector (Slack, Discord, etc.)
@@ -624,6 +630,7 @@ export const registry: Record<string, BlockConfig> = {
 import { ServiceIcon } from '@/components/icons'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
+import { getScopesForService } from '@/lib/oauth/utils'

 export const ServiceBlock: BlockConfig = {
  type: 'service',
@@ -654,6 +661,7 @@ export const ServiceBlock: BlockConfig = {
      title: 'Service Account',
      type: 'oauth-input',
      serviceId: 'service',
+      requiredScopes: getScopesForService('service'),
      placeholder: 'Select account',
      required: true,
    },
@@ -792,7 +800,8 @@ All tool IDs referenced in `tools.access` and returned by `tools.config.tool` MU
 - [ ] Conditions use correct syntax (field, value, not, and)
 - [ ] DependsOn set for fields that need other values
 - [ ] Required fields marked correctly (boolean or condition)
- [ ] OAuth inputs have correct `serviceId`
+- [ ] OAuth inputs have correct `serviceId` and `requiredScopes: getScopesForService(serviceId)`
+- [ ] Scope descriptions added to `SCOPE_DESCRIPTIONS` in `lib/oauth/utils.ts` for any new scopes
 - [ ] Tools.access lists all tool IDs (snake_case)
 - [ ] Tools.config.tool returns correct tool ID (snake_case)
 - [ ] Outputs match tool outputs
--- a/.claude/commands/add-integration.md
+++ b/.claude/commands/add-integration.md
@@ -114,6 +114,7 @@ export const {service}{Action}Tool: ToolConfig<Params, Response> = {
 import { {Service}Icon } from '@/components/icons'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
+import { getScopesForService } from '@/lib/oauth/utils'

 export const {Service}Block: BlockConfig = {
  type: '{service}',
@@ -144,6 +145,7 @@ export const {Service}Block: BlockConfig = {
      title: '{Service} Account',
      type: 'oauth-input',
      serviceId: '{service}',
+      requiredScopes: getScopesForService('{service}'),
      required: true,
    },
    // Conditional fields per operation
@@ -409,7 +411,7 @@ If creating V2 versions (API-aligned outputs):
 ### Block
 - [ ] Created `blocks/blocks/{service}.ts`
 - [ ] Defined operation dropdown with all operations
- [ ] Added credential field (oauth-input or short-input)
+- [ ] Added credential field with `requiredScopes: getScopesForService('{service}')`
 - [ ] Added conditional fields per operation
 - [ ] Set up dependsOn for cascading selectors
 - [ ] Configured tools.access with all tool IDs
@@ -419,6 +421,12 @@ If creating V2 versions (API-aligned outputs):
 - [ ] If triggers: set `triggers.enabled` and `triggers.available`
 - [ ] If triggers: spread trigger subBlocks with `getTrigger()`

+### OAuth Scopes (if OAuth service)
+- [ ] Defined scopes in `lib/oauth/oauth.ts` under `OAUTH_PROVIDERS`
+- [ ] Added scope descriptions in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts`
+- [ ] Used `getCanonicalScopesForProvider()` in `auth.ts` (never hardcode)
+- [ ] Used `getScopesForService()` in block `requiredScopes` (never hardcode)
+
 ### Icon
 - [ ] Asked user to provide SVG
 - [ ] Added icon to `components/icons.tsx`
@@ -717,6 +725,25 @@ Use `wandConfig` for fields that are hard to fill out manually:
 }
 ```

+### OAuth Scopes (Centralized System)
+
+Scopes are maintained in a single source of truth and reused everywhere:
+
+1. **Define scopes** in `lib/oauth/oauth.ts` under `OAUTH_PROVIDERS[provider].services[service].scopes`
+2. **Add descriptions** in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts` for the OAuth modal UI
+3. **Reference in auth.ts** using `getCanonicalScopesForProvider(providerId)` from `@/lib/oauth/utils`
+4. **Reference in blocks** using `getScopesForService(serviceId)` from `@/lib/oauth/utils`
+
+**Never hardcode scope arrays** in `auth.ts` or block `requiredScopes`. Always import from the centralized source.
+
+```typescript
+// In auth.ts (Better Auth config)
+scopes: getCanonicalScopesForProvider('{service}'),
+
+// In block credential sub-block
+requiredScopes: getScopesForService('{service}'),
+```
+
 ### Common Gotchas

 1. **OAuth serviceId must match** - The `serviceId` in oauth-input must match the OAuth provider configuration
@@ -729,3 +756,5 @@ Use `wandConfig` for fields that are hard to fill out manually:
 8. **Always handle legacy file params** - Keep hidden `fileContent` params for backwards compatibility
 9. **Optional fields use advanced mode** - Set `mode: 'advanced'` on rarely-used optional fields
 10. **Complex inputs need wandConfig** - Timestamps, JSON arrays, and other hard-to-type values should have `wandConfig` enabled
+11. **Never hardcode scopes** - Use `getScopesForService()` in blocks and `getCanonicalScopesForProvider()` in auth.ts
+12. **Always add scope descriptions** - New scopes must have entries in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts`
--- a/.claude/commands/validate-integration.md
+++ b/.claude/commands/validate-integration.md
@@ -26,8 +26,9 @@ apps/sim/blocks/blocks/{service}.ts # Block definition
 apps/sim/tools/registry.ts          # Tool registry entries for this service
 apps/sim/blocks/registry.ts         # Block registry entry for this service
 apps/sim/components/icons.tsx        # Icon definition
-apps/sim/lib/auth/auth.ts           # OAuth scopes (if OAuth service)
-apps/sim/lib/oauth/oauth.ts         # OAuth provider config (if OAuth service)
+apps/sim/lib/auth/auth.ts           # OAuth config — should use getCanonicalScopesForProvider()
+apps/sim/lib/oauth/oauth.ts         # OAuth provider config — single source of truth for scopes
+apps/sim/lib/oauth/utils.ts               # Scope utilities, SCOPE_DESCRIPTIONS for modal UI
 ```

 ## Step 2: Pull API Documentation
@@ -199,11 +200,14 @@ For **each tool** in `tools.access`:

 ## Step 5: Validate OAuth Scopes (if OAuth service)

- [ ] `auth.ts` scopes include ALL scopes needed by ALL tools in the integration
- [ ] `oauth.ts` provider config scopes match `auth.ts` scopes
- [ ] Block `requiredScopes` (if defined) matches `auth.ts` scopes
+Scopes are centralized — the single source of truth is `OAUTH_PROVIDERS` in `lib/oauth/oauth.ts`.
+
+- [ ] Scopes defined in `lib/oauth/oauth.ts` under `OAUTH_PROVIDERS[provider].services[service].scopes`
+- [ ] `auth.ts` uses `getCanonicalScopesForProvider(providerId)` — NOT a hardcoded array
+- [ ] Block `requiredScopes` uses `getScopesForService(serviceId)` — NOT a hardcoded array
+- [ ] No hardcoded scope arrays in `auth.ts` or block files (should all use utility functions)
+- [ ] Each scope has a human-readable description in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts`
 - [ ] No excess scopes that aren't needed by any tool
- [ ] Each scope has a human-readable description in `oauth-required-modal.tsx`'s `SCOPE_DESCRIPTIONS`

 ## Step 6: Validate Pagination Consistency

@@ -244,7 +248,8 @@ Group findings by severity:
 - Missing `.trim()` on ID fields in request URLs
 - Missing `?? null` on nullable response fields
 - Block condition array missing an operation that uses that field
- Missing scope description in `oauth-required-modal.tsx`
+- Hardcoded scope arrays instead of using `getScopesForService()` / `getCanonicalScopesForProvider()`
+- Missing scope description in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts`

 **Suggestion** (minor improvements):
 - Better description text
@@ -273,7 +278,8 @@ After fixing, confirm:
 - [ ] Validated wandConfig on timestamps and complex inputs
 - [ ] Validated tools.config mapping, tool selector, and type coercions
 - [ ] Validated block outputs match what tools return, with typed JSON where possible
- [ ] Validated OAuth scopes alignment across auth.ts, oauth.ts, block, and modal (if OAuth)
+- [ ] Validated OAuth scopes use centralized utilities (getScopesForService, getCanonicalScopesForProvider) — no hardcoded arrays
+- [ ] Validated scope descriptions exist in `SCOPE_DESCRIPTIONS` within `lib/oauth/utils.ts` for all scopes
 - [ ] Validated pagination consistency across tools and block
 - [ ] Validated error handling (error checks, meaningful messages)
 - [ ] Validated registry entries (tools and block, alphabetical, correct imports)
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM oven/bun:1.3.9-alpine
+FROM oven/bun:1.3.10-alpine

 # Install necessary packages for development
 RUN apk add --no-cache \
--- a/.github/workflows/docs-embeddings.yml
+++ b/.github/workflows/docs-embeddings.yml
@@ -20,7 +20,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Setup Node
        uses: actions/setup-node@v4
--- a/.github/workflows/i18n.yml
+++ b/.github/workflows/i18n.yml
@@ -23,7 +23,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Cache Bun dependencies
        uses: actions/cache@v4
@@ -122,7 +122,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Cache Bun dependencies
        uses: actions/cache@v4
--- a/.github/workflows/migrations.yml
+++ b/.github/workflows/migrations.yml
@@ -19,7 +19,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Cache Bun dependencies
        uses: actions/cache@v4
--- a/.github/workflows/publish-cli.yml
+++ b/.github/workflows/publish-cli.yml
@@ -19,7 +19,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Setup Node.js for npm publishing
        uses: actions/setup-node@v4
--- a/.github/workflows/publish-ts-sdk.yml
+++ b/.github/workflows/publish-ts-sdk.yml
@@ -19,7 +19,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Setup Node.js for npm publishing
        uses: actions/setup-node@v4
--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -19,7 +19,7 @@ jobs:
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
-          bun-version: 1.3.9
+          bun-version: 1.3.10

      - name: Setup Node
        uses: actions/setup-node@v4
@@ -90,6 +90,16 @@ jobs:

          echo "✅ All feature flags are properly configured"

+      - name: Check subblock ID stability
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            BASE_REF="origin/${{ github.base_ref }}"
+            git fetch --depth=1 origin "${{ github.base_ref }}" 2>/dev/null || true
+          else
+            BASE_REF="HEAD~1"
+          fi
+          bun run apps/sim/scripts/check-subblock-id-stability.ts "$BASE_REF"
+
      - name: Lint code
        run: bun run lint:check

--- a/apps/docs/content/docs/en/tools/reddit.mdx
+++ b/apps/docs/content/docs/en/tools/reddit.mdx
@@ -24,7 +24,7 @@ These operations let your agents access and analyze Reddit content as part of yo

 ## Usage Instructions

-Integrate Reddit into workflows. Read posts, comments, and search content. Submit posts, vote, reply, edit, and manage your Reddit account.
+Integrate Reddit into workflows. Read posts, comments, and search content. Submit posts, vote, reply, edit, manage messages, and access user and subreddit info.



@@ -39,14 +39,15 @@ Fetch posts from a subreddit with different sorting options
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `subreddit` | string | Yes | The subreddit to fetch posts from \(e.g., "technology", "news"\) |
-| `sort` | string | No | Sort method for posts \(e.g., "hot", "new", "top", "rising"\). Default: "hot" |
+| `sort` | string | No | Sort method for posts \(e.g., "hot", "new", "top", "rising", "controversial"\). Default: "hot" |
 | `limit` | number | No | Maximum number of posts to return \(e.g., 25\). Default: 10, max: 100 |
-| `time` | string | No | Time filter for "top" sorted posts: "day", "week", "month", "year", or "all" \(default: "day"\) |
+| `time` | string | No | Time filter for "top" sorted posts: "day", "week", "month", "year", or "all" \(default: "all"\) |
 | `after` | string | No | Fullname of a thing to fetch items after \(for pagination\) |
 | `before` | string | No | Fullname of a thing to fetch items before \(for pagination\) |
 | `count` | number | No | A count of items already seen in the listing \(used for numbering\) |
 | `show` | string | No | Show items that would normally be filtered \(e.g., "all"\) |
 | `sr_detail` | boolean | No | Expand subreddit details in the response |
+| `g` | string | No | Geo filter for posts \(e.g., "GLOBAL", "US", "AR", etc.\) |

 #### Output

@@ -55,6 +56,7 @@ Fetch posts from a subreddit with different sorting options
 | `subreddit` | string | Name of the subreddit where posts were fetched from |
 | `posts` | array | Array of posts with title, author, URL, score, comments count, and metadata |
 |   ↳ `id` | string | Post ID |
+|   ↳ `name` | string | Thing fullname \(t3_xxxxx\) |
 |   ↳ `title` | string | Post title |
 |   ↳ `author` | string | Author username |
 |   ↳ `url` | string | Post URL |
@@ -66,6 +68,8 @@ Fetch posts from a subreddit with different sorting options
 |   ↳ `selftext` | string | Text content for self posts |
 |   ↳ `thumbnail` | string | Thumbnail URL |
 |   ↳ `subreddit` | string | Subreddit name |
+| `after` | string | Fullname of the last item for forward pagination |
+| `before` | string | Fullname of the first item for backward pagination |

 ### `reddit_get_comments`

@@ -83,12 +87,9 @@ Fetch comments from a specific Reddit post
 | `context` | number | No | Number of parent comments to include |
 | `showedits` | boolean | No | Show edit information for comments |
 | `showmore` | boolean | No | Include "load more comments" elements in the response |
-| `showtitle` | boolean | No | Include submission title in the response |
 | `threaded` | boolean | No | Return comments in threaded/nested format |
 | `truncate` | number | No | Integer to truncate comment depth |
-| `after` | string | No | Fullname of a thing to fetch items after \(for pagination\) |
-| `before` | string | No | Fullname of a thing to fetch items before \(for pagination\) |
-| `count` | number | No | A count of items already seen in the listing \(used for numbering\) |
+| `comment` | string | No | ID36 of a comment to focus on \(returns that comment thread\) |

 #### Output

@@ -96,6 +97,7 @@ Fetch comments from a specific Reddit post
 | --------- | ---- | ----------- |
 | `post` | object | Post information including ID, title, author, content, and metadata |
 |   ↳ `id` | string | Post ID |
+|   ↳ `name` | string | Thing fullname \(t3_xxxxx\) |
 |   ↳ `title` | string | Post title |
 |   ↳ `author` | string | Post author |
 |   ↳ `selftext` | string | Post text content |
@@ -104,6 +106,7 @@ Fetch comments from a specific Reddit post
 |   ↳ `permalink` | string | Reddit permalink |
 | `comments` | array | Nested comments with author, body, score, timestamps, and replies |
 |   ↳ `id` | string | Comment ID |
+|   ↳ `name` | string | Thing fullname \(t1_xxxxx\) |
 |   ↳ `author` | string | Comment author |
 |   ↳ `body` | string | Comment text |
 |   ↳ `score` | number | Comment score |
@@ -135,6 +138,7 @@ Fetch controversial posts from a subreddit
 | `subreddit` | string | Name of the subreddit where posts were fetched from |
 | `posts` | array | Array of controversial posts with title, author, URL, score, comments count, and metadata |
 |   ↳ `id` | string | Post ID |
+|   ↳ `name` | string | Thing fullname \(t3_xxxxx\) |
 |   ↳ `title` | string | Post title |
 |   ↳ `author` | string | Author username |
 |   ↳ `url` | string | Post URL |
@@ -146,6 +150,8 @@ Fetch controversial posts from a subreddit
 |   ↳ `selftext` | string | Text content for self posts |
 |   ↳ `thumbnail` | string | Thumbnail URL |
 |   ↳ `subreddit` | string | Subreddit name |
+| `after` | string | Fullname of the last item for forward pagination |
+| `before` | string | Fullname of the first item for backward pagination |

 ### `reddit_search`

@@ -165,6 +171,8 @@ Search for posts within a subreddit
 | `before` | string | No | Fullname of a thing to fetch items before \(for pagination\) |
 | `count` | number | No | A count of items already seen in the listing \(used for numbering\) |
 | `show` | string | No | Show items that would normally be filtered \(e.g., "all"\) |
+| `type` | string | No | Type of search results: "link" \(posts\), "sr" \(subreddits\), or "user" \(users\). Default: "link" |
+| `sr_detail` | boolean | No | Expand subreddit details in the response |

 #### Output

@@ -173,6 +181,7 @@ Search for posts within a subreddit
 | `subreddit` | string | Name of the subreddit where search was performed |
 | `posts` | array | Array of search result posts with title, author, URL, score, comments count, and metadata |
 |   ↳ `id` | string | Post ID |
+|   ↳ `name` | string | Thing fullname \(t3_xxxxx\) |
 |   ↳ `title` | string | Post title |
 |   ↳ `author` | string | Author username |
 |   ↳ `url` | string | Post URL |
@@ -184,6 +193,8 @@ Search for posts within a subreddit
 |   ↳ `selftext` | string | Text content for self posts |
 |   ↳ `thumbnail` | string | Thumbnail URL |
 |   ↳ `subreddit` | string | Subreddit name |
+| `after` | string | Fullname of the last item for forward pagination |
+| `before` | string | Fullname of the first item for backward pagination |

 ### `reddit_submit_post`

@@ -200,6 +211,9 @@ Submit a new post to a subreddit (text or link)
 | `nsfw` | boolean | No | Mark post as NSFW |
 | `spoiler` | boolean | No | Mark post as spoiler |
 | `send_replies` | boolean | No | Send reply notifications to inbox \(default: true\) |
+| `flair_id` | string | No | Flair template UUID for the post \(max 36 characters\) |
+| `flair_text` | string | No | Flair text to display on the post \(max 64 characters\) |
+| `collection_id` | string | No | Collection UUID to add the post to |

 #### Output

@@ -264,6 +278,21 @@ Save a Reddit post or comment to your saved items
 | `posts` | json | Posts data |
 | `post` | json | Single post data |
 | `comments` | json | Comments data |
+| `success` | boolean | Operation success status |
+| `message` | string | Result message |
+| `data` | json | Response data |
+| `after` | string | Pagination cursor \(next page\) |
+| `before` | string | Pagination cursor \(previous page\) |
+| `id` | string | Entity ID |
+| `name` | string | Entity fullname |
+| `messages` | json | Messages data |
+| `display_name` | string | Subreddit display name |
+| `subscribers` | number | Subscriber count |
+| `description` | string | Description text |
+| `link_karma` | number | Link karma |
+| `comment_karma` | number | Comment karma |
+| `total_karma` | number | Total karma |
+| `icon_img` | string | Icon image URL |

 ### `reddit_reply`

@@ -275,6 +304,7 @@ Add a comment reply to a Reddit post or comment
 | --------- | ---- | -------- | ----------- |
 | `parent_id` | string | Yes | Thing fullname to reply to \(e.g., "t3_abc123" for post, "t1_def456" for comment\) |
 | `text` | string | Yes | Comment text in markdown format \(e.g., "Great post! Here is my **reply**"\) |
+| `return_rtjson` | boolean | No | Return response in Rich Text JSON format |

 #### Output

@@ -345,4 +375,138 @@ Subscribe or unsubscribe from a subreddit
 | `success` | boolean | Whether the subscription action was successful |
 | `message` | string | Success or error message |

+### `reddit_get_me`
+
+Get information about the authenticated Reddit user
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | User ID |
+| `name` | string | Username |
+| `created_utc` | number | Account creation time in UTC epoch seconds |
+| `link_karma` | number | Total link karma |
+| `comment_karma` | number | Total comment karma |
+| `total_karma` | number | Combined total karma |
+| `is_gold` | boolean | Whether user has Reddit Premium |
+| `is_mod` | boolean | Whether user is a moderator |
+| `has_verified_email` | boolean | Whether email is verified |
+| `icon_img` | string | User avatar/icon URL |
+
+### `reddit_get_user`
+
+Get public profile information about any Reddit user by username
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `username` | string | Yes | Reddit username to look up \(e.g., "spez", "example_user"\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | User ID |
+| `name` | string | Username |
+| `created_utc` | number | Account creation time in UTC epoch seconds |
+| `link_karma` | number | Total link karma |
+| `comment_karma` | number | Total comment karma |
+| `total_karma` | number | Combined total karma |
+| `is_gold` | boolean | Whether user has Reddit Premium |
+| `is_mod` | boolean | Whether user is a moderator |
+| `has_verified_email` | boolean | Whether email is verified |
+| `icon_img` | string | User avatar/icon URL |
+
+### `reddit_send_message`
+
+Send a private message to a Reddit user
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `to` | string | Yes | Recipient username \(e.g., "example_user"\) or subreddit \(e.g., "/r/subreddit"\) |
+| `subject` | string | Yes | Message subject \(max 100 characters\) |
+| `text` | string | Yes | Message body in markdown format |
+| `from_sr` | string | No | Subreddit name to send the message from \(requires moderator mail permission\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `success` | boolean | Whether the message was sent successfully |
+| `message` | string | Success or error message |
+
+### `reddit_get_messages`
+
+Retrieve private messages from your Reddit inbox
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `where` | string | No | Message folder to retrieve: "inbox" \(all\), "unread", "sent", "messages" \(direct messages only\), "comments" \(comment replies\), "selfreply" \(self-post replies\), or "mentions" \(username mentions\). Default: "inbox" |
+| `limit` | number | No | Maximum number of messages to return \(e.g., 25\). Default: 25, max: 100 |
+| `after` | string | No | Fullname of a thing to fetch items after \(for pagination\) |
+| `before` | string | No | Fullname of a thing to fetch items before \(for pagination\) |
+| `mark` | boolean | No | Whether to mark fetched messages as read |
+| `count` | number | No | A count of items already seen in the listing \(used for numbering\) |
+| `show` | string | No | Show items that would normally be filtered \(e.g., "all"\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `messages` | array | Array of messages with sender, recipient, subject, body, and metadata |
+|   ↳ `id` | string | Message ID |
+|   ↳ `name` | string | Thing fullname \(t4_xxxxx\) |
+|   ↳ `author` | string | Sender username |
+|   ↳ `dest` | string | Recipient username |
+|   ↳ `subject` | string | Message subject |
+|   ↳ `body` | string | Message body text |
+|   ↳ `created_utc` | number | Creation time in UTC epoch seconds |
+|   ↳ `new` | boolean | Whether the message is unread |
+|   ↳ `was_comment` | boolean | Whether the message is a comment reply |
+|   ↳ `context` | string | Context URL for comment replies |
+|   ↳ `distinguished` | string | Distinction: null/"moderator"/"admin" |
+| `after` | string | Fullname of the last item for forward pagination |
+| `before` | string | Fullname of the first item for backward pagination |
+
+### `reddit_get_subreddit_info`
+
+Get metadata and information about a subreddit
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `subreddit` | string | Yes | The subreddit to get info about \(e.g., "technology", "programming", "news"\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Subreddit ID |
+| `name` | string | Subreddit fullname \(t5_xxxxx\) |
+| `display_name` | string | Subreddit name without prefix |
+| `title` | string | Subreddit title |
+| `description` | string | Full subreddit description \(markdown\) |
+| `public_description` | string | Short public description |
+| `subscribers` | number | Number of subscribers |
+| `accounts_active` | number | Number of currently active users |
+| `created_utc` | number | Creation time in UTC epoch seconds |
+| `over18` | boolean | Whether the subreddit is NSFW |
+| `lang` | string | Primary language of the subreddit |
+| `subreddit_type` | string | Subreddit type: public, private, restricted, etc. |
+| `url` | string | Subreddit URL path \(e.g., /r/technology/\) |
+| `icon_img` | string | Subreddit icon URL |
+| `banner_img` | string | Subreddit banner URL |
+

--- a/apps/docs/content/docs/en/tools/servicenow.mdx
+++ b/apps/docs/content/docs/en/tools/servicenow.mdx
@@ -69,7 +69,9 @@ Read records from a ServiceNow table
 | `number` | string | No | Record number \(e.g., INC0010001\) |
 | `query` | string | No | Encoded query string \(e.g., "active=true^priority=1"\) |
 | `limit` | number | No | Maximum number of records to return \(e.g., 10, 50, 100\) |
+| `offset` | number | No | Number of records to skip for pagination \(e.g., 0, 10, 20\) |
 | `fields` | string | No | Comma-separated list of fields to return \(e.g., sys_id,number,short_description,state\) |
+| `displayValue` | string | No | Return display values for reference fields: "true" \(display only\), "false" \(sys_id only\), or "all" \(both\) |

 #### Output

--- a/apps/docs/content/docs/en/tools/slack.mdx
+++ b/apps/docs/content/docs/en/tools/slack.mdx
@@ -1,6 +1,6 @@
 ---
 title: Slack
-description: Send, update, delete messages, send ephemeral messages, add reactions in Slack or trigger workflows from Slack events
+description: Send, update, delete messages, manage views and modals, add or remove reactions, manage canvases, get channel info and user presence in Slack
 ---

 import { BlockInfoCard } from "@/components/ui/block-info-card"
@@ -39,7 +39,7 @@ If you encounter issues with the Slack integration, contact us at [help@sim.ai](

 ## Usage Instructions

-Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.
+Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, open/update/push modal views, publish Home tab views, create canvases, read messages, and add or remove reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.



