fix(ci): commit message passed in via env var

fix(variables): boolean type support and input improvements (#2981 )
* fix(variables): boolean type support and input improvements * fix formatting
2026-01-25 06:48:12 -05:00 · 2026-01-24 14:27:54 -08:00 · 2026-01-24 13:52:09 -08:00 · 2026-01-24 13:19:52 -08:00 · 2026-01-24 13:04:06 -08:00 · 2026-01-24 12:45:14 -08:00
290 changed files with 16878 additions and 4291 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,8 +27,9 @@ jobs:
    steps:
      - name: Extract version from commit message
        id: extract
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: |
          COMMIT_MSG="${{ github.event.head_commit.message }}"
          # Only tag versions on main branch
          if [ "${{ github.ref }}" = "refs/heads/main" ] && [[ "$COMMIT_MSG" =~ ^(v[0-9]+\.[0-9]+\.[0-9]+): ]]; then
            VERSION="${BASH_REMATCH[1]}"
--- a/apps/docs/content/docs/en/blocks/loop.mdx
+++ b/apps/docs/content/docs/en/blocks/loop.mdx
@@ -124,11 +124,44 @@ Choose between four types of loops:
 3. Drag other blocks inside the loop container
 4. Connect the blocks as needed
-### Accessing Results
+### Referencing Loop Data
-After a loop completes, you can access aggregated results:
+There's an important distinction between referencing loop data from **inside** vs **outside** the loop:
- **`<loop.results>`**: Array of results from all loop iterations
+<Tabs items={['Inside the Loop', 'Outside the Loop']}>
  <Tab>
    **Inside the loop**, use `<loop.>` references to access the current iteration context:
    - **`<loop.index>`**: Current iteration number (0-based)
    - **`<loop.currentItem>`**: Current item being processed (forEach only)
    - **`<loop.items>`**: Full collection being iterated (forEach only)
    ```
    // Inside a Function block within the loop
    const idx = <loop.index>;           // 0, 1, 2, ...
    const item = <loop.currentItem>;    // Current item
    ```
    <Callout type="info">
      These references are only available for blocks **inside** the loop container. They give you access to the current iteration's context.
    </Callout>
  </Tab>
  <Tab>
    **Outside the loop** (after it completes), reference the loop block by its name to access aggregated results:
    - **`<LoopBlockName.results>`**: Array of results from all iterations
    ```
    // If your loop block is named "Process Items"
    const allResults = <processitems.results>;
    // Returns: [result1, result2, result3, ...]
    ```
    <Callout type="info">
      After the loop completes, use the loop's block name (not `loop.`) to access the collected results. The block name is normalized (lowercase, no spaces).
    </Callout>
  </Tab>
 </Tabs>
 ## Example Use Cases
@@ -184,28 +217,29 @@ Variables (i=0) → Loop (While i<10) → Agent (Process) → Variables (i++)
    </ul>
  </Tab>
  <Tab>
    Available **inside** the loop only:
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>loop.currentItem</strong>: Current item being processed
+        <strong>{"<loop.index>"}</strong>: Current iteration number (0-based)
      </li>
      <li>
-        <strong>loop.index</strong>: Current iteration number (0-based)
+        <strong>{"<loop.currentItem>"}</strong>: Current item being processed (forEach only)
      </li>
      <li>
-        <strong>loop.items</strong>: Full collection (forEach loops)
+        <strong>{"<loop.items>"}</strong>: Full collection (forEach only)
      </li>
    </ul>
  </Tab>
  <Tab>
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>loop.results</strong>: Array of all iteration results
+        <strong>{"<blockname.results>"}</strong>: Array of all iteration results (accessed via block name)
      </li>
      <li>
        <strong>Structure</strong>: Results maintain iteration order
      </li>
      <li>
-        <strong>Access</strong>: Available in blocks after the loop
+        <strong>Access</strong>: Available in blocks after the loop completes
      </li>
    </ul>
  </Tab>
--- a/apps/docs/content/docs/en/blocks/parallel.mdx
+++ b/apps/docs/content/docs/en/blocks/parallel.mdx
@@ -76,11 +76,44 @@ Choose between two types of parallel execution:
 3. Drag a single block inside the parallel container
 4. Connect the block as needed
-### Accessing Results
+### Referencing Parallel Data
-After a parallel block completes, you can access aggregated results:
+There's an important distinction between referencing parallel data from **inside** vs **outside** the parallel block:
- **`<parallel.results>`**: Array of results from all parallel instances
+<Tabs items={['Inside the Parallel', 'Outside the Parallel']}>
  <Tab>
    **Inside the parallel**, use `<parallel.>` references to access the current instance context:
    - **`<parallel.index>`**: Current instance number (0-based)
    - **`<parallel.currentItem>`**: Item for this instance (collection-based only)
    - **`<parallel.items>`**: Full collection being distributed (collection-based only)
    ```
    // Inside a Function block within the parallel
    const idx = <parallel.index>;           // 0, 1, 2, ...
    const item = <parallel.currentItem>;    // This instance's item
    ```
    <Callout type="info">
      These references are only available for blocks **inside** the parallel container. They give you access to the current instance's context.
    </Callout>
  </Tab>
  <Tab>
    **Outside the parallel** (after it completes), reference the parallel block by its name to access aggregated results:
    - **`<ParallelBlockName.results>`**: Array of results from all instances
    ```
    // If your parallel block is named "Process Tasks"
    const allResults = <processtasks.results>;
    // Returns: [result1, result2, result3, ...]
    ```
    <Callout type="info">
      After the parallel completes, use the parallel's block name (not `parallel.`) to access the collected results. The block name is normalized (lowercase, no spaces).
    </Callout>
  </Tab>
 </Tabs>
 ## Example Use Cases
@@ -98,11 +131,11 @@ Parallel (["gpt-4o", "claude-3.7-sonnet", "gemini-2.5-pro"]) → Agent → Evalu
 ### Result Aggregation
-Results from all parallel instances are automatically collected:
+Results from all parallel instances are automatically collected and accessible via the block name:
 ```javascript
-// In a Function block after the parallel
+// In a Function block after a parallel named "Process Tasks"
-const allResults = input.parallel.results;
+const allResults = <processtasks.results>;
 // Returns: [result1, result2, result3, ...]
