make evaluator metrics only

address greptile comments
update tests
2026-02-10 06:35:01 -05:00 · 2026-02-09 23:08:33 -08:00 · 2026-02-09 22:52:16 -08:00 · 2026-02-09 20:09:22 -08:00 · 2026-02-09 19:51:31 -08:00 · 2026-02-09 19:45:33 -08:00
459 changed files with 54618 additions and 20369 deletions
--- a/apps/docs/components/icons.tsx
+++ b/apps/docs/components/icons.tsx
@@ -1131,6 +1131,32 @@ export function AirtableIcon(props: SVGProps<SVGSVGElement>) {
  )
 }
 export function AirweaveIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      {...props}
      width='143'
      height='143'
      viewBox='0 0 143 143'
      fill='none'
      xmlns='http://www.w3.org/2000/svg'
    >
      <path
        d='M89.8854 128.872C79.9165 123.339 66.7502 115.146 60.5707 107.642L60.0432 107.018C58.7836 105.5 57.481 104.014 56.1676 102.593C51.9152 97.9641 47.3614 93.7978 42.646 90.2021C40.7405 88.7487 38.7704 87.3492 36.8111 86.0789C35.7991 85.4222 34.8302 84.8193 33.9151 84.2703C31.6221 82.903 28.8338 82.5263 26.2716 83.2476C23.8385 83.9366 21.89 85.5406 20.7596 87.7476C18.5634 92.0323 20.0814 97.3289 24.2046 99.805C27.5204 101.786 30.7608 104.111 33.8398 106.717C34.2381 107.05 34.3996 107.578 34.2596 108.062C33.1292 112.185 31.9989 118.957 31.5682 121.67C30.6424 127.429 33.4737 133.081 38.5982 135.751L38.7812 135.848C41.0204 137 43.6472 136.946 45.8219 135.697C47.9858 134.459 49.353 132.231 49.4822 129.733C49.536 128.657 49.6006 127.58 49.676 126.59C49.719 126.062 50.042 125.632 50.5264 125.459C50.6772 125.406 50.8494 125.373 51.0001 125.373C51.3554 125.373 51.6784 125.513 51.9475 125.782C56.243 130.185 60.8829 134.169 65.7167 137.625C70.3674 140.951 75.8686 142.706 81.639 142.706C83.7383 142.706 85.8376 142.469 87.8938 141.995L88.1199 141.942C90.9943 141.274 93.029 139.024 93.4488 136.085C93.8687 133.146 92.4476 130.315 89.8747 128.883H89.8639L89.8854 128.872Z'
        fill='currentColor'
      />
      <path
        d='M142.551 58.1747L142.529 58.0563C142.045 55.591 140.118 53.7069 137.598 53.2548C135.112 52.8134 132.754 53.8577 131.484 55.9893L131.408 56.1077C126.704 64.1604 120.061 71.6101 111.653 78.2956C109.446 80.0504 107.293 81.902 105.226 83.8075C103.644 85.2717 101.265 85.53 99.4452 84.4212C97.6474 83.3339 95.8495 82.1389 94.1055 80.8686C90.3268 78.1233 86.6772 74.9475 83.2753 71.4271C81.4989 69.597 79.798 67.6915 78.1939 65.7321C76.0408 63.1161 73.7477 60.5539 71.3685 58.1316C66.3195 52.9857 56.6089 45.9127 53.7453 43.878C53.3792 43.6304 53.1639 43.2428 53.0993 42.8014C53.0455 42.3601 53.1639 41.9509 53.4546 41.6064C55.274 39.4318 56.9965 37.1818 58.5683 34.921C60.2369 32.5311 60.786 29.6028 60.0862 26.8899C59.408 24.2523 57.6424 22.11 55.134 20.8827C50.9139 18.7942 45.8972 20.0968 43.2273 23.9293C40.8373 27.3636 38.0167 30.7332 34.8732 33.9306C34.5718 34.232 34.1304 34.3397 33.7213 34.1889C30.5239 33.1447 27.2296 32.2942 23.9461 31.659C23.7093 31.616 23.354 31.5514 22.9126 31.4975C16.4102 30.5286 10.1123 33.7798 7.21639 39.5717L7.1195 39.7548C6.18289 41.628 6.26902 43.8349 7.32405 45.6651C8.40061 47.5167 10.3277 48.701 12.4592 48.8194C13.4604 48.8732 14.4401 48.9378 15.3659 49.0024C15.7966 49.0347 16.1411 49.2823 16.3025 49.6914C16.4533 50.1112 16.3671 50.5419 16.0657 50.8541C12.147 54.8804 8.60515 59.1974 5.5262 63.6867C1.1446 70.0814 -0.481008 78.2095 1.08 85.9822L1.10154 86.1006C1.70441 89.0719 4.05131 91.2035 7.07644 91.5264C9.98315 91.8386 12.6099 90.3208 13.7619 87.6724L13.8265 87.5109C18.6925 75.8625 26.7559 65.5168 37.7907 56.7536C38.3182 56.3445 39.0072 56.28 39.567 56.5922C45.3373 59.768 50.8601 63.902 55.9738 68.8864C56.5982 69.4893 56.6089 70.5013 56.0168 71.1257C53.4761 73.8063 51.0862 76.6054 48.9115 79.469C47.2106 81.7083 47.5335 84.8949 49.6221 86.7358L53.3254 89.9977L53.2824 90.0409C53.8637 90.5576 54.445 91.0744 55.0264 91.5911L55.8123 92.194C56.9319 93.1844 58.3529 93.6365 59.8386 93.4858C61.3027 93.3351 62.67 92.56 63.5635 91.3758C65.1353 89.2873 66.8578 87.2525 68.6556 85.304C68.957 84.9702 69.3661 