@@ -799,4 +799,313 @@ Add an emoji reaction to a Slack message
 |   ↳ `timestamp` | string | Message timestamp |
 |   ↳ `reaction` | string | Emoji reaction name |

+### `slack_remove_reaction`
+
+Remove an emoji reaction from a Slack message
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `channel` | string | Yes | Channel ID where the message was posted \(e.g., C1234567890\) |
+| `timestamp` | string | Yes | Timestamp of the message to remove reaction from \(e.g., 1405894322.002768\) |
+| `name` | string | Yes | Name of the emoji reaction to remove \(without colons, e.g., thumbsup, heart, eyes\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `content` | string | Success message |
+| `metadata` | object | Reaction metadata |
+|   ↳ `channel` | string | Channel ID |
+|   ↳ `timestamp` | string | Message timestamp |
+|   ↳ `reaction` | string | Emoji reaction name |
+
+### `slack_get_channel_info`
+
+Get detailed information about a Slack channel by its ID
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `channel` | string | Yes | Channel ID to get information about \(e.g., C1234567890\) |
+| `includeNumMembers` | boolean | No | Whether to include the member count in the response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `channelInfo` | object | Detailed channel information |
+|   ↳ `id` | string | Channel ID \(e.g., C1234567890\) |
+|   ↳ `name` | string | Channel name without # prefix |
+|   ↳ `is_channel` | boolean | Whether this is a channel |
+|   ↳ `is_private` | boolean | Whether channel is private |
+|   ↳ `is_archived` | boolean | Whether channel is archived |
+|   ↳ `is_general` | boolean | Whether this is the general channel |
+|   ↳ `is_member` | boolean | Whether the bot/user is a member |
+|   ↳ `is_shared` | boolean | Whether channel is shared across workspaces |
+|   ↳ `is_ext_shared` | boolean | Whether channel is externally shared |
+|   ↳ `is_org_shared` | boolean | Whether channel is org-wide shared |
+|   ↳ `num_members` | number | Number of members in the channel |
+|   ↳ `topic` | string | Channel topic |
+|   ↳ `purpose` | string | Channel purpose/description |
+|   ↳ `created` | number | Unix timestamp when channel was created |
+|   ↳ `creator` | string | User ID of channel creator |
+|   ↳ `updated` | number | Unix timestamp of last update |
+
+### `slack_get_user_presence`
+
+Check whether a Slack user is currently active or away
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `userId` | string | Yes | User ID to check presence for \(e.g., U1234567890\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `presence` | string | User presence status: "active" or "away" |
+| `online` | boolean | Whether user has an active client connection \(only available when checking own presence\) |
+| `autoAway` | boolean | Whether user was automatically set to away due to inactivity \(only available when checking own presence\) |
+| `manualAway` | boolean | Whether user manually set themselves as away \(only available when checking own presence\) |
+| `connectionCount` | number | Total number of active connections for the user \(only available when checking own presence\) |
+| `lastActivity` | number | Unix timestamp of last detected activity \(only available when checking own presence\) |
+
+### `slack_edit_canvas`
+
+Edit an existing Slack canvas by inserting, replacing, or deleting content
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `canvasId` | string | Yes | Canvas ID to edit \(e.g., F1234ABCD\) |
+| `operation` | string | Yes | Edit operation: insert_at_start, insert_at_end, insert_after, insert_before, replace, delete, or rename |
+| `content` | string | No | Markdown content for the operation \(required for insert/replace operations\) |
+| `sectionId` | string | No | Section ID to target \(required for insert_after, insert_before, replace, and delete\) |
+| `title` | string | No | New title for the canvas \(only used with rename operation\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `content` | string | Success message |
+
+### `slack_create_channel_canvas`
+
+Create a canvas pinned to a Slack channel as its resource hub
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `channel` | string | Yes | Channel ID to create the canvas in \(e.g., C1234567890\) |
+| `title` | string | No | Title for the channel canvas |
+| `content` | string | No | Canvas content in markdown format |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `canvas_id` | string | ID of the created channel canvas |
+
+### `slack_open_view`
+
+Open a modal view in Slack using a trigger_id from an interaction payload. Used to display forms, confirmations, and other interactive modals.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `triggerId` | string | Yes | Exchange a trigger to post to the user. Obtained from an interaction payload \(e.g., slash command, button click\) |
+| `interactivityPointer` | string | No | Alternative to trigger_id for posting to user |
+| `view` | json | Yes | A view payload object defining the modal. Must include type \("modal"\), title, and blocks array |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `view` | object | The opened modal view object |
+|   ↳ `id` | string | Unique view identifier |
+|   ↳ `team_id` | string | Workspace/team ID |
+|   ↳ `type` | string | View type \(e.g., "modal"\) |
+|   ↳ `title` | json | Plain text title object with type and text fields |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Title text content |
+|   ↳ `submit` | json | Plain text submit button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Submit button text |
+|   ↳ `close` | json | Plain text close button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Close button text |
+|   ↳ `blocks` | array | Block Kit blocks in the view |
+|     ↳ `type` | string | Block type \(section, divider, image, actions, etc.\) |
+|     ↳ `block_id` | string | Unique block identifier |
+|   ↳ `private_metadata` | string | Private metadata string passed with the view |
+|   ↳ `callback_id` | string | Custom identifier for the view |
+|   ↳ `external_id` | string | Custom external identifier \(max 255 chars, unique per workspace\) |
+|   ↳ `state` | json | Current state of the view with input values |
+|   ↳ `hash` | string | View version hash for updates |
+|   ↳ `clear_on_close` | boolean | Whether to clear all views in the stack when this view is closed |
+|   ↳ `notify_on_close` | boolean | Whether to send a view_closed event when this view is closed |
+|   ↳ `root_view_id` | string | ID of the root view in the view stack |
+|   ↳ `previous_view_id` | string | ID of the previous view in the view stack |
+|   ↳ `app_id` | string | Application identifier |
+|   ↳ `bot_id` | string | Bot identifier |
+
+### `slack_update_view`
+
+Update an existing modal view in Slack. Identify the view by view_id or external_id, and provide the updated view payload.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `viewId` | string | No | Unique identifier of the view to update. Either viewId or externalId is required |
+| `externalId` | string | No | Developer-set unique identifier of the view to update \(max 255 chars\). Either viewId or externalId is required |
+| `hash` | string | No | View state hash to protect against race conditions. Obtained from a previous views response |
+| `view` | json | Yes | A view payload object defining the updated modal. Must include type \("modal"\), title, and blocks array. Use identical block_id and action_id values to preserve input data |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `view` | object | The updated modal view object |
+|   ↳ `id` | string | Unique view identifier |
+|   ↳ `team_id` | string | Workspace/team ID |
+|   ↳ `type` | string | View type \(e.g., "modal"\) |
+|   ↳ `title` | json | Plain text title object with type and text fields |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Title text content |
+|   ↳ `submit` | json | Plain text submit button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Submit button text |
+|   ↳ `close` | json | Plain text close button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Close button text |
+|   ↳ `blocks` | array | Block Kit blocks in the view |
+|     ↳ `type` | string | Block type \(section, divider, image, actions, etc.\) |
+|     ↳ `block_id` | string | Unique block identifier |
+|   ↳ `private_metadata` | string | Private metadata string passed with the view |
+|   ↳ `callback_id` | string | Custom identifier for the view |
+|   ↳ `external_id` | string | Custom external identifier \(max 255 chars, unique per workspace\) |
+|   ↳ `state` | json | Current state of the view with input values |
+|   ↳ `hash` | string | View version hash for updates |
+|   ↳ `clear_on_close` | boolean | Whether to clear all views in the stack when this view is closed |
+|   ↳ `notify_on_close` | boolean | Whether to send a view_closed event when this view is closed |
+|   ↳ `root_view_id` | string | ID of the root view in the view stack |
+|   ↳ `previous_view_id` | string | ID of the previous view in the view stack |
+|   ↳ `app_id` | string | Application identifier |
+|   ↳ `bot_id` | string | Bot identifier |
+
+### `slack_push_view`
+
+Push a new view onto an existing modal stack in Slack. Limited to 2 additional views after the initial modal is opened.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `triggerId` | string | Yes | Exchange a trigger to post to the user. Obtained from an interaction payload \(e.g., button click within an existing modal\) |
+| `interactivityPointer` | string | No | Alternative to trigger_id for posting to user |
+| `view` | json | Yes | A view payload object defining the modal to push. Must include type \("modal"\), title, and blocks array |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `view` | object | The pushed modal view object |
+|   ↳ `id` | string | Unique view identifier |
+|   ↳ `team_id` | string | Workspace/team ID |
+|   ↳ `type` | string | View type \(e.g., "modal"\) |
+|   ↳ `title` | json | Plain text title object with type and text fields |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Title text content |
+|   ↳ `submit` | json | Plain text submit button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Submit button text |
+|   ↳ `close` | json | Plain text close button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Close button text |
+|   ↳ `blocks` | array | Block Kit blocks in the view |
+|     ↳ `type` | string | Block type \(section, divider, image, actions, etc.\) |
+|     ↳ `block_id` | string | Unique block identifier |
+|   ↳ `private_metadata` | string | Private metadata string passed with the view |
+|   ↳ `callback_id` | string | Custom identifier for the view |
+|   ↳ `external_id` | string | Custom external identifier \(max 255 chars, unique per workspace\) |
+|   ↳ `state` | json | Current state of the view with input values |
+|   ↳ `hash` | string | View version hash for updates |
+|   ↳ `clear_on_close` | boolean | Whether to clear all views in the stack when this view is closed |
+|   ↳ `notify_on_close` | boolean | Whether to send a view_closed event when this view is closed |
+|   ↳ `root_view_id` | string | ID of the root view in the view stack |
+|   ↳ `previous_view_id` | string | ID of the previous view in the view stack |
+|   ↳ `app_id` | string | Application identifier |
+|   ↳ `bot_id` | string | Bot identifier |
+
+### `slack_publish_view`
+
+Publish a static view to a user
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `userId` | string | Yes | The user ID to publish the Home tab view to \(e.g., U0BPQUNTA\) |
+| `hash` | string | No | View state hash to protect against race conditions. Obtained from a previous views response |
+| `view` | json | Yes | A view payload object defining the Home tab. Must include type \("home"\) and blocks array |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `view` | object | The published Home tab view object |
+|   ↳ `id` | string | Unique view identifier |
+|   ↳ `team_id` | string | Workspace/team ID |
+|   ↳ `type` | string | View type \(e.g., "modal"\) |
+|   ↳ `title` | json | Plain text title object with type and text fields |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Title text content |
+|   ↳ `submit` | json | Plain text submit button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Submit button text |
+|   ↳ `close` | json | Plain text close button object |
+|     ↳ `type` | string | Text object type \(plain_text\) |
+|     ↳ `text` | string | Close button text |
+|   ↳ `blocks` | array | Block Kit blocks in the view |
+|     ↳ `type` | string | Block type \(section, divider, image, actions, etc.\) |
+|     ↳ `block_id` | string | Unique block identifier |
+|   ↳ `private_metadata` | string | Private metadata string passed with the view |
+|   ↳ `callback_id` | string | Custom identifier for the view |
+|   ↳ `external_id` | string | Custom external identifier \(max 255 chars, unique per workspace\) |
+|   ↳ `state` | json | Current state of the view with input values |
+|   ↳ `hash` | string | View version hash for updates |
+|   ↳ `clear_on_close` | boolean | Whether to clear all views in the stack when this view is closed |
+|   ↳ `notify_on_close` | boolean | Whether to send a view_closed event when this view is closed |
+|   ↳ `root_view_id` | string | ID of the root view in the view stack |
+|   ↳ `previous_view_id` | string | ID of the previous view in the view stack |
+|   ↳ `app_id` | string | Application identifier |
+|   ↳ `bot_id` | string | Bot identifier |
+

--- a/apps/sim/app/api/auth/oauth/connections/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/connections/route.test.ts
@@ -6,40 +6,33 @@
 import { createMockRequest } from '@sim/testing'
 import { beforeEach, describe, expect, it, vi } from 'vitest'

-const {
-  mockGetSession,
-  mockDb,
-  mockLogger,
-  mockParseProvider,
-  mockEvaluateScopeCoverage,
-  mockJwtDecode,
-  mockEq,
-} = vi.hoisted(() => {
-  const db = {
-    select: vi.fn().mockReturnThis(),
-    from: vi.fn().mockReturnThis(),
-    where: vi.fn().mockReturnThis(),
-    limit: vi.fn(),
+const { mockGetSession, mockDb, mockLogger, mockParseProvider, mockJwtDecode, mockEq } = vi.hoisted(
+  () => {
+    const db = {
+      select: vi.fn().mockReturnThis(),
+      from: vi.fn().mockReturnThis(),
+      where: vi.fn().mockReturnThis(),
+      limit: vi.fn(),
+    }
+    const logger = {
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+      trace: vi.fn(),
+      fatal: vi.fn(),
+      child: vi.fn(),
+    }
+    return {
+      mockGetSession: vi.fn(),
+      mockDb: db,
+      mockLogger: logger,
+      mockParseProvider: vi.fn(),
+      mockJwtDecode: vi.fn(),
+      mockEq: vi.fn((field: unknown, value: unknown) => ({ field, value, type: 'eq' })),
+    }
  }
-  const logger = {
-    info: vi.fn(),
-    warn: vi.fn(),
-    error: vi.fn(),
-    debug: vi.fn(),
-    trace: vi.fn(),
-    fatal: vi.fn(),
-    child: vi.fn(),
-  }
-  return {
-    mockGetSession: vi.fn(),
-    mockDb: db,
-    mockLogger: logger,
-    mockParseProvider: vi.fn(),
-    mockEvaluateScopeCoverage: vi.fn(),
-    mockJwtDecode: vi.fn(),
-    mockEq: vi.fn((field: unknown, value: unknown) => ({ field, value, type: 'eq' })),
-  }
-})
+)

 vi.mock('@/lib/auth', () => ({
  getSession: mockGetSession,
@@ -66,7 +59,6 @@ vi.mock('@sim/logger', () => ({

 vi.mock('@/lib/oauth/utils', () => ({
  parseProvider: mockParseProvider,
-  evaluateScopeCoverage: mockEvaluateScopeCoverage,
 }))

 import { GET } from '@/app/api/auth/oauth/connections/route'
@@ -83,16 +75,6 @@ describe('OAuth Connections API Route', () => {
      baseProvider: providerId.split('-')[0] || providerId,
      featureType: providerId.split('-')[1] || 'default',
    }))
-
-    mockEvaluateScopeCoverage.mockImplementation(
-      (_providerId: string, _grantedScopes: string[]) => ({
-        canonicalScopes: ['email', 'profile'],
-        grantedScopes: ['email', 'profile'],
-        missingScopes: [],
-        extraScopes: [],
-        requiresReauthorization: false,
-      })
-    )
  })

  it('should return connections successfully', async () => {
--- a/apps/sim/app/api/auth/oauth/connections/route.ts
+++ b/apps/sim/app/api/auth/oauth/connections/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import type { OAuthProvider } from '@/lib/oauth'
-import { evaluateScopeCoverage, parseProvider } from '@/lib/oauth'
+import { parseProvider } from '@/lib/oauth'

 const logger = createLogger('OAuthConnectionsAPI')

@@ -49,8 +49,7 @@ export async function GET(request: NextRequest) {

    for (const acc of accounts) {
      const { baseProvider, featureType } = parseProvider(acc.providerId as OAuthProvider)
-      const grantedScopes = acc.scope ? acc.scope.split(/\s+/).filter(Boolean) : []
-      const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
+      const scopes = acc.scope ? acc.scope.split(/\s+/).filter(Boolean) : []

      if (baseProvider) {
        // Try multiple methods to get a user-friendly display name
@@ -96,10 +95,6 @@ export async function GET(request: NextRequest) {
        const accountSummary = {
          id: acc.id,
          name: displayName,
-          scopes: scopeEvaluation.grantedScopes,
-          missingScopes: scopeEvaluation.missingScopes,
-          extraScopes: scopeEvaluation.extraScopes,
-          requiresReauthorization: scopeEvaluation.requiresReauthorization,
        }

        if (existingConnection) {
@@ -108,20 +103,8 @@ export async function GET(request: NextRequest) {
          existingConnection.accounts.push(accountSummary)

          existingConnection.scopes = Array.from(
-            new Set([...(existingConnection.scopes || []), ...scopeEvaluation.grantedScopes])
+            new Set([...(existingConnection.scopes || []), ...scopes])
          )
-          existingConnection.missingScopes = Array.from(
-            new Set([...(existingConnection.missingScopes || []), ...scopeEvaluation.missingScopes])
-          )
-          existingConnection.extraScopes = Array.from(
-            new Set([...(existingConnection.extraScopes || []), ...scopeEvaluation.extraScopes])
-          )
-          existingConnection.canonicalScopes =
-            existingConnection.canonicalScopes && existingConnection.canonicalScopes.length > 0
-              ? existingConnection.canonicalScopes
-              : scopeEvaluation.canonicalScopes
-          existingConnection.requiresReauthorization =
-            existingConnection.requiresReauthorization || scopeEvaluation.requiresReauthorization

          const existingTimestamp = existingConnection.lastConnected
            ? new Date(existingConnection.lastConnected).getTime()
@@ -138,11 +121,7 @@ export async function GET(request: NextRequest) {
            baseProvider,
            featureType,
            isConnected: true,
-            scopes: scopeEvaluation.grantedScopes,
-            canonicalScopes: scopeEvaluation.canonicalScopes,
-            missingScopes: scopeEvaluation.missingScopes,
-            extraScopes: scopeEvaluation.extraScopes,
-            requiresReauthorization: scopeEvaluation.requiresReauthorization,
+            scopes,
            lastConnected: acc.updatedAt.toISOString(),
            accounts: [accountSummary],
          })
--- a/apps/sim/app/api/auth/oauth/credentials/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.test.ts
@@ -7,7 +7,7 @@
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'

-const { mockCheckSessionOrInternalAuth, mockEvaluateScopeCoverage, mockLogger } = vi.hoisted(() => {
+const { mockCheckSessionOrInternalAuth, mockLogger } = vi.hoisted(() => {
  const logger = {
    info: vi.fn(),
    warn: vi.fn(),
@@ -19,7 +19,6 @@ const { mockCheckSessionOrInternalAuth, mockEvaluateScopeCoverage, mockLogger }
  }
  return {
    mockCheckSessionOrInternalAuth: vi.fn(),
-    mockEvaluateScopeCoverage: vi.fn(),
    mockLogger: logger,
  }
 })
@@ -28,10 +27,6 @@ vi.mock('@/lib/auth/hybrid', () => ({
  checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
 }))

-vi.mock('@/lib/oauth', () => ({
-  evaluateScopeCoverage: mockEvaluateScopeCoverage,
-}))
-
 vi.mock('@/lib/core/utils/request', () => ({
  generateRequestId: vi.fn().mockReturnValue('mock-request-id'),
 }))
@@ -87,16 +82,6 @@ describe('OAuth Credentials API Route', () => {

  beforeEach(() => {
    vi.clearAllMocks()
-
-    mockEvaluateScopeCoverage.mockImplementation(
-      (_providerId: string, grantedScopes: string[]) => ({
-        canonicalScopes: grantedScopes,
-        grantedScopes,
-        missingScopes: [],
-        extraScopes: [],
-        requiresReauthorization: false,
-      })
-    )
  })

  it('should handle unauthenticated user', async () => {
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -7,7 +7,6 @@ import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
-import { evaluateScopeCoverage } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'

@@ -39,8 +38,7 @@ function toCredentialResponse(
  scope: string | null
 ) {
  const storedScope = scope?.trim()
-  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
+  const scopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
  const [_, featureType = 'default'] = providerId.split('-')

  return {
@@ -49,11 +47,7 @@ function toCredentialResponse(
    provider: providerId,
    lastUsed: updatedAt.toISOString(),
    isDefault: featureType === 'default',
-    scopes: scopeEvaluation.grantedScopes,
-    canonicalScopes: scopeEvaluation.canonicalScopes,
-    missingScopes: scopeEvaluation.missingScopes,
-    extraScopes: scopeEvaluation.extraScopes,
-    requiresReauthorization: scopeEvaluation.requiresReauthorization,
+    scopes,
  }
 }

--- a/apps/sim/app/api/tools/airtable/bases/route.ts
+++ b/apps/sim/app/api/tools/airtable/bases/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('AirtableBasesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.airtable.com/v0/meta/bases', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Airtable bases', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Airtable bases', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const bases = (data.bases || []).map((base: { id: string; name: string }) => ({
+      id: base.id,
+      name: base.name,
+    }))
+
+    return NextResponse.json({ bases })
+  } catch (error) {
+    logger.error('Error processing Airtable bases request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Airtable bases', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/airtable/tables/route.ts
+++ b/apps/sim/app/api/tools/airtable/tables/route.ts
@@ -0,0 +1,95 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAirtableId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('AirtableTablesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, baseId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!baseId) {
+      logger.error('Missing baseId in request')
+      return NextResponse.json({ error: 'Base ID is required' }, { status: 400 })
+    }
+
+    const baseIdValidation = validateAirtableId(baseId, 'app', 'baseId')
+    if (!baseIdValidation.isValid) {
+      logger.error('Invalid baseId', { error: baseIdValidation.error })
+      return NextResponse.json({ error: baseIdValidation.error }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch(
+      `https://api.airtable.com/v0/meta/bases/${baseIdValidation.sanitized}/tables`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Airtable tables', {
+        status: response.status,
+        error: errorData,
+        baseId,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Airtable tables', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const tables = (data.tables || []).map((table: { id: string; name: string }) => ({
+      id: table.id,
+      name: table.name,
+    }))
+
+    return NextResponse.json({ tables })
+  } catch (error) {
+    logger.error('Error processing Airtable tables request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Airtable tables', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/asana/workspaces/route.ts
+++ b/apps/sim/app/api/tools/asana/workspaces/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('AsanaWorkspacesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://app.asana.com/api/1.0/workspaces', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Asana workspaces', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Asana workspaces', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const workspaces = (data.data || []).map((workspace: { gid: string; name: string }) => ({
+      id: workspace.gid,
+      name: workspace.name,
+    }))
+
+    return NextResponse.json({ workspaces })
+  } catch (error) {
+    logger.error('Error processing Asana workspaces request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Asana workspaces', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/attio/lists/route.ts
+++ b/apps/sim/app/api/tools/attio/lists/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('AttioListsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.attio.com/v2/lists', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Attio lists', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Attio lists', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const lists = (data.data || []).map((list: { api_slug: string; name: string }) => ({
+      id: list.api_slug,
+      name: list.name,
+    }))
+
+    return NextResponse.json({ lists })
+  } catch (error) {
+    logger.error('Error processing Attio lists request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Attio lists', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/attio/objects/route.ts
+++ b/apps/sim/app/api/tools/attio/objects/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('AttioObjectsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.attio.com/v2/objects', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Attio objects', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Attio objects', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const objects = (data.data || []).map((obj: { api_slug: string; singular_noun: string }) => ({
+      id: obj.api_slug,
+      name: obj.singular_noun,
+    }))
+
+    return NextResponse.json({ objects })
+  } catch (error) {
+    logger.error('Error processing Attio objects request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Attio objects', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/calcom/event-types/route.ts
+++ b/apps/sim/app/api/tools/calcom/event-types/route.ts
@@ -0,0 +1,83 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('CalcomEventTypesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.cal.com/v2/event-types', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'cal-api-version': '2024-06-14',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Cal.com event types', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Cal.com event types', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const eventTypes = (data.data || []).map(
+      (eventType: { id: number; title: string; slug: string }) => ({
+        id: String(eventType.id),
+        title: eventType.title,
+        slug: eventType.slug,
+      })
+    )
+
+    return NextResponse.json({ eventTypes })
+  } catch (error) {
+    logger.error('Error processing Cal.com event types request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Cal.com event types', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/calcom/schedules/route.ts
+++ b/apps/sim/app/api/tools/calcom/schedules/route.ts
@@ -0,0 +1,80 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('CalcomSchedulesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.cal.com/v2/schedules', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'cal-api-version': '2024-06-11',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Cal.com schedules', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Cal.com schedules', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const schedules = (data.data || []).map((schedule: { id: number; name: string }) => ({
+      id: String(schedule.id),
+      name: schedule.name,
+    }))
+
+    return NextResponse.json({ schedules })
+  } catch (error) {
+    logger.error('Error processing Cal.com schedules request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Cal.com schedules', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/confluence/selector-spaces/route.ts
+++ b/apps/sim/app/api/tools/confluence/selector-spaces/route.ts
@@ -0,0 +1,96 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { getConfluenceCloudId } from '@/tools/confluence/utils'
+
+const logger = createLogger('ConfluenceSelectorSpacesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, domain } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!domain) {
+      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const cloudId = await getConfluenceCloudId(domain, accessToken)
+
+    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
+    if (!cloudIdValidation.isValid) {
+      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
+    }
+
+    const url = `https://api.atlassian.com/ex/confluence/${cloudIdValidation.sanitized}/wiki/api/v2/spaces?limit=250`
+
+    const response = await fetch(url, {
+      method: 'GET',
+      headers: {
+        Accept: 'application/json',
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => null)
+      logger.error('Confluence API error:', {
+        status: response.status,
+        statusText: response.statusText,
+        error: errorData,
+      })
+      const errorMessage =
+        errorData?.message || `Failed to list Confluence spaces (${response.status})`
+      return NextResponse.json({ error: errorMessage }, { status: response.status })
+    }
+
+    const data = await response.json()
+    const spaces = (data.results || []).map((space: { id: string; name: string; key: string }) => ({
+      id: space.id,
+      name: space.name,
+      key: space.key,
+    }))
+
+    return NextResponse.json({ spaces })
+  } catch (error) {
+    logger.error('Error listing Confluence spaces:', error)
+    return NextResponse.json(
+      { error: (error as Error).message || 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/google_bigquery/datasets/route.ts
+++ b/apps/sim/app/api/tools/google_bigquery/datasets/route.ts
@@ -0,0 +1,100 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('GoogleBigQueryDatasetsAPI')
+
+export const dynamic = 'force-dynamic'
+
+/**
+ * POST /api/tools/google_bigquery/datasets
+ *
+ * Fetches the list of BigQuery datasets for a given project using the caller's OAuth credential.
+ *
+ * @param request - Incoming request containing `credential`, `workflowId`, and `projectId` in the JSON body
+ * @returns JSON response with a `datasets` array, each entry containing `datasetReference` and optional `friendlyName`
+ */
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, projectId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!projectId) {
+      logger.error('Missing project ID in request')
+      return NextResponse.json({ error: 'Project ID is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch(
+      `https://bigquery.googleapis.com/bigquery/v2/projects/${encodeURIComponent(projectId)}/datasets?maxResults=200`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch BigQuery datasets', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch BigQuery datasets', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const datasets = (data.datasets || []).map(
+      (ds: {
+        datasetReference: { datasetId: string; projectId: string }
+        friendlyName?: string
+      }) => ({
+        datasetReference: ds.datasetReference,
+        friendlyName: ds.friendlyName,
+      })
+    )
+
+    return NextResponse.json({ datasets })
+  } catch (error) {
+    logger.error('Error processing BigQuery datasets request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve BigQuery datasets', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/google_bigquery/tables/route.ts
+++ b/apps/sim/app/api/tools/google_bigquery/tables/route.ts
@@ -0,0 +1,94 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('GoogleBigQueryTablesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, projectId, datasetId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!projectId) {
+      logger.error('Missing project ID in request')
+      return NextResponse.json({ error: 'Project ID is required' }, { status: 400 })
+    }
+
+    if (!datasetId) {
+      logger.error('Missing dataset ID in request')
+      return NextResponse.json({ error: 'Dataset ID is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch(
+      `https://bigquery.googleapis.com/bigquery/v2/projects/${encodeURIComponent(projectId)}/datasets/${encodeURIComponent(datasetId)}/tables?maxResults=200`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch BigQuery tables', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch BigQuery tables', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const tables = (data.tables || []).map(
+      (t: { tableReference: { tableId: string }; friendlyName?: string }) => ({
+        tableReference: t.tableReference,
+        friendlyName: t.friendlyName,
+      })
+    )
+
+    return NextResponse.json({ tables })
+  } catch (error) {
+    logger.error('Error processing BigQuery tables request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve BigQuery tables', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/google_tasks/task-lists/route.ts
+++ b/apps/sim/app/api/tools/google_tasks/task-lists/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('GoogleTasksTaskListsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://tasks.googleapis.com/tasks/v1/users/@me/lists', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Google Tasks task lists', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Google Tasks task lists', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const taskLists = (data.items || []).map((list: { id: string; title: string }) => ({
+      id: list.id,
+      title: list.title,
+    }))
+
+    return NextResponse.json({ taskLists })
+  } catch (error) {
+    logger.error('Error processing Google Tasks task lists request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Google Tasks task lists', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/jsm/selector-requesttypes/route.ts
+++ b/apps/sim/app/api/tools/jsm/selector-requesttypes/route.ts
@@ -0,0 +1,103 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
+
+const logger = createLogger('JsmSelectorRequestTypesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, domain, serviceDeskId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!domain) {
+      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
+    }
+
+    if (!serviceDeskId) {
+      return NextResponse.json({ error: 'Service Desk ID is required' }, { status: 400 })
+    }
+
+    const serviceDeskIdValidation = validateAlphanumericId(serviceDeskId, 'serviceDeskId')
+    if (!serviceDeskIdValidation.isValid) {
+      return NextResponse.json({ error: serviceDeskIdValidation.error }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const cloudId = await getJiraCloudId(domain, accessToken)
+
+    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
+    if (!cloudIdValidation.isValid) {
+      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
+    }
+
+    const baseUrl = getJsmApiBaseUrl(cloudIdValidation.sanitized!)
+    const url = `${baseUrl}/servicedesk/${serviceDeskIdValidation.sanitized}/requesttype?limit=100`
+
+    const response = await fetch(url, {
+      method: 'GET',
+      headers: getJsmHeaders(accessToken),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      logger.error('JSM API error:', {
+        status: response.status,
+        statusText: response.statusText,
+        error: errorText,
+      })
+      return NextResponse.json(
+        { error: `JSM API error: ${response.status} ${response.statusText}` },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const requestTypes = (data.values || []).map((rt: { id: string; name: string }) => ({
+      id: rt.id,
+      name: rt.name,
+    }))
+
+    return NextResponse.json({ requestTypes })
+  } catch (error) {
+    logger.error('Error listing JSM request types:', error)
+    return NextResponse.json(
+      { error: (error as Error).message || 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/jsm/selector-servicedesks/route.ts
+++ b/apps/sim/app/api/tools/jsm/selector-servicedesks/route.ts
@@ -0,0 +1,94 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
+
+const logger = createLogger('JsmSelectorServiceDesksAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId, domain } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    if (!domain) {
+      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const cloudId = await getJiraCloudId(domain, accessToken)
+
+    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
+    if (!cloudIdValidation.isValid) {
+      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
+    }
+
+    const baseUrl = getJsmApiBaseUrl(cloudIdValidation.sanitized!)
+    const url = `${baseUrl}/servicedesk?limit=100`
+
+    const response = await fetch(url, {
+      method: 'GET',
+      headers: getJsmHeaders(accessToken),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      logger.error('JSM API error:', {
+        status: response.status,
+        statusText: response.statusText,
+        error: errorText,
+      })
+      return NextResponse.json(
+        { error: `JSM API error: ${response.status} ${response.statusText}` },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const serviceDesks = (data.values || []).map((sd: { id: string; projectName: string }) => ({
+      id: sd.id,
+      name: sd.projectName,
+    }))
+
+    return NextResponse.json({ serviceDesks })
+  } catch (error) {
+    logger.error('Error listing JSM service desks:', error)
+    return NextResponse.json(
+      { error: (error as Error).message || 'Internal server error' },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/microsoft_planner/plans/route.ts
+++ b/apps/sim/app/api/tools/microsoft_planner/plans/route.ts
@@ -0,0 +1,72 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('MicrosoftPlannerPlansAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error(`[${requestId}] Failed to obtain valid access token`)
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://graph.microsoft.com/v1.0/me/planner/plans', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      logger.error(`[${requestId}] Microsoft Graph API error:`, errorText)
+      return NextResponse.json(
+        { error: 'Failed to fetch plans from Microsoft Graph' },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const plans = data.value || []
+
+    const filteredPlans = plans.map((plan: { id: string; title: string }) => ({
+      id: plan.id,
+      title: plan.title,
+    }))
+
+    return NextResponse.json({ plans: filteredPlans })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching Microsoft Planner plans:`, error)
+    return NextResponse.json({ error: 'Failed to fetch plans' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
+++ b/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
@@ -1,38 +1,29 @@
-import { randomUUID } from 'crypto'
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { PlannerTask } from '@/tools/microsoft_planner/types'

 const logger = createLogger('MicrosoftPlannerTasksAPI')