 ```
@@ -158,25 +191,26 @@ Understanding when to use each:
    </ul>
  </Tab>
  <Tab>
    Available **inside** the parallel only:
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>parallel.currentItem</strong>: Item for this instance
+        <strong>{"<parallel.index>"}</strong>: Instance number (0-based)
      </li>
      <li>
-        <strong>parallel.index</strong>: Instance number (0-based)
+        <strong>{"<parallel.currentItem>"}</strong>: Item for this instance (collection-based only)
      </li>
      <li>
-        <strong>parallel.items</strong>: Full collection (collection-based)
+        <strong>{"<parallel.items>"}</strong>: Full collection (collection-based only)
      </li>
    </ul>
  </Tab>
  <Tab>
    <ul className="list-disc space-y-2 pl-6">
      <li>
-        <strong>parallel.results</strong>: Array of all instance results
+        <strong>{"<blockname.results>"}</strong>: Array of all instance results (accessed via block name)
      </li>
      <li>
-        <strong>Access</strong>: Available in blocks after the parallel
+        <strong>Access</strong>: Available in blocks after the parallel completes
      </li>
    </ul>
  </Tab>
--- a/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
+++ b/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
@@ -59,7 +59,7 @@ export default function StatusIndicator() {
      href={statusUrl}
      target='_blank'
      rel='noopener noreferrer'
-      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
      aria-label={`System status: ${message}`}
    >
      <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />
--- a/apps/sim/app/(landing)/components/hero/components/index.ts
+++ b/apps/sim/app/(landing)/components/hero/components/index.ts
@@ -10,8 +10,8 @@ export { LandingLoopNode } from './landing-canvas/landing-block/landing-loop-nod
 export { LandingNode } from './landing-canvas/landing-block/landing-node'
 export type { LoopBlockProps } from './landing-canvas/landing-block/loop-block'
 export { LoopBlock } from './landing-canvas/landing-block/loop-block'
-export type { TagProps } from './landing-canvas/landing-block/tag'
+export type { SubBlockRowProps, TagProps } from './landing-canvas/landing-block/tag'
-export { Tag } from './landing-canvas/landing-block/tag'
+export { SubBlockRow, Tag } from './landing-canvas/landing-block/tag'
 export type {
  LandingBlockNode,
  LandingCanvasProps,
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block.tsx
@@ -1,12 +1,12 @@
 import React from 'react'
 import { BookIcon } from 'lucide-react'
 import {
-  Tag,
+  SubBlockRow,
-  type TagProps,
+  type SubBlockRowProps,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/tag'
 /**
 * Data structure for a landing card component
 * Matches the workflow block structure from the application
 */
 export interface LandingCardData {
  /** Icon element to display in the card header */
@@ -15,8 +15,8 @@ export interface LandingCardData {
  color: string | '#f6f6f6'
  /** Name/title of the card */
  name: string
-  /** Optional tags to display at the bottom of the card */
+  /** Optional subblock rows to display below the header */
-  tags?: TagProps[]
+  tags?: SubBlockRowProps[]
 }
 /**
@@ -28,7 +28,8 @@ export interface LandingBlockProps extends LandingCardData {
 }
 /**
- * Landing block component that displays a card with icon, name, and optional tags
+ * Landing block component that displays a card with icon, name, and optional subblock rows
 * Styled to match the application's workflow blocks
 * @param props - Component properties including icon, color, name, tags, and className
 * @returns A styled block card component
 */
@@ -39,33 +40,37 @@ export const LandingBlock = React.memo(function LandingBlock({
  tags,
  className,
 }: LandingBlockProps) {
  const hasContentBelowHeader = tags && tags.length > 0
  return (
    <div
-      className={`z-10 flex w-64 flex-col items-start gap-3 rounded-[14px] border border-[#E5E5E5] bg-[#FEFEFE] p-3 ${className ?? ''}`}
+      className={`z-10 flex w-[250px] flex-col rounded-[8px] border border-[#E5E5E5] bg-white ${className ?? ''}`}
      style={{
        boxShadow: '0 1px 2px 0 rgba(0, 0, 0, 0.05)',
      }}
    >
-      <div className='flex w-full items-center justify-between'>
+      {/* Header - matches workflow-block.tsx header styling */}
        <div className='flex items-center gap-2.5'>
      <div
-            className='flex h-6 w-6 items-center justify-center rounded-[8px] text-white'
+        className={`flex items-center justify-between p-[8px] ${hasContentBelowHeader ? 'border-[#E5E5E5] border-b' : ''}`}
-            style={{ backgroundColor: color as string }}
+      >
        <div className='flex min-w-0 flex-1 items-center gap-[10px]'>
          <div
            className='flex h-[24px] w-[24px] flex-shrink-0 items-center justify-center rounded-[6px]'
            style={{ background: color as string }}
          >
            {icon}
          </div>
-          <p className='text-base text-card-foreground'>{name}</p>
+          <span className='truncate font-medium text-[#171717] text-[16px]' title={name}>
            {name}
          </span>
        </div>
        <BookIcon className='h-4 w-4 text-muted-foreground' />
      </div>
-      {tags && tags.length > 0 ? (
+      {/* Content - SubBlock Rows matching workflow-block.tsx */}
-        <div className='flex flex-wrap gap-2'>
+      {hasContentBelowHeader && (
        <div className='flex flex-col gap-[8px] p-[8px]'>
          {tags.map((tag) => (
-            <Tag key={tag.label} icon={tag.icon} label={tag.label} />
+            <SubBlockRow key={tag.label} icon={tag.icon} label={tag.label} />
          ))}
        </div>
-      ) : null}
+      )}
    </div>
  )
 })
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx
@@ -7,9 +7,14 @@ import {
  type LandingCardData,
 } from '@/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-block'
 /**
 * Handle Y offset from block top - matches HANDLE_POSITIONS.DEFAULT_Y_OFFSET
 */
 const HANDLE_Y_OFFSET = 20
 /**
 * React Flow node component for the landing canvas
- * Includes CSS animations and connection handles
+ * Styled to match the application's workflow blocks
 * @param props - Component properties containing node data
 * @returns A React Flow compatible node component
 */
@@ -41,15 +46,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
          type='target'
          position={Position.Left}
          style={{
-            width: '12px',
+            width: '7px',
-            height: '12px',
+            height: '20px',
-            background: '#FEFEFE',
+            background: '#D1D1D1',
-            border: '1px solid #E5E5E5',
+            border: 'none',
-            borderRadius: '50%',
+            borderRadius: '2px 0 0 2px',
-            top: '50%',
+            top: `${HANDLE_Y_OFFSET}px`,
-            left: '-20px',
+            left: '-7px',
            transform: 'translateY(-50%)',
-            zIndex: 2,
+            zIndex: 10,
          }}
          isConnectable={false}
        />
@@ -59,15 +64,15 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
          type='source'
          position={Position.Right}
          style={{
-            width: '12px',
+            width: '7px',
-            height: '12px',
+            height: '20px',
-            background: '#FEFEFE',
+            background: '#D1D1D1',
-            border: '1px solid #E5E5E5',
+            border: 'none',
-            borderRadius: '50%',
+            borderRadius: '0 2px 2px 0',
-            top: '50%',
+            top: `${HANDLE_Y_OFFSET}px`,
-            right: '-20px',
+            right: '-7px',
            transform: 'translateY(-50%)',
-            zIndex: 2,
+            zIndex: 10,
          }}
          isConnectable={false}
        />
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/loop-block.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/loop-block.tsx
@@ -15,6 +15,7 @@ export interface LoopBlockProps {
 /**
 * Loop block container component that provides a styled container
 * for grouping related elements with a dashed border
 * Styled to match the application's subflow containers
 * @param props - Component properties including children and styling
 * @returns A styled loop container component
 */
@@ -29,33 +30,33 @@ export const LoopBlock = React.memo(function LoopBlock({
      style={{
        width: '1198px',
        height: '528px',
-        borderRadius: '14px',
+        borderRadius: '8px',
-        background: 'rgba(59, 130, 246, 0.10)',
+        background: 'rgba(59, 130, 246, 0.08)',
        position: 'relative',
        ...style,
      }}
    >
-      {/* Custom dashed border with SVG */}
+      {/* Custom dashed border with SVG - 8px border radius to match blocks */}
      <svg
        className='pointer-events-none absolute inset-0 h-full w-full'
-        style={{ borderRadius: '14px' }}