84.798 69.8075 84.7872C70.2705 84.7872 70.6257 84.9379 70.9164 85.2286C75.8147 90.0624 81.1114 94.3686 86.6772 97.9966C88.8626 99.4176 89.4978 102.26 88.1306 104.477C86.9248 106.448 85.7729 108.493 84.7179 110.539C83.5014 112.918 83.2968 115.738 84.1688 118.257C84.9978 120.68 86.7095 122.585 88.981 123.64C90.2514 124.232 91.5971 124.534 92.9859 124.534C96.5062 124.534 99.682 122.596 101.286 119.452C102.729 116.61 104.419 113.8 106.281 111.131C107.369 109.559 109.36 108.838 111.255 109.322C115.26 110.355 120.643 111.421 124.454 112.143C128.308 112.864 132.119 111.023 133.96 107.578L134.143 107.233C135.521 104.628 135.531 101.506 134.164 98.8901C132.786 96.2526 130.181 94.4655 127.21 94.121C126.478 94.0349 125.778 93.9488 125.11 93.8626C124.97 93.8411 124.852 93.8196 124.744 93.798L123.356 93.4751L124.357 92.4523C124.432 92.377 124.529 92.2801 124.658 92.194C128.771 88.8028 132.571 85.1963 135.962 81.4714C141.668 75.1951 144.122 66.4965 142.518 58.1747H142.529H142.551Z'
        fill='currentColor'
      />
      <path
        d='M56.6506 14.3371C65.5861 19.6338 77.4067 27.3743 82.9833 34.1674C83.64 34.9532 84.2967 35.7391 84.9534 36.4927C86.1591 37.8815 86.2991 39.8731 85.2979 41.4233C83.4892 44.2116 81.4115 46.9569 79.1399 49.5945C77.4713 51.5107 77.4067 54.3098 78.9785 56.2476L79.0431 56.323C79.2261 56.5598 79.4306 56.8074 79.6136 57.0442C81.2931 59.1758 83.0801 61.2213 84.9211 63.1375C85.9007 64.1603 87.2249 64.7309 88.6352 64.7309L88.7644 65.5275L88.7429 64.7309C90.207 64.6986 91.6173 64.0526 92.5969 62.933C94.8362 60.4031 96.9247 57.744 98.8302 55.0633C100.133 53.2224 102.63 52.8026 104.525 54.1052C106.463 55.4402 108.465 56.7105 110.457 57.8839C112.793 59.2511 115.614 59.5095 118.165 58.5621C120.749 57.604 122.762 55.5694 123.656 52.9533C125.055 48.9055 123.257 44.2547 119.382 41.9078C116.755 40.3145 114.15 38.5166 111.674 36.5788C110.382 35.5561 109.833 33.8767 110.296 32.2941C111.437 28.3001 112.481 23.1218 113.148 19.4831C113.837 15.7259 112.147 11.8826 108.939 9.94477L108.562 9.72944C105.871 8.12537 102.587 8.00696 99.7668 9.40649C96.9247 10.8168 95.03 13.5405 94.6855 16.6733L94.6639 16.867C94.6209 17.2546 94.384 17.5453 94.018 17.6637C93.652 17.7821 93.2859 17.6852 93.0168 17.4269C89.0012 13.1422 84.738 9.25576 80.3134 5.8646C74.3708 1.31075 66.7811 -0.583999 59.4928 0.675575L59.1805 0.729423C56.1124 1.2677 53.7547 3.60383 53.1949 6.68279C52.6351 9.72946 53.9915 12.7223 56.6722 14.3048H56.6614L56.6506 14.3371Z'
        fill='currentColor'
      />
    </svg>
  )
 }
 export function GoogleDocsIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
@@ -5436,3 +5462,58 @@ export function EnrichSoIcon(props: SVGProps<SVGSVGElement>) {
    </svg>
  )
 }
 export function AgentSkillsIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      {...props}
      xmlns='http://www.w3.org/2000/svg'
      width='16'
      height='16'
      viewBox='0 0 16 16'
      fill='none'
    >
      <path
        d='M8 1L14.0622 4.5V11.5L8 15L1.93782 11.5V4.5L8 1Z'
        stroke='currentColor'
        strokeWidth='1.5'
        fill='none'
      />
      <path d='M8 4.5L11 6.25V9.75L8 11.5L5 9.75V6.25L8 4.5Z' fill='currentColor' />
    </svg>
  )
 }
 export function OnePasswordIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg {...props} viewBox='0 0 48 48' xmlns='http://www.w3.org/2000/svg' fill='none'>
      <circle
        cx='24'
        cy='24'
        r='21.5'
        stroke='#000000'
        strokeLinecap='round'
        strokeLinejoin='round'
      />
      <path
        d='M28.083,17.28a7.8633,7.8633,0,0,1,0,13.44'
        stroke='#000000'
        strokeLinecap='round'
        strokeLinejoin='round'
      />
      <path
        d='M19.917,30.72a7.8633,7.8633,0,0,1,0-13.44'
        stroke='#000000'
        strokeLinecap='round'
        strokeLinejoin='round'
      />
      <path
        d='M26.067,10.43H21.933a2.0172,2.0172,0,0,0-2.016,2.016v6.36c2.358,1.281,2.736,2.562,0,3.843V35.574a2.0169,2.0169,0,0,0,2.016,2.015h4.134a2.0169,2.0169,0,0,0,2.016-2.015V29.213c-2.358-1.281-2.736-2.562,0-3.842V12.446A2.0172,2.0172,0,0,0,26.067,10.43Z'