-export async function GET(request: NextRequest) {
-  const requestId = randomUUID().slice(0, 8)
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()

  try {
-    const session = await getSession()
+    const body = await request.json()
+    const { credential, workflowId, planId } = body

-    if (!session?.user?.id) {
-      logger.warn(`[${requestId}] Unauthenticated request rejected`)
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
-    }
-
-    const { searchParams } = new URL(request.url)
-    const credentialId = searchParams.get('credentialId')
-    const planId = searchParams.get('planId')
-
-    if (!credentialId) {
-      logger.error(`[${requestId}] Missing credentialId parameter`)
-      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
    }

    if (!planId) {
-      logger.error(`[${requestId}] Missing planId parameter`)
+      logger.error(`[${requestId}] Missing planId in request`)
      return NextResponse.json({ error: 'Plan ID is required' }, { status: 400 })
    }

@@ -42,52 +33,35 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: planIdValidation.error }, { status: 400 })
    }

-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
-    const credentials = await db
-      .select()
-      .from(account)
-      .where(eq(account.id, resolved.accountId))
-      .limit(1)
-
-    if (!credentials.length) {
-      logger.warn(`[${requestId}] Credential not found`, { credentialId })
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    const accountRow = credentials[0]
-
    const accessToken = await refreshAccessTokenIfNeeded(
-      resolved.accountId,
-      accountRow.userId,
+      credential,
+      authz.credentialOwnerUserId,
      requestId
    )
-
    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
-      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
    }

-    const response = await fetch(`https://graph.microsoft.com/v1.0/planner/plans/${planId}/tasks`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-      },
-    })
+    const response = await fetch(
+      `https://graph.microsoft.com/v1.0/planner/plans/${planIdValidation.sanitized}/tasks`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+        },
+      }
+    )

    if (!response.ok) {
      const errorText = await response.text()
--- a/apps/sim/app/api/tools/notion/databases/route.ts
+++ b/apps/sim/app/api/tools/notion/databases/route.ts
@@ -0,0 +1,86 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { extractTitleFromItem } from '@/tools/notion/utils'
+
+const logger = createLogger('NotionDatabasesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.notion.com/v1/search', {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'Notion-Version': '2022-06-28',
+      },
+      body: JSON.stringify({
+        filter: { value: 'database', property: 'object' },
+        page_size: 100,
+      }),
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Notion databases', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Notion databases', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const databases = (data.results || []).map((db: Record<string, unknown>) => ({
+      id: db.id as string,
+      name: extractTitleFromItem(db),
+    }))
+
+    return NextResponse.json({ databases })
+  } catch (error) {
+    logger.error('Error processing Notion databases request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Notion databases', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/notion/pages/route.ts
+++ b/apps/sim/app/api/tools/notion/pages/route.ts
@@ -0,0 +1,86 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { extractTitleFromItem } from '@/tools/notion/utils'
+
+const logger = createLogger('NotionPagesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.notion.com/v1/search', {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+        'Notion-Version': '2022-06-28',
+      },
+      body: JSON.stringify({
+        filter: { value: 'page', property: 'object' },
+        page_size: 100,
+      }),
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Notion pages', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Notion pages', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const pages = (data.results || []).map((page: Record<string, unknown>) => ({
+      id: page.id as string,
+      name: extractTitleFromItem(page),
+    }))
+
+    return NextResponse.json({ pages })
+  } catch (error) {
+    logger.error('Error processing Notion pages request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Notion pages', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/pipedrive/pipelines/route.ts
+++ b/apps/sim/app/api/tools/pipedrive/pipelines/route.ts
@@ -0,0 +1,79 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('PipedrivePipelinesAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch('https://api.pipedrive.com/v1/pipelines', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Pipedrive pipelines', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Pipedrive pipelines', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const pipelines = (data.data || []).map((pipeline: { id: number; name: string }) => ({
+      id: String(pipeline.id),
+      name: pipeline.name,
+    }))
+
+    return NextResponse.json({ pipelines })
+  } catch (error) {
+    logger.error('Error processing Pipedrive pipelines request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Pipedrive pipelines', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/sharepoint/lists/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/lists/route.ts
@@ -0,0 +1,91 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateSharePointSiteId } from '@/lib/core/security/input-validation'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('SharePointListsAPI')
+
+interface SharePointList {
+  id: string
+  displayName: string
+  description?: string
+  webUrl?: string
+  list?: {
+    hidden?: boolean
+  }
+}
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+
+  try {
+    const body = await request.json()
+    const { credential, workflowId, siteId } = body
+
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const siteIdValidation = validateSharePointSiteId(siteId)
+    if (!siteIdValidation.isValid) {
+      logger.error(`[${requestId}] Invalid siteId: ${siteIdValidation.error}`)
+      return NextResponse.json({ error: siteIdValidation.error }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error(`[${requestId}] Failed to obtain valid access token`)
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const url = `https://graph.microsoft.com/v1.0/sites/${siteIdValidation.sanitized}/lists?$select=id,displayName,description,webUrl&$expand=list($select=hidden)&$top=100`
+
+    const response = await fetch(url, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({ error: { message: 'Unknown error' } }))
+      return NextResponse.json(
+        { error: errorData.error?.message || 'Failed to fetch lists from SharePoint' },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const lists = (data.value || [])
+      .filter((list: SharePointList) => list.list?.hidden !== true)
+      .map((list: SharePointList) => ({
+        id: list.id,
+        displayName: list.displayName,
+      }))
+
+    logger.info(`[${requestId}] Successfully fetched ${lists.length} SharePoint lists`)
+    return NextResponse.json({ lists }, { status: 200 })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching lists from SharePoint`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/tools/sharepoint/sites/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/sites/route.ts
@@ -1,79 +1,45 @@
-import { randomUUID } from 'crypto'
-import { db } from '@sim/db'
-import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
-import { getSession } from '@/lib/auth'
-import { validateAlphanumericId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { SharepointSite } from '@/tools/sharepoint/types'

 export const dynamic = 'force-dynamic'

 const logger = createLogger('SharePointSitesAPI')

-/**
- * Get SharePoint sites from Microsoft Graph API
- */
-export async function GET(request: NextRequest) {
-  const requestId = randomUUID().slice(0, 8)
+export async function POST(request: Request) {
+  const requestId = generateRequestId()

  try {
-    const session = await getSession()
-    if (!session?.user?.id) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    const body = await request.json()
+    const { credential, workflowId, query } = body
+
+    if (!credential) {
+      logger.error(`[${requestId}] Missing credential in request`)
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
    }

-    const { searchParams } = new URL(request.url)
-    const credentialId = searchParams.get('credentialId')
-    const query = searchParams.get('query') || ''
-
-    if (!credentialId) {
-      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
-    if (!credentialIdValidation.isValid) {
-      logger.warn(`[${requestId}] Invalid credential ID`, { error: credentialIdValidation.error })
-      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
-    }
-
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    if (resolved.workspaceId) {
-      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
-      const perm = await getUserEntityPermissions(
-        session.user.id,
-        'workspace',
-        resolved.workspaceId
-      )
-      if (perm === null) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
-    const credentials = await db
-      .select()
-      .from(account)
-      .where(eq(account.id, resolved.accountId))
-      .limit(1)
-    if (!credentials.length) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
-    const accountRow = credentials[0]
-
    const accessToken = await refreshAccessTokenIfNeeded(
-      resolved.accountId,
-      accountRow.userId,
+      credential,
+      authz.credentialOwnerUserId,
      requestId
    )
    if (!accessToken) {
-      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
+      logger.error(`[${requestId}] Failed to obtain valid access token`)
+      return NextResponse.json(
+        { error: 'Failed to obtain valid access token', authRequired: true },
+        { status: 401 }
+      )
    }

    const searchQuery = query || '*'
--- a/apps/sim/app/api/tools/slack/remove-reaction/route.ts
+++ b/apps/sim/app/api/tools/slack/remove-reaction/route.ts
@@ -0,0 +1,87 @@
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+
+export const dynamic = 'force-dynamic'
+
+const SlackRemoveReactionSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  channel: z.string().min(1, 'Channel is required'),
+  timestamp: z.string().min(1, 'Message timestamp is required'),
+  name: z.string().min(1, 'Emoji name is required'),
+})
+
+export async function POST(request: NextRequest) {
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = SlackRemoveReactionSchema.parse(body)
+
+    const slackResponse = await fetch('https://slack.com/api/reactions.remove', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${validatedData.accessToken}`,
+      },
+      body: JSON.stringify({
+        channel: validatedData.channel,
+        timestamp: validatedData.timestamp,
+        name: validatedData.name,
+      }),
+    })
+
+    const data = await slackResponse.json()
+
+    if (!data.ok) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: data.error || 'Failed to remove reaction',
+        },
+        { status: slackResponse.status }
+      )
+    }
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        content: `Successfully removed :${validatedData.name}: reaction`,
+        metadata: {
+          channel: validatedData.channel,
+          timestamp: validatedData.timestamp,
+          reaction: validatedData.name,
+        },
+      },
+    })
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Invalid request data',
+          details: error.errors,
+        },
+        { status: 400 }
+      )
+    }
+
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/stt/route.ts
+++ b/apps/sim/app/api/tools/stt/route.ts
@@ -150,6 +150,7 @@ export async function POST(request: NextRequest) {
        method: 'GET',
      })
      if (!response.ok) {
+        await response.text().catch(() => {})
        throw new Error(`Failed to download audio from URL: ${response.statusText}`)
      }

--- a/apps/sim/app/api/tools/textract/parse/route.ts
+++ b/apps/sim/app/api/tools/textract/parse/route.ts
@@ -135,6 +135,7 @@ async function fetchDocumentBytes(url: string): Promise<{ bytes: string; content
    method: 'GET',
  })
  if (!response.ok) {
+    await response.text().catch(() => {})
    throw new Error(`Failed to fetch document: ${response.statusText}`)
  }

--- a/apps/sim/app/api/tools/trello/boards/route.ts
+++ b/apps/sim/app/api/tools/trello/boards/route.ts
@@ -0,0 +1,87 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('TrelloBoardsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const apiKey = process.env.TRELLO_API_KEY
+    if (!apiKey) {
+      logger.error('Trello API key not configured')
+      return NextResponse.json({ error: 'Trello API key not configured' }, { status: 500 })
+    }
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch(
+      `https://api.trello.com/1/members/me/boards?key=${apiKey}&token=${accessToken}&fields=id,name,closed`,
+      {
+        headers: {
+          Accept: 'application/json',
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Trello boards', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Trello boards', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const boards = (data || []).map((board: { id: string; name: string; closed: boolean }) => ({
+      id: board.id,
+      name: board.name,
+      closed: board.closed,
+    }))
+
+    return NextResponse.json({ boards })
+  } catch (error) {
+    logger.error('Error processing Trello boards request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Trello boards', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/tts/route.ts
+++ b/apps/sim/app/api/tools/tts/route.ts
@@ -65,6 +65,7 @@ export async function POST(request: NextRequest) {
    })

    if (!response.ok) {
+      await response.body?.cancel().catch(() => {})
      logger.error(`Failed to generate TTS: ${response.status} ${response.statusText}`)
      return NextResponse.json(
        { error: `Failed to generate TTS: ${response.status} ${response.statusText}` },
--- a/apps/sim/app/api/tools/vision/analyze/route.ts
+++ b/apps/sim/app/api/tools/vision/analyze/route.ts
@@ -184,6 +184,7 @@ export async function POST(request: NextRequest) {
          method: 'GET',
        })
        if (!response.ok) {
+          await response.text().catch(() => {})
          return NextResponse.json(
            { success: false, error: 'Failed to fetch image for Gemini' },
            { status: 400 }
--- a/apps/sim/app/api/tools/zoom/meetings/route.ts
+++ b/apps/sim/app/api/tools/zoom/meetings/route.ts
@@ -0,0 +1,82 @@
+import { createLogger } from '@sim/logger'
+import { NextResponse } from 'next/server'
+import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+
+const logger = createLogger('ZoomMeetingsAPI')
+
+export const dynamic = 'force-dynamic'
+
+export async function POST(request: Request) {
+  const requestId = generateRequestId()
+  try {
+    const body = await request.json()
+    const { credential, workflowId } = body
+
+    if (!credential) {
+      logger.error('Missing credential in request')
+      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
+    }
+
+    const authz = await authorizeCredentialUse(request as any, {
+      credentialId: credential,
+      workflowId,
+    })
+    if (!authz.ok || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
+    }
+
+    const accessToken = await refreshAccessTokenIfNeeded(
+      credential,
+      authz.credentialOwnerUserId,
+      requestId
+    )
+    if (!accessToken) {
+      logger.error('Failed to get access token', {
+        credentialId: credential,
+        userId: authz.credentialOwnerUserId,
+      })
+      return NextResponse.json(
+        { error: 'Could not retrieve access token', authRequired: true },
+        { status: 401 }
+      )
+    }
+
+    const response = await fetch(
+      'https://api.zoom.us/v2/users/me/meetings?page_size=300&type=scheduled',
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      }
+    )
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error('Failed to fetch Zoom meetings', {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { error: 'Failed to fetch Zoom meetings', details: errorData },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    const meetings = (data.meetings || []).map((meeting: { id: number; topic: string }) => ({
+      id: String(meeting.id),
+      name: meeting.topic,
+    }))
+
+    return NextResponse.json({ meetings })
+  } catch (error) {
+    logger.error('Error processing Zoom meetings request:', error)
+    return NextResponse.json(
+      { error: 'Failed to retrieve Zoom meetings', details: (error as Error).message },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -964,7 +964,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
              logger.error(`[${requestId}] Error streaming block content:`, error)
            } finally {
              try {
-                reader.releaseLock()
+                await reader.cancel().catch(() => {})
              } catch {}
            }
          }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/chat.tsx
@@ -501,17 +501,6 @@ export function Chat() {
    }
  }, [])

-  useEffect(() => {
-    if (!isExecuting && isStreaming) {
-      const lastMessage = workflowMessages[workflowMessages.length - 1]
-      if (lastMessage?.isStreaming) {
-        streamReaderRef.current?.cancel()
-        streamReaderRef.current = null
-        finalizeMessageStream(lastMessage.id)
-      }
-    }
-  }, [isExecuting, isStreaming, workflowMessages, finalizeMessageStream])
-
  const handleStopStreaming = useCallback(() => {
    streamReaderRef.current?.cancel()
    streamReaderRef.current = null
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
@@ -15,6 +15,7 @@ import {
 import { client } from '@/lib/auth/auth-client'
 import {
  getProviderIdFromServiceId,
+  getScopeDescription,
  OAUTH_PROVIDERS,
  type OAuthProvider,
  parseProvider,
@@ -33,318 +34,6 @@ export interface OAuthRequiredModalProps {
  onConnect?: () => Promise<void> | void
 }