+        style={{ borderRadius: '8px' }}
        preserveAspectRatio='none'
      >
        <path
          className='landing-loop-animated-dash'
-          d='M 1183.5 527.5 
+          d='M 1190 527.5 
-             L 14 527.5 
+             L 8 527.5 
-             A 13.5 13.5 0 0 1 0.5 514 
+             A 7.5 7.5 0 0 1 0.5 520 
-             L 0.5 14 
+             L 0.5 8 
-             A 13.5 13.5 0 0 1 14 0.5 
+             A 7.5 7.5 0 0 1 8 0.5 
-             L 1183.5 0.5 
+             L 1190 0.5 
-             A 13.5 13.5 0 0 1 1197 14 
+             A 7.5 7.5 0 0 1 1197.5 8 
-             L 1197 514 
+             L 1197.5 520 
-             A 13.5 13.5 0 0 1 1183.5 527.5 Z'
+             A 7.5 7.5 0 0 1 1190 527.5 Z'
          fill='none'
          stroke='#3B82F6'
          strokeWidth='1'
-          strokeDasharray='12 12'
+          strokeDasharray='8 8'
          strokeLinecap='round'
        />
      </svg>
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/tag.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/tag.tsx
@@ -1,25 +1,52 @@
 import React from 'react'
 /**
- * Properties for a tag component
+ * Properties for a subblock row component
 * Matches the SubBlockRow pattern from workflow-block.tsx
 */
-export interface TagProps {
+export interface SubBlockRowProps {
-  /** Icon element to display in the tag */
+  /** Icon element to display (optional, for visual context) */
-  icon: React.ReactNode
+  icon?: React.ReactNode
-  /** Text label for the tag */
+  /** Text label for the row title */
  label: string
  /** Optional value to display on the right side */
  value?: string
 }
 /**
- * Tag component for displaying labeled icons in a compact format
+ * Kept for backwards compatibility
 * @param props - Tag properties including icon and label
 * @returns A styled tag component
 */
-export const Tag = React.memo(function Tag({ icon, label }: TagProps) {
+export type TagProps = SubBlockRowProps
 /**
 * SubBlockRow component matching the workflow block's subblock row style
 * @param props - Row properties including label and optional value
 * @returns A styled row component
 */
 export const SubBlockRow = React.memo(function SubBlockRow({ label, value }: SubBlockRowProps) {
  // Split label by colon to separate title and value if present
  const [title, displayValue] = label.includes(':')
    ? label.split(':').map((s) => s.trim())
    : [label, value]
  return (
-    <div className='flex w-fit items-center gap-1 rounded-[8px] border border-gray-300 bg-white px-2 py-0.5'>
+    <div className='flex items-center gap-[8px]'>
-      <div className='h-3 w-3 text-muted-foreground'>{icon}</div>
+      <span className='min-w-0 truncate text-[#888888] text-[14px] capitalize' title={title}>
-      <p className='text-muted-foreground text-xs leading-normal'>{label}</p>
+        {title}
      </span>
      {displayValue && (
        <span
          className='flex-1 truncate text-right text-[#171717] text-[14px]'
          title={displayValue}
        >
          {displayValue}
        </span>
      )}
    </div>
  )
 })
 /**
 * Tag component - alias for SubBlockRow for backwards compatibility
 */
 export const Tag = SubBlockRow
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-canvas.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-canvas.tsx
@@ -9,9 +9,10 @@ import { LandingFlow } from '@/app/(landing)/components/hero/components/landing-
 /**
 * Visual constants for landing node dimensions
 * Matches BLOCK_DIMENSIONS from the application
 */
-export const CARD_WIDTH = 256
+export const CARD_WIDTH = 250
-export const CARD_HEIGHT = 92
+export const CARD_HEIGHT = 100
 /**
 * Landing block node with positioning information
--- a/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx
+++ b/apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx
@@ -4,33 +4,29 @@ import React from 'react'
 import { type EdgeProps, getSmoothStepPath, Position } from 'reactflow'
 /**
- * Custom edge component with animated dotted line that floats between handles
+ * Custom edge component with animated dashed line
 * Styled to match the application's workflow edges with rectangular handles
 * @param props - React Flow edge properties
- * @returns An animated dotted edge component
+ * @returns An animated dashed edge component
 */
 export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
-  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style, data } =
+  const { id, sourceX, sourceY, targetX, targetY, sourcePosition, targetPosition, style } = props
    props
-  // Adjust the connection points to create floating effect
+  // Adjust the connection points to connect flush with rectangular handles
-  // Account for handle size (12px) and additional spacing
+  // Handle width is 7px, positioned at -7px from edge
  const handleRadius = 6 // Half of handle width (12px)
  const floatingGap = 1 // Additional gap for floating effect
  // Calculate adjusted positions based on edge direction
  let adjustedSourceX = sourceX
  let adjustedTargetX = targetX
  if (sourcePosition === Position.Right) {
-    adjustedSourceX = sourceX + handleRadius + floatingGap
+    adjustedSourceX = sourceX + 1
  } else if (sourcePosition === Position.Left) {
-    adjustedSourceX = sourceX - handleRadius - floatingGap
+    adjustedSourceX = sourceX - 1
  }
  if (targetPosition === Position.Left) {
-    adjustedTargetX = targetX - handleRadius - floatingGap
+    adjustedTargetX = targetX - 1
  } else if (targetPosition === Position.Right) {
-    adjustedTargetX = targetX + handleRadius + floatingGap
+    adjustedTargetX = targetX + 1
  }
  const [path] = getSmoothStepPath({
@@ -40,8 +36,8 @@ export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
    targetY,
    sourcePosition,
    targetPosition,
-    borderRadius: 20,
+    borderRadius: 8,
-    offset: 10,
+    offset: 16,
  })
  return (
--- a/apps/sim/app/(landing)/components/hero/hero.tsx
+++ b/apps/sim/app/(landing)/components/hero/hero.tsx
@@ -1,16 +1,7 @@
 'use client'
 import React from 'react'
-import {
+import { ArrowUp, CodeIcon } from 'lucide-react'
  ArrowUp,
  BinaryIcon,
  BookIcon,
  CalendarIcon,
  CodeIcon,
  Globe2Icon,
  MessageSquareIcon,
  VariableIcon,
 } from 'lucide-react'
 import { useRouter } from 'next/navigation'
 import { type Edge, type Node, Position } from 'reactflow'
 import {
@@ -23,7 +14,6 @@ import {
  JiraIcon,
  LinearIcon,
  NotionIcon,
  OpenAIIcon,
  OutlookIcon,
  PackageSearchIcon,
  PineconeIcon,
@@ -65,67 +55,56 @@ const SERVICE_TEMPLATES = {
 /**
 * Landing blocks for the canvas preview
 * Styled to match the application's workflow blocks with subblock rows
 */
 const LANDING_BLOCKS: LandingManualBlock[] = [
  {
    id: 'schedule',
    name: 'Schedule',
    color: '#7B68EE',
-    icon: <ScheduleIcon className='h-4 w-4' />,
+    icon: <ScheduleIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 8, y: 60 },
      tablet: { x: 40, y: 120 },
      desktop: { x: 60, y: 180 },
    },
-    tags: [
+    tags: [{ label: 'Time: 09:00AM Daily' }, { label: 'Timezone: PST' }],
      { icon: <CalendarIcon className='h-3 w-3' />, label: '09:00AM Daily' },
      { icon: <Globe2Icon className='h-3 w-3' />, label: 'PST' },
    ],
  },
  {
    id: 'knowledge',
    name: 'Knowledge',
    color: '#00B0B0',
-    icon: <PackageSearchIcon className='h-4 w-4' />,
+    icon: <PackageSearchIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 120, y: 140 },
      tablet: { x: 220, y: 200 },
      desktop: { x: 420, y: 241 },
    },
-    tags: [
+    tags: [{ label: 'Source: Product Vector DB' }, { label: 'Limit: 10' }],
      { icon: <BookIcon className='h-3 w-3' />, label: 'Product Vector DB' },
      { icon: <BinaryIcon className='h-3 w-3' />, label: 'Limit: 10' },
    ],
  },
  {
    id: 'agent',
    name: 'Agent',
    color: '#802FFF',
-    icon: <AgentIcon className='h-4 w-4' />,
+    icon: <AgentIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 340, y: 60 },
      tablet: { x: 540, y: 120 },
      desktop: { x: 880, y: 142 },
    },
-    tags: [
+    tags: [{ label: 'Model: gpt-5' }, { label: 'Prompt: You are a support ag...' }],
      { icon: <OpenAIIcon className='h-3 w-3' />, label: 'gpt-5' },
      { icon: <MessageSquareIcon className='h-3 w-3' />, label: 'You are a support ag...' },
    ],
  },
  {
    id: 'function',
    name: 'Function',
    color: '#FF402F',
-    icon: <CodeIcon className='h-4 w-4' />,
+    icon: <CodeIcon className='h-[16px] w-[16px] text-white' />,
    positions: {
      mobile: { x: 480, y: 220 },
      tablet: { x: 740, y: 280 },
      desktop: { x: 880, y: 340 },
    },
-    tags: [
+    tags: [{ label: 'Language: Python' }, { label: 'Code: time = "2025-09-01...' }],
      { icon: <CodeIcon className='h-3 w-3' />, label: 'Python' },
      { icon: <VariableIcon className='h-3 w-3' />, label: 'time = "2025-09-01...' },
    ],
  },
 ]