        fill='#000000'
        stroke='#000000'
        strokeLinecap='round'
        strokeLinejoin='round'
      />
    </svg>
  )
 }
--- a/apps/docs/components/ui/icon-mapping.ts
+++ b/apps/docs/components/ui/icon-mapping.ts
@@ -7,6 +7,7 @@ import {
  A2AIcon,
  AhrefsIcon,
  AirtableIcon,
  AirweaveIcon,
  ApifyIcon,
  ApolloIcon,
  ArxivIcon,
@@ -79,6 +80,7 @@ import {
  MySQLIcon,
  Neo4jIcon,
  NotionIcon,
  OnePasswordIcon,
  OpenAIIcon,
  OutlookIcon,
  PackageSearchIcon,
@@ -141,6 +143,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  a2a: A2AIcon,
  ahrefs: AhrefsIcon,
  airtable: AirtableIcon,
  airweave: AirweaveIcon,
  apify: ApifyIcon,
  apollo: ApolloIcon,
  arxiv: ArxivIcon,
@@ -212,6 +215,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  neo4j: Neo4jIcon,
  notion_v2: NotionIcon,
  onedrive: MicrosoftOneDriveIcon,
  onepassword: OnePasswordIcon,
  openai: OpenAIIcon,
  outlook: OutlookIcon,
  parallel_ai: ParallelIcon,
--- a/apps/docs/content/docs/en/copilot/index.mdx
+++ b/apps/docs/content/docs/en/copilot/index.mdx
@@ -56,7 +56,7 @@ Switch between modes using the mode selector at the bottom of the input area.
 Select your preferred AI model using the model selector at the bottom right of the input area.
 **Available Models:**
- Claude 4.5 Opus, Sonnet (default), Haiku
+- Claude 4.6 Opus (default), 4.5 Opus, Sonnet, Haiku
 - GPT 5.2 Codex, Pro
 - Gemini 3 Pro
@@ -190,3 +190,99 @@ Copilot usage is billed per token from the underlying LLM. If you reach your usa
 <Callout type="info">
  See the [Cost Calculation page](/execution/costs) for billing details.
 </Callout>
 ## Copilot MCP
 You can use Copilot as an MCP server in your favorite editor or AI client. This lets you build, test, deploy, and manage Sim workflows directly from tools like Cursor, Claude Code, Claude Desktop, and VS Code.
 ### Generating a Copilot API Key
 To connect to the Copilot MCP server, you need a **Copilot API key**:
 1. Go to [sim.ai](https://sim.ai) and sign in
 2. Navigate to **Settings** → **Copilot**
 3. Click **Generate API Key**
 4. Copy the key — it is only shown once
 The key will look like `sk-sim-copilot-...`. You will use this in the configuration below.
 ### Cursor
 Add the following to your `.cursor/mcp.json` (project-level) or global Cursor MCP settings:
 ```json
 {
  "mcpServers": {
    "sim-copilot": {
      "url": "https://www.sim.ai/api/mcp/copilot",
      "headers": {
        "X-API-Key": "YOUR_COPILOT_API_KEY"
      }
    }
  }
 }
 ```
 Replace `YOUR_COPILOT_API_KEY` with the key you generated above.
 ### Claude Code
 Run the following command to add the Copilot MCP server:
 ```bash
 claude mcp add sim-copilot \
  --transport http \
  https://www.sim.ai/api/mcp/copilot \
  --header "X-API-Key: YOUR_COPILOT_API_KEY"
 ```
 Replace `YOUR_COPILOT_API_KEY` with your key.
 ### Claude Desktop
 Claude Desktop requires [`mcp-remote`](https://www.npmjs.com/package/mcp-remote) to connect to HTTP-based MCP servers. Add the following to your Claude Desktop config file (`~/Library/Application Support/Claude/claude_desktop_config.json` on macOS):
 ```json
 {
  "mcpServers": {
    "sim-copilot": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://www.sim.ai/api/mcp/copilot",
        "--header",
        "X-API-Key: YOUR_COPILOT_API_KEY"
      ]
    }
  }
 }
 ```
 Replace `YOUR_COPILOT_API_KEY` with your key.
 ### VS Code
 Add the following to your VS Code `settings.json` or workspace `.vscode/settings.json`:
 ```json
 {
  "mcp": {
    "servers": {
      "sim-copilot": {
        "type": "http",
        "url": "https://www.sim.ai/api/mcp/copilot",
        "headers": {
          "X-API-Key": "YOUR_COPILOT_API_KEY"
        }
      }
    }
  }
 }
 ```
 Replace `YOUR_COPILOT_API_KEY` with your key.
 <Callout type="info">
  For self-hosted deployments, replace `https://www.sim.ai` with your self-hosted Sim URL.