-const SCOPE_DESCRIPTIONS: Record<string, string> = {
-  'https://www.googleapis.com/auth/gmail.send': 'Send emails',
-  'https://www.googleapis.com/auth/gmail.labels': 'View and manage email labels',
-  'https://www.googleapis.com/auth/gmail.modify': 'View and manage email messages',
-  'https://www.googleapis.com/auth/drive.file': 'View and manage Google Drive files',
-  'https://www.googleapis.com/auth/drive': 'Access all Google Drive files',
-  'https://www.googleapis.com/auth/calendar': 'View and manage calendar',
-  'https://www.googleapis.com/auth/contacts': 'View and manage Google Contacts',
-  'https://www.googleapis.com/auth/tasks': 'Create, read, update, and delete Google Tasks',
-  'https://www.googleapis.com/auth/userinfo.email': 'View email address',
-  'https://www.googleapis.com/auth/userinfo.profile': 'View basic profile info',
-  'https://www.googleapis.com/auth/forms.body': 'View and manage Google Forms',
-  'https://www.googleapis.com/auth/forms.responses.readonly': 'View responses to Google Forms',
-  'https://www.googleapis.com/auth/bigquery': 'View and manage data in Google BigQuery',
-  'https://www.googleapis.com/auth/ediscovery': 'Access Google Vault for eDiscovery',
-  'https://www.googleapis.com/auth/devstorage.read_only': 'Read files from Google Cloud Storage',
-  'https://www.googleapis.com/auth/admin.directory.group': 'Manage Google Workspace groups',
-  'https://www.googleapis.com/auth/admin.directory.group.member':
-    'Manage Google Workspace group memberships',
-  'https://www.googleapis.com/auth/admin.directory.group.readonly': 'View Google Workspace groups',
-  'https://www.googleapis.com/auth/admin.directory.group.member.readonly':
-    'View Google Workspace group memberships',
-  'https://www.googleapis.com/auth/meetings.space.created':
-    'Create and manage Google Meet meeting spaces',
-  'https://www.googleapis.com/auth/meetings.space.readonly':
-    'View Google Meet meeting space details',
-  'https://www.googleapis.com/auth/cloud-platform':
-    'Full access to Google Cloud resources for Vertex AI',
-  'read:confluence-content.all': 'Read all Confluence content',
-  'read:confluence-space.summary': 'Read Confluence space information',
-  'read:space:confluence': 'View Confluence spaces',
-  'read:space-details:confluence': 'View detailed Confluence space information',
-  'write:confluence-content': 'Create and edit Confluence pages',
-  'write:confluence-space': 'Manage Confluence spaces',
-  'write:confluence-file': 'Upload files to Confluence',
-  'read:content:confluence': 'Read Confluence content',
-  'read:page:confluence': 'View Confluence pages',
-  'write:page:confluence': 'Create and update Confluence pages',
-  'read:comment:confluence': 'View comments on Confluence pages',
-  'write:comment:confluence': 'Create and update comments',
-  'delete:comment:confluence': 'Delete comments from Confluence pages',
-  'read:attachment:confluence': 'View attachments on Confluence pages',
-  'write:attachment:confluence': 'Upload and manage attachments',
-  'delete:attachment:confluence': 'Delete attachments from Confluence pages',
-  'delete:page:confluence': 'Delete Confluence pages',
-  'read:label:confluence': 'View labels on Confluence content',
-  'write:label:confluence': 'Add and remove labels',
-  'search:confluence': 'Search Confluence content',
-  'readonly:content.attachment:confluence': 'View attachments',
-  'read:blogpost:confluence': 'View Confluence blog posts',
-  'write:blogpost:confluence': 'Create and update Confluence blog posts',
-  'read:content.property:confluence': 'View properties on Confluence content',
-  'write:content.property:confluence': 'Create and manage content properties',
-  'read:hierarchical-content:confluence': 'View page hierarchy (children and ancestors)',
-  'read:content.metadata:confluence': 'View content metadata (required for ancestors)',
-  'read:user:confluence': 'View Confluence user profiles',
-  'read:task:confluence': 'View Confluence inline tasks',
-  'write:task:confluence': 'Update Confluence inline tasks',
-  'delete:blogpost:confluence': 'Delete Confluence blog posts',
-  'write:space:confluence': 'Create and update Confluence spaces',
-  'delete:space:confluence': 'Delete Confluence spaces',
-  'read:space.property:confluence': 'View Confluence space properties',
-  'write:space.property:confluence': 'Create and manage space properties',
-  'read:space.permission:confluence': 'View Confluence space permissions',
-  'read:me': 'Read profile information',
-  'database.read': 'Read database',
-  'database.write': 'Write to database',
-  'projects.read': 'Read projects',
-  offline_access: 'Access account when not using the application',
-  repo: 'Access repositories',
-  workflow: 'Manage repository workflows',
-  'read:user': 'Read public user information',
-  'user:email': 'Access email address',
-  'tweet.read': 'Read tweets and timeline',
-  'tweet.write': 'Post and delete tweets',
-  'tweet.moderate.write': 'Hide and unhide replies to tweets',
-  'users.read': 'Read user profiles and account information',
-  'follows.read': 'View followers and following lists',
-  'follows.write': 'Follow and unfollow users',
-  'bookmark.read': 'View bookmarked tweets',
-  'bookmark.write': 'Add and remove bookmarks',
-  'like.read': 'View liked tweets and liking users',
-  'like.write': 'Like and unlike tweets',
-  'block.read': 'View blocked users',
-  'block.write': 'Block and unblock users',
-  'mute.read': 'View muted users',
-  'mute.write': 'Mute and unmute users',
-  'offline.access': 'Access account when not using the application',
-  'data.records:read': 'Read records',
-  'data.records:write': 'Write to records',
-  'schema.bases:read': 'View bases and tables',
-  'webhook:manage': 'Manage webhooks',
-  'page.read': 'Read Notion pages',
-  'page.write': 'Write to Notion pages',
-  'workspace.content': 'Read Notion content',
-  'workspace.name': 'Read Notion workspace name',
-  'workspace.read': 'Read Notion workspace',
-  'workspace.write': 'Write to Notion workspace',
-  'user.email:read': 'Read email address',
-  'read:jira-user': 'Read Jira user',
-  'read:jira-work': 'Read Jira work',
-  'write:jira-work': 'Write to Jira work',
-  'manage:jira-webhook': 'Register and manage Jira webhooks',
-  'read:webhook:jira': 'View Jira webhooks',
-  'write:webhook:jira': 'Create and update Jira webhooks',
-  'delete:webhook:jira': 'Delete Jira webhooks',
-  'read:issue-event:jira': 'Read Jira issue events',
-  'write:issue:jira': 'Write to Jira issues',
-  'read:project:jira': 'Read Jira projects',
-  'read:issue-type:jira': 'Read Jira issue types',
-  'read:issue-meta:jira': 'Read Jira issue meta',
-  'read:issue-security-level:jira': 'Read Jira issue security level',
-  'read:issue.vote:jira': 'Read Jira issue votes',
-  'read:issue.changelog:jira': 'Read Jira issue changelog',
-  'read:avatar:jira': 'Read Jira avatar',
-  'read:issue:jira': 'Read Jira issues',
-  'read:status:jira': 'Read Jira status',
-  'read:user:jira': 'Read Jira user',
-  'read:field-configuration:jira': 'Read Jira field configuration',
-  'read:issue-details:jira': 'Read Jira issue details',
-  'read:field:jira': 'Read Jira field configurations',
-  'read:jql:jira': 'Use JQL to filter Jira issues',
-  'read:comment.property:jira': 'Read Jira comment properties',
-  'read:issue.property:jira': 'Read Jira issue properties',
-  'delete:issue:jira': 'Delete Jira issues',
-  'write:comment:jira': 'Add and update comments on Jira issues',
-  'read:comment:jira': 'Read comments on Jira issues',
-  'delete:comment:jira': 'Delete comments from Jira issues',
-  'read:attachment:jira': 'Read attachments from Jira issues',
-  'delete:attachment:jira': 'Delete attachments from Jira issues',
-  'write:issue-worklog:jira': 'Add and update worklog entries on Jira issues',
-  'read:issue-worklog:jira': 'Read worklog entries from Jira issues',
-  'delete:issue-worklog:jira': 'Delete worklog entries from Jira issues',
-  'write:issue-link:jira': 'Create links between Jira issues',
-  'delete:issue-link:jira': 'Delete links between Jira issues',
-  'User.Read': 'Read Microsoft user',
-  'Chat.Read': 'Read Microsoft chats',
-  'Chat.ReadWrite': 'Write to Microsoft chats',
-  'Chat.ReadBasic': 'Read Microsoft chats',
-  'ChatMessage.Send': 'Send chat messages',
-  'Channel.ReadBasic.All': 'Read Microsoft channels',
-  'ChannelMessage.Send': 'Write to Microsoft channels',
-  'ChannelMessage.Read.All': 'Read Microsoft channels',
-  'ChannelMessage.ReadWrite': 'Read and write to Microsoft channels',
-  'ChannelMember.Read.All': 'Read team channel members',
-  'Group.Read.All': 'Read Microsoft groups',
-  'Group.ReadWrite.All': 'Write to Microsoft groups',
-  'Team.ReadBasic.All': 'Read Microsoft teams',
-  'TeamMember.Read.All': 'Read team members',
-  'Mail.ReadWrite': 'Write to Microsoft emails',
-  'Mail.ReadBasic': 'Read Microsoft emails',
-  'Mail.Read': 'Read Microsoft emails',
-  'Mail.Send': 'Send emails',
-  'Files.Read': 'Read OneDrive files',
-  'Files.ReadWrite': 'Read and write OneDrive files',
-  'Tasks.ReadWrite': 'Read and manage Planner tasks',
-  'Sites.Read.All': 'Read Sharepoint sites',
-  'Sites.ReadWrite.All': 'Read and write Sharepoint sites',
-  'Sites.Manage.All': 'Manage Sharepoint sites',
-  openid: 'Standard authentication',
-  profile: 'Access profile information',
-  email: 'Access email address',
-  identify: 'Read Discord user',
-  bot: 'Read Discord bot',
-  'messages.read': 'Read Discord messages',
-  guilds: 'Read Discord guilds',
-  'guilds.members.read': 'Read Discord guild members',
-  identity: 'Access Reddit identity',
-  submit: 'Submit posts and comments',
-  vote: 'Vote on posts and comments',
-  save: 'Save and unsave posts and comments',
-  edit: 'Edit posts and comments',
-  subscribe: 'Subscribe and unsubscribe from subreddits',
-  history: 'Access Reddit history',
-  privatemessages: 'Access inbox and send private messages',
-  account: 'Update account preferences and settings',
-  mysubreddits: 'Access subscribed and moderated subreddits',
-  flair: 'Manage user and post flair',
-  report: 'Report posts and comments for rule violations',
-  modposts: 'Approve, remove, and moderate posts in moderated subreddits',
-  modflair: 'Manage flair in moderated subreddits',
-  modmail: 'Access and respond to moderator mail',
-  login: 'Access Wealthbox account',
-  data: 'Access Wealthbox data',
-  read: 'Read access to workspace',
-  write: 'Write access to Linear workspace',
-  'channels:read': 'View public channels',
-  'channels:history': 'Read channel messages',
-  'groups:read': 'View private channels',
-  'groups:history': 'Read private messages',
-  'chat:write': 'Send messages',
-  'chat:write.public': 'Post to public channels',
-  'im:write': 'Send direct messages',
-  'im:history': 'Read direct message history',
-  'im:read': 'View direct message channels',
-  'users:read': 'View workspace users',
-  'files:write': 'Upload files',
-  'files:read': 'Download and read files',
-  'canvases:write': 'Create canvas documents',
-  'reactions:write': 'Add emoji reactions to messages',
-  'sites:read': 'View Webflow sites',
-  'sites:write': 'Manage webhooks and site settings',
-  'cms:read': 'View CMS content',
-  'cms:write': 'Manage CMS content',
-  'crm.objects.contacts.read': 'Read HubSpot contacts',
-  'crm.objects.contacts.write': 'Create and update HubSpot contacts',
-  'crm.objects.companies.read': 'Read HubSpot companies',
-  'crm.objects.companies.write': 'Create and update HubSpot companies',
-  'crm.objects.deals.read': 'Read HubSpot deals',
-  'crm.objects.deals.write': 'Create and update HubSpot deals',
-  'crm.objects.owners.read': 'Read HubSpot object owners',
-  'crm.objects.users.read': 'Read HubSpot users',
-  'crm.objects.users.write': 'Create and update HubSpot users',
-  'crm.objects.marketing_events.read': 'Read HubSpot marketing events',
-  'crm.objects.marketing_events.write': 'Create and update HubSpot marketing events',
-  'crm.objects.line_items.read': 'Read HubSpot line items',
-  'crm.objects.line_items.write': 'Create and update HubSpot line items',
-  'crm.objects.quotes.read': 'Read HubSpot quotes',
-  'crm.objects.quotes.write': 'Create and update HubSpot quotes',
-  'crm.objects.appointments.read': 'Read HubSpot appointments',
-  'crm.objects.appointments.write': 'Create and update HubSpot appointments',
-  'crm.objects.carts.read': 'Read HubSpot shopping carts',
-  'crm.objects.carts.write': 'Create and update HubSpot shopping carts',
-  'crm.import': 'Import data into HubSpot',
-  'crm.lists.read': 'Read HubSpot lists',
-  'crm.lists.write': 'Create and update HubSpot lists',
-  tickets: 'Manage HubSpot tickets',
-  api: 'Access Salesforce API',
-  refresh_token: 'Maintain long-term access to Salesforce account',
-  default: 'Access Asana workspace',
-  base: 'Basic access to Pipedrive account',
-  'deals:read': 'Read Pipedrive deals',
-  'deals:full': 'Full access to manage Pipedrive deals',
-  'contacts:read': 'Read Pipedrive contacts',
-  'contacts:full': 'Full access to manage Pipedrive contacts',
-  'leads:read': 'Read Pipedrive leads',
-  'leads:full': 'Full access to manage Pipedrive leads',
-  'activities:read': 'Read Pipedrive activities',
-  'activities:full': 'Full access to manage Pipedrive activities',
-  'mail:read': 'Read Pipedrive emails',
-  'mail:full': 'Full access to manage Pipedrive emails',
-  'projects:read': 'Read Pipedrive projects',
-  'projects:full': 'Full access to manage Pipedrive projects',
-  'webhooks:read': 'Read Pipedrive webhooks',
-  'webhooks:full': 'Full access to manage Pipedrive webhooks',
-  w_member_social: 'Access LinkedIn profile',
-  // Box scopes
-  root_readwrite: 'Read and write all files and folders in Box account',
-  root_readonly: 'Read all files and folders in Box account',
-  // Shopify scopes (write_* implicitly includes read access)
-  write_products: 'Read and manage Shopify products',
-  write_orders: 'Read and manage Shopify orders',
-  write_customers: 'Read and manage Shopify customers',
-  write_inventory: 'Read and manage Shopify inventory levels',
-  read_locations: 'View store locations',
-  write_merchant_managed_fulfillment_orders: 'Create fulfillments for orders',
-  // Zoom scopes
-  'user:read:user': 'View Zoom profile information',
-  'meeting:write:meeting': 'Create Zoom meetings',
-  'meeting:read:meeting': 'View Zoom meeting details',
-  'meeting:read:list_meetings': 'List Zoom meetings',
-  'meeting:update:meeting': 'Update Zoom meetings',
-  'meeting:delete:meeting': 'Delete Zoom meetings',
-  'meeting:read:invitation': 'View Zoom meeting invitations',
-  'meeting:read:list_past_participants': 'View past meeting participants',
-  'cloud_recording:read:list_user_recordings': 'List Zoom cloud recordings',
-  'cloud_recording:read:list_recording_files': 'View recording files',
-  'cloud_recording:delete:recording_file': 'Delete cloud recordings',
-  // Dropbox scopes
-  'account_info.read': 'View Dropbox account information',
-  'files.metadata.read': 'View file and folder names, sizes, and dates',
-  'files.metadata.write': 'Modify file and folder metadata',
-  'files.content.read': 'Download and read Dropbox files',
-  'files.content.write': 'Upload, copy, move, and delete files in Dropbox',
-  'sharing.read': 'View shared files and folders',
-  'sharing.write': 'Share files and folders with others',
-  // WordPress.com scopes
-  global: 'Full access to manage WordPress.com sites, posts, pages, media, and settings',
-  // Spotify scopes
-  'user-read-private': 'View Spotify account details',
-  'user-read-email': 'View email address on Spotify',
-  'user-library-read': 'View saved tracks and albums',
-  'user-library-modify': 'Save and remove tracks and albums from library',
-  'playlist-read-private': 'View private playlists',
-  'playlist-read-collaborative': 'View collaborative playlists',
-  'playlist-modify-public': 'Create and manage public playlists',
-  'playlist-modify-private': 'Create and manage private playlists',
-  'user-read-playback-state': 'View current playback state',
-  'user-modify-playback-state': 'Control playback on Spotify devices',
-  'user-read-currently-playing': 'View currently playing track',
-  'user-read-recently-played': 'View recently played tracks',
-  'user-top-read': 'View top artists and tracks',
-  'user-follow-read': 'View followed artists and users',
-  'user-follow-modify': 'Follow and unfollow artists and users',
-  'user-read-playback-position': 'View playback position in podcasts',
-  'ugc-image-upload': 'Upload images to Spotify playlists',
-  // Attio
-  'record_permission:read-write': 'Read and write CRM records',
-  'object_configuration:read-write': 'Read and manage object schemas',
-  'list_configuration:read-write': 'Read and manage list configurations',
-  'list_entry:read-write': 'Read and write list entries',
-  'note:read-write': 'Read and write notes',
-  'task:read-write': 'Read and write tasks',
-  'comment:read-write': 'Read and write comments and threads',
-  'user_management:read': 'View workspace members',
-  'webhook:read-write': 'Manage webhooks',
-}
-
-function getScopeDescription(scope: string): string {
-  return SCOPE_DESCRIPTIONS[scope] || scope
-}
-
 export function OAuthRequiredModal({
  isOpen,
  onClose,
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -15,6 +15,7 @@ import {
  type OAuthProvider,
  parseProvider,
 } from '@/lib/oauth'
+import { getMissingRequiredScopes } from '@/lib/oauth/utils'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
@@ -25,7 +26,6 @@ import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { useCredentialRefreshTriggers } from '@/hooks/use-credential-refresh-triggers'
-import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'

 const isBillingEnabled = isTruthy(getEnv('NEXT_PUBLIC_BILLING_ENABLED'))
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
@@ -12,10 +12,10 @@ import {
  type OAuthService,
  parseProvider,
 } from '@/lib/oauth'
+import { getMissingRequiredScopes } from '@/lib/oauth/utils'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
 import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useCredentialRefreshTriggers } from '@/hooks/use-credential-refresh-triggers'
-import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'

 const getProviderIcon = (providerName: OAuthProvider) => {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx
@@ -1969,9 +1969,8 @@ export const ToolInput = memo(function ToolInput({
                    }

                    if (useSubBlocks && displaySubBlocks.length > 0) {
-                      const allBlockSubBlocks = toolBlock?.subBlocks || []
                      const coveredParamIds = new Set(
-                        allBlockSubBlocks.flatMap((sb) => {
+                        displaySubBlocks.flatMap((sb) => {
                          const ids = [sb.id]
                          if (sb.canonicalParamId) ids.push(sb.canonicalParamId)
                          const cId = toolCanonicalIndex?.canonicalIdBySubBlockId[sb.id]
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-selector-setup.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-selector-setup.ts
@@ -2,8 +2,11 @@

 import { useMemo } from 'react'
 import { useParams } from 'next/navigation'
+import { SELECTOR_CONTEXT_FIELDS } from '@/lib/workflows/subblocks/context'
 import type { SubBlockConfig } from '@/blocks/types'
+import { extractEnvVarName, isEnvVarReference, isReference } from '@/executor/constants'
 import type { SelectorContext, SelectorKey } from '@/hooks/selectors/types'
+import { useEnvironmentStore } from '@/stores/settings/environment'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useDependsOnGate } from './use-depends-on-gate'

@@ -12,8 +15,7 @@ import { useDependsOnGate } from './use-depends-on-gate'
 *
 * Builds a `SelectorContext` by mapping each `dependsOn` entry through the
 * canonical index to its `canonicalParamId`, which maps directly to
- * `SelectorContext` field names (e.g. `siteId`, `teamId`, `collectionId`).
- * The one special case is `oauthCredential` which maps to `credentialId`.
+ * `SelectorContext` field names (e.g. `siteId`, `teamId`, `oauthCredential`).
 *
 * @param blockId - The block containing the selector sub-block
 * @param subBlock - The sub-block config (must have `selectorKey` set)
@@ -29,53 +31,58 @@ export function useSelectorSetup(
  const activeWorkflowId = useWorkflowRegistry((s) => s.activeWorkflowId)
  const workflowId = (params?.workflowId as string) || activeWorkflowId || ''

+  const envVariables = useEnvironmentStore((s) => s.variables)
+
  const { finalDisabled, dependencyValues, canonicalIndex } = useDependsOnGate(
    blockId,
    subBlock,
    opts
  )

+  const resolvedDependencyValues = useMemo(() => {
+    const resolved: Record<string, unknown> = {}
+    for (const [key, value] of Object.entries(dependencyValues)) {
+      if (value === null || value === undefined) {
+        resolved[key] = value
+        continue
+      }
+      const str = String(value)
+      if (isEnvVarReference(str)) {
+        const varName = extractEnvVarName(str)
+        resolved[key] = envVariables[varName]?.value || undefined
+      } else {
+        resolved[key] = value
+      }
+    }
+    return resolved
+  }, [dependencyValues, envVariables])
+
  const selectorContext = useMemo<SelectorContext>(() => {
    const context: SelectorContext = {
      workflowId,
      mimeType: subBlock.mimeType,
    }

-    for (const [depKey, value] of Object.entries(dependencyValues)) {
+    for (const [depKey, value] of Object.entries(resolvedDependencyValues)) {
      if (value === null || value === undefined) continue
      const strValue = String(value)
      if (!strValue) continue
+      if (isReference(strValue)) continue

      const canonicalParamId = canonicalIndex.canonicalIdBySubBlockId[depKey] ?? depKey
-
-      if (canonicalParamId === 'oauthCredential') {
-        context.credentialId = strValue
-      } else if (canonicalParamId in CONTEXT_FIELD_SET) {
-        ;(context as Record<string, unknown>)[canonicalParamId] = strValue
+      if (SELECTOR_CONTEXT_FIELDS.has(canonicalParamId as keyof SelectorContext)) {
+        context[canonicalParamId as keyof SelectorContext] = strValue
      }
    }

    return context
-  }, [dependencyValues, canonicalIndex, workflowId, subBlock.mimeType])
+  }, [resolvedDependencyValues, canonicalIndex, workflowId, subBlock.mimeType])

  return {
    selectorKey: (subBlock.selectorKey ?? null) as SelectorKey | null,
    selectorContext,
    allowSearch: subBlock.selectorAllowSearch ?? true,
    disabled: finalDisabled || !subBlock.selectorKey,
-    dependencyValues,
+    dependencyValues: resolvedDependencyValues,
  }
 }
-
-const CONTEXT_FIELD_SET: Record<string, true> = {
-  credentialId: true,
-  domain: true,
-  teamId: true,
-  projectId: true,
-  knowledgeBaseId: true,
-  planId: true,
-  siteId: true,
-  collectionId: true,
-  spreadsheetId: true,
-  fileId: true,
-}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx
@@ -57,9 +57,9 @@ import { useWebhookManagement } from '@/hooks/use-webhook-management'
 const SLACK_OVERRIDES: SelectorOverrides = {
  transformContext: (context, deps) => {
    const authMethod = deps.authMethod as string
-    const credentialId =
+    const oauthCredential =
      authMethod === 'bot_token' ? String(deps.botToken ?? '') : String(deps.credential ?? '')
-    return { ...context, credentialId }
+    return { ...context, oauthCredential }
  },
 }

--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx
@@ -40,6 +40,10 @@ import { LoopTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/component
 import { ParallelTool } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/parallel/parallel-config'
 import { getSubBlockStableKey } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/utils'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks'
+import {
+  isAncestorProtected,
+  isBlockProtected,
+} from '@/app/workspace/[workspaceId]/w/[workflowId]/utils/block-protection-utils'
 import { PreviewWorkflow } from '@/app/workspace/[workspaceId]/w/components/preview'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockType } from '@/blocks/types'
@@ -107,12 +111,11 @@ export function Editor() {

  const userPermissions = useUserPermissionsContext()

-  // Check if block is locked (or inside a locked container) and compute edit permission
+  // Check if block is locked (or inside a locked ancestor) and compute edit permission
  // Locked blocks cannot be edited by anyone (admins can only lock/unlock)
  const blocks = useWorkflowStore((state) => state.blocks)
-  const parentId = currentBlock?.data?.parentId as string | undefined
-  const isParentLocked = parentId ? (blocks[parentId]?.locked ?? false) : false
-  const isLocked = (currentBlock?.locked ?? false) || isParentLocked
+  const isLocked = currentBlockId ? isBlockProtected(currentBlockId, blocks) : false
+  const isAncestorLocked = currentBlockId ? isAncestorProtected(currentBlockId, blocks) : false
  const canEditBlock = userPermissions.canEdit && !isLocked

  const activeWorkflowId = useWorkflowRegistry((state) => state.activeWorkflowId)
@@ -247,10 +250,7 @@ export function Editor() {
    const block = blocks[blockId]
    if (!block) return

-    const parentId = block.data?.parentId as string | undefined
-    const isParentLocked = parentId ? (blocks[parentId]?.locked ?? false) : false
-    const isLocked = (block.locked ?? false) || isParentLocked
-    if (!userPermissions.canEdit || isLocked) return
+    if (!userPermissions.canEdit || isBlockProtected(blockId, blocks)) return

    renamingBlockIdRef.current = blockId
    setEditedName(block.name || '')
@@ -364,11 +364,11 @@ export function Editor() {
          )}
        </div>
        <div className='flex shrink-0 items-center gap-[8px]'>
-          {/* Locked indicator - clickable to unlock if user has admin permissions, block is locked, and parent is not locked */}
+          {/* Locked indicator - clickable to unlock if user has admin permissions, block is locked directly, and not locked by an ancestor */}
          {isLocked && currentBlock && (
            <Tooltip.Root>
              <Tooltip.Trigger asChild>
-                {userPermissions.canAdmin && currentBlock.locked && !isParentLocked ? (
+                {userPermissions.canAdmin && currentBlock.locked && !isAncestorLocked ? (
                  <Button
                    variant='ghost'
                    className='p-0'
@@ -385,8 +385,8 @@ export function Editor() {
              </Tooltip.Trigger>
              <Tooltip.Content side='top'>
                <p>
-                  {isParentLocked
-                    ? 'Parent container is locked'
+                  {isAncestorLocked
+                    ? 'Ancestor container is locked'
                    : userPermissions.canAdmin && currentBlock.locked
                      ? 'Unlock block'
                      : 'Block is locked'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/subflow-node.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/subflows/subflow-node.tsx
@@ -1,4 +1,4 @@
-import { memo, useMemo, useRef } from 'react'
+import { memo, useMemo } from 'react'
 import { RepeatIcon, SplitIcon } from 'lucide-react'
 import { Handle, type NodeProps, Position, useReactFlow } from 'reactflow'
 import { Badge } from '@/components/emcn'
@@ -28,6 +28,28 @@ export interface SubflowNodeData {
  executionStatus?: 'success' | 'error' | 'not-executed'
 }

+const HANDLE_STYLE = {
+  top: `${HANDLE_POSITIONS.DEFAULT_Y_OFFSET}px`,
+  transform: 'translateY(-50%)',
+} as const
+
+/**
+ * Reusable class names for Handle components.
+ * Matches the styling pattern from workflow-block.tsx.
+ */
+const getHandleClasses = (position: 'left' | 'right') => {
+  const baseClasses = '!z-[10] !cursor-crosshair !border-none !transition-[colors] !duration-150'
+  const colorClasses = '!bg-[var(--workflow-edge)]'
+
+  const positionClasses = {
+    left: '!left-[-8px] !h-5 !w-[7px] !rounded-l-[2px] !rounded-r-none hover:!left-[-11px] hover:!w-[10px] hover:!rounded-l-full',
+    right:
+      '!right-[-8px] !h-5 !w-[7px] !rounded-r-[2px] !rounded-l-none hover:!right-[-11px] hover:!w-[10px] hover:!rounded-r-full',
+  }
+
+  return cn(baseClasses, colorClasses, positionClasses[position])
+}
+
 /**
 * Subflow node component for loop and parallel execution containers.
 * Renders a resizable container with a header displaying the block name and icon,
@@ -38,7 +60,6 @@ export interface SubflowNodeData {
 */
 export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<SubflowNodeData>) => {
  const { getNodes } = useReactFlow()
-  const blockRef = useRef<HTMLDivElement>(null)
  const userPermissions = useUserPermissionsContext()

  const currentWorkflow = useCurrentWorkflow()
@@ -52,7 +73,6 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
  const isLocked = currentBlock?.locked ?? false
  const isPreview = data?.isPreview || false

-  // Focus state
  const setCurrentBlockId = usePanelEditorStore((state) => state.setCurrentBlockId)
  const currentBlockId = usePanelEditorStore((state) => state.currentBlockId)
  const isFocused = currentBlockId === id
@@ -84,7 +104,7 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
    }

    return level
-  }, [id, data?.parentId, getNodes])
+  }, [data?.parentId, getNodes])

  const startHandleId = data.kind === 'loop' ? 'loop-start-source' : 'parallel-start-source'
  const endHandleId = data.kind === 'loop' ? 'loop-end-source' : 'parallel-end-source'
@@ -92,27 +112,6 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
  const blockIconBg = data.kind === 'loop' ? '#2FB3FF' : '#FEE12B'
  const blockName = data.name || (data.kind === 'loop' ? 'Loop' : 'Parallel')

-  /**
-   * Reusable styles and positioning for Handle components.
-   * Matches the styling pattern from workflow-block.tsx.
-   */
-  const getHandleClasses = (position: 'left' | 'right') => {
-    const baseClasses = '!z-[10] !cursor-crosshair !border-none !transition-[colors] !duration-150'
-    const colorClasses = '!bg-[var(--workflow-edge)]'
-
-    const positionClasses = {
-      left: '!left-[-8px] !h-5 !w-[7px] !rounded-l-[2px] !rounded-r-none hover:!left-[-11px] hover:!w-[10px] hover:!rounded-l-full',
-      right:
-        '!right-[-8px] !h-5 !w-[7px] !rounded-r-[2px] !rounded-l-none hover:!right-[-11px] hover:!w-[10px] hover:!rounded-r-full',
-    }
-
-    return cn(baseClasses, colorClasses, positionClasses[position])
-  }
-
-  const getHandleStyle = () => {
-    return { top: `${HANDLE_POSITIONS.DEFAULT_Y_OFFSET}px`, transform: 'translateY(-50%)' }
-  }
-
  /**
   * Determine the ring styling based on subflow state priority:
   * 1. Focused (selected in editor), selected (shift-click/box), or preview selected - blue ring
@@ -127,46 +126,37 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
    diffStatus === 'new' ||
    diffStatus === 'edited' ||
    !!runPathStatus
+
  /**
-   * Compute the outline color for the subflow ring.
-   * Uses CSS outline instead of box-shadow ring because in ReactFlow v11,
-   * child nodes are DOM children of parent nodes and paint over the parent's
-   * internal ring overlay. Outline renders on the element's own compositing
-   * layer, so it stays visible above nested child nodes.
+   * Compute the ring color for the subflow selection indicator.
+   * Uses boxShadow (not CSS outline) to match the ring styling of regular workflow blocks.
+   * This works because ReactFlow renders child nodes as sibling divs at the viewport level
+   * (not as DOM children), so children at zIndex 1000 don't clip the parent's boxShadow.
   */
-  const outlineColor = hasRing
-    ? isFocused || isSelected || isPreviewSelected
-      ? 'var(--brand-secondary)'
-      : diffStatus === 'new'
-        ? 'var(--brand-tertiary-2)'
-        : diffStatus === 'edited'
-          ? 'var(--warning)'
-          : runPathStatus === 'success'
-            ? executionStatus
-              ? 'var(--brand-tertiary-2)'
-              : 'var(--border-success)'
-            : runPathStatus === 'error'
-              ? 'var(--text-error)'
-              : undefined
-    : undefined
+  const getRingColor = (): string | undefined => {
+    if (!hasRing) return undefined
+    if (isFocused || isSelected || isPreviewSelected) return 'var(--brand-secondary)'
+    if (diffStatus === 'new') return 'var(--brand-tertiary-2)'
+    if (diffStatus === 'edited') return 'var(--warning)'
+    if (runPathStatus === 'success') {
+      return executionStatus ? 'var(--brand-tertiary-2)' : 'var(--border-success)'
+    }
+    if (runPathStatus === 'error') return 'var(--text-error)'
+    return undefined
+  }
+  const ringColor = getRingColor()

  return (
    <div className='group pointer-events-none relative'>
      <div
-        ref={blockRef}
-        className={cn(
-          'relative select-none rounded-[8px] border border-[var(--border-1)]',
-          'transition-block-bg'
-        )}
+        className='relative select-none rounded-[8px] border border-[var(--border-1)] transition-block-bg'
        style={{
          width: data.width || 500,
          height: data.height || 300,
-          position: 'relative',
          overflow: 'visible',
          pointerEvents: 'none',
-          ...(outlineColor && {
-            outline: `1.75px solid ${outlineColor}`,
-            outlineOffset: '-1px',
+          ...(ringColor && {
+            boxShadow: `0 0 0 1.75px ${ringColor}`,
          }),
        }}
        data-node-id={id}
@@ -181,9 +171,7 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
        {/* Header Section — only interactive area for dragging */}
        <div
          onClick={() => setCurrentBlockId(id)}
-          className={cn(
-            'workflow-drag-handle flex cursor-grab items-center justify-between rounded-t-[8px] border-[var(--border)] border-b bg-[var(--surface-2)] py-[8px] pr-[12px] pl-[8px] [&:active]:cursor-grabbing'
-          )}
+          className='workflow-drag-handle flex cursor-grab items-center justify-between rounded-t-[8px] border-[var(--border)] border-b bg-[var(--surface-2)] py-[8px] pr-[12px] pl-[8px] [&:active]:cursor-grabbing'
          style={{ pointerEvents: 'auto' }}
        >
          <div className='flex min-w-0 flex-1 items-center gap-[10px]'>
@@ -209,6 +197,17 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
          </div>
        </div>

+        {/*
+         * Click-catching background — selects this subflow when the body area is clicked.
+         * No event bubbling concern: ReactFlow renders child nodes as viewport-level siblings,
+         * not as DOM children of this component, so child clicks never reach this div.
+         */}
+        <div
+          className='absolute inset-0 top-[44px] rounded-b-[8px]'
+          style={{ pointerEvents: isPreview ? 'none' : 'auto' }}
+          onClick={() => setCurrentBlockId(id)}
+        />
+
        {!isPreview && (
          <div
            className='absolute right-[8px] bottom-[8px] z-20 flex h-[32px] w-[32px] cursor-se-resize items-center justify-center text-muted-foreground'
@@ -217,12 +216,9 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
        )}