--- a/apps/sim/app/(landing)/components/landing-pricing/landing-pricing.tsx
+++ b/apps/sim/app/(landing)/components/landing-pricing/landing-pricing.tsx
@@ -229,7 +229,7 @@ function PricingCard({
 */
 export default function LandingPricing() {
  return (
-    <section id='pricing' className='px-4 pt-[19px] sm:px-0 sm:pt-0' aria-label='Pricing plans'>
+    <section id='pricing' className='px-4 pt-[23px] sm:px-0 sm:pt-[4px]' aria-label='Pricing plans'>
      <h2 className='sr-only'>Pricing Plans</h2>
      <div className='relative mx-auto w-full max-w-[1289px]'>
        <div className='grid grid-cols-1 gap-4 sm:grid-cols-2 sm:gap-0 lg:grid-cols-4'>
--- a/apps/sim/app/(landing)/components/nav/nav.tsx
+++ b/apps/sim/app/(landing)/components/nav/nav.tsx
@@ -21,7 +21,7 @@ interface NavProps {
 }
 export default function Nav({ hideAuthButtons = false, variant = 'landing' }: NavProps = {}) {
-  const [githubStars, setGithubStars] = useState('25.8k')
+  const [githubStars, setGithubStars] = useState('26.1k')
  const [isHovered, setIsHovered] = useState(false)
  const [isLoginHovered, setIsLoginHovered] = useState(false)
  const router = useRouter()
--- a/apps/sim/app/(landing)/studio/[slug]/back-link.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/back-link.tsx
@@ -0,0 +1,27 @@
 'use client'
 import { useState } from 'react'
 import { ArrowLeft, ChevronLeft } from 'lucide-react'
 import Link from 'next/link'
 export function BackLink() {
  const [isHovered, setIsHovered] = useState(false)
  return (
    <Link
      href='/studio'
      className='group flex items-center gap-1 text-gray-600 text-sm hover:text-gray-900'
      onMouseEnter={() => setIsHovered(true)}
      onMouseLeave={() => setIsHovered(false)}
    >
      <span className='group-hover:-translate-x-0.5 inline-flex transition-transform duration-200'>
        {isHovered ? (
          <ArrowLeft className='h-4 w-4' aria-hidden='true' />
        ) : (
          <ChevronLeft className='h-4 w-4' aria-hidden='true' />
        )}
      </span>
      Back to Sim Studio
    </Link>
  )
 }
--- a/apps/sim/app/(landing)/studio/[slug]/page.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/page.tsx
@@ -5,7 +5,10 @@ import { Avatar, AvatarFallback, AvatarImage } from '@/components/emcn'
 import { FAQ } from '@/lib/blog/faq'
 import { getAllPostMeta, getPostBySlug, getRelatedPosts } from '@/lib/blog/registry'
 import { buildArticleJsonLd, buildBreadcrumbJsonLd, buildPostMetadata } from '@/lib/blog/seo'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { BackLink } from '@/app/(landing)/studio/[slug]/back-link'
 import { ShareButton } from '@/app/(landing)/studio/[slug]/share-button'
 export async function generateStaticParams() {
  const posts = await getAllPostMeta()
@@ -48,9 +51,7 @@ export default async function Page({ params }: { params: Promise<{ slug: string
      />
      <header className='mx-auto max-w-[1450px] px-6 pt-8 sm:px-8 sm:pt-12 md:px-12 md:pt-16'>
        <div className='mb-6'>
-          <Link href='/studio' className='text-gray-600 text-sm hover:text-gray-900'>
+          <BackLink />
            ← Back to Sim Studio
          </Link>
        </div>
        <div className='flex flex-col gap-8 md:flex-row md:gap-12'>
          <div className='w-full flex-shrink-0 md:w-[450px]'>
@@ -75,7 +76,8 @@ export default async function Page({ params }: { params: Promise<{ slug: string
            >
              {post.title}
            </h1>
-            <div className='mt-4 flex items-center gap-3'>
+            <div className='mt-4 flex items-center justify-between'>
              <div className='flex items-center gap-3'>
                {(post.authors || [post.author]).map((a, idx) => (
                  <div key={idx} className='flex items-center gap-2'>
                    {a?.avatarUrl ? (
@@ -98,6 +100,8 @@ export default async function Page({ params }: { params: Promise<{ slug: string
                  </div>
                ))}
              </div>
              <ShareButton url={`${getBaseUrl()}/studio/${slug}`} title={post.title} />
            </div>
          </div>
        </div>
        <hr className='mt-8 border-gray-200 border-t sm:mt-12' />
--- a/apps/sim/app/(landing)/studio/[slug]/share-button.tsx
+++ b/apps/sim/app/(landing)/studio/[slug]/share-button.tsx
@@ -0,0 +1,65 @@
 'use client'
 import { useState } from 'react'
 import { Share2 } from 'lucide-react'
 import { Popover, PopoverContent, PopoverItem, PopoverTrigger } from '@/components/emcn'
 interface ShareButtonProps {
  url: string
  title: string
 }
 export function ShareButton({ url, title }: ShareButtonProps) {
  const [open, setOpen] = useState(false)
  const [copied, setCopied] = useState(false)
  const handleCopyLink = async () => {
    try {
      await navigator.clipboard.writeText(url)
      setCopied(true)
      setTimeout(() => {
        setCopied(false)
        setOpen(false)
      }, 1000)
    } catch {
      setOpen(false)
    }
  }
  const handleShareTwitter = () => {
    const tweetUrl = `https://twitter.com/intent/tweet?url=${encodeURIComponent(url)}&text=${encodeURIComponent(title)}`
    window.open(tweetUrl, '_blank', 'noopener,noreferrer')
    setOpen(false)
  }
  const handleShareLinkedIn = () => {
    const linkedInUrl = `https://www.linkedin.com/sharing/share-offsite/?url=${encodeURIComponent(url)}`
    window.open(linkedInUrl, '_blank', 'noopener,noreferrer')
    setOpen(false)
  }
  return (
    <Popover
      open={open}
      onOpenChange={setOpen}
      variant='secondary'
      size='sm'
      colorScheme='inverted'
    >
      <PopoverTrigger asChild>
        <button
          className='flex items-center gap-1.5 text-gray-600 text-sm hover:text-gray-900'
          aria-label='Share this post'
        >
          <Share2 className='h-4 w-4' />
          <span>Share</span>
        </button>
      </PopoverTrigger>
      <PopoverContent align='end' minWidth={140}>
        <PopoverItem onClick={handleCopyLink}>{copied ? 'Copied!' : 'Copy link'}</PopoverItem>
        <PopoverItem onClick={handleShareTwitter}>Share on X</PopoverItem>
        <PopoverItem onClick={handleShareLinkedIn}>Share on LinkedIn</PopoverItem>
      </PopoverContent>
    </Popover>
  )
 }
--- a/apps/sim/app/(landing)/studio/page.tsx
+++ b/apps/sim/app/(landing)/studio/page.tsx
@@ -22,7 +22,7 @@ export default async function StudioIndex({
      ? filtered.sort((a, b) => {
          if (a.featured && !b.featured) return -1
          if (!a.featured && b.featured) return 1
-          return 0
+          return new Date(b.date).getTime() - new Date(a.date).getTime()
        })
      : filtered
--- a/apps/sim/app/api/a2a/agents/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/agents/[agentId]/route.ts
@@ -8,6 +8,7 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('A2AAgentCardAPI')
@@ -95,6 +96,11 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }
    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const body = await request.json()
    if (
@@ -160,6 +166,11 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }
    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))
    logger.info(`Deleted A2A agent: ${agentId}`)
@@ -194,6 +205,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }
    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
    if (!workspaceAccess.canWrite) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }
    const body = await request.json()
    const action = body.action as 'publish' | 'unpublish' | 'refresh'
--- a/apps/sim/app/api/a2a/serve/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/serve/[agentId]/route.ts
@@ -16,6 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
 import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1118,17 +1119,13 @@ async function handlePushNotificationSet(
    )
  }
-  try {
+  const urlValidation = validateExternalUrl(
-    const url = new URL(params.pushNotificationConfig.url)
+    params.pushNotificationConfig.url,
-    if (url.protocol !== 'https:') {
+    'Push notification URL'
      return NextResponse.json(
        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
        { status: 400 }
  )
-    }
+  if (!urlValidation.isValid) {
  } catch {
    return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
      { status: 400 }
    )
  }
--- a/apps/sim/app/api/copilot/execute-tool/route.ts
+++ b/apps/sim/app/api/copilot/execute-tool/route.ts
@@ -104,17 +104,11 @@ export async function POST(req: NextRequest) {
    })
    // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments
+    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
    const executionParams: Record<string, any> = resolveEnvVarReferences(
      toolArgs,
      decryptedEnvVars,
-      {
+      { deep: true }
        resolveExactMatch: true,
        allowEmbedded: true,
        trimKeys: true,
        onMissing: 'keep',
        deep: true,
      }
    ) as Record<string, any>
    logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -84,6 +84,14 @@ vi.mock('@/lib/execution/isolated-vm', () => ({
 vi.mock('@sim/logger', () => loggerMock)
 vi.mock('@/lib/auth/hybrid', () => ({
  checkInternalAuth: vi.fn().mockResolvedValue({
    success: true,
    userId: 'user-123',
    authType: 'internal_jwt',
  }),
 }))
 vi.mock('@/lib/execution/e2b', () => ({
  executeInE2B: vi.fn(),
 }))
@@ -110,6 +118,24 @@ describe('Function Execute API Route', () => {
  })
  describe('Security Tests', () => {
    it('should reject unauthorized requests', async () => {
      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
        success: false,
        error: 'Unauthorized',
      })
      const req = createMockRequest('POST', {
        code: 'return "test"',
      })
      const response = await POST(req)
      const data = await response.json()
      expect(response.status).toBe(401)
      expect(data).toHaveProperty('error', 'Unauthorized')
    })
    it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
      const req = createMockRequest('POST', {
        code: 'return "test"',
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -581,6 +582,12 @@ export async function POST(req: NextRequest) {
  let resolvedCode = '' // Store resolved code for error reporting
  try {
    const auth = await checkInternalAuth(req)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await req.json()
    const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')
--- a/apps/sim/app/api/knowledge/[id]/documents/route.test.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/route.test.ts
@@ -157,7 +157,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: false,
+          enabledFilter: undefined,
          search: undefined,
          limit: 50,
          offset: 0,
@@ -166,7 +166,7 @@ describe('Knowledge Base Documents API Route', () => {
      )
    })
-    it('should filter disabled documents by default', async () => {
+    it('should return documents with default filter', async () => {
      const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
      const { getDocuments } = await import('@/lib/knowledge/documents/service')
@@ -194,7 +194,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: false,
+          enabledFilter: undefined,
          search: undefined,
          limit: 50,
          offset: 0,
@@ -203,7 +203,7 @@ describe('Knowledge Base Documents API Route', () => {
      )
    })
-    it('should include disabled documents when requested', async () => {
+    it('should filter documents by enabled status when requested', async () => {
      const { checkKnowledgeBaseAccess } = await import('@/app/api/knowledge/utils')
      const { getDocuments } = await import('@/lib/knowledge/documents/service')
@@ -223,7 +223,7 @@ describe('Knowledge Base Documents API Route', () => {
        },
      })
-      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?includeDisabled=true'
+      const url = 'http://localhost:3000/api/knowledge/kb-123/documents?enabledFilter=disabled'
      const req = new Request(url, { method: 'GET' }) as any
      const { GET } = await import('@/app/api/knowledge/[id]/documents/route')
@@ -233,7 +233,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(getDocuments)).toHaveBeenCalledWith(
        'kb-123',
        {
-          includeDisabled: true,
+          enabledFilter: 'disabled',
          search: undefined,
          limit: 50,
          offset: 0,
@@ -361,8 +361,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(createSingleDocument)).toHaveBeenCalledWith(
        validDocumentData,
        'kb-123',
-        expect.any(String),
+        expect.any(String)
        'user-123'
      )
    })
@@ -470,8 +469,7 @@ describe('Knowledge Base Documents API Route', () => {
      expect(vi.mocked(createDocumentRecords)).toHaveBeenCalledWith(
        validBulkData.documents,
        'kb-123',
-        expect.any(String),
+        expect.any(String)
        'user-123'
      )
      expect(vi.mocked(processDocumentsWithQueue)).toHaveBeenCalled()
    })
--- a/apps/sim/app/api/knowledge/[id]/documents/route.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/route.ts
@@ -5,6 +5,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
  bulkDocumentOperation,
  bulkDocumentOperationByFilter,
  createDocumentRecords,
  createSingleDocument,
  getDocuments,
@@ -57,12 +58,19 @@ const BulkCreateDocumentsSchema = z.object({
  bulk: z.literal(true),
 })
-const BulkUpdateDocumentsSchema = z.object({
+const BulkUpdateDocumentsSchema = z
  .object({
    operation: z.enum(['enable', 'disable', 'delete']),
    documentIds: z
      .array(z.string())
      .min(1, 'At least one document ID is required')
-    .max(100, 'Cannot operate on more than 100 documents at once'),
+      .max(100, 'Cannot operate on more than 100 documents at once')
      .optional(),
    selectAll: z.boolean().optional(),
    enabledFilter: z.enum(['all', 'enabled', 'disabled']).optional(),
  })
  .refine((data) => data.selectAll || (data.documentIds && data.documentIds.length > 0), {
    message: 'Either selectAll must be true or documentIds must be provided',
  })
 export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
@@ -90,14 +98,17 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
    }
    const url = new URL(req.url)
-    const includeDisabled = url.searchParams.get('includeDisabled') === 'true'
+    const enabledFilter = url.searchParams.get('enabledFilter') as
      | 'all'
      | 'enabled'
      | 'disabled'
      | null
    const search = url.searchParams.get('search') || undefined
    const limit = Number.parseInt(url.searchParams.get('limit') || '50')
    const offset = Number.parseInt(url.searchParams.get('offset') || '0')
    const sortByParam = url.searchParams.get('sortBy')
    const sortOrderParam = url.searchParams.get('sortOrder')
    // Validate sort parameters
    const validSortFields: DocumentSortField[] = [
      'filename',
      'fileSize',
@@ -105,6 +116,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
      'chunkCount',
      'uploadedAt',
      'processingStatus',
      'enabled',
    ]
    const validSortOrders: SortOrder[] = ['asc', 'desc']
@@ -120,7 +132,7 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
    const result = await getDocuments(
      knowledgeBaseId,
      {
-        includeDisabled,
+        enabledFilter: enabledFilter || undefined,
        search,
        limit,
        offset,
@@ -190,8 +202,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        const createdDocuments = await createDocumentRecords(
          validatedData.documents,
          knowledgeBaseId,
-          requestId,
+          requestId
          userId
        )
        logger.info(
@@ -250,16 +261,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        throw validationError
      }
    } else {
      // Handle single document creation
      try {
        const validatedData = CreateDocumentSchema.parse(body)
-        const newDocument = await createSingleDocument(
+        const newDocument = await createSingleDocument(validatedData, knowledgeBaseId, requestId)
          validatedData,
          knowledgeBaseId,
          requestId,
          userId
        )
        try {
          const { PlatformEvents } = await import('@/lib/core/telemetry')
@@ -294,7 +299,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
  } catch (error) {
    logger.error(`[${requestId}] Error creating document`, error)
    // Check if it's a storage limit error
    const errorMessage = error instanceof Error ? error.message : 'Failed to create document'
    const isStorageLimitError =
      errorMessage.includes('Storage limit exceeded') || errorMessage.includes('storage limit')
@@ -331,16 +335,22 @@ export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id
    try {
      const validatedData = BulkUpdateDocumentsSchema.parse(body)
-      const { operation, documentIds } = validatedData
+      const { operation, documentIds, selectAll, enabledFilter } = validatedData
      try {
-        const result = await bulkDocumentOperation(
+        let result
        if (selectAll) {
          result = await bulkDocumentOperationByFilter(
            knowledgeBaseId,
            operation,
-          documentIds,
+            enabledFilter,
-          requestId,
+            requestId
          session.user.id
          )
        } else if (documentIds && documentIds.length > 0) {
          result = await bulkDocumentOperation(knowledgeBaseId, operation, documentIds, requestId)
        } else {
          return NextResponse.json({ error: 'No documents specified' }, { status: 400 })
        }
        return NextResponse.json({
          success: true,
--- a/apps/sim/app/api/mcp/servers/test-connection/route.ts
+++ b/apps/sim/app/api/mcp/servers/test-connection/route.ts
@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