 </Callout>
--- a/apps/docs/content/docs/en/meta.json
+++ b/apps/docs/content/docs/en/meta.json
@@ -10,6 +10,7 @@
    "connections",
    "mcp",
    "copilot",
    "skills",
    "knowledgebase",
    "variables",
    "execution",
--- a/apps/docs/content/docs/en/skills/index.mdx
+++ b/apps/docs/content/docs/en/skills/index.mdx
@@ -0,0 +1,134 @@
 ---
 title: Agent Skills
 ---
 import { Callout } from 'fumadocs-ui/components/callout'
 Agent Skills are reusable packages of instructions that give your AI agents specialized capabilities. Based on the open [Agent Skills](https://agentskills.io) format, skills let you capture domain expertise, workflows, and best practices that agents can load on demand.
 ## How Skills Work
 Skills use **progressive disclosure** to keep agent context lean:
 1. **Discovery** — Only skill names and descriptions are included in the agent's system prompt (~50-100 tokens each)
 2. **Activation** — When the agent decides a skill is relevant, it calls the `load_skill` tool to load the full instructions into context
 3. **Execution** — The agent follows the loaded instructions to complete the task
 This means you can attach many skills to an agent without bloating its context window. The agent only loads what it needs.
 ## Creating Skills
 Go to **Settings** and select **Skills** under the Tools section.
 ![Manage Skills](/static/skills/manage-skills.png)
 Click **Add** to create a new skill with three fields:
 | Field | Description |
 |-------|-------------|
 | **Name** | A kebab-case identifier (e.g. `sql-expert`, `code-reviewer`). Max 64 characters. |
 | **Description** | A short explanation of what the skill does and when to use it. This is what the agent reads to decide whether to activate the skill. Max 1024 characters. |
 | **Content** | The full skill instructions in markdown. This is loaded when the agent activates the skill. |
 <Callout type="info">
  The description is critical — it's the only thing the agent sees before deciding to load a skill. Be specific about when and why the skill should be used.
 </Callout>
 ### Writing Good Skill Content
 Skill content follows the same conventions as [SKILL.md files](https://agentskills.io/specification):
 ```markdown
 # SQL Expert
 ## When to use this skill
 Use when the user asks you to write, optimize, or debug SQL queries.
 ## Instructions
 1. Always ask which database engine (PostgreSQL, MySQL, SQLite)
 2. Use CTEs over subqueries for readability
 3. Add index recommendations when relevant
 4. Explain query plans for optimization requests
 ## Common Patterns
 ...
 ```
 **Recommended structure:**
 - **When to use** — Specific triggers and scenarios
 - **Instructions** — Step-by-step guidance with numbered lists
 - **Examples** — Input/output samples showing expected behavior
 - **Common Patterns** — Reusable approaches for frequent tasks
 - **Edge Cases** — Gotchas and special considerations
 Keep skills focused and under 500 lines. If a skill grows too large, split it into multiple specialized skills.
 ## Adding Skills to an Agent
 Open any **Agent** block and find the **Skills** dropdown below the tools section. Select the skills you want the agent to have access to.
 ![Add Skill](/static/skills/add-skill.png)
 Selected skills appear as cards that you can click to edit or remove.
 ### What Happens at Runtime
 When the workflow runs:
 1. The agent's system prompt includes an `<available_skills>` section listing each skill's name and description
 2. A `load_skill` tool is automatically added to the agent's available tools
 3. When the agent determines a skill is relevant to the current task, it calls `load_skill` with the skill name
 4. The full skill content is returned as a tool response, giving the agent detailed instructions
 This works across all supported LLM providers — the `load_skill` tool uses standard tool-calling, so no provider-specific configuration is needed.
 ## Common Use Cases
 Skills are most valuable when agents need specialized knowledge or multi-step workflows:
 **Domain Expertise**
 - `api-integration-expert` — Best practices for calling specific APIs (authentication, rate limiting, error handling)
 - `data-transformation` — ETL patterns, data cleaning, and validation rules
 - `code-reviewer` — Code review guidelines specific to your team's standards
 **Workflow Templates**
 - `bug-investigation` — Step-by-step debugging methodology (reproduce → isolate → test → fix)
 - `feature-implementation` — Development workflow from requirements to deployment
 - `document-generator` — Templates and formatting rules for technical documentation
 **Company-Specific Knowledge**
 - `our-architecture` — System architecture diagrams, service dependencies, and deployment processes
 - `style-guide` — Brand guidelines, writing tone, UI/UX patterns
 - `customer-onboarding` — Standard procedures and common customer questions
 **When to use skills vs. agent instructions:**
 - Use **skills** for knowledge that applies across multiple workflows or changes frequently
 - Use **agent instructions** for task-specific context that's unique to a single agent
 ## Best Practices
 **Writing Effective Descriptions**
 - **Be specific and keyword-rich** — Instead of "Helps with SQL", write "Write optimized SQL queries for PostgreSQL, MySQL, and SQLite, including index recommendations and query plan analysis"
 - **Include activation triggers** — Mention specific words or phrases that should prompt the skill (e.g., "Use when the user mentions PDFs, forms, or document extraction")
 - **Keep it under 200 words** — Agents scan descriptions quickly; make every word count
 **Skill Scope and Organization**
 - **One skill per domain** — A focused `sql-expert` skill works better than a broad `database-everything` skill
 - **Limit to 5-10 skills per agent** — More skills = more decision overhead; start small and add as needed
 - **Split large skills** — If a skill exceeds 500 lines, break it into focused sub-skills
 **Content Structure**
 - **Use markdown formatting** — Headers, lists, and code blocks help agents parse and follow instructions
 - **Provide examples** — Show input/output pairs so agents understand expected behavior
 - **Be explicit about edge cases** — Don't assume agents will infer special handling
 **Testing and Iteration**
 - **Test activation** — Run your workflow and verify the agent loads the skill when expected
 - **Check for false positives** — Make sure skills aren't activating when they shouldn't
 - **Refine descriptions** — If a skill isn't loading when needed, add more keywords to the description
 ## Learn More
 - [Agent Skills specification](https://agentskills.io) — The open format for portable agent skills
 - [Example skills](https://github.com/anthropics/skills) — Browse community skill examples
 - [Best practices](https://agentskills.io/what-are-skills) — Writing effective skills
--- a/apps/docs/content/docs/en/tools/airweave.mdx
+++ b/apps/docs/content/docs/en/tools/airweave.mdx
@@ -0,0 +1,68 @@
 ---
 title: Airweave
 description: Search your synced data collections
 ---
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 <BlockInfoCard 
  type="airweave"
  color="#6366F1"
 />
 {/* MANUAL-CONTENT-START:intro */}
 [Airweave](https://airweave.ai/) is an AI-powered semantic search platform that helps you discover and retrieve knowledge across all your synced data sources. Built for modern teams, Airweave enables fast, relevant search results using neural, hybrid, or keyword-based strategies tailored to your needs.