        <div
-          className='h-[calc(100%-50px)] pt-[16px] pr-[80px] pb-[16px] pl-[16px]'
+          className='relative h-[calc(100%-50px)] pt-[16px] pr-[80px] pb-[16px] pl-[16px]'
          data-dragarea='true'
-          style={{
-            position: 'relative',
-            pointerEvents: 'none',
-          }}
+          style={{ pointerEvents: 'none' }}
        >
          {/* Subflow Start */}
          <div
@@ -255,7 +251,7 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
          position={Position.Left}
          className={getHandleClasses('left')}
          style={{
-            ...getHandleStyle(),
+            ...HANDLE_STYLE,
            pointerEvents: 'auto',
          }}
        />
@@ -266,7 +262,7 @@ export const SubflowNodeComponent = memo(({ data, id, selected }: NodeProps<Subf
          position={Position.Right}
          className={getHandleClasses('right')}
          style={{
-            ...getHandleStyle(),
+            ...HANDLE_STYLE,
            pointerEvents: 'auto',
          }}
          id={endHandleId}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx
@@ -527,7 +527,8 @@ const SubBlockRow = memo(function SubBlockRow({
  const { displayName: credentialName } = useCredentialName(
    credentialSourceId,
    credentialProviderId,
-    workflowId
+    workflowId,
+    workspaceId
  )

  const credentialId = dependencyValues.credential
@@ -548,21 +549,48 @@ const SubBlockRow = memo(function SubBlockRow({
    return typeof option === 'string' ? option : option.label
  }, [subBlock, rawValue])

-  const domainValue = getStringValue('domain')
-  const teamIdValue = getStringValue('teamId')
-  const projectIdValue = getStringValue('projectId')
-  const planIdValue = getStringValue('planId')
+  const resolveContextValue = useCallback(
+    (key: string): string | undefined => {
+      const resolved = resolveDependencyValue(
+        key,
+        rawValues,
+        canonicalIndex || buildCanonicalIndex([]),
+        canonicalModeOverrides
+      )
+      return typeof resolved === 'string' && resolved.length > 0 ? resolved : undefined
+    },
+    [rawValues, canonicalIndex, canonicalModeOverrides]
+  )
+
+  const domainValue = resolveContextValue('domain')
+  const teamIdValue = resolveContextValue('teamId')
+  const projectIdValue = resolveContextValue('projectId')
+  const planIdValue = resolveContextValue('planId')
+  const baseIdValue = resolveContextValue('baseId')
+  const datasetIdValue = resolveContextValue('datasetId')
+  const serviceDeskIdValue = resolveContextValue('serviceDeskId')
+  const siteIdValue = resolveContextValue('siteId')
+  const collectionIdValue = resolveContextValue('collectionId')
+  const spreadsheetIdValue = resolveContextValue('spreadsheetId')
+  const fileIdValue = resolveContextValue('fileId')

  const { displayName: selectorDisplayName } = useSelectorDisplayName({
    subBlock,
    value: rawValue,
    workflowId,
-    credentialId: typeof credentialId === 'string' ? credentialId : undefined,
+    oauthCredential: typeof credentialId === 'string' ? credentialId : undefined,
    knowledgeBaseId: typeof knowledgeBaseId === 'string' ? knowledgeBaseId : undefined,
    domain: domainValue,
    teamId: teamIdValue,
    projectId: projectIdValue,
    planId: planIdValue,
+    baseId: baseIdValue,
+    datasetId: datasetIdValue,
+    serviceDeskId: serviceDeskIdValue,
+    siteId: siteIdValue,
+    collectionId: collectionIdValue,
+    spreadsheetId: spreadsheetIdValue,
+    fileId: fileIdValue,
  })

  const { knowledgeBase: kbForDisplayName } = useKnowledgeBase(
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts
@@ -20,7 +20,10 @@ import {
  TriggerUtils,
 } from '@/lib/workflows/triggers/triggers'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
-import { updateActiveBlockRefCount } from '@/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils'
+import {
+  markOutgoingEdgesFromOutput,
+  updateActiveBlockRefCount,
+} from '@/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils'
 import { getBlock } from '@/blocks'
 import type { SerializableExecutionState } from '@/executor/execution/types'
 import type {
@@ -63,7 +66,7 @@ interface DebugValidationResult {
 interface BlockEventHandlerConfig {
  workflowId?: string
  executionIdRef: { current: string }
-  workflowEdges: Array<{ id: string; target: string; sourceHandle?: string | null }>
+  workflowEdges: Array<{ id: string; source: string; target: string; sourceHandle?: string | null }>
  activeBlocksSet: Set<string>
  activeBlockRefCounts: Map<string, number>
  accumulatedBlockLogs: BlockLog[]
@@ -335,13 +338,9 @@ export function useWorkflowExecution() {
        setActiveBlocks(workflowId, new Set(activeBlocksSet))
      }

-      const markIncomingEdges = (blockId: string) => {
+      const markOutgoingEdges = (blockId: string, output: Record<string, any> | undefined) => {
        if (!workflowId) return
-        const incomingEdges = workflowEdges.filter((edge) => edge.target === blockId)
-        incomingEdges.forEach((edge) => {
-          const status = edge.sourceHandle === 'error' ? 'error' : 'success'
-          setEdgeRunStatus(workflowId, edge.id, status)
-        })
+        markOutgoingEdgesFromOutput(blockId, output, workflowEdges, workflowId, setEdgeRunStatus)
      }

      const isContainerBlockType = (blockType?: string) => {
@@ -460,7 +459,6 @@ export function useWorkflowExecution() {
      const onBlockStarted = (data: BlockStartedData) => {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, true)
-        markIncomingEdges(data.blockId)

        if (!includeStartConsoleEntry || !workflowId) return

@@ -487,6 +485,7 @@ export function useWorkflowExecution() {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, false)
        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'success')
+        markOutgoingEdges(data.blockId, data.output as Record<string, any> | undefined)
        executedBlockIds.add(data.blockId)
        accumulatedBlockStates.set(data.blockId, {
          output: data.output,
@@ -505,7 +504,9 @@ export function useWorkflowExecution() {
        }

        if (isContainerBlockType(data.blockType) && !data.iterationContainerId) {
-          return
+          const output = data.output as Record<string, any> | undefined
+          const isEmptySubflow = Array.isArray(output?.results) && output.results.length === 0
+          if (!isEmptySubflow) return
        }

        accumulatedBlockLogs.push(createBlockLogEntry(data, { success: true, output: data.output }))
@@ -527,6 +528,7 @@ export function useWorkflowExecution() {
        if (isStaleExecution()) return
        updateActiveBlocks(data.blockId, false)
        if (workflowId) setBlockRunStatus(workflowId, data.blockId, 'error')
+        markOutgoingEdges(data.blockId, { error: data.error })

        executedBlockIds.add(data.blockId)
        accumulatedBlockStates.set(data.blockId, {
@@ -1124,9 +1126,7 @@ export function useWorkflowExecution() {
      {} as typeof workflowBlocks
    )

-    const isExecutingFromChat =
-      overrideTriggerType === 'chat' ||
-      (workflowInput && typeof workflowInput === 'object' && 'input' in workflowInput)
+    const isExecutingFromChat = overrideTriggerType === 'chat'

    logger.info('Executing workflow', {
      isDiffMode: currentWorkflow.isDiffMode,
@@ -1495,8 +1495,13 @@ export function useWorkflowExecution() {
                : null
              if (activeWorkflowId && !workflowExecState?.isDebugging) {
                setExecutionResult(executionResult)
-                setIsExecuting(activeWorkflowId, false)
-                setActiveBlocks(activeWorkflowId, new Set())
+                // For chat executions, don't set isExecuting=false here — the chat's
+                // client-side stream wrapper still has buffered data to deliver.
+                // The chat's finally block handles cleanup after the stream is fully consumed.
+                if (!isExecutingFromChat) {
+                  setIsExecuting(activeWorkflowId, false)
+                  setActiveBlocks(activeWorkflowId, new Set())
+                }
                setTimeout(() => {
                  queryClient.invalidateQueries({ queryKey: subscriptionKeys.all })
                }, 1000)
@@ -1536,7 +1541,7 @@ export function useWorkflowExecution() {
                isPreExecutionError,
              })

-              if (activeWorkflowId) {
+              if (activeWorkflowId && !isExecutingFromChat) {
                setIsExecuting(activeWorkflowId, false)
                setIsDebugging(activeWorkflowId, false)
                setActiveBlocks(activeWorkflowId, new Set())
@@ -1562,7 +1567,7 @@ export function useWorkflowExecution() {
                durationMs: data?.duration,
              })

-              if (activeWorkflowId) {
+              if (activeWorkflowId && !isExecutingFromChat) {
                setIsExecuting(activeWorkflowId, false)
                setIsDebugging(activeWorkflowId, false)
                setActiveBlocks(activeWorkflowId, new Set())
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/block-protection-utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/block-protection-utils.ts
@@ -1,4 +1,7 @@
 import type { BlockState } from '@/stores/workflows/workflow/types'
+import { isAncestorProtected, isBlockProtected } from '@/stores/workflows/workflow/utils'
+
+export { isAncestorProtected, isBlockProtected }

 /**
 * Result of filtering protected blocks from a deletion operation
@@ -12,28 +15,6 @@ export interface FilterProtectedBlocksResult {
  allProtected: boolean
 }

-/**
- * Checks if a block is protected from editing/deletion.
- * A block is protected if it is locked or if its parent container is locked.
- *
- * @param blockId - The ID of the block to check
- * @param blocks - Record of all blocks in the workflow
- * @returns True if the block is protected
- */
-export function isBlockProtected(blockId: string, blocks: Record<string, BlockState>): boolean {
-  const block = blocks[blockId]
-  if (!block) return false
-
-  // Block is locked directly
-  if (block.locked) return true
-
-  // Block is inside a locked container
-  const parentId = block.data?.parentId
-  if (parentId && blocks[parentId]?.locked) return true
-
-  return false
-}
-
 /**
 * Checks if an edge is protected from modification.
 * An edge is protected only if its target block is protected.
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/utils/workflow-execution-utils.ts
@@ -29,6 +29,62 @@ export function updateActiveBlockRefCount(
  }
 }

+/**
+ * Determines if a workflow edge should be marked as active based on its handle and the block output.
+ * Mirrors the executor's EdgeManager.shouldActivateEdge logic on the client side.
+ * Exclude sentinel handles here
+ */
+function shouldActivateEdgeClient(
+  handle: string | null | undefined,
+  output: Record<string, any> | undefined
+): boolean {
+  if (!handle) return true
+
+  if (handle.startsWith('condition-')) {
+    return output?.selectedOption === handle.substring('condition-'.length)
+  }
+
+  if (handle.startsWith('router-')) {
+    return output?.selectedRoute === handle.substring('router-'.length)
+  }
+
+  switch (handle) {
+    case 'error':
+      return !!output?.error
+    case 'source':
+      return !output?.error
+    case 'loop-start-source':
+    case 'loop-end-source':
+    case 'parallel-start-source':
+    case 'parallel-end-source':
+      return true
+    default:
+      return true
+  }
+}
+
+export function markOutgoingEdgesFromOutput(
+  blockId: string,
+  output: Record<string, any> | undefined,
+  workflowEdges: Array<{
+    id: string
+    source: string
+    target: string
+    sourceHandle?: string | null
+  }>,
+  workflowId: string,
+  setEdgeRunStatus: (wfId: string, edgeId: string, status: 'success' | 'error') => void
+): void {
+  const outgoing = workflowEdges.filter((edge) => edge.source === blockId)
+  for (const edge of outgoing) {
+    const handle = edge.sourceHandle
+    if (shouldActivateEdgeClient(handle, output)) {
+      const status = handle === 'error' ? 'error' : output?.error ? 'error' : 'success'
+      setEdgeRunStatus(workflowId, edge.id, status)
+    }
+  }
+}
+
 export interface WorkflowExecutionOptions {
  workflowInput?: any
  onStream?: (se: StreamingExecution) => Promise<void>
@@ -135,13 +191,6 @@ export async function executeWorkflowWithFullLogging(
                true
              )
              setActiveBlocks(wfId, new Set(activeBlocksSet))
-
-              const incomingEdges = workflowEdges.filter(
-                (edge) => edge.target === event.data.blockId
-              )
-              incomingEdges.forEach((edge) => {
-                setEdgeRunStatus(wfId, edge.id, 'success')
-              })
              break
            }

@@ -155,6 +204,13 @@ export async function executeWorkflowWithFullLogging(
              setActiveBlocks(wfId, new Set(activeBlocksSet))

              setBlockRunStatus(wfId, event.data.blockId, 'success')
+              markOutgoingEdgesFromOutput(
+                event.data.blockId,
+                event.data.output,
+                workflowEdges,
+                wfId,
+                setEdgeRunStatus
+              )

              addConsole({
                input: event.data.input || {},
@@ -194,6 +250,13 @@ export async function executeWorkflowWithFullLogging(
              setActiveBlocks(wfId, new Set(activeBlocksSet))

              setBlockRunStatus(wfId, event.data.blockId, 'error')
+              markOutgoingEdgesFromOutput(
+                event.data.blockId,
+                { error: event.data.error },
+                workflowEdges,
+                wfId,
+                setEdgeRunStatus
+              )

              addConsole({
                input: event.data.input || {},
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
@@ -196,17 +196,14 @@ const edgeTypes: EdgeTypes = {
 const defaultEdgeOptions = { type: 'custom' }

 const reactFlowStyles = [
-  'bg-[var(--bg)]',
  '[&_.react-flow__edges]:!z-0',
  '[&_.react-flow__node]:z-[21]',
  '[&_.react-flow__handle]:!z-[30]',
-  '[&_.react-flow__edge-labels]:!z-[60]',
-  '[&_.react-flow__pane]:!bg-[var(--bg)]',
+  '[&_.react-flow__edge-labels]:!z-[1001]',
  '[&_.react-flow__pane]:select-none',
  '[&_.react-flow__selectionpane]:select-none',
-  '[&_.react-flow__renderer]:!bg-[var(--bg)]',
-  '[&_.react-flow__viewport]:!bg-[var(--bg)]',
  '[&_.react-flow__background]:hidden',
+  '[&_.react-flow__node-subflowNode.selected]:!shadow-none',
 ].join(' ')
 const reactFlowFitViewOptions = { padding: 0.6, maxZoom: 1.0 } as const
 const reactFlowProOptions = { hideAttribution: true } as const
@@ -2412,6 +2409,12 @@ const WorkflowContent = React.memo(() => {
      const nodeType = block.type === 'note' ? 'noteBlock' : 'workflowBlock'
      const dragHandle = block.type === 'note' ? '.note-drag-handle' : '.workflow-drag-handle'

+      // Compute zIndex for blocks inside containers so they render above the
+      // parent subflow's interactive body area (which needs pointer-events for
+      // click-to-select). Container nodes use zIndex: depth (0, 1, 2...),
+      // so child blocks use a baseline that is always above any container.
+      const childZIndex = block.data?.parentId ? 1000 : undefined
+
      // Create stable node object - React Flow will handle shallow comparison
      nodeArray.push({
        id: block.id,
@@ -2420,6 +2423,7 @@ const WorkflowContent = React.memo(() => {
        parentId: block.data?.parentId,
        dragHandle,
        draggable: !isBlockProtected(block.id, blocks),
+        ...(childZIndex !== undefined && { zIndex: childZIndex }),
        extent: (() => {
          // Clamp children to subflow body (exclude header)
          const parentId = block.data?.parentId as string | undefined
@@ -3768,21 +3772,20 @@ const WorkflowContent = React.memo(() => {
  return (
    <div className='flex h-full w-full flex-col overflow-hidden'>
      <div className='relative h-full w-full flex-1'>
-        {/* Loading spinner - always mounted, animation paused when hidden to avoid overhead */}
-        <div
-          className={`absolute inset-0 z-[5] flex items-center justify-center bg-[var(--bg)] transition-opacity duration-150 ${isWorkflowReady ? 'pointer-events-none opacity-0' : 'opacity-100'}`}
-        >
-          <div
-            className={`h-[18px] w-[18px] rounded-full ${isWorkflowReady ? '' : 'animate-spin'}`}
-            style={{
-              background:
-                'conic-gradient(from 0deg, hsl(var(--muted-foreground)) 0deg 120deg, transparent 120deg 180deg, hsl(var(--muted-foreground)) 180deg 300deg, transparent 300deg 360deg)',
-              mask: 'radial-gradient(farthest-side, transparent calc(100% - 1.5px), black calc(100% - 1.5px))',
-              WebkitMask:
-                'radial-gradient(farthest-side, transparent calc(100% - 1.5px), black calc(100% - 1.5px))',
-            }}
-          />
-        </div>
+        {!isWorkflowReady && (
+          <div className='absolute inset-0 z-[5] flex items-center justify-center bg-[var(--bg)]'>
+            <div
+              className='h-[18px] w-[18px] animate-spin rounded-full'
+              style={{
+                background:
+                  'conic-gradient(from 0deg, hsl(var(--muted-foreground)) 0deg 120deg, transparent 120deg 180deg, hsl(var(--muted-foreground)) 180deg 300deg, transparent 300deg 360deg)',
+                mask: 'radial-gradient(farthest-side, transparent calc(100% - 1.5px), black calc(100% - 1.5px))',
+                WebkitMask:
+                  'radial-gradient(farthest-side, transparent calc(100% - 1.5px), black calc(100% - 1.5px))',
+              }}
+            />
+          </div>
+        )}

        {isWorkflowReady && (
          <>
@@ -3835,7 +3838,7 @@ const WorkflowContent = React.memo(() => {
              noWheelClassName='allow-scroll'
              edgesFocusable={true}
              edgesUpdatable={effectivePermissions.canEdit}
-              className={`workflow-container h-full transition-opacity duration-150 ${reactFlowStyles} ${isCanvasReady ? 'opacity-100' : 'opacity-0'} ${isHandMode ? 'canvas-mode-hand' : 'canvas-mode-cursor'}`}
+              className={`workflow-container h-full bg-[var(--bg)] transition-opacity duration-150 ${reactFlowStyles} ${isCanvasReady ? 'opacity-100' : 'opacity-0'} ${isHandMode ? 'canvas-mode-hand' : 'canvas-mode-cursor'}`}
              onNodeDrag={effectivePermissions.canEdit ? onNodeDrag : undefined}
              onNodeDragStop={effectivePermissions.canEdit ? onNodeDragStop : undefined}
              onSelectionDragStart={effectivePermissions.canEdit ? onSelectionDragStart : undefined}
@@ -3847,7 +3850,7 @@ const WorkflowContent = React.memo(() => {
              elevateEdgesOnSelect={true}
              onlyRenderVisibleElements={false}
              deleteKeyCode={null}
-              elevateNodesOnSelect={true}
+              elevateNodesOnSelect={false}
              autoPanOnConnect={effectivePermissions.canEdit}
              autoPanOnNodeDrag={effectivePermissions.canEdit}
            />
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-workflow/preview-workflow.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-workflow/preview-workflow.tsx
@@ -145,7 +145,7 @@ interface PreviewWorkflowProps {
  /** Cursor style to show when hovering the canvas */
  cursorStyle?: 'default' | 'pointer' | 'grab'
  /** Map of executed block IDs to their status for highlighting the execution path */
-  executedBlocks?: Record<string, { status: string }>
+  executedBlocks?: Record<string, { status: string; output?: unknown }>
  /** Currently selected block ID for highlighting */
  selectedBlockId?: string | null
  /** Skips expensive subblock computations for thumbnails/template previews */
@@ -274,9 +274,9 @@ export function PreviewWorkflow({

  /** Maps base block IDs to execution data, handling parallel iteration variants (blockId₍n₎). */
  const blockExecutionMap = useMemo(() => {
-    if (!executedBlocks) return new Map<string, { status: string }>()
+    if (!executedBlocks) return new Map<string, { status: string; output?: unknown }>()

-    const map = new Map<string, { status: string }>()
+    const map = new Map<string, { status: string; output?: unknown }>()
    for (const [key, value] of Object.entries(executedBlocks)) {
      // Extract base ID (remove iteration suffix like ₍0₎)
      const baseId = key.includes('₍') ? key.split('₍')[0] : key
@@ -451,7 +451,6 @@ export function PreviewWorkflow({
  const edges: Edge[] = useMemo(() => {
    if (!isValidWorkflowState) return []

-    /** Edge is green if target executed and source condition met by edge type. */
    const getEdgeExecutionStatus = (edge: {
      source: string
      target: string
@@ -463,17 +462,40 @@ export function PreviewWorkflow({
      if (!targetStatus?.executed) return 'not-executed'

      const sourceStatus = getBlockExecutionStatus(edge.source)
-      const { sourceHandle } = edge
+      if (!sourceStatus?.executed) return 'not-executed'

-      if (sourceHandle === 'error') {
-        return sourceStatus?.status === 'error' ? 'success' : 'not-executed'
+      const handle = edge.sourceHandle
+      if (!handle) {
+        return sourceStatus.status === 'success' ? 'success' : 'not-executed'
      }

-      if (sourceHandle === 'loop-start-source' || sourceHandle === 'parallel-start-source') {
-        return 'success'
+      const sourceOutput = blockExecutionMap.get(edge.source)?.output as
+        | Record<string, any>
+        | undefined
+
+      if (handle.startsWith('condition-')) {
+        const conditionValue = handle.substring('condition-'.length)
+        return sourceOutput?.selectedOption === conditionValue ? 'success' : 'not-executed'
      }

-      return sourceStatus?.status === 'success' ? 'success' : 'not-executed'
+      if (handle.startsWith('router-')) {
+        const routeId = handle.substring('router-'.length)
+        return sourceOutput?.selectedRoute === routeId ? 'success' : 'not-executed'
+      }
+
+      switch (handle) {
+        case 'error':
+          return sourceStatus.status === 'error' ? 'error' : 'not-executed'
+        case 'source':
+          return sourceStatus.status === 'success' ? 'success' : 'not-executed'
+        case 'loop-start-source':
+        case 'loop-end-source':
+        case 'parallel-start-source':
+        case 'parallel-end-source':
+          return 'success'
+        default:
+          return sourceStatus.status === 'success' ? 'success' : 'not-executed'
+      }
    }

    return (workflowState.edges || []).map((edge) => {
--- a/apps/sim/blocks/blocks.test.ts
+++ b/apps/sim/blocks/blocks.test.ts
@@ -667,15 +667,18 @@ describe.concurrent('Blocks Module', () => {
      const errors: string[] = []

      for (const block of blocks) {
-        const allSubBlockIds = new Set(block.subBlocks.map((sb) => sb.id))
+        // Exclude trigger-mode subBlocks — they operate in a separate rendering context
+        // and their IDs don't participate in canonical param resolution
+        const nonTriggerSubBlocks = block.subBlocks.filter((sb) => sb.mode !== 'trigger')
+        const allSubBlockIds = new Set(nonTriggerSubBlocks.map((sb) => sb.id))
        const canonicalParamIds = new Set(
-          block.subBlocks.filter((sb) => sb.canonicalParamId).map((sb) => sb.canonicalParamId)
+          nonTriggerSubBlocks.filter((sb) => sb.canonicalParamId).map((sb) => sb.canonicalParamId)
        )

        for (const canonicalId of canonicalParamIds) {
          if (allSubBlockIds.has(canonicalId!)) {
            // Check if the matching subBlock also has a canonicalParamId pointing to itself
-            const matchingSubBlock = block.subBlocks.find(
+            const matchingSubBlock = nonTriggerSubBlocks.find(
              (sb) => sb.id === canonicalId && !sb.canonicalParamId
            )
            if (matchingSubBlock) {
@@ -857,6 +860,10 @@ describe.concurrent('Blocks Module', () => {
            if (typeof subBlock.condition === 'function') {
              continue
            }
+            // Skip trigger-mode subBlocks — they operate in a separate rendering context
+            if (subBlock.mode === 'trigger') {
+              continue
+            }
            const conditionKey = serializeCondition(subBlock.condition)
            if (!canonicalByCondition.has(subBlock.canonicalParamId)) {
              canonicalByCondition.set(subBlock.canonicalParamId, new Set())
--- a/apps/sim/blocks/blocks/agent.ts
+++ b/apps/sim/blocks/blocks/agent.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { AgentIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { getApiKeyCondition, getModelOptions } from '@/blocks/utils'
@@ -128,7 +129,7 @@ Return ONLY the JSON array.`,
      serviceId: 'vertex-ai',
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
-      requiredScopes: ['https://www.googleapis.com/auth/cloud-platform'],
+      requiredScopes: getScopesForService('vertex-ai'),
      placeholder: 'Select Google Cloud account',
      required: true,
      condition: {
--- a/apps/sim/blocks/blocks/airtable.ts
+++ b/apps/sim/blocks/blocks/airtable.ts
@@ -1,4 +1,5 @@
 import { AirtableIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { AirtableResponse } from '@/tools/airtable/types'
@@ -38,13 +39,7 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'airtable',
-      requiredScopes: [
-        'data.records:read',
-        'data.records:write',
-        'schema.bases:read',
-        'user.email:read',
-        'webhook:manage',
-      ],
+      requiredScopes: getScopesForService('airtable'),
      placeholder: 'Select Airtable account',
      required: true,
    },
@@ -57,21 +52,51 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
      placeholder: 'Enter credential ID',
      required: true,
    },
+    {
+      id: 'baseSelector',
+      title: 'Base',
+      type: 'project-selector',
+      canonicalParamId: 'baseId',
+      serviceId: 'airtable',
+      selectorKey: 'airtable.bases',
+      selectorAllowSearch: false,
+      placeholder: 'Select Airtable base',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: { field: 'operation', value: 'listBases', not: true },
+      required: { field: 'operation', value: 'listBases', not: true },
+    },
    {
      id: 'baseId',
      title: 'Base ID',
      type: 'short-input',
+      canonicalParamId: 'baseId',
      placeholder: 'Enter your base ID (e.g., appXXXXXXXXXXXXXX)',
-      dependsOn: ['credential'],
+      mode: 'advanced',
      condition: { field: 'operation', value: 'listBases', not: true },
      required: { field: 'operation', value: 'listBases', not: true },
    },
+    {
+      id: 'tableSelector',
+      title: 'Table',
+      type: 'file-selector',
+      canonicalParamId: 'tableId',
+      serviceId: 'airtable',
+      selectorKey: 'airtable.tables',
+      selectorAllowSearch: false,
+      placeholder: 'Select Airtable table',
+      dependsOn: ['credential', 'baseSelector'],
+      mode: 'basic',
+      condition: { field: 'operation', value: ['listBases', 'listTables'], not: true },
+      required: { field: 'operation', value: ['listBases', 'listTables'], not: true },
+    },
    {
      id: 'tableId',
      title: 'Table ID',
      type: 'short-input',
+      canonicalParamId: 'tableId',
      placeholder: 'Enter table ID (e.g., tblXXXXXXXXXXXXXX)',
-      dependsOn: ['credential', 'baseId'],
+      mode: 'advanced',
      condition: { field: 'operation', value: ['listBases', 'listTables'], not: true },
      required: { field: 'operation', value: ['listBases', 'listTables'], not: true },
    },
--- a/apps/sim/blocks/blocks/asana.ts
+++ b/apps/sim/blocks/blocks/asana.ts
@@ -1,4 +1,5 @@
 import { AsanaIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { AsanaResponse } from '@/tools/asana/types'
@@ -36,7 +37,7 @@ export const AsanaBlock: BlockConfig<AsanaResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'asana',
-      requiredScopes: ['default'],
+      requiredScopes: getScopesForService('asana'),
      placeholder: 'Select Asana account',
    },
    {
@@ -48,12 +49,31 @@ export const AsanaBlock: BlockConfig<AsanaResponse> = {
      placeholder: 'Enter credential ID',
      required: true,
    },
+    {
+      id: 'workspaceSelector',
+      title: 'Workspace',
+      type: 'project-selector',
+      canonicalParamId: 'workspace',
+      serviceId: 'asana',
+      selectorKey: 'asana.workspaces',
+      selectorAllowSearch: false,
+      placeholder: 'Select Asana workspace',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['create_task', 'get_projects', 'search_tasks'],
+      },
+      required: true,
+    },
    {
      id: 'workspace',
      title: 'Workspace GID',
      type: 'short-input',
+      canonicalParamId: 'workspace',
      required: true,
      placeholder: 'Enter Asana workspace GID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['create_task', 'get_projects', 'search_tasks'],
@@ -81,11 +101,29 @@ export const AsanaBlock: BlockConfig<AsanaResponse> = {
        value: ['update_task', 'add_comment'],
      },
    },
+    {
+      id: 'getTasksWorkspaceSelector',
+      title: 'Workspace',
+      type: 'project-selector',
+      canonicalParamId: 'getTasks_workspace',
+      serviceId: 'asana',
+      selectorKey: 'asana.workspaces',
+      selectorAllowSearch: false,
+      placeholder: 'Select Asana workspace',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['get_task'],
+      },
+    },
    {
      id: 'getTasks_workspace',
      title: 'Workspace GID',
      type: 'short-input',
+      canonicalParamId: 'getTasks_workspace',
      placeholder: 'Enter workspace GID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['get_task'],
--- a/apps/sim/blocks/blocks/attio.ts
+++ b/apps/sim/blocks/blocks/attio.ts
@@ -86,11 +86,47 @@ export const AttioBlock: BlockConfig<AttioResponse> = {
    },