 import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 const logger = createLogger('McpServerTestAPI')
@@ -19,30 +18,6 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
  return transport === 'streamable-http'
 }
 /**
 * Resolve environment variables in strings
 */
 function resolveEnvVars(value: string, envVars: Record<string, string>): string {
  const missingVars: string[] = []
  const resolvedValue = resolveEnvVarReferences(value, envVars, {
    allowEmbedded: true,
    resolveExactMatch: true,
    trimKeys: true,
    onMissing: 'keep',
    deep: false,
    missingKeys: missingVars,
  }) as string
  if (missingVars.length > 0) {
    const uniqueMissing = Array.from(new Set(missingVars))
    uniqueMissing.forEach((envKey) => {
      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
    })
  }
  return resolvedValue
 }
 interface TestConnectionRequest {
  name: string
  transport: McpTransport
@@ -96,39 +71,30 @@ export const POST = withMcpAuth('write')(
        )
      }
-      let resolvedUrl = body.url
+      // Build initial config for resolution
-      let resolvedHeaders = body.headers || {}
+      const initialConfig = {
      try {
        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
        if (resolvedUrl) {
          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
        }
        const resolvedHeadersObj: Record<string, string> = {}
        for (const [key, value] of Object.entries(resolvedHeaders)) {
          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
        }
        resolvedHeaders = resolvedHeadersObj
      } catch (envError) {
        logger.warn(
          `[${requestId}] Failed to resolve environment variables, using raw values:`,
          envError
        )
      }
      const testConfig: McpServerConfig = {
        id: `test-${requestId}`,
        name: body.name,
        transport: body.transport,
-        url: resolvedUrl,
+        url: body.url,
-        headers: resolvedHeaders,
+        headers: body.headers || {},
        timeout: body.timeout || 10000,
        retries: 1, // Only one retry for tests
        enabled: true,
      }
      // Resolve env vars using shared utility (non-strict mode for testing)
      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
        initialConfig,
        userId,
        workspaceId,
        { strict: false }
      )
      if (missingVars.length > 0) {
        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
      }
      const testSecurityPolicy = {
        requireConsent: false,
        auditLevel: 'none' as const,
--- a/apps/sim/app/api/providers/route.ts
+++ b/apps/sim/app/api/providers/route.ts
@@ -3,7 +3,9 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -20,6 +22,11 @@ export async function POST(request: NextRequest) {
  const startTime = Date.now()
  try {
    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    logger.info(`[${requestId}] Provider API request started`, {
      timestamp: new Date().toISOString(),
      userAgent: request.headers.get('User-Agent'),
@@ -85,6 +92,13 @@ export async function POST(request: NextRequest) {
      verbosity,
    })
    if (workspaceId) {
      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
      if (!workspaceAccess.hasAccess) {
        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
      }
    }
    let finalApiKey: string | undefined = apiKey
    try {
      if (provider === 'vertex' && vertexCredential) {
--- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -39,6 +40,18 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = A2ASetPushNotificationSchema.parse(body)
    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
    if (!urlValidation.isValid) {
      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
      return NextResponse.json(
        {
          success: false,
          error: urlValidation.error,
        },
        { status: 400 }
      )
    }
    logger.info(`[${requestId}] A2A set push notification request`, {
      agentUrl: validatedData.agentUrl,
      taskId: validatedData.taskId,
--- a/apps/sim/app/api/tools/custom/route.test.ts
+++ b/apps/sim/app/api/tools/custom/route.test.ts
@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
    }))
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'user-123',
        authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
      )
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
  describe('POST /api/tools/custom', () => {
    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {
    it('should prevent unauthorized deletion of user-scoped tool', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: true,
          userId: 'user-456',
          authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {
    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkHybridAuth: vi.fn().mockResolvedValue({
+        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
--- a/apps/sim/app/api/tools/custom/route.ts
+++ b/apps/sim/app/api/tools/custom/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
  const workflowId = searchParams.get('workflowId')
  try {
-    // Use hybrid auth to support session, API key, and internal JWT
+    // Use session/internal auth to support session and internal JWT (no API key access)
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
    }
    // Check workspace permissions
-    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
+    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
-    // For session/API key: verify user has access to the workspace
+    // For session: verify user has access to the workspace
    // For legacy (no workspaceId): skip workspace check, rely on userId match
    if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
      const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
  const requestId = generateRequestId()
  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
+    // Use session/internal auth (no API key access)
-    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
  }
  try {
-    // Use hybrid auth (though this endpoint is only called from UI)
+    // Use session/internal auth (no API key access)
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/add-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/add-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/archive/route.ts
+++ b/apps/sim/app/api/tools/gmail/archive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/delete/route.ts
+++ b/apps/sim/app/api/tools/gmail/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/draft/route.ts
+++ b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-read/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/move/route.ts
+++ b/apps/sim/app/api/tools/gmail/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/remove-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/remove-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/send/route.ts
+++ b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/unarchive/route.ts
+++ b/apps/sim/app/api/tools/gmail/unarchive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/google_drive/upload/route.ts
+++ b/apps/sim/app/api/tools/google_drive/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/image/route.ts
+++ b/apps/sim/app/api/tools/image/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
  const imageUrl = url.searchParams.get('url')
  const requestId = generateRequestId()
-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
  if (!authResult.success) {
    logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
    return new NextResponse('Unauthorized', { status: 401 })
--- a/apps/sim/app/api/tools/mail/send/route.ts
+++ b/apps/sim/app/api/tools/mail/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/mistral/parse/route.ts
+++ b/apps/sim/app/api/tools/mistral/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -30,7 +30,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {
--- a/apps/sim/app/api/tools/mysql/delete/route.ts
+++ b/apps/sim/app/api/tools/mysql/delete/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = DeleteSchema.parse(body)
--- a/apps/sim/app/api/tools/mysql/execute/route.ts
+++ b/apps/sim/app/api/tools/mysql/execute/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLExecuteAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ExecuteSchema.parse(body)
--- a/apps/sim/app/api/tools/mysql/insert/route.ts
+++ b/apps/sim/app/api/tools/mysql/insert/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = InsertSchema.parse(body)
--- a/apps/sim/app/api/tools/mysql/introspect/route.ts
+++ b/apps/sim/app/api/tools/mysql/introspect/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLIntrospectAPI')
@@ -19,6 +20,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = IntrospectSchema.parse(body)
--- a/apps/sim/app/api/tools/mysql/query/route.ts
+++ b/apps/sim/app/api/tools/mysql/query/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = QuerySchema.parse(body)