 With Airweave, you can:
 - **Search smarter**: Use natural language queries to uncover information stored across your connected tools and databases
 - **Unify your data**: Seamlessly access content from sources like code, docs, chat, emails, cloud files, and more
 - **Customize retrieval**: Select between hybrid (semantic + keyword), neural, or keyword search strategies for optimal results
 - **Boost recall**: Expand search queries with AI to find more comprehensive answers
 - **Rerank results using AI**: Prioritize the most relevant answers with powerful language models
 - **Get instant answers**: Generate clear, AI-powered responses synthesized from your data
 In Sim, the Airweave integration empowers your agents to search, summarize, and extract insights from all your organization’s data via a single tool. Use Airweave to drive rich, contextual knowledge retrieval within your workflows—whether answering questions, generating summaries, or supporting dynamic decision-making.
 {/* MANUAL-CONTENT-END */}
 ## Usage Instructions
 Search across your synced data sources using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.
 ## Tools
 ### `airweave_search`
 Search your synced data collections using Airweave. Supports semantic search with hybrid, neural, or keyword retrieval strategies. Optionally generate AI-powered answers from search results.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | Airweave API Key for authentication |
 | `collectionId` | string | Yes | The readable ID of the collection to search |
 | `query` | string | Yes | The search query text |
 | `limit` | number | No | Maximum number of results to return \(default: 100\) |
 | `retrievalStrategy` | string | No | Retrieval strategy: hybrid \(default\), neural, or keyword |
 | `expandQuery` | boolean | No | Generate query variations to improve recall |
 | `rerank` | boolean | No | Reorder results for improved relevance using LLM |
 | `generateAnswer` | boolean | No | Generate a natural-language answer to the query |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `results` | array | Search results with content, scores, and metadata from your synced data |
 |   ↳ `entity_id` | string | Unique identifier for the search result entity |
 |   ↳ `source_name` | string | Name of the data source \(e.g., "GitHub", "Slack"\) |
 |   ↳ `md_content` | string | Markdown-formatted content of the result |
 |   ↳ `score` | number | Relevance score from the search |
 |   ↳ `metadata` | object | Additional metadata associated with the result |
 |   ↳ `breadcrumbs` | array | Navigation path to the result within its source |
 |   ↳ `url` | string | URL to the original content |
 | `completion` | string | AI-generated answer to the query \(when generateAnswer is enabled\) |
--- a/apps/docs/content/docs/en/tools/jira.mdx
+++ b/apps/docs/content/docs/en/tools/jira.mdx
@@ -43,7 +43,6 @@ Retrieve detailed information about a specific Jira issue
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `projectId` | string | No | Jira project key \(e.g., PROJ\). Optional when retrieving a single issue. |
 | `issueKey` | string | Yes | Jira issue key to retrieve \(e.g., PROJ-123\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
@@ -51,13 +50,184 @@ Retrieve detailed information about a specific Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
-| `issueKey` | string | Issue key \(e.g., PROJ-123\) |
+| `id` | string | Issue ID |
 | `key` | string | Issue key \(e.g., PROJ-123\) |
 | `self` | string | REST API URL for this issue |
 | `summary` | string | Issue summary |
-| `description` | json | Issue description content |
+| `description` | string | Issue description text \(extracted from ADF\) |
-| `created` | string | Issue creation timestamp |
+| `status` | object | Issue status |
-| `updated` | string | Issue last updated timestamp |
+|   ↳ `id` | string | Status ID |
-| `issue` | json | Complete issue object with all fields |
+|   ↳ `name` | string | Status name \(e.g., Open, In Progress, Done\) |
 |   ↳ `description` | string | Status description |
 |   ↳ `statusCategory` | object | Status category grouping |
 |     ↳ `id` | number | Status category ID |
 |     ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
 |     ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
 |     ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
 | `issuetype` | object | Issue type |
 |   ↳ `id` | string | Issue type ID |
 |   ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
 |   ↳ `description` | string | Issue type description |
 |   ↳ `subtask` | boolean | Whether this is a subtask type |
 |   ↳ `iconUrl` | string | URL to the issue type icon |
 | `project` | object | Project the issue belongs to |
 |   ↳ `id` | string | Project ID |
 |   ↳ `key` | string | Project key \(e.g., PROJ\) |
 |   ↳ `name` | string | Project name |
 |   ↳ `projectTypeKey` | string | Project type key \(e.g., software, business\) |
 | `priority` | object | Issue priority |
 |   ↳ `id` | string | Priority ID |
 |   ↳ `name` | string | Priority name \(e.g., Highest, High, Medium, Low, Lowest\) |