    // Record fields
+    {
+      id: 'objectTypeSelector',
+      title: 'Object Type',
+      type: 'project-selector',
+      canonicalParamId: 'objectType',
+      serviceId: 'attio',
+      selectorKey: 'attio.objects',
+      selectorAllowSearch: false,
+      placeholder: 'Select object type',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: [
+          'list_records',
+          'get_record',
+          'create_record',
+          'update_record',
+          'delete_record',
+          'assert_record',
+        ],
+      },
+      required: {
+        field: 'operation',
+        value: [
+          'list_records',
+          'get_record',
+          'create_record',
+          'update_record',
+          'delete_record',
+          'assert_record',
+        ],
+      },
+    },
    {
      id: 'objectType',
      title: 'Object Type',
      type: 'short-input',
+      canonicalParamId: 'objectType',
      placeholder: 'e.g. people, companies',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: [
@@ -524,11 +560,49 @@ Return ONLY the JSON array. No explanations, no markdown, no extra text.
    },

    // List fields
+    {
+      id: 'listSelector',
+      title: 'List',
+      type: 'project-selector',
+      canonicalParamId: 'listIdOrSlug',
+      serviceId: 'attio',
+      selectorKey: 'attio.lists',
+      selectorAllowSearch: false,
+      placeholder: 'Select Attio list',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: [
+          'get_list',
+          'update_list',
+          'query_list_entries',
+          'get_list_entry',
+          'create_list_entry',
+          'update_list_entry',
+          'delete_list_entry',
+        ],
+      },
+      required: {
+        field: 'operation',
+        value: [
+          'get_list',
+          'update_list',
+          'query_list_entries',
+          'get_list_entry',
+          'create_list_entry',
+          'update_list_entry',
+          'delete_list_entry',
+        ],
+      },
+    },
    {
      id: 'listIdOrSlug',
      title: 'List ID or Slug',
      type: 'short-input',
+      canonicalParamId: 'listIdOrSlug',
      placeholder: 'Enter the list ID or slug',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: [
--- a/apps/sim/blocks/blocks/calcom.ts
+++ b/apps/sim/blocks/blocks/calcom.ts
@@ -65,11 +65,30 @@ export const CalComBlock: BlockConfig<ToolResponse> = {
    },

    // === Create Booking fields ===
+    {
+      id: 'eventTypeSelector',
+      title: 'Event Type',
+      type: 'project-selector',
+      canonicalParamId: 'eventTypeId',
+      serviceId: 'calcom',
+      selectorKey: 'calcom.eventTypes',
+      selectorAllowSearch: false,
+      placeholder: 'Select event type',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['calcom_create_booking', 'calcom_get_slots'],
+      },
+      required: { field: 'operation', value: 'calcom_create_booking' },
+    },
    {
      id: 'eventTypeId',
      title: 'Event Type ID',
      type: 'short-input',
+      canonicalParamId: 'eventTypeId',
      placeholder: 'Enter event type ID (number)',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['calcom_create_booking', 'calcom_get_slots'],
@@ -261,11 +280,33 @@ Return ONLY the IANA timezone string - no explanations or quotes.`,
    },

    // === Event Type fields ===
+    {
+      id: 'eventTypeParamSelector',
+      title: 'Event Type',
+      type: 'project-selector',
+      canonicalParamId: 'eventTypeIdParam',
+      serviceId: 'calcom',
+      selectorKey: 'calcom.eventTypes',
+      selectorAllowSearch: false,
+      placeholder: 'Select event type',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['calcom_get_event_type', 'calcom_update_event_type', 'calcom_delete_event_type'],
+      },
+      required: {
+        field: 'operation',
+        value: ['calcom_get_event_type', 'calcom_update_event_type', 'calcom_delete_event_type'],
+      },
+    },
    {
      id: 'eventTypeIdParam',
      title: 'Event Type ID',
      type: 'short-input',
+      canonicalParamId: 'eventTypeIdParam',
      placeholder: 'Enter event type ID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['calcom_get_event_type', 'calcom_update_event_type', 'calcom_delete_event_type'],
@@ -364,10 +405,27 @@ Return ONLY the IANA timezone string - no explanations or quotes.`,
      },
      mode: 'advanced',
    },
+    {
+      id: 'eventTypeScheduleSelector',
+      title: 'Schedule',
+      type: 'project-selector',
+      canonicalParamId: 'eventTypeScheduleId',
+      serviceId: 'calcom',
+      selectorKey: 'calcom.schedules',
+      selectorAllowSearch: false,
+      placeholder: 'Select schedule',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['calcom_create_event_type', 'calcom_update_event_type'],
+      },
+    },
    {
      id: 'eventTypeScheduleId',
      title: 'Schedule ID',
      type: 'short-input',
+      canonicalParamId: 'eventTypeScheduleId',
      placeholder: 'Assign to a specific schedule',
      condition: {
        field: 'operation',
@@ -388,11 +446,33 @@ Return ONLY the IANA timezone string - no explanations or quotes.`,
    },

    // === Schedule fields ===
+    {
+      id: 'scheduleSelector',
+      title: 'Schedule',
+      type: 'project-selector',
+      canonicalParamId: 'scheduleId',
+      serviceId: 'calcom',
+      selectorKey: 'calcom.schedules',
+      selectorAllowSearch: false,
+      placeholder: 'Select schedule',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['calcom_get_schedule', 'calcom_update_schedule', 'calcom_delete_schedule'],
+      },
+      required: {
+        field: 'operation',
+        value: ['calcom_get_schedule', 'calcom_update_schedule', 'calcom_delete_schedule'],
+      },
+    },
    {
      id: 'scheduleId',
      title: 'Schedule ID',
      type: 'short-input',
+      canonicalParamId: 'scheduleId',
      placeholder: 'Enter schedule ID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['calcom_get_schedule', 'calcom_update_schedule', 'calcom_delete_schedule'],
@@ -771,7 +851,10 @@ Return ONLY valid JSON - no explanations.`,
    cancellationReason: { type: 'string', description: 'Reason for cancellation' },
    reschedulingReason: { type: 'string', description: 'Reason for rescheduling' },
    bookingStatus: { type: 'string', description: 'Filter by booking status' },
-    eventTypeIdParam: { type: 'number', description: 'Event type ID for get/update/delete' },
+    eventTypeIdParam: {
+      type: 'number',
+      description: 'Event type ID for get/update/delete',
+    },
    title: { type: 'string', description: 'Event type title' },
    slug: { type: 'string', description: 'URL-friendly slug' },
    eventLength: { type: 'number', description: 'Event duration in minutes' },
--- a/apps/sim/blocks/blocks/confluence.ts
+++ b/apps/sim/blocks/blocks/confluence.ts
@@ -1,4 +1,5 @@
 import { ConfluenceIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -55,37 +56,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'confluence',
-      requiredScopes: [
-        'read:confluence-content.all',
-        'read:confluence-space.summary',
-        'read:space:confluence',
-        'read:space-details:confluence',
-        'write:confluence-content',
-        'write:confluence-space',
-        'write:confluence-file',
-        'read:content:confluence',
-        'read:page:confluence',
-        'write:page:confluence',
-        'read:comment:confluence',
-        'write:comment:confluence',
-        'delete:comment:confluence',
-        'read:attachment:confluence',
-        'write:attachment:confluence',
-        'delete:attachment:confluence',
-        'delete:page:confluence',
-        'read:label:confluence',
-        'write:label:confluence',
-        'search:confluence',
-        'read:me',
-        'offline_access',
-        'read:blogpost:confluence',
-        'write:blogpost:confluence',
-        'read:content.property:confluence',
-        'write:content.property:confluence',
-        'read:hierarchical-content:confluence',
-        'read:content.metadata:confluence',
-        'read:user:confluence',
-      ],
+      requiredScopes: getScopesForService('confluence'),
      placeholder: 'Select Confluence account',
      required: true,
    },
@@ -464,45 +435,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'confluence',
-      requiredScopes: [
-        'read:confluence-content.all',
-        'read:confluence-space.summary',
-        'read:space:confluence',
-        'read:space-details:confluence',
-        'write:confluence-content',
-        'write:confluence-space',
-        'write:confluence-file',
-        'read:content:confluence',
-        'read:page:confluence',
-        'write:page:confluence',
-        'read:comment:confluence',
-        'write:comment:confluence',
-        'delete:comment:confluence',
-        'read:attachment:confluence',
-        'write:attachment:confluence',
-        'delete:attachment:confluence',
-        'delete:page:confluence',
-        'read:label:confluence',
-        'write:label:confluence',
-        'search:confluence',
-        'read:me',
-        'offline_access',
-        'read:blogpost:confluence',
-        'write:blogpost:confluence',
-        'read:content.property:confluence',
-        'write:content.property:confluence',
-        'read:hierarchical-content:confluence',
-        'read:content.metadata:confluence',
-        'read:user:confluence',
-        'read:task:confluence',
-        'write:task:confluence',
-        'delete:blogpost:confluence',
-        'write:space:confluence',
-        'delete:space:confluence',
-        'read:space.property:confluence',
-        'write:space.property:confluence',
-        'read:space.permission:confluence',
-      ],
+      requiredScopes: getScopesForService('confluence'),
      placeholder: 'Select Confluence account',
      required: true,
    },
@@ -645,11 +578,44 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
        ],
      },
    },
+    {
+      id: 'spaceSelector',
+      title: 'Space',
+      type: 'project-selector',
+      canonicalParamId: 'spaceId',
+      serviceId: 'confluence',
+      selectorKey: 'confluence.spaces',
+      selectorAllowSearch: false,
+      placeholder: 'Select Confluence space',
+      dependsOn: ['credential', 'domain'],
+      mode: 'basic',
+      required: true,
+      condition: {
+        field: 'operation',
+        value: [
+          'create',
+          'get_space',
+          'update_space',
+          'delete_space',
+          'list_pages_in_space',
+          'search_in_space',
+          'create_blogpost',
+          'list_blogposts_in_space',
+          'list_space_labels',
+          'list_space_permissions',
+          'list_space_properties',
+          'create_space_property',
+          'delete_space_property',
+        ],
+      },
+    },
    {
      id: 'spaceId',
      title: 'Space ID',
      type: 'short-input',
+      canonicalParamId: 'spaceId',
      placeholder: 'Enter Confluence space ID',
+      mode: 'advanced',
      required: true,
      condition: {
        field: 'operation',
@@ -1250,7 +1216,6 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
          ...rest
        } = params

-        // Use canonical param (serializer already handles basic/advanced mode)
        const effectivePageId = pageId ? String(pageId).trim() : ''

        if (operation === 'add_label') {
@@ -1511,7 +1476,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
    operation: { type: 'string', description: 'Operation to perform' },
    domain: { type: 'string', description: 'Confluence domain' },
    oauthCredential: { type: 'string', description: 'Confluence access token' },
-    pageId: { type: 'string', description: 'Page identifier (canonical param)' },
+    pageId: { type: 'string', description: 'Page identifier' },
    spaceId: { type: 'string', description: 'Space identifier' },
    blogPostId: { type: 'string', description: 'Blog post identifier' },
    versionNumber: { type: 'number', description: 'Page version number' },
--- a/apps/sim/blocks/blocks/dropbox.ts
+++ b/apps/sim/blocks/blocks/dropbox.ts
@@ -1,4 +1,5 @@
 import { DropboxIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -41,15 +42,7 @@ export const DropboxBlock: BlockConfig<DropboxResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'dropbox',
-      requiredScopes: [
-        'account_info.read',
-        'files.metadata.read',
-        'files.metadata.write',
-        'files.content.read',
-        'files.content.write',
-        'sharing.read',
-        'sharing.write',
-      ],
+      requiredScopes: getScopesForService('dropbox'),
      placeholder: 'Select Dropbox account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/gmail.ts
+++ b/apps/sim/blocks/blocks/gmail.ts
@@ -1,4 +1,5 @@
 import { GmailIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { createVersionedToolSelector, normalizeFileInput } from '@/blocks/utils'
@@ -79,11 +80,7 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'gmail',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/gmail.send',
-        'https://www.googleapis.com/auth/gmail.modify',
-        'https://www.googleapis.com/auth/gmail.labels',
-      ],
+      requiredScopes: getScopesForService('gmail'),
      placeholder: 'Select Gmail account',
      required: true,
    },
@@ -222,7 +219,7 @@ Return ONLY the email body - no explanations, no extra text.`,
      canonicalParamId: 'folder',
      serviceId: 'gmail',
      selectorKey: 'gmail.labels',
-      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
+      requiredScopes: getScopesForService('gmail'),
      placeholder: 'Select Gmail label/folder',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -303,7 +300,7 @@ Return ONLY the search query - no explanations, no extra text.`,
      canonicalParamId: 'addLabelIds',
      serviceId: 'gmail',
      selectorKey: 'gmail.labels',
-      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
+      requiredScopes: getScopesForService('gmail'),
      placeholder: 'Select destination label',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -329,7 +326,7 @@ Return ONLY the search query - no explanations, no extra text.`,
      canonicalParamId: 'removeLabelIds',
      serviceId: 'gmail',
      selectorKey: 'gmail.labels',
-      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
+      requiredScopes: getScopesForService('gmail'),
      placeholder: 'Select label to remove',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -382,7 +379,7 @@ Return ONLY the search query - no explanations, no extra text.`,
      canonicalParamId: 'manageLabelId',
      serviceId: 'gmail',
      selectorKey: 'gmail.labels',
-      requiredScopes: ['https://www.googleapis.com/auth/gmail.labels'],
+      requiredScopes: getScopesForService('gmail'),
      placeholder: 'Select label',
      dependsOn: ['credential'],
      mode: 'basic',
--- a/apps/sim/blocks/blocks/google_bigquery.ts
+++ b/apps/sim/blocks/blocks/google_bigquery.ts
@@ -1,4 +1,5 @@
 import { GoogleBigQueryIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'

@@ -36,7 +37,7 @@ export const GoogleBigQueryBlock: BlockConfig = {
      mode: 'basic',
      required: true,
      serviceId: 'google-bigquery',
-      requiredScopes: ['https://www.googleapis.com/auth/bigquery'],
+      requiredScopes: getScopesForService('google-bigquery'),
      placeholder: 'Select Google account',
    },
    {
@@ -109,20 +110,52 @@ Return ONLY the SQL query - no explanations, no quotes, no extra text.`,
      condition: { field: 'operation', value: 'query' },
    },

+    {
+      id: 'datasetSelector',
+      title: 'Dataset',
+      type: 'project-selector',
+      canonicalParamId: 'datasetId',
+      serviceId: 'google-bigquery',
+      selectorKey: 'bigquery.datasets',
+      selectorAllowSearch: false,
+      placeholder: 'Select BigQuery dataset',
+      dependsOn: ['credential', 'projectId'],
+      mode: 'basic',
+      condition: { field: 'operation', value: ['list_tables', 'get_table', 'insert_rows'] },
+      required: { field: 'operation', value: ['list_tables', 'get_table', 'insert_rows'] },
+    },
    {
      id: 'datasetId',
      title: 'Dataset ID',
      type: 'short-input',
+      canonicalParamId: 'datasetId',
      placeholder: 'Enter BigQuery dataset ID',
+      mode: 'advanced',
      condition: { field: 'operation', value: ['list_tables', 'get_table', 'insert_rows'] },
      required: { field: 'operation', value: ['list_tables', 'get_table', 'insert_rows'] },
    },

+    {
+      id: 'tableSelector',
+      title: 'Table',
+      type: 'file-selector',
+      canonicalParamId: 'tableId',
+      serviceId: 'google-bigquery',
+      selectorKey: 'bigquery.tables',
+      selectorAllowSearch: false,
+      placeholder: 'Select BigQuery table',
+      dependsOn: ['credential', 'projectId', 'datasetSelector'],
+      mode: 'basic',
+      condition: { field: 'operation', value: ['get_table', 'insert_rows'] },
+      required: { field: 'operation', value: ['get_table', 'insert_rows'] },
+    },
    {
      id: 'tableId',
      title: 'Table ID',
      type: 'short-input',
+      canonicalParamId: 'tableId',
      placeholder: 'Enter BigQuery table ID',
+      mode: 'advanced',
      condition: { field: 'operation', value: ['get_table', 'insert_rows'] },
      required: { field: 'operation', value: ['get_table', 'insert_rows'] },
    },
--- a/apps/sim/blocks/blocks/google_calendar.ts
+++ b/apps/sim/blocks/blocks/google_calendar.ts
@@ -1,4 +1,5 @@
 import { GoogleCalendarIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { createVersionedToolSelector } from '@/blocks/utils'
@@ -43,7 +44,7 @@ export const GoogleCalendarBlock: BlockConfig<GoogleCalendarResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-calendar',
-      requiredScopes: ['https://www.googleapis.com/auth/calendar'],
+      requiredScopes: getScopesForService('google-calendar'),
      placeholder: 'Select Google Calendar account',
    },
    {
@@ -64,7 +65,7 @@ export const GoogleCalendarBlock: BlockConfig<GoogleCalendarResponse> = {
      serviceId: 'google-calendar',
      selectorKey: 'google.calendar',
      selectorAllowSearch: false,
-      requiredScopes: ['https://www.googleapis.com/auth/calendar'],
+      requiredScopes: getScopesForService('google-calendar'),
      placeholder: 'Select calendar',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -330,7 +331,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      serviceId: 'google-calendar',
      selectorKey: 'google.calendar',
      selectorAllowSearch: false,
-      requiredScopes: ['https://www.googleapis.com/auth/calendar'],
+      requiredScopes: getScopesForService('google-calendar'),
      placeholder: 'Select destination calendar',
      dependsOn: ['credential'],
      condition: { field: 'operation', value: 'move' },
--- a/apps/sim/blocks/blocks/google_contacts.ts
+++ b/apps/sim/blocks/blocks/google_contacts.ts
@@ -1,4 +1,5 @@
 import { GoogleContactsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { GoogleContactsResponse } from '@/tools/google_contacts/types'
@@ -37,7 +38,7 @@ export const GoogleContactsBlock: BlockConfig<GoogleContactsResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-contacts',
-      requiredScopes: ['https://www.googleapis.com/auth/contacts'],
+      requiredScopes: getScopesForService('google-contacts'),
      placeholder: 'Select Google account',
    },
    {
--- a/apps/sim/blocks/blocks/google_docs.ts
+++ b/apps/sim/blocks/blocks/google_docs.ts
@@ -1,4 +1,5 @@
 import { GoogleDocsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { GoogleDocsResponse } from '@/tools/google_docs/types'
@@ -36,10 +37,7 @@ export const GoogleDocsBlock: BlockConfig<GoogleDocsResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-docs',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-docs'),
      placeholder: 'Select Google account',
    },
    {
--- a/apps/sim/blocks/blocks/google_drive.ts
+++ b/apps/sim/blocks/blocks/google_drive.ts
@@ -1,4 +1,5 @@
 import { GoogleDriveIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -48,10 +49,7 @@ export const GoogleDriveBlock: BlockConfig<GoogleDriveResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select Google Drive account',
    },
    {
@@ -138,10 +136,7 @@ Return ONLY the file content - no explanations, no markdown code blocks, no extr
      canonicalParamId: 'uploadFolderId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      mimeType: 'application/vnd.google-apps.folder',
      placeholder: 'Select a parent folder',
      mode: 'basic',
@@ -211,10 +206,7 @@ Return ONLY the file content - no explanations, no markdown code blocks, no extr
      canonicalParamId: 'createFolderParentId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      mimeType: 'application/vnd.google-apps.folder',
      placeholder: 'Select a parent folder',
      mode: 'basic',
@@ -239,10 +231,7 @@ Return ONLY the file content - no explanations, no markdown code blocks, no extr
      canonicalParamId: 'listFolderId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      mimeType: 'application/vnd.google-apps.folder',
      placeholder: 'Select a folder to list files from',
      mode: 'basic',
@@ -299,10 +288,7 @@ Return ONLY the query string - no explanations, no quotes around the whole thing
      canonicalParamId: 'downloadFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to download',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -361,10 +347,7 @@ Return ONLY the query string - no explanations, no quotes around the whole thing
      canonicalParamId: 'getFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to get info for',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -389,10 +372,7 @@ Return ONLY the query string - no explanations, no quotes around the whole thing
      canonicalParamId: 'copyFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to copy',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -423,10 +403,7 @@ Return ONLY the query string - no explanations, no quotes around the whole thing
      canonicalParamId: 'copyDestFolderId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      mimeType: 'application/vnd.google-apps.folder',
      placeholder: 'Select destination folder (optional)',
      mode: 'basic',
@@ -450,10 +427,7 @@ Return ONLY the query string - no explanations, no quotes around the whole thing
      canonicalParamId: 'updateFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to update',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -529,10 +503,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
      canonicalParamId: 'trashFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to move to trash',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -557,10 +528,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
      canonicalParamId: 'deleteFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to permanently delete',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -585,10 +553,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
      canonicalParamId: 'shareFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to share',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -700,10 +665,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
      canonicalParamId: 'unshareFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to remove sharing from',
      mode: 'basic',
      dependsOn: ['credential'],
@@ -736,10 +698,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
      canonicalParamId: 'listPermissionsFileId',
      serviceId: 'google-drive',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select a file to list permissions for',
      mode: 'basic',
      dependsOn: ['credential'],
--- a/apps/sim/blocks/blocks/google_forms.ts
+++ b/apps/sim/blocks/blocks/google_forms.ts
@@ -1,4 +1,5 @@
 import { GoogleFormsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { getTrigger } from '@/triggers'

@@ -38,13 +39,7 @@ export const GoogleFormsBlock: BlockConfig = {
      mode: 'basic',
      required: true,
      serviceId: 'google-forms',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/userinfo.email',
-        'https://www.googleapis.com/auth/userinfo.profile',
-        'https://www.googleapis.com/auth/drive',
-        'https://www.googleapis.com/auth/forms.body',
-        'https://www.googleapis.com/auth/forms.responses.readonly',
-      ],
+      requiredScopes: getScopesForService('google-forms'),
      placeholder: 'Select Google account',
    },
    {
--- a/apps/sim/blocks/blocks/google_groups.ts
+++ b/apps/sim/blocks/blocks/google_groups.ts
@@ -1,4 +1,5 @@
 import { GoogleGroupsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'

@@ -46,10 +47,7 @@ export const GoogleGroupsBlock: BlockConfig = {
      mode: 'basic',
      required: true,
      serviceId: 'google-groups',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/admin.directory.group',
-        'https://www.googleapis.com/auth/admin.directory.group.member',
-      ],
+      requiredScopes: getScopesForService('google-groups'),
      placeholder: 'Select Google Workspace account',
    },
    {
--- a/apps/sim/blocks/blocks/google_meet.ts
+++ b/apps/sim/blocks/blocks/google_meet.ts
@@ -1,4 +1,5 @@
 import { GoogleMeetIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { GoogleMeetResponse } from '@/tools/google_meet/types'
@@ -37,10 +38,7 @@ export const GoogleMeetBlock: BlockConfig<GoogleMeetResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-meet',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/meetings.space.created',
-        'https://www.googleapis.com/auth/meetings.space.readonly',
-      ],
+      requiredScopes: getScopesForService('google-meet'),
      placeholder: 'Select Google Meet account',
    },
    {
--- a/apps/sim/blocks/blocks/google_sheets.ts
+++ b/apps/sim/blocks/blocks/google_sheets.ts
@@ -1,4 +1,5 @@
 import { GoogleSheetsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { createVersionedToolSelector } from '@/blocks/utils'
@@ -40,10 +41,7 @@ export const GoogleSheetsBlock: BlockConfig<GoogleSheetsResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-sheets',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-sheets'),
      placeholder: 'Select Google account',
    },
    {
@@ -63,10 +61,7 @@ export const GoogleSheetsBlock: BlockConfig<GoogleSheetsResponse> = {
      canonicalParamId: 'spreadsheetId',
      serviceId: 'google-sheets',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-sheets'),
      mimeType: 'application/vnd.google-apps.spreadsheet',
      placeholder: 'Select a spreadsheet',
      dependsOn: ['credential'],
@@ -339,10 +334,7 @@ export const GoogleSheetsV2Block: BlockConfig<GoogleSheetsV2Response> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-sheets',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-sheets'),
      placeholder: 'Select Google account',
    },
    {
@@ -362,10 +354,7 @@ export const GoogleSheetsV2Block: BlockConfig<GoogleSheetsV2Response> = {
      canonicalParamId: 'spreadsheetId',
      serviceId: 'google-sheets',
      selectorKey: 'google.drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-sheets'),
      mimeType: 'application/vnd.google-apps.spreadsheet',
      placeholder: 'Select a spreadsheet',
      dependsOn: ['credential'],
--- a/apps/sim/blocks/blocks/google_slides.ts
+++ b/apps/sim/blocks/blocks/google_slides.ts
@@ -1,4 +1,5 @@
 import { GoogleSlidesIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import { resolveHttpsUrlFromFileInput } from '@/lib/uploads/utils/file-utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
@@ -50,10 +51,7 @@ export const GoogleSlidesBlock: BlockConfig<GoogleSlidesResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-drive',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/drive.file',
-        'https://www.googleapis.com/auth/drive',
-      ],
+      requiredScopes: getScopesForService('google-drive'),
      placeholder: 'Select Google account',
    },
    {
--- a/apps/sim/blocks/blocks/google_tasks.ts
+++ b/apps/sim/blocks/blocks/google_tasks.ts
@@ -1,4 +1,5 @@
 import { GoogleTasksIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { GoogleTasksResponse } from '@/tools/google_tasks/types'
@@ -38,7 +39,7 @@ export const GoogleTasksBlock: BlockConfig<GoogleTasksResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'google-tasks',
-      requiredScopes: ['https://www.googleapis.com/auth/tasks'],
+      requiredScopes: getScopesForService('google-tasks'),
      placeholder: 'Select Google Tasks account',
    },
    {
@@ -51,12 +52,27 @@ export const GoogleTasksBlock: BlockConfig<GoogleTasksResponse> = {
      required: true,
    },