--- a/apps/sim/app/api/tools/mysql/update/route.ts
+++ b/apps/sim/app/api/tools/mysql/update/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'
 const logger = createLogger('MySQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = UpdateSchema.parse(body)
--- a/apps/sim/app/api/tools/onedrive/upload/route.ts
+++ b/apps/sim/app/api/tools/onedrive/upload/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import * as XLSX from 'xlsx'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -39,7 +39,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized OneDrive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/copy/route.ts
+++ b/apps/sim/app/api/tools/outlook/copy/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook copy attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/delete/route.ts
+++ b/apps/sim/app/api/tools/outlook/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/draft/route.ts
+++ b/apps/sim/app/api/tools/outlook/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-read/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/move/route.ts
+++ b/apps/sim/app/api/tools/outlook/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/send/route.ts
+++ b/apps/sim/app/api/tools/outlook/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/postgresql/delete/route.ts
+++ b/apps/sim/app/api/tools/postgresql/delete/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'
 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -21,6 +22,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = DeleteSchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/execute/route.ts
+++ b/apps/sim/app/api/tools/postgresql/execute/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createPostgresConnection,
  executeQuery,
@@ -24,6 +25,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ExecuteSchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/insert/route.ts
+++ b/apps/sim/app/api/tools/postgresql/insert/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
 const logger = createLogger('PostgreSQLInsertAPI')
@@ -42,6 +43,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = InsertSchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/introspect/route.ts
+++ b/apps/sim/app/api/tools/postgresql/introspect/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'
 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = IntrospectSchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/query/route.ts
+++ b/apps/sim/app/api/tools/postgresql/query/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'
 const logger = createLogger('PostgreSQLQueryAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = QuerySchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/update/route.ts
+++ b/apps/sim/app/api/tools/postgresql/update/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'
 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -40,6 +41,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = UpdateSchema.parse(body)
--- a/apps/sim/app/api/tools/pulse/parse/route.ts
+++ b/apps/sim/app/api/tools/pulse/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Pulse parse attempt`, {
--- a/apps/sim/app/api/tools/reducto/parse/route.ts
+++ b/apps/sim/app/api/tools/reducto/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Reducto parse attempt`, {
--- a/apps/sim/app/api/tools/s3/copy-object/route.ts
+++ b/apps/sim/app/api/tools/s3/copy-object/route.ts
@@ -2,7 +2,7 @@ import { CopyObjectCommand, type ObjectCannedACL, S3Client } from '@aws-sdk/clie
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 copy object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/delete-object/route.ts
+++ b/apps/sim/app/api/tools/s3/delete-object/route.ts
@@ -2,7 +2,7 @@ import { DeleteObjectCommand, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 delete object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/list-objects/route.ts
+++ b/apps/sim/app/api/tools/s3/list-objects/route.ts
@@ -2,7 +2,7 @@ import { ListObjectsV2Command, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 list objects attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/put-object/route.ts
+++ b/apps/sim/app/api/tools/s3/put-object/route.ts
@@ -2,7 +2,7 @@ import { type ObjectCannedACL, PutObjectCommand, S3Client } from '@aws-sdk/clien
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 put object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/search/route.ts
+++ b/apps/sim/app/api/tools/search/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { SEARCH_TOOL_COST } from '@/lib/billing/constants'
 import { env } from '@/lib/core/config/env'
 import { executeTool } from '@/tools'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
    const { searchParams: urlParams } = new URL(request.url)
    const workflowId = urlParams.get('workflowId') || undefined
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      const errorMessage = workflowId ? 'Workflow not found' : authResult.error || 'Unauthorized'
--- a/apps/sim/app/api/tools/sftp/delete/route.ts
+++ b/apps/sim/app/api/tools/sftp/delete/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -72,7 +72,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/download/route.ts
+++ b/apps/sim/app/api/tools/sftp/download/route.ts
@@ -2,7 +2,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP download attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/list/route.ts
+++ b/apps/sim/app/api/tools/sftp/list/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP list attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/mkdir/route.ts
+++ b/apps/sim/app/api/tools/sftp/mkdir/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP mkdir attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/upload/route.ts
+++ b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -44,7 +44,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sharepoint/upload/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SharePoint upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/add-reaction/route.ts
+++ b/apps/sim/app/api/tools/slack/add-reaction/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 export const dynamic = 'force-dynamic'
@@ -13,7 +13,7 @@ const SlackAddReactionSchema = z.object({
 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/delete-message/route.ts
+++ b/apps/sim/app/api/tools/slack/delete-message/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 export const dynamic = 'force-dynamic'
@@ -12,7 +12,7 @@ const SlackDeleteMessageSchema = z.object({
 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/read-messages/route.ts
+++ b/apps/sim/app/api/tools/slack/read-messages/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { openDMChannel } from '../utils'
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack read messages attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/send-message/route.ts
+++ b/apps/sim/app/api/tools/slack/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { sendSlackMessage } from '../utils'
@@ -26,7 +26,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/update-message/route.ts
+++ b/apps/sim/app/api/tools/slack/update-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack update message attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sms/send/route.ts
+++ b/apps/sim/app/api/tools/sms/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { type SMSOptions, sendSMS } from '@/lib/messaging/sms/service'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMS send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/smtp/send/route.ts
+++ b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import nodemailer from 'nodemailer'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMTP send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -20,6 +21,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = CheckCommandExistsSchema.parse(body)
--- a/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -39,10 +40,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = CheckFileExistsSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/create-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/create-directory/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = CreateDirectorySchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
      const dirPath = sanitizePath(params.path)
      const escapedPath = escapeShellArg(dirPath)
      // Check if directory already exists
      const checkResult = await executeSSHCommand(
        client,
        `test -d '${escapedPath}' && echo "exists"`
@@ -70,7 +75,6 @@ export async function POST(request: NextRequest) {
        })
      }
      // Create directory
      const mkdirFlag = params.recursive ? '-p' : ''
      const command = `mkdir ${mkdirFlag} -m ${params.permissions} '${escapedPath}'`
      const result = await executeSSHCommand(client, command)