 |   ↳ `iconUrl` | string | URL to the priority icon |
 | `assignee` | object | Assigned user |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `reporter` | object | Reporter user |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `creator` | object | Issue creator |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `labels` | array | Issue labels |
 | `components` | array | Issue components |
 |   ↳ `id` | string | Component ID |
 |   ↳ `name` | string | Component name |
 |   ↳ `description` | string | Component description |
 | `fixVersions` | array | Fix versions |
 |   ↳ `id` | string | Version ID |
 |   ↳ `name` | string | Version name |
 |   ↳ `released` | boolean | Whether the version is released |
 |   ↳ `releaseDate` | string | Release date \(YYYY-MM-DD\) |
 | `resolution` | object | Issue resolution |
 |   ↳ `id` | string | Resolution ID |
 |   ↳ `name` | string | Resolution name \(e.g., Fixed, Duplicate, Won't Fix\) |
 |   ↳ `description` | string | Resolution description |
 | `duedate` | string | Due date \(YYYY-MM-DD\) |
 | `created` | string | ISO 8601 timestamp when the issue was created |
 | `updated` | string | ISO 8601 timestamp when the issue was last updated |
 | `resolutiondate` | string | ISO 8601 timestamp when the issue was resolved |
 | `timetracking` | object | Time tracking information |
 |   ↳ `originalEstimate` | string | Original estimate in human-readable format \(e.g., 1w 2d\) |
 |   ↳ `remainingEstimate` | string | Remaining estimate in human-readable format |
 |   ↳ `timeSpent` | string | Time spent in human-readable format |
 |   ↳ `originalEstimateSeconds` | number | Original estimate in seconds |
 |   ↳ `remainingEstimateSeconds` | number | Remaining estimate in seconds |
 |   ↳ `timeSpentSeconds` | number | Time spent in seconds |
 | `parent` | object | Parent issue \(for subtasks\) |
 |   ↳ `id` | string | Parent issue ID |
 |   ↳ `key` | string | Parent issue key |
 |   ↳ `summary` | string | Parent issue summary |
 | `issuelinks` | array | Linked issues |
 |   ↳ `id` | string | Issue link ID |
 |   ↳ `type` | object | Link type information |
 |     ↳ `id` | string | Link type ID |
 |     ↳ `name` | string | Link type name \(e.g., Blocks, Relates\) |
 |     ↳ `inward` | string | Inward description \(e.g., is blocked by\) |
 |     ↳ `outward` | string | Outward description \(e.g., blocks\) |
 |   ↳ `inwardIssue` | object | Inward linked issue |
 |     ↳ `id` | string | Issue ID |
 |     ↳ `key` | string | Issue key |
 |     ↳ `statusName` | string | Issue status name |
 |     ↳ `summary` | string | Issue summary |
 |   ↳ `outwardIssue` | object | Outward linked issue |
 |     ↳ `id` | string | Issue ID |
 |     ↳ `key` | string | Issue key |
 |     ↳ `statusName` | string | Issue status name |
 |     ↳ `summary` | string | Issue summary |
 | `subtasks` | array | Subtask issues |
 |   ↳ `id` | string | Subtask issue ID |
 |   ↳ `key` | string | Subtask issue key |
 |   ↳ `summary` | string | Subtask summary |
 |   ↳ `statusName` | string | Subtask status name |
 |   ↳ `issueTypeName` | string | Subtask issue type name |
 | `votes` | object | Vote information |
 |   ↳ `votes` | number | Number of votes |
 |   ↳ `hasVoted` | boolean | Whether the current user has voted |
 | `watches` | object | Watch information |
 |   ↳ `watchCount` | number | Number of watchers |
 |   ↳ `isWatching` | boolean | Whether the current user is watching |
 | `comments` | array | Issue comments \(fetched separately\) |
 |   ↳ `id` | string | Comment ID |
 |   ↳ `body` | string | Comment body text \(extracted from ADF\) |
 |   ↳ `author` | object | Comment author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `updateAuthor` | object | User who last updated the comment |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `created` | string | ISO 8601 timestamp when the comment was created |
 |   ↳ `updated` | string | ISO 8601 timestamp when the comment was last updated |
 |   ↳ `visibility` | object | Comment visibility restriction |
 |     ↳ `type` | string | Restriction type \(e.g., role, group\) |
 |     ↳ `value` | string | Restriction value \(e.g., Administrators\) |
 | `worklogs` | array | Issue worklogs \(fetched separately\) |
 |   ↳ `id` | string | Worklog ID |
 |   ↳ `author` | object | Worklog author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `updateAuthor` | object | User who last updated the worklog |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `comment` | string | Worklog comment text |
 |   ↳ `started` | string | ISO 8601 timestamp when the work started |
 |   ↳ `timeSpent` | string | Time spent in human-readable format \(e.g., 3h 20m\) |
 |   ↳ `timeSpentSeconds` | number | Time spent in seconds |
 |   ↳ `created` | string | ISO 8601 timestamp when the worklog was created |
 |   ↳ `updated` | string | ISO 8601 timestamp when the worklog was last updated |
 | `attachments` | array | Issue attachments |
 |   ↳ `id` | string | Attachment ID |
 |   ↳ `filename` | string | Attachment file name |
 |   ↳ `mimeType` | string | MIME type of the attachment |