-    // Task List ID - shown for all task operations (not list_task_lists)
+    // Task List - shown for all task operations (not list_task_lists)
+    {
+      id: 'taskListSelector',
+      title: 'Task List',
+      type: 'project-selector',
+      canonicalParamId: 'taskListId',
+      serviceId: 'google-tasks',
+      selectorKey: 'google.tasks.lists',
+      selectorAllowSearch: false,
+      placeholder: 'Select task list',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: { field: 'operation', value: 'list_task_lists', not: true },
+    },
    {
      id: 'taskListId',
      title: 'Task List ID',
      type: 'short-input',
+      canonicalParamId: 'taskListId',
      placeholder: 'Task list ID (leave empty for default list)',
+      mode: 'advanced',
      condition: { field: 'operation', value: 'list_task_lists', not: true },
    },

@@ -210,7 +226,9 @@ Return ONLY the timestamp - no explanations, no extra text.`,
      params: (params) => {
        const { oauthCredential, operation, showCompleted, maxResults, ...rest } = params

-        const processedParams: Record<string, unknown> = { ...rest }
+        const processedParams: Record<string, unknown> = {
+          ...rest,
+        }

        if (maxResults && typeof maxResults === 'string') {
          processedParams.maxResults = Number.parseInt(maxResults, 10)
--- a/apps/sim/blocks/blocks/google_vault.ts
+++ b/apps/sim/blocks/blocks/google_vault.ts
@@ -1,4 +1,5 @@
 import { GoogleVaultIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'

@@ -38,10 +39,7 @@ export const GoogleVaultBlock: BlockConfig = {
      mode: 'basic',
      required: true,
      serviceId: 'google-vault',
-      requiredScopes: [
-        'https://www.googleapis.com/auth/ediscovery',
-        'https://www.googleapis.com/auth/devstorage.read_only',
-      ],
+      requiredScopes: getScopesForService('google-vault'),
      placeholder: 'Select Google Vault account',
    },
    {
--- a/apps/sim/blocks/blocks/hubspot.ts
+++ b/apps/sim/blocks/blocks/hubspot.ts
@@ -1,4 +1,5 @@
 import { HubspotIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { HubSpotResponse } from '@/tools/hubspot/types'
@@ -42,31 +43,7 @@ export const HubSpotBlock: BlockConfig<HubSpotResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'hubspot',
-      requiredScopes: [
-        'crm.objects.contacts.read',
-        'crm.objects.contacts.write',
-        'crm.objects.companies.read',
-        'crm.objects.companies.write',
-        'crm.objects.deals.read',
-        'crm.objects.deals.write',
-        'crm.objects.owners.read',
-        'crm.objects.users.read',
-        'crm.objects.users.write',
-        'crm.objects.marketing_events.read',
-        'crm.objects.marketing_events.write',
-        'crm.objects.line_items.read',
-        'crm.objects.line_items.write',
-        'crm.objects.quotes.read',
-        'crm.objects.quotes.write',
-        'crm.objects.appointments.read',
-        'crm.objects.appointments.write',
-        'crm.objects.carts.read',
-        'crm.objects.carts.write',
-        'crm.import',
-        'crm.lists.read',
-        'crm.lists.write',
-        'tickets',
-      ],
+      requiredScopes: getScopesForService('hubspot'),
      placeholder: 'Select HubSpot account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/jira.ts
+++ b/apps/sim/blocks/blocks/jira.ts
@@ -1,4 +1,5 @@
 import { JiraIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -64,38 +65,7 @@ export const JiraBlock: BlockConfig<JiraResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'jira',
-      requiredScopes: [
-        'read:jira-work',
-        'read:jira-user',
-        'write:jira-work',
-        'read:issue-event:jira',
-        'write:issue:jira',
-        'read:project:jira',
-        'read:issue-type:jira',
-        'read:me',
-        'offline_access',
-        'read:issue-meta:jira',
-        'read:issue-security-level:jira',
-        'read:issue.vote:jira',
-        'read:issue.changelog:jira',
-        'read:avatar:jira',
-        'read:issue:jira',
-        'read:status:jira',
-        'read:user:jira',
-        'read:field-configuration:jira',
-        'read:issue-details:jira',
-        'delete:issue:jira',
-        'write:comment:jira',
-        'read:comment:jira',
-        'delete:comment:jira',
-        'read:attachment:jira',
-        'delete:attachment:jira',
-        'write:issue-worklog:jira',
-        'read:issue-worklog:jira',
-        'delete:issue-worklog:jira',
-        'write:issue-link:jira',
-        'delete:issue-link:jira',
-      ],
+      requiredScopes: getScopesForService('jira'),
      placeholder: 'Select Jira account',
    },
    {
--- a/apps/sim/blocks/blocks/jira_service_management.ts
+++ b/apps/sim/blocks/blocks/jira_service_management.ts
@@ -1,4 +1,5 @@
 import { JiraServiceManagementIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { JsmResponse } from '@/tools/jsm/types'
@@ -59,42 +60,7 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
      mode: 'basic',
      required: true,
      serviceId: 'jira',
-      requiredScopes: [
-        'read:jira-user',
-        'read:jira-work',
-        'write:jira-work',
-        'read:project:jira',
-        'read:me',
-        'offline_access',
-        'read:issue:jira',
-        'read:status:jira',
-        'read:user:jira',
-        'read:issue-details:jira',
-        'write:comment:jira',
-        'read:comment:jira',
-        'read:servicedesk:jira-service-management',
-        'read:requesttype:jira-service-management',
-        'read:request:jira-service-management',
-        'write:request:jira-service-management',
-        'read:request.comment:jira-service-management',
-        'write:request.comment:jira-service-management',
-        'read:customer:jira-service-management',
-        'write:customer:jira-service-management',
-        'read:servicedesk.customer:jira-service-management',
-        'write:servicedesk.customer:jira-service-management',
-        'read:organization:jira-service-management',
-        'write:organization:jira-service-management',
-        'read:servicedesk.organization:jira-service-management',
-        'write:servicedesk.organization:jira-service-management',
-        'read:queue:jira-service-management',
-        'read:request.sla:jira-service-management',
-        'read:request.status:jira-service-management',
-        'write:request.status:jira-service-management',
-        'read:request.participant:jira-service-management',
-        'write:request.participant:jira-service-management',
-        'read:request.approval:jira-service-management',
-        'write:request.approval:jira-service-management',
-      ],
+      requiredScopes: getScopesForService('jira'),
      placeholder: 'Select Jira account',
    },
    {
@@ -107,10 +73,16 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
      required: true,
    },
    {
-      id: 'serviceDeskId',
-      title: 'Service Desk ID',
-      type: 'short-input',
-      placeholder: 'Enter service desk ID',
+      id: 'serviceDeskSelector',
+      title: 'Service Desk',
+      type: 'project-selector',
+      canonicalParamId: 'serviceDeskId',
+      serviceId: 'jira',
+      selectorKey: 'jsm.serviceDesks',
+      selectorAllowSearch: false,
+      placeholder: 'Select service desk',
+      dependsOn: ['credential', 'domain'],
+      mode: 'basic',
      required: {
        field: 'operation',
        value: [
@@ -139,12 +111,63 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
        ],
      },
    },
+    {
+      id: 'serviceDeskId',
+      title: 'Service Desk ID',
+      type: 'short-input',
+      canonicalParamId: 'serviceDeskId',
+      placeholder: 'Enter service desk ID',
+      mode: 'advanced',
+      required: {
+        field: 'operation',
+        value: [
+          'get_request_types',
+          'create_request',
+          'get_customers',
+          'add_customer',
+          'get_organizations',
+          'add_organization',
+          'get_queues',
+          'get_request_type_fields',
+        ],
+      },
+      condition: {
+        field: 'operation',
+        value: [
+          'get_request_types',
+          'create_request',
+          'get_customers',
+          'add_customer',
+          'get_organizations',
+          'add_organization',
+          'get_queues',
+          'get_requests',
+          'get_request_type_fields',
+        ],
+      },
+    },
+    {
+      id: 'requestTypeSelector',
+      title: 'Request Type',
+      type: 'file-selector',
+      canonicalParamId: 'requestTypeId',
+      serviceId: 'jira',
+      selectorKey: 'jsm.requestTypes',
+      selectorAllowSearch: false,
+      placeholder: 'Select request type',
+      dependsOn: ['credential', 'domain', 'serviceDeskSelector'],
+      mode: 'basic',
+      required: true,
+      condition: { field: 'operation', value: ['create_request', 'get_request_type_fields'] },
+    },
    {
      id: 'requestTypeId',
      title: 'Request Type ID',
      type: 'short-input',
+      canonicalParamId: 'requestTypeId',
      required: true,
      placeholder: 'Enter request type ID',
+      mode: 'advanced',
      condition: { field: 'operation', value: ['create_request', 'get_request_type_fields'] },
    },
    {
--- a/apps/sim/blocks/blocks/linear.ts
+++ b/apps/sim/blocks/blocks/linear.ts
@@ -1,4 +1,5 @@
 import { LinearIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -132,7 +133,7 @@ export const LinearBlock: BlockConfig<LinearResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'linear',
-      requiredScopes: ['read', 'write'],
+      requiredScopes: getScopesForService('linear'),
      placeholder: 'Select Linear account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/linkedin.ts
+++ b/apps/sim/blocks/blocks/linkedin.ts
@@ -1,4 +1,5 @@
 import { LinkedInIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { LinkedInResponse } from '@/tools/linkedin/types'
@@ -35,7 +36,7 @@ export const LinkedInBlock: BlockConfig<LinkedInResponse> = {
      serviceId: 'linkedin',
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
-      requiredScopes: ['profile', 'openid', 'email', 'w_member_social'],
+      requiredScopes: getScopesForService('linkedin'),
      placeholder: 'Select LinkedIn account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/microsoft_dataverse.ts
+++ b/apps/sim/blocks/blocks/microsoft_dataverse.ts
@@ -1,4 +1,5 @@
 import { MicrosoftDataverseIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -46,13 +47,7 @@ export const MicrosoftDataverseBlock: BlockConfig<DataverseResponse> = {
      title: 'Microsoft Account',
      type: 'oauth-input',
      serviceId: 'microsoft-dataverse',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'https://dynamics.microsoft.com/user_impersonation',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('microsoft-dataverse'),
      placeholder: 'Select Microsoft account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/microsoft_excel.ts
+++ b/apps/sim/blocks/blocks/microsoft_excel.ts
@@ -1,4 +1,5 @@
 import { MicrosoftExcelIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { createVersionedToolSelector } from '@/blocks/utils'
@@ -39,14 +40,7 @@ export const MicrosoftExcelBlock: BlockConfig<MicrosoftExcelResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'microsoft-excel',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('microsoft-excel'),
      placeholder: 'Select Microsoft account',
      required: true,
    },
@@ -366,14 +360,7 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'microsoft-excel',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('microsoft-excel'),
      placeholder: 'Select Microsoft account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/microsoft_planner.ts
+++ b/apps/sim/blocks/blocks/microsoft_planner.ts
@@ -1,4 +1,5 @@
 import { MicrosoftPlannerIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { MicrosoftPlannerResponse } from '@/tools/microsoft_planner/types'
@@ -64,15 +65,7 @@ export const MicrosoftPlannerBlock: BlockConfig<MicrosoftPlannerResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'microsoft-planner',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Group.ReadWrite.All',
-        'Group.Read.All',
-        'Tasks.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('microsoft-planner'),
      placeholder: 'Select Microsoft account',
    },
    {
@@ -84,12 +77,36 @@ export const MicrosoftPlannerBlock: BlockConfig<MicrosoftPlannerResponse> = {
      placeholder: 'Enter credential ID',
    },

-    // Plan ID - for various operations
+    // Plan selector - basic mode
+    {
+      id: 'planSelector',
+      title: 'Plan',
+      type: 'project-selector',
+      canonicalParamId: 'planId',
+      serviceId: 'microsoft-planner',
+      selectorKey: 'microsoft.planner.plans',
+      selectorAllowSearch: false,
+      placeholder: 'Select a plan',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['create_task', 'read_task', 'read_plan', 'list_buckets', 'create_bucket'],
+      },
+      required: {
+        field: 'operation',
+        value: ['read_plan', 'list_buckets', 'create_bucket', 'create_task'],
+      },
+    },
+
+    // Plan ID - advanced mode
    {
      id: 'planId',
      title: 'Plan ID',
      type: 'short-input',
+      canonicalParamId: 'planId',
      placeholder: 'Enter the plan ID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: ['create_task', 'read_task', 'read_plan', 'list_buckets', 'create_bucket'],
@@ -110,7 +127,7 @@ export const MicrosoftPlannerBlock: BlockConfig<MicrosoftPlannerResponse> = {
      serviceId: 'microsoft-planner',
      selectorKey: 'microsoft.planner',
      condition: { field: 'operation', value: ['read_task'] },
-      dependsOn: ['credential', 'planId'],
+      dependsOn: ['credential', 'planSelector'],
      mode: 'basic',
      canonicalParamId: 'readTaskId',
    },
--- a/apps/sim/blocks/blocks/microsoft_teams.ts
+++ b/apps/sim/blocks/blocks/microsoft_teams.ts
@@ -1,4 +1,5 @@
 import { MicrosoftTeamsIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -47,28 +48,7 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'microsoft-teams',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'User.Read',
-        'Chat.Read',
-        'Chat.ReadWrite',
-        'Chat.ReadBasic',
-        'ChatMessage.Send',
-        'Channel.ReadBasic.All',
-        'ChannelMessage.Send',
-        'ChannelMessage.Read.All',
-        'ChannelMessage.ReadWrite',
-        'ChannelMember.Read.All',
-        'Group.Read.All',
-        'Group.ReadWrite.All',
-        'Team.ReadBasic.All',
-        'TeamMember.Read.All',
-        'offline_access',
-        'Files.Read',
-        'Sites.Read.All',
-      ],
+      requiredScopes: getScopesForService('microsoft-teams'),
      placeholder: 'Select Microsoft account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/notion.ts
+++ b/apps/sim/blocks/blocks/notion.ts
@@ -53,15 +53,49 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
      placeholder: 'Enter credential ID',
      required: true,
    },
-    // Read/Write operation - Page ID
+    {
+      id: 'pageSelector',
+      title: 'Page',
+      type: 'file-selector',
+      canonicalParamId: 'pageId',
+      serviceId: 'notion',
+      selectorKey: 'notion.pages',
+      placeholder: 'Select Notion page',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['notion_read', 'notion_write'],
+      },
+      required: true,
+    },
    {
      id: 'pageId',
      title: 'Page ID',
      type: 'short-input',
+      canonicalParamId: 'pageId',
      placeholder: 'Enter Notion page ID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
-        value: 'notion_read',
+        value: ['notion_read', 'notion_write'],
+      },
+      required: true,
+    },
+    {
+      id: 'databaseSelector',
+      title: 'Database',
+      type: 'project-selector',
+      canonicalParamId: 'databaseId',
+      serviceId: 'notion',
+      selectorKey: 'notion.databases',
+      selectorAllowSearch: false,
+      placeholder: 'Select Notion database',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['notion_read_database', 'notion_query_database', 'notion_add_database_row'],
      },
      required: true,
    },
@@ -69,31 +103,36 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
      id: 'databaseId',
      title: 'Database ID',
      type: 'short-input',
+      canonicalParamId: 'databaseId',
      placeholder: 'Enter Notion database ID',
+      mode: 'advanced',
      condition: {
        field: 'operation',
-        value: 'notion_read_database',
+        value: ['notion_read_database', 'notion_query_database', 'notion_add_database_row'],
      },
      required: true,
    },
    {
-      id: 'pageId',
-      title: 'Page ID',
-      type: 'short-input',
-      placeholder: 'Enter Notion page ID',
-      condition: {
-        field: 'operation',
-        value: 'notion_write',
-      },
+      id: 'parentSelector',
+      title: 'Parent Page',
+      type: 'file-selector',
+      canonicalParamId: 'parentId',
+      serviceId: 'notion',
+      selectorKey: 'notion.pages',
+      placeholder: 'Select parent page',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: { field: 'operation', value: ['notion_create_page', 'notion_create_database'] },
      required: true,
    },
-    // Create operation fields
    {
      id: 'parentId',
      title: 'Parent Page ID',
      type: 'short-input',
+      canonicalParamId: 'parentId',
      placeholder: 'ID of parent page',
-      condition: { field: 'operation', value: 'notion_create_page' },
+      mode: 'advanced',
+      condition: { field: 'operation', value: ['notion_create_page', 'notion_create_database'] },
      required: true,
    },
    {
@@ -148,14 +187,6 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
      },
    },
    // Query Database Fields
-    {
-      id: 'databaseId',
-      title: 'Database ID',
-      type: 'short-input',
-      placeholder: 'Enter Notion database ID',
-      condition: { field: 'operation', value: 'notion_query_database' },
-      required: true,
-    },
    {
      id: 'filter',
      title: 'Filter',
@@ -218,14 +249,6 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
      condition: { field: 'operation', value: 'notion_search' },
    },
    // Create Database Fields
-    {
-      id: 'parentId',
-      title: 'Parent Page ID',
-      type: 'short-input',
-      placeholder: 'ID of parent page where database will be created',
-      condition: { field: 'operation', value: 'notion_create_database' },
-      required: true,
-    },
    {
      id: 'title',
      title: 'Database Title',
@@ -256,14 +279,6 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
      },
    },
    // Add Database Row Fields
-    {
-      id: 'databaseId',
-      title: 'Database ID',
-      type: 'short-input',
-      placeholder: 'Enter Notion database ID',
-      condition: { field: 'operation', value: 'notion_add_database_row' },
-      required: true,
-    },
    {
      id: 'properties',
      title: 'Row Properties',
@@ -404,6 +419,7 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
 }

 // V2 Block with API-aligned outputs
+
 export const NotionV2Block: BlockConfig<any> = {
  type: 'notion_v2',
  name: 'Notion',
--- a/apps/sim/blocks/blocks/onedrive.ts
+++ b/apps/sim/blocks/blocks/onedrive.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { MicrosoftOneDriveIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -42,14 +43,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'onedrive',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      placeholder: 'Select Microsoft account',
    },
    {
@@ -156,14 +150,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'uploadFolderId',
      serviceId: 'onedrive',
      selectorKey: 'onedrive.folders',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      mimeType: 'application/vnd.microsoft.graph.folder',
      placeholder: 'Select a parent folder',
      dependsOn: ['credential'],
@@ -194,14 +181,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'createFolderParentId',
      serviceId: 'onedrive',
      selectorKey: 'onedrive.folders',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      mimeType: 'application/vnd.microsoft.graph.folder',
      placeholder: 'Select a parent folder',
      dependsOn: ['credential'],
@@ -227,14 +207,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'listFolderId',
      serviceId: 'onedrive',
      selectorKey: 'onedrive.folders',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      mimeType: 'application/vnd.microsoft.graph.folder',
      placeholder: 'Select a folder to list files from',
      dependsOn: ['credential'],
@@ -274,14 +247,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'downloadFileId',
      serviceId: 'onedrive',
      selectorKey: 'onedrive.files',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      mimeType: 'file', // Exclude folders, show only files
      placeholder: 'Select a file to download',
      mode: 'basic',
@@ -315,14 +281,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
      canonicalParamId: 'deleteFileId',
      serviceId: 'onedrive',
      selectorKey: 'onedrive.files',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('onedrive'),
      mimeType: 'file', // Exclude folders, show only files
      placeholder: 'Select a file to delete',
      mode: 'basic',
--- a/apps/sim/blocks/blocks/outlook.ts
+++ b/apps/sim/blocks/blocks/outlook.ts
@@ -1,4 +1,5 @@
 import { OutlookIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -42,16 +43,7 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'outlook',
-      requiredScopes: [
-        'Mail.ReadWrite',
-        'Mail.ReadBasic',
-        'Mail.Read',
-        'Mail.Send',
-        'offline_access',
-        'openid',
-        'profile',
-        'email',
-      ],
+      requiredScopes: getScopesForService('outlook'),
      placeholder: 'Select Microsoft account',
      required: true,
    },
@@ -188,7 +180,7 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
      canonicalParamId: 'folder',
      serviceId: 'outlook',
      selectorKey: 'outlook.folders',
-      requiredScopes: ['Mail.ReadWrite', 'Mail.ReadBasic', 'Mail.Read'],
+      requiredScopes: getScopesForService('outlook'),
      placeholder: 'Select Outlook folder',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -234,7 +226,7 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
      canonicalParamId: 'destinationId',
      serviceId: 'outlook',
      selectorKey: 'outlook.folders',
-      requiredScopes: ['Mail.ReadWrite', 'Mail.ReadBasic', 'Mail.Read'],
+      requiredScopes: getScopesForService('outlook'),
      placeholder: 'Select destination folder',
      dependsOn: ['credential'],
      mode: 'basic',
@@ -281,7 +273,7 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
      canonicalParamId: 'copyDestinationId',
      serviceId: 'outlook',
      selectorKey: 'outlook.folders',
-      requiredScopes: ['Mail.ReadWrite', 'Mail.ReadBasic', 'Mail.Read'],
+      requiredScopes: getScopesForService('outlook'),
      placeholder: 'Select destination folder',
      dependsOn: ['credential'],
      mode: 'basic',
--- a/apps/sim/blocks/blocks/pipedrive.ts
+++ b/apps/sim/blocks/blocks/pipedrive.ts
@@ -1,4 +1,5 @@
 import { PipedriveIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { PipedriveResponse } from '@/tools/pipedrive/types'
@@ -48,15 +49,7 @@ export const PipedriveBlock: BlockConfig<PipedriveResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'pipedrive',
-      requiredScopes: [
-        'base',
-        'deals:full',
-        'contacts:full',
-        'leads:full',
-        'activities:full',
-        'mail:full',
-        'projects:full',
-      ],
+      requiredScopes: getScopesForService('pipedrive'),
      placeholder: 'Select Pipedrive account',
      required: true,
    },
@@ -96,12 +89,35 @@ export const PipedriveBlock: BlockConfig<PipedriveResponse> = {
      placeholder: 'Filter by organization ID',
      condition: { field: 'operation', value: ['get_all_deals'] },
    },
+    {
+      id: 'pipelineSelector',
+      title: 'Pipeline',
+      type: 'project-selector',
+      canonicalParamId: 'pipeline_id',
+      serviceId: 'pipedrive',
+      selectorKey: 'pipedrive.pipelines',
+      selectorAllowSearch: false,
+      placeholder: 'Select pipeline',
+      dependsOn: ['credential'],
+      mode: 'basic',
+      condition: {
+        field: 'operation',
+        value: ['get_all_deals', 'create_deal', 'get_pipeline_deals'],
+      },
+      required: { field: 'operation', value: 'get_pipeline_deals' },
+    },
    {
      id: 'pipeline_id',
      title: 'Pipeline ID',
      type: 'short-input',
-      placeholder: 'Filter by pipeline ID ',
-      condition: { field: 'operation', value: ['get_all_deals'] },
+      canonicalParamId: 'pipeline_id',
+      placeholder: 'Enter pipeline ID',
+      mode: 'advanced',
+      condition: {
+        field: 'operation',
+        value: ['get_all_deals', 'create_deal', 'get_pipeline_deals'],
+      },
+      required: { field: 'operation', value: 'get_pipeline_deals' },
    },
    {
      id: 'updated_since',
@@ -174,13 +190,6 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      placeholder: 'Associated organization ID ',
      condition: { field: 'operation', value: ['create_deal'] },
    },
-    {
-      id: 'pipeline_id',
-      title: 'Pipeline ID',
-      type: 'short-input',
-      placeholder: 'Pipeline ID ',
-      condition: { field: 'operation', value: ['create_deal'] },
-    },
    {
      id: 'stage_id',
      title: 'Stage ID',
@@ -329,14 +338,6 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
        ],
      },
    },
-    {
-      id: 'pipeline_id',
-      title: 'Pipeline ID',
-      type: 'short-input',
-      placeholder: 'Enter pipeline ID',
-      required: true,
-      condition: { field: 'operation', value: ['get_pipeline_deals'] },
-    },
    {
      id: 'stage_id',
      title: 'Stage ID',
--- a/apps/sim/blocks/blocks/reddit.ts
+++ b/apps/sim/blocks/blocks/reddit.ts
--- a/apps/sim/blocks/blocks/salesforce.ts
+++ b/apps/sim/blocks/blocks/salesforce.ts
@@ -1,4 +1,5 @@
 import { SalesforceIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import type { SalesforceResponse } from '@/tools/salesforce/types'
@@ -65,7 +66,7 @@ export const SalesforceBlock: BlockConfig<SalesforceResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'salesforce',
-      requiredScopes: ['api', 'refresh_token', 'openid', 'offline_access'],
+      requiredScopes: getScopesForService('salesforce'),
      placeholder: 'Select Salesforce account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/servicenow.ts
+++ b/apps/sim/blocks/blocks/servicenow.ts
@@ -129,6 +129,30 @@ Output: {"short_description": "Network outage", "description": "Network connecti
      condition: { field: 'operation', value: 'servicenow_read_record' },
      mode: 'advanced',
    },
+    {
+      id: 'offset',
+      title: 'Offset',
+      type: 'short-input',
+      placeholder: '0',
+      condition: { field: 'operation', value: 'servicenow_read_record' },
+      description: 'Number of records to skip for pagination',
+      mode: 'advanced',
+    },
+    {
+      id: 'displayValue',
+      title: 'Display Value',
+      type: 'dropdown',
+      options: [
+        { label: 'Default (not set)', id: '' },
+        { label: 'False (sys_id only)', id: 'false' },
+        { label: 'True (display value only)', id: 'true' },
+        { label: 'All (both)', id: 'all' },
+      ],
+      value: () => '',
+      condition: { field: 'operation', value: 'servicenow_read_record' },
+      description: 'Return display values for reference fields instead of sys_ids',
+      mode: 'advanced',
+    },
    {
      id: 'fields',
      title: 'Fields to Return',
@@ -203,6 +227,9 @@ Output: {"state": "2", "assigned_to": "john.doe", "work_notes": "Assigned and st
        const isCreateOrUpdate =
          operation === 'servicenow_create_record' || operation === 'servicenow_update_record'