--- a/apps/sim/app/api/tools/ssh/delete-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/delete-file/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -27,10 +28,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = DeleteFileSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -53,7 +59,6 @@ export async function POST(request: NextRequest) {
      const filePath = sanitizePath(params.path)
      const escapedPath = escapeShellArg(filePath)
      // Check if path exists
      const checkResult = await executeSSHCommand(
        client,
        `test -e '${escapedPath}' && echo "exists"`
@@ -62,7 +67,6 @@ export async function POST(request: NextRequest) {
        return NextResponse.json({ error: `Path does not exist: ${filePath}` }, { status: 404 })
      }
      // Build delete command
      let command: string
      if (params.recursive) {
        command = params.force ? `rm -rf '${escapedPath}'` : `rm -r '${escapedPath}'`
--- a/apps/sim/app/api/tools/ssh/download-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/download-file/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHDownloadFileAPI')
@@ -34,10 +35,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = DownloadFileSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/execute-command/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-command/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHExecuteCommandAPI')
@@ -21,10 +22,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ExecuteCommandSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -44,7 +50,6 @@ export async function POST(request: NextRequest) {
    })
    try {
      // Build command with optional working directory
      let command = sanitizeCommand(params.command)
      if (params.workingDirectory) {
        command = `cd "${params.workingDirectory}" && ${command}`
--- a/apps/sim/app/api/tools/ssh/execute-script/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-script/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHExecuteScriptAPI')
@@ -22,10 +23,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ExecuteScriptSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -45,13 +51,10 @@ export async function POST(request: NextRequest) {
    })
    try {
      // Create a temporary script file, execute it, and clean up
      const scriptPath = `/tmp/sim_script_${requestId}.sh`
      const escapedScriptPath = escapeShellArg(scriptPath)
      const escapedInterpreter = escapeShellArg(params.interpreter)
      // Build the command to create, execute, and clean up the script
      // Note: heredoc with quoted delimiter ('SIMEOF') prevents variable expansion
      let command = `cat > '${escapedScriptPath}' << 'SIMEOF'
 ${params.script}
 SIMEOF
--- a/apps/sim/app/api/tools/ssh/get-system-info/route.ts
+++ b/apps/sim/app/api/tools/ssh/get-system-info/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -19,10 +20,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = GetSystemInfoSchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/list-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/list-directory/route.ts
@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -60,10 +61,15 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ListDirectorySchema.parse(body)
    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/move-rename/route.ts
+++ b/apps/sim/app/api/tools/ssh/move-rename/route.ts
@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -27,9 +28,16 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = MoveRenameSchema.parse(body)
    // Validate SSH authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/read-file-content/route.ts
+++ b/apps/sim/app/api/tools/ssh/read-file-content/route.ts
@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHReadFileContentAPI')
@@ -35,6 +36,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = ReadFileContentSchema.parse(body)
--- a/apps/sim/app/api/tools/ssh/upload-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/upload-file/route.ts
@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'
 const logger = createLogger('SSHUploadFileAPI')
@@ -37,6 +38,12 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  try {
    const auth = await checkInternalAuth(request)
    if (!auth.success || !auth.userId) {
      logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const body = await request.json()
    const params = UploadFileSchema.parse(body)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vikhyath Mondreti	6c1d5586d5	fix(ci): commit message passed in via env var	2026-01-24 14:27:54 -08:00
Waleed	bcf6dc8828	fix(variables): boolean type support and input improvements (#2981 ) * fix(variables): boolean type support and input improvements * fix formatting	2026-01-24 13:52:09 -08:00
Vikhyath Mondreti	841cb638fb	fix(edge-validation): race condition on collaborative add (#2980 )	2026-01-24 13:19:52 -08:00
Emir Karabeg	c7db48e3a2	fix(landing): ui (#2979 )	2026-01-24 13:04:06 -08:00
Siddharth Ganesan	4d844651c2	fix(integrations): hide from tool bar (#2544 )	2026-01-24 12:45:14 -08:00
Siddharth Ganesan	9f916940b3	fix(copilot): fix edit summary for loops/parallels (#2978 )	2026-01-24 12:36:43 -08:00
Siddharth Ganesan	3bbf7f5d1d	fix(auth): copilot routes (#2977 ) * Fix copilot auth * Fix * Fix * Fix	2026-01-24 12:26:21 -08:00
Vikhyath Mondreti	68683258c3	fix(blog): slash actions description (#2976 ) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description	2026-01-24 11:46:07 -08:00
Vikhyath Mondreti	fc7f56e21b	improvement(docs): loop and parallel var reference syntax (#2975 )	2026-01-24 11:36:47 -08:00
Vikhyath Mondreti	8429040921	fix(notes): ghost edges (#2970 ) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check	2026-01-24 11:20:28 -08:00
Siddharth Ganesan	8574e6c71f	fix(hitl): fix condition blocks after hitl (#2967 )	2026-01-24 10:19:19 -08:00
Siddharth Ganesan	9c3e663cd8	fix(copilot): update copilot chat title (#2968 )	2026-01-24 10:18:13 -08:00
Waleed	48adaa00d8	fix(security): restrict API key access on internal-only routes (#2964 ) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt	2026-01-24 10:15:52 -08:00
Vikhyath Mondreti	211a7ac3a4	fix(child-workflow): nested spans handoff (#2966 ) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments	2026-01-24 02:39:13 -08:00
Emir Karabeg	0f9b6ad1d2	fix(preview): subblock values (#2969 )	2026-01-24 02:32:08 -08:00
Vikhyath Mondreti	12100e6881	improvement(webhooks): remove dead code (#2965 ) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets	2026-01-23 23:18:20 -08:00
Siddharth Ganesan	23294683e1	fix(copilot): mask credentials fix (#2963 ) * Fix copilot masking * Clean up * Lint	2026-01-23 19:34:55 -08:00
Vikhyath Mondreti	b913cff46e	fix(envvars): resolution standardized (#2957 ) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot	2026-01-23 18:59:04 -08:00
Waleed	428781ce7d	feat(blog): enterprise post (#2961 ) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>	2026-01-23 18:58:00 -08:00
Waleed	f0ee67f3ed	improvement(helm): add internal ingress support and same-host path consolidation (#2960 ) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 18:44:18 -08:00
Waleed	f44594c380	fix(security): add authentication and input validation to API routes (#2959 ) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep	2026-01-23 17:48:39 -08:00
Emir Karabeg	6464cfa7f2	fix(logs): refresh logic to refresh logs details (#2958 )	2026-01-23 17:22:33 -08:00
Waleed	7f4edc85ef	fix(billing): handle missing userStats and prevent crashes (#2956 ) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost	2026-01-23 14:45:11 -08:00
Siddharth Ganesan	efef91ece0	improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955 ) * Improvements * Fix actions mapping * Remove console logs	2026-01-23 13:03:05 -08:00
Waleed	64efeaa2e6	feat(admin): add credits endpoint to issue credits to users (#2954 ) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings	2026-01-23 11:33:13 -08:00
Waleed	9b72b52b33	feat(blog): v0.5 release post (#2953 ) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from "Introducing Sim Studio v0.5" to "Introducing Sim v0.5" - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-23 09:07:53 -08:00
Emir Karabeg	1467862488	improvement(logs): trace span, details (#2952 ) * improvement(action-bar): ordering * improvement(logs): details, trace span	2026-01-22 19:50:20 -08:00
Waleed	7f2262857c	improvement(kb): add document filtering, select all, and React Query migration (#2951 ) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard	2026-01-22 19:25:16 -08:00
Vikhyath Mondreti	1b309b50e6	fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950 ) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target	2026-01-22 18:38:08 -08:00
Waleed	f765b83a26	chore(deps): bump posthog-js to 1.334.1 (#2948 )	2026-01-22 18:06:05 -08:00
Vikhyath Mondreti	aa99db6fdd	fix(subflows): tag dropdown + resolution logic (#2949 ) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change	2026-01-22 17:57:55 -08:00