 |   ↳ `size` | number | File size in bytes |
 |   ↳ `content` | string | URL to download the attachment content |
 |   ↳ `thumbnail` | string | URL to the attachment thumbnail |
 |   ↳ `author` | object | Attachment author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
 | `issueKey` | string | Issue key \(e.g., PROJ-123\) |
 | `issue` | json | Complete raw Jira issue object from the API |
 ### `jira_update`
@@ -68,26 +238,32 @@ Update a Jira issue
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `projectId` | string | No | Jira project key \(e.g., PROJ\). Optional when updating a single issue. |
 | `issueKey` | string | Yes | Jira issue key to update \(e.g., PROJ-123\) |
 | `summary` | string | No | New summary for the issue |
 | `description` | string | No | New description for the issue |
-| `status` | string | No | New status for the issue |
+| `priority` | string | No | New priority ID or name for the issue \(e.g., "High"\) |
-| `priority` | string | No | New priority for the issue |
+| `assignee` | string | No | New assignee account ID for the issue |
-| `assignee` | string | No | New assignee for the issue |
+| `labels` | json | No | Labels to set on the issue \(array of label name strings\) |
 | `components` | json | No | Components to set on the issue \(array of component name strings\) |
 | `duedate` | string | No | Due date for the issue \(format: YYYY-MM-DD\) |
 | `fixVersions` | json | No | Fix versions to set \(array of version name strings\) |
 | `environment` | string | No | Environment information for the issue |
 | `customFieldId` | string | No | Custom field ID to update \(e.g., customfield_10001\) |
 | `customFieldValue` | string | No | Value for the custom field |
 | `notifyUsers` | boolean | No | Whether to send email notifications about this update \(default: true\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Updated issue key \(e.g., PROJ-123\) |
 | `summary` | string | Issue summary after update |
 ### `jira_write`
-Write a Jira issue
+Create a new Jira issue
 #### Input
@@ -100,9 +276,12 @@ Write a Jira issue
 | `priority` | string | No | Priority ID or name for the issue \(e.g., "10000" or "High"\) |
 | `assignee` | string | No | Assignee account ID for the issue |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
-| `issueType` | string | Yes | Type of issue to create \(e.g., Task, Story\) |
+| `issueType` | string | Yes | Type of issue to create \(e.g., Task, Story, Bug, Epic, Sub-task\) |
 | `parent` | json | No | Parent issue key for creating subtasks \(e.g., \{ "key": "PROJ-123" \}\) |
 | `labels` | array | No | Labels for the issue \(array of label names\) |
 | `components` | array | No | Components for the issue \(array of component names\) |
 | `duedate` | string | No | Due date for the issue \(format: YYYY-MM-DD\) |
 | `fixVersions` | array | No | Fix versions for the issue \(array of version names\) |
 | `reporter` | string | No | Reporter account ID for the issue |
 | `environment` | string | No | Environment information for the issue |
 | `customFieldId` | string | No | Custom field ID \(e.g., customfield_10001\) |
@@ -112,15 +291,17 @@ Write a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `id` | string | Created issue ID |
 | `issueKey` | string | Created issue key \(e.g., PROJ-123\) |
 | `self` | string | REST API URL for the created issue |
 | `summary` | string | Issue summary |
-| `url` | string | URL to the created issue |
+| `url` | string | URL to the created issue in Jira |
-| `assigneeId` | string | Account ID of the assigned user \(if assigned\) |
+| `assigneeId` | string | Account ID of the assigned user \(null if no assignee was set\) |
 ### `jira_bulk_read`
-Retrieve multiple Jira issues in bulk
+Retrieve multiple Jira issues from a project in bulk
 #### Input
@@ -134,7 +315,30 @@ Retrieve multiple Jira issues in bulk
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `issues` | array | Array of Jira issues with ts, summary, description, created, and updated timestamps |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `total` | number | Total number of issues in the project \(may not always be available\) |
 | `issues` | array | Array of Jira issues |
 |   ↳ `id` | string | Issue ID |
 |   ↳ `key` | string | Issue key \(e.g., PROJ-123\) |
 |   ↳ `self` | string | REST API URL for this issue |
 |   ↳ `summary` | string | Issue summary |
 |   ↳ `description` | string | Issue description text |
 |   ↳ `status` | object | Issue status |
 |     ↳ `id` | string | Status ID |
 |     ↳ `name` | string | Status name |
 |   ↳ `issuetype` | object | Issue type |
 |     ↳ `id` | string | Issue type ID |
 |     ↳ `name` | string | Issue type name |
 |   ↳ `priority` | object | Issue priority |
 |     ↳ `id` | string | Priority ID |
 |     ↳ `name` | string | Priority name |
 |   ↳ `assignee` | object | Assigned user |
 |     ↳ `accountId` | string | Atlassian account ID |
 |     ↳ `displayName` | string | Display name |
 |   ↳ `created` | string | ISO 8601 creation timestamp |
 |   ↳ `updated` | string | ISO 8601 last updated timestamp |
 | `nextPageToken` | string | Cursor token for the next page. Null when no more results. |
 | `isLast` | boolean | Whether this is the last page of results |
 ### `jira_delete_issue`
@@ -153,7 +357,7 @@ Delete a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Deleted issue key |
 ### `jira_assign_issue`
@@ -173,9 +377,9 @@ Assign a Jira issue to a user
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key that was assigned |
-| `assigneeId` | string | Account ID of the assignee |
+| `assigneeId` | string | Account ID of the assignee \(use "-1" for auto-assign, null to unassign\) |
 ### `jira_transition_issue`
@@ -189,15 +393,20 @@ Move a Jira issue between workflow statuses (e.g., To Do -> In Progress)
 | `issueKey` | string | Yes | Jira issue key to transition \(e.g., PROJ-123\) |
 | `transitionId` | string | Yes | ID of the transition to execute \(e.g., "11" for "To Do", "21" for "In Progress"\) |
 | `comment` | string | No | Optional comment to add when transitioning the issue |
 | `resolution` | string | No | Resolution name to set during transition \(e.g., "Fixed", "Won\'t Fix"\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key that was transitioned |
 | `transitionId` | string | Applied transition ID |
 | `transitionName` | string | Applied transition name |
 | `toStatus` | object | Target status after transition |
 |   ↳ `id` | string | Status ID |
 |   ↳ `name` | string | Status name |
 ### `jira_search_issues`
@@ -209,20 +418,77 @@ Search for Jira issues using JQL (Jira Query Language)
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `jql` | string | Yes | JQL query string to search for issues \(e.g., "project = PROJ AND status = Open"\) |
-| `startAt` | number | No | The index of the first result to return \(for pagination\) |
+| `nextPageToken` | string | No | Cursor token for the next page of results. Omit for the first page. |
-| `maxResults` | number | No | Maximum number of results to return \(default: 50\) |
+| `maxResults` | number | No | Maximum number of results to return per page \(default: 50\) |
-| `fields` | array | No | Array of field names to return \(default: \['summary', 'status', 'assignee', 'created', 'updated'\]\) |
+| `fields` | array | No | Array of field names to return \(default: all navigable\). Use "*all" for every field. |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
-| `total` | number | Total number of matching issues |
+| `issues` | array | Array of matching issues |
-| `startAt` | number | Pagination start index |
+|   ↳ `id` | string | Issue ID |
-| `maxResults` | number | Maximum results per page |
+|   ↳ `key` | string | Issue key \(e.g., PROJ-123\) |
-| `issues` | array | Array of matching issues with key, summary, status, assignee, created, updated |
+|   ↳ `self` | string | REST API URL for this issue |
 |   ↳ `summary` | string | Issue summary |
 |   ↳ `description` | string | Issue description text \(extracted from ADF\) |
 |   ↳ `status` | object | Issue status |
 |     ↳ `id` | string | Status ID |
 |     ↳ `name` | string | Status name \(e.g., Open, In Progress, Done\) |
 |     ↳ `description` | string | Status description |
 |     ↳ `statusCategory` | object | Status category grouping |
 |       ↳ `id` | number | Status category ID |
 |       ↳ `key` | string | Status category key \(e.g., new, indeterminate, done\) |
 |       ↳ `name` | string | Status category name \(e.g., To Do, In Progress, Done\) |
 |       ↳ `colorName` | string | Status category color \(e.g., blue-gray, yellow, green\) |
 |   ↳ `issuetype` | object | Issue type |
 |     ↳ `id` | string | Issue type ID |
 |     ↳ `name` | string | Issue type name \(e.g., Task, Bug, Story, Epic\) |
 |     ↳ `description` | string | Issue type description |
 |     ↳ `subtask` | boolean | Whether this is a subtask type |
 |     ↳ `iconUrl` | string | URL to the issue type icon |
 |   ↳ `project` | object | Project the issue belongs to |
 |     ↳ `id` | string | Project ID |
 |     ↳ `key` | string | Project key \(e.g., PROJ\) |
 |     ↳ `name` | string | Project name |
 |     ↳ `projectTypeKey` | string | Project type key \(e.g., software, business\) |
 |   ↳ `priority` | object | Issue priority |
 |     ↳ `id` | string | Priority ID |
 |     ↳ `name` | string | Priority name \(e.g., Highest, High, Medium, Low, Lowest\) |
 |     ↳ `iconUrl` | string | URL to the priority icon |
 |   ↳ `assignee` | object | Assigned user |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `reporter` | object | Reporter user |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `labels` | array | Issue labels |
 |   ↳ `components` | array | Issue components |
 |     ↳ `id` | string | Component ID |
 |     ↳ `name` | string | Component name |
 |     ↳ `description` | string | Component description |
 |   ↳ `resolution` | object | Issue resolution |
 |     ↳ `id` | string | Resolution ID |
 |     ↳ `name` | string | Resolution name \(e.g., Fixed, Duplicate, Won't Fix\) |
 |     ↳ `description` | string | Resolution description |
 |   ↳ `duedate` | string | Due date \(YYYY-MM-DD\) |
 |   ↳ `