+        if (rest.limit != null && rest.limit !== '') rest.limit = Number(rest.limit)
+        if (rest.offset != null && rest.offset !== '') rest.offset = Number(rest.offset)
+
        if (fields && isCreateOrUpdate) {
          const parsedFields = typeof fields === 'string' ? JSON.parse(fields) : fields
          return { ...rest, fields: parsedFields }
@@ -222,7 +249,9 @@ Output: {"state": "2", "assigned_to": "john.doe", "work_notes": "Assigned and st
    number: { type: 'string', description: 'Record number' },
    query: { type: 'string', description: 'Query string' },
    limit: { type: 'number', description: 'Result limit' },
+    offset: { type: 'number', description: 'Pagination offset' },
    fields: { type: 'json', description: 'Fields object or JSON string' },
+    displayValue: { type: 'string', description: 'Display value mode for reference fields' },
  },
  outputs: {
    record: { type: 'json', description: 'Single ServiceNow record' },
--- a/apps/sim/blocks/blocks/sharepoint.ts
+++ b/apps/sim/blocks/blocks/sharepoint.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { MicrosoftSharepointIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -41,15 +42,7 @@ export const SharepointBlock: BlockConfig<SharepointResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'sharepoint',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Sites.Read.All',
-        'Sites.ReadWrite.All',
-        'Sites.Manage.All',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('sharepoint'),
      placeholder: 'Select Microsoft account',
    },
    {
@@ -68,14 +61,7 @@ export const SharepointBlock: BlockConfig<SharepointResponse> = {
      canonicalParamId: 'siteId',
      serviceId: 'sharepoint',
      selectorKey: 'sharepoint.sites',
-      requiredScopes: [
-        'openid',
-        'profile',
-        'email',
-        'Files.Read',
-        'Files.ReadWrite',
-        'offline_access',
-      ],
+      requiredScopes: getScopesForService('sharepoint'),
      mimeType: 'application/vnd.microsoft.graph.folder',
      placeholder: 'Select a site',
      dependsOn: ['credential'],
@@ -112,12 +98,26 @@ export const SharepointBlock: BlockConfig<SharepointResponse> = {
      mode: 'advanced',
    },

+    {
+      id: 'listSelector',
+      title: 'List',
+      type: 'file-selector',
+      canonicalParamId: 'listId',
+      serviceId: 'sharepoint',
+      selectorKey: 'sharepoint.lists',
+      selectorAllowSearch: false,
+      placeholder: 'Select a list',
+      dependsOn: ['credential', 'siteSelector'],
+      mode: 'basic',
+      condition: { field: 'operation', value: ['read_list', 'update_list', 'add_list_items'] },
+    },
    {
      id: 'listId',
      title: 'List ID',
      type: 'short-input',
-      placeholder: 'Enter list ID (GUID). Required for Update; optional for Read.',
      canonicalParamId: 'listId',
+      placeholder: 'Enter list ID (GUID). Required for Update; optional for Read.',
+      mode: 'advanced',
      condition: { field: 'operation', value: ['read_list', 'update_list', 'add_list_items'] },
    },

@@ -425,7 +425,9 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
          includeColumns,
          includeItems,
          files, // canonical param from uploadFiles (basic) or files (advanced)
+          driveId, // canonical param from driveId
          columnDefinitions,
+          listId,
          ...others
        } = rest as any

@@ -457,7 +459,7 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
          try {
            logger.info('SharepointBlock list item param check', {
              siteId: effectiveSiteId || undefined,
-              listId: (others as any)?.listId,
+              listId: listId,
              listTitle: (others as any)?.listTitle,
              itemId: sanitizedItemId,
              hasItemFields: !!parsedItemFields && typeof parsedItemFields === 'object',
@@ -477,6 +479,8 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
          pageSize: others.pageSize ? Number.parseInt(others.pageSize as string, 10) : undefined,
          mimeType: mimeType,
          ...others,
+          ...(listId ? { listId } : {}),
+          ...(driveId ? { driveId } : {}),
          itemId: sanitizedItemId,
          listItemFields: parsedItemFields,
          includeColumns: coerceBoolean(includeColumns),
@@ -517,10 +521,13 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
    includeItems: { type: 'boolean', description: 'Include items in response' },
    itemId: { type: 'string', description: 'List item ID (canonical param)' },
    listItemFields: { type: 'string', description: 'List item fields (canonical param)' },
-    driveId: { type: 'string', description: 'Document library (drive) ID (canonical param)' },
+    driveId: {
+      type: 'string',
+      description: 'Document library (drive) ID',
+    },
    folderPath: { type: 'string', description: 'Folder path for file upload' },
    fileName: { type: 'string', description: 'File name override' },
-    files: { type: 'array', description: 'Files to upload (canonical param)' },
+    files: { type: 'array', description: 'Files to upload' },
  },
  outputs: {
    sites: {
--- a/apps/sim/blocks/blocks/shopify.ts
+++ b/apps/sim/blocks/blocks/shopify.ts
@@ -1,4 +1,5 @@
 import { ShopifyIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'

@@ -63,14 +64,7 @@ export const ShopifyBlock: BlockConfig<ShopifyResponse> = {
      serviceId: 'shopify',
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
-      requiredScopes: [
-        'write_products',
-        'write_orders',
-        'write_customers',
-        'write_inventory',
-        'read_locations',
-        'write_merchant_managed_fulfillment_orders',
-      ],
+      requiredScopes: getScopesForService('shopify'),
      placeholder: 'Select Shopify account',
      required: true,
    },
--- a/apps/sim/blocks/blocks/slack.ts
+++ b/apps/sim/blocks/blocks/slack.ts
@@ -1,4 +1,5 @@
 import { SlackIcon } from '@/components/icons'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
 import { normalizeFileInput } from '@/blocks/utils'
@@ -9,10 +10,10 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
  type: 'slack',
  name: 'Slack',
  description:
-    'Send, update, delete messages, send ephemeral messages, add reactions in Slack or trigger workflows from Slack events',
+    'Send, update, delete messages, manage views and modals, add or remove reactions, manage canvases, get channel info and user presence in Slack',
  authMode: AuthMode.OAuth,
  longDescription:
-    'Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.',
+    'Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, open/update/push modal views, publish Home tab views, create canvases, read messages, and add or remove reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.',
  docsLink: 'https://docs.sim.ai/tools/slack',
  category: 'tools',
  bgColor: '#611f69',
@@ -38,6 +39,15 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
        { label: 'Update Message', id: 'update' },
        { label: 'Delete Message', id: 'delete' },
        { label: 'Add Reaction', id: 'react' },
+        { label: 'Remove Reaction', id: 'unreact' },
+        { label: 'Get Channel Info', id: 'get_channel_info' },
+        { label: 'Get User Presence', id: 'get_user_presence' },
+        { label: 'Edit Canvas', id: 'edit_canvas' },
+        { label: 'Create Channel Canvas', id: 'create_channel_canvas' },
+        { label: 'Open View', id: 'open_view' },
+        { label: 'Update View', id: 'update_view' },
+        { label: 'Push View', id: 'push_view' },
+        { label: 'Publish View', id: 'publish_view' },
      ],
      value: () => 'send',
    },
@@ -73,22 +83,7 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
      canonicalParamId: 'oauthCredential',
      mode: 'basic',
      serviceId: 'slack',
-      requiredScopes: [
-        'channels:read',
-        'channels:history',
-        'groups:read',
-        'groups:history',
-        'chat:write',
-        'chat:write.public',
-        'im:write',
-        'im:history',
-        'im:read',
-        'users:read',
-        'files:write',
-        'files:read',
-        'canvases:write',
-        'reactions:write',
-      ],
+      requiredScopes: getScopesForService('slack'),
      placeholder: 'Select Slack workspace',
      dependsOn: ['authMethod'],
      condition: {
@@ -141,7 +136,17 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
        }
        return {
          field: 'operation',
-          value: ['list_channels', 'list_users', 'get_user'],
+          value: [
+            'list_channels',
+            'list_users',
+            'get_user',
+            'get_user_presence',
+            'edit_canvas',
+            'open_view',
+            'update_view',
+            'push_view',
+            'publish_view',
+          ],
          not: true,
          and: {
            field: 'destinationType',
@@ -166,7 +171,17 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
        }
        return {
          field: 'operation',
-          value: ['list_channels', 'list_users', 'get_user'],
+          value: [
+            'list_channels',
+            'list_users',
+            'get_user',
+            'get_user_presence',
+            'edit_canvas',
+            'open_view',
+            'update_view',
+            'push_view',
+            'publish_view',
+          ],
          not: true,
          and: {
            field: 'destinationType',
@@ -209,8 +224,26 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
    {
      id: 'ephemeralUser',
      title: 'Target User',
+      type: 'user-selector',
+      canonicalParamId: 'ephemeralUser',
+      serviceId: 'slack',
+      selectorKey: 'slack.users',
+      placeholder: 'Select Slack user',
+      mode: 'basic',
+      dependsOn: { all: ['authMethod'], any: ['credential', 'botToken'] },
+      condition: {
+        field: 'operation',
+        value: 'ephemeral',
+      },
+      required: true,
+    },
+    {
+      id: 'manualEphemeralUser',
+      title: 'Target User ID',
      type: 'short-input',
-      placeholder: 'User ID who will see the message (e.g., U1234567890)',
+      canonicalParamId: 'ephemeralUser',
+      placeholder: 'Enter Slack user ID (e.g., U1234567890)',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: 'ephemeral',
@@ -440,9 +473,27 @@ Do not include any explanations, markdown formatting, or other text outside the
    // Get User specific fields
    {
      id: 'userId',
+      title: 'User',
+      type: 'user-selector',
+      canonicalParamId: 'userId',
+      serviceId: 'slack',
+      selectorKey: 'slack.users',
+      placeholder: 'Select Slack user',
+      mode: 'basic',
+      dependsOn: { all: ['authMethod'], any: ['credential', 'botToken'] },
+      condition: {
+        field: 'operation',
+        value: 'get_user',
+      },
+      required: true,
+    },
+    {
+      id: 'manualUserId',
      title: 'User ID',
      type: 'short-input',
+      canonicalParamId: 'userId',
      placeholder: 'Enter Slack user ID (e.g., U1234567890)',
+      mode: 'advanced',
      condition: {
        field: 'operation',
        value: 'get_user',
@@ -608,7 +659,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      placeholder: 'Message timestamp (e.g., 1405894322.002768)',
      condition: {
        field: 'operation',
-        value: 'react',
+        value: ['react', 'unreact'],
      },
      required: true,
    },
@@ -619,10 +670,301 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      placeholder: 'Emoji name without colons (e.g., thumbsup, heart, eyes)',
      condition: {
        field: 'operation',
-        value: 'react',
+        value: ['react', 'unreact'],
      },
      required: true,
    },
+    // Get Channel Info specific fields
+    {
+      id: 'includeNumMembers',
+      title: 'Include Member Count',
+      type: 'dropdown',
+      options: [
+        { label: 'Yes', id: 'true' },
+        { label: 'No', id: 'false' },
+      ],
+      value: () => 'true',
+      condition: {
+        field: 'operation',
+        value: 'get_channel_info',
+      },
+    },
+    // Get User Presence specific fields
+    {
+      id: 'presenceUserId',
+      title: 'User',
+      type: 'user-selector',
+      canonicalParamId: 'presenceUserId',
+      serviceId: 'slack',
+      selectorKey: 'slack.users',
+      placeholder: 'Select Slack user',
+      mode: 'basic',
+      dependsOn: { all: ['authMethod'], any: ['credential', 'botToken'] },
+      condition: {
+        field: 'operation',
+        value: 'get_user_presence',
+      },
+      required: true,
+    },
+    {
+      id: 'manualPresenceUserId',
+      title: 'User ID',
+      type: 'short-input',
+      canonicalParamId: 'presenceUserId',
+      placeholder: 'Enter Slack user ID (e.g., U1234567890)',
+      mode: 'advanced',
+      condition: {
+        field: 'operation',
+        value: 'get_user_presence',
+      },
+      required: true,
+    },
+    // Edit Canvas specific fields
+    {
+      id: 'editCanvasId',
+      title: 'Canvas ID',
+      type: 'short-input',
+      placeholder: 'Enter canvas ID (e.g., F1234ABCD)',
+      condition: {
+        field: 'operation',
+        value: 'edit_canvas',
+      },
+      required: true,
+    },
+    {
+      id: 'canvasOperation',
+      title: 'Edit Operation',
+      type: 'dropdown',
+      options: [
+        { label: 'Insert at Start', id: 'insert_at_start' },
+        { label: 'Insert at End', id: 'insert_at_end' },
+        { label: 'Insert After Section', id: 'insert_after' },
+        { label: 'Insert Before Section', id: 'insert_before' },
+        { label: 'Replace Section', id: 'replace' },
+        { label: 'Delete Section', id: 'delete' },
+        { label: 'Rename Canvas', id: 'rename' },
+      ],
+      value: () => 'insert_at_end',
+      condition: {
+        field: 'operation',
+        value: 'edit_canvas',
+      },
+      required: true,
+    },
+    {
+      id: 'canvasContent',
+      title: 'Content',
+      type: 'long-input',
+      placeholder: 'Enter content in markdown format',
+      condition: {
+        field: 'operation',
+        value: 'edit_canvas',
+        and: {
+          field: 'canvasOperation',
+          value: ['delete', 'rename'],
+          not: true,
+        },
+      },
+    },
+    {
+      id: 'sectionId',
+      title: 'Section ID',
+      type: 'short-input',
+      placeholder: 'Section ID to target',
+      condition: {
+        field: 'operation',
+        value: 'edit_canvas',
+        and: {
+          field: 'canvasOperation',
+          value: ['insert_after', 'insert_before', 'replace', 'delete'],
+        },
+      },
+      required: true,
+    },
+    {
+      id: 'canvasTitle',
+      title: 'New Title',
+      type: 'short-input',
+      placeholder: 'Enter new canvas title',
+      condition: {
+        field: 'operation',
+        value: 'edit_canvas',
+        and: { field: 'canvasOperation', value: 'rename' },
+      },
+      required: true,
+    },
+    // Create Channel Canvas specific fields
+    {
+      id: 'channelCanvasTitle',
+      title: 'Canvas Title',
+      type: 'short-input',
+      placeholder: 'Enter canvas title (optional)',
+      condition: {
+        field: 'operation',
+        value: 'create_channel_canvas',
+      },
+    },
+    {
+      id: 'channelCanvasContent',
+      title: 'Canvas Content',
+      type: 'long-input',
+      placeholder: 'Enter canvas content (markdown supported)',
+      condition: {
+        field: 'operation',
+        value: 'create_channel_canvas',
+      },
+    },
+    // Open View / Push View specific fields
+    {
+      id: 'viewTriggerId',
+      title: 'Trigger ID',
+      type: 'short-input',
+      placeholder: 'Trigger ID from interaction payload',
+      condition: {
+        field: 'operation',
+        value: ['open_view', 'push_view'],
+      },
+      required: true,
+    },
+    {
+      id: 'viewInteractivityPointer',
+      title: 'Interactivity Pointer',
+      type: 'short-input',
+      placeholder: 'Alternative to trigger_id (optional)',
+      condition: {
+        field: 'operation',
+        value: ['open_view', 'push_view'],
+      },
+      mode: 'advanced',
+    },
+    // Update View specific fields
+    {
+      id: 'viewId',
+      title: 'View ID',
+      type: 'short-input',
+      placeholder: 'Unique view identifier (either View ID or External ID required)',
+      condition: {
+        field: 'operation',
+        value: 'update_view',
+      },
+    },
+    {
+      id: 'viewExternalId',
+      title: 'External ID',
+      type: 'short-input',
+      placeholder: 'Developer-set unique identifier (max 255 chars)',
+      condition: {
+        field: 'operation',
+        value: 'update_view',
+      },
+    },
+    // Update View / Publish View hash field
+    {
+      id: 'viewHash',
+      title: 'View Hash',
+      type: 'short-input',
+      placeholder: 'View state hash for race condition protection',
+      condition: {
+        field: 'operation',
+        value: ['update_view', 'publish_view'],
+      },
+      mode: 'advanced',
+    },
+    // Publish View specific fields
+    {
+      id: 'publishUserId',
+      title: 'User',
+      type: 'user-selector',
+      canonicalParamId: 'publishUserId',
+      serviceId: 'slack',
+      selectorKey: 'slack.users',
+      placeholder: 'Select user to publish Home tab to',
+      mode: 'basic',
+      dependsOn: { all: ['authMethod'], any: ['credential', 'botToken'] },
+      condition: {
+        field: 'operation',
+        value: 'publish_view',
+      },
+      required: true,
+    },
+    {
+      id: 'manualPublishUserId',
+      title: 'User ID',
+      type: 'short-input',
+      canonicalParamId: 'publishUserId',
+      placeholder: 'Enter Slack user ID (e.g., U0BPQUNTA)',
+      mode: 'advanced',
+      condition: {
+        field: 'operation',
+        value: 'publish_view',
+      },
+      required: true,
+    },
+    // View payload (shared across all view operations)
+    {
+      id: 'viewPayload',
+      title: 'View Payload',
+      type: 'code',
+      language: 'json',
+      placeholder: 'JSON view payload with type, title, and blocks',
+      condition: {
+        field: 'operation',
+        value: ['open_view', 'update_view', 'push_view', 'publish_view'],
+      },
+      required: true,
+      wandConfig: {
+        enabled: true,
+        maintainHistory: true,
+        prompt: `You are an expert at Slack Block Kit views.
+Generate ONLY a valid JSON view payload object based on the user's request.
+The output MUST be a JSON object starting with { and ending with }.
+
+Current view: {context}
+
+The view object must include:
+- "type": "modal" (for open/update/push) or "home" (for publish)
+- "title": { "type": "plain_text", "text": "Title text", "emoji": true } (max 24 chars)
+- "blocks": Array of Block Kit blocks
+
+Optional fields:
+- "submit": { "type": "plain_text", "text": "Submit" } - Submit button text
+- "close": { "type": "plain_text", "text": "Cancel" } - Close button text
+- "private_metadata": String up to 3000 chars
+- "callback_id": String identifier for interaction handling
+- "clear_on_close": true/false
+- "notify_on_close": true/false
+- "external_id": Unique string per workspace (max 255 chars)
+
+Available block types:
+- "section": Text with optional accessory. Text uses { "type": "mrkdwn", "text": "..." } or { "type": "plain_text", "text": "..." }
+- "input": Form input with a label and element (plain_text_input, static_select, multi_static_select, datepicker, timepicker, checkboxes, radio_buttons)
+- "header": Large text header (plain_text only)
+- "divider": Horizontal rule separator
+- "image": Requires "image_url" and "alt_text"
+- "context": Contextual info with "elements" array
+- "actions": Interactive elements like buttons
+
+Example modal:
+{
+  "type": "modal",
+  "title": { "type": "plain_text", "text": "My Form" },
+  "submit": { "type": "plain_text", "text": "Submit" },
+  "close": { "type": "plain_text", "text": "Cancel" },
+  "blocks": [
+    {
+      "type": "input",
+      "block_id": "input_1",
+      "label": { "type": "plain_text", "text": "Name" },
+      "element": { "type": "plain_text_input", "action_id": "name_input" }
+    }
+  ]
+}
+
+You can reference workflow variables using angle brackets, e.g., <blockName.output>.
+Do not include any explanations, markdown formatting, or other text outside the JSON object.`,
+        placeholder: 'Describe the view/modal you want to create...',
+      },
+    },
    ...getTrigger('slack_webhook').subBlocks,
  ],
  tools: {
@@ -641,6 +983,15 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      'slack_update_message',
      'slack_delete_message',
      'slack_add_reaction',
+      'slack_remove_reaction',
+      'slack_get_channel_info',
+      'slack_get_user_presence',
+      'slack_edit_canvas',
+      'slack_create_channel_canvas',
+      'slack_open_view',
+      'slack_update_view',
+      'slack_push_view',
+      'slack_publish_view',
    ],
    config: {
      tool: (params) => {
@@ -673,6 +1024,24 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
            return 'slack_delete_message'
          case 'react':
            return 'slack_add_reaction'
+          case 'unreact':
+            return 'slack_remove_reaction'
+          case 'get_channel_info':
+            return 'slack_get_channel_info'
+          case 'get_user_presence':
+            return 'slack_get_user_presence'
+          case 'edit_canvas':
+            return 'slack_edit_canvas'
+          case 'create_channel_canvas':
+            return 'slack_create_channel_canvas'
+          case 'open_view':
+            return 'slack_open_view'
+          case 'update_view':
+            return 'slack_update_view'
+          case 'push_view':
+            return 'slack_push_view'
+          case 'publish_view':
+            return 'slack_publish_view'
          default:
            throw new Error(`Invalid Slack operation: ${params.operation}`)
        }
@@ -710,6 +1079,22 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
          getMessageTimestamp,
          getThreadTimestamp,
          threadLimit,
+          includeNumMembers,
+          presenceUserId,
+          editCanvasId,
+          canvasOperation,
+          canvasContent,
+          sectionId,
+          canvasTitle,
+          channelCanvasTitle,
+          channelCanvasContent,
+          viewTriggerId,
+          viewInteractivityPointer,
+          viewId,
+          viewExternalId,
+          viewHash,
+          publishUserId,
+          viewPayload,
          ...rest
        } = params

@@ -820,10 +1205,10 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,

          case 'download': {
            const fileId = (rest as any).fileId
-            const downloadFileName = (rest as any).downloadFileName
+            const fileName = (rest as any).fileName
            baseParams.fileId = fileId
-            if (downloadFileName) {
-              baseParams.fileName = downloadFileName
+            if (fileName) {
+              baseParams.fileName = fileName
            }
            break
          }
@@ -841,9 +1226,78 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
            break

          case 'react':
+          case 'unreact':
            baseParams.timestamp = reactionTimestamp
            baseParams.name = emojiName
            break
+
+          case 'get_channel_info':
+            baseParams.includeNumMembers = includeNumMembers !== 'false'
+            break
+
+          case 'get_user_presence':
+            baseParams.userId = presenceUserId
+            break
+
+          case 'edit_canvas':
+            baseParams.canvasId = editCanvasId
+            baseParams.operation = canvasOperation
+            if (canvasContent) {
+              baseParams.content = canvasContent
+            }
+            if (sectionId) {
+              baseParams.sectionId = sectionId
+            }
+            if (canvasTitle) {
+              baseParams.title = canvasTitle
+            }
+            break
+
+          case 'create_channel_canvas':
+            if (channelCanvasTitle) {
+              baseParams.title = channelCanvasTitle
+            }
+            if (channelCanvasContent) {
+              baseParams.content = channelCanvasContent
+            }
+            break
+
+          case 'open_view':
+            baseParams.triggerId = viewTriggerId
+            if (viewInteractivityPointer) {
+              baseParams.interactivityPointer = viewInteractivityPointer
+            }
+            baseParams.view = viewPayload
+            break
+
+          case 'update_view':
+            if (viewId) {
+              baseParams.viewId = viewId
+            }
+            if (viewExternalId) {
+              baseParams.externalId = viewExternalId
+            }
+            if (viewHash) {
+              baseParams.hash = viewHash
+            }
+            baseParams.view = viewPayload
+            break
+
+          case 'push_view':
+            baseParams.triggerId = viewTriggerId
+            if (viewInteractivityPointer) {
+              baseParams.interactivityPointer = viewInteractivityPointer
+            }
+            baseParams.view = viewPayload
+            break
+
+          case 'publish_view':
+            baseParams.userId = publishUserId
+            if (viewHash) {
+              baseParams.hash = viewHash
+            }
+            baseParams.view = viewPayload
+            break
        }

        return baseParams
@@ -898,6 +1352,36 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      type: 'string',
      description: 'Maximum number of messages to return from thread',
    },
+    // Get Channel Info inputs
+    includeNumMembers: { type: 'string', description: 'Include member count (true/false)' },
+    // Get User Presence inputs
+    presenceUserId: { type: 'string', description: 'User ID to check presence for' },
+    // Edit Canvas inputs
+    editCanvasId: { type: 'string', description: 'Canvas ID to edit' },
+    canvasOperation: { type: 'string', description: 'Canvas edit operation' },
+    canvasContent: { type: 'string', description: 'Markdown content for canvas edit' },
+    sectionId: { type: 'string', description: 'Canvas section ID to target' },
+    canvasTitle: { type: 'string', description: 'New canvas title for rename' },
+    // Create Channel Canvas inputs
+    channelCanvasTitle: { type: 'string', description: 'Title for channel canvas' },
+    channelCanvasContent: { type: 'string', description: 'Content for channel canvas' },
+    // View operation inputs
+    viewTriggerId: { type: 'string', description: 'Trigger ID from interaction payload' },
+    viewInteractivityPointer: {
+      type: 'string',
+      description: 'Alternative to trigger_id for posting to user',
+    },
+    viewId: { type: 'string', description: 'Unique view identifier for update' },
+    viewExternalId: {
+      type: 'string',
+      description: 'Developer-set unique identifier for update (max 255 chars)',
+    },
+    viewHash: { type: 'string', description: 'View state hash for race condition protection' },
+    publishUserId: {
+      type: 'string',
+      description: 'User ID to publish Home tab view to',
+    },
+    viewPayload: { type: 'json', description: 'View payload object with type, title, and blocks' },
  },
  outputs: {
    // slack_message outputs (send operation)
@@ -994,6 +1478,50 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
      description: 'Updated message metadata (legacy, use message object instead)',
    },

+    // slack_get_channel_info outputs (get_channel_info operation)
+    channelInfo: {
+      type: 'json',
+      description:
+        'Detailed channel object with properties: id, name, is_private, is_archived, is_member, num_members, topic, purpose, created, creator',
+    },
+
+    // slack_get_user_presence outputs (get_user_presence operation)
+    presence: {
+      type: 'string',
+      description: 'User presence status: "active" or "away"',
+    },
+    online: {
+      type: 'boolean',
+      description:
+        'Whether user has an active client connection (only available when checking own presence)',
+    },
+    autoAway: {
+      type: 'boolean',
+      description:
+        'Whether user was automatically set to away (only available when checking own presence)',
+    },
+    manualAway: {
+      type: 'boolean',
+      description:
+        'Whether user manually set themselves as away (only available when checking own presence)',
+    },
+    connectionCount: {
+      type: 'number',
+      description: 'Total number of active connections (only available when checking own presence)',
+    },
+    lastActivity: {
+      type: 'number',
+      description:
+        'Unix timestamp of last detected activity (only available when checking own presence)',
+    },
+
+    // View operation outputs (open_view, update_view, push_view, publish_view)
+    view: {
+      type: 'json',
+      description:
+        'View object with properties: id, team_id, type, title, submit, close, blocks, private_metadata, callback_id, external_id, state, hash, clear_on_close, notify_on_close, root_view_id, previous_view_id, app_id, bot_id',
+    },
+
    // Trigger outputs (when used as webhook trigger)
    event_type: { type: 'string', description: 'Type of Slack event that triggered the workflow' },
    channel_name: { type: 'string', description: 'Human-readable channel name' },
--- a/Show More
+++ b/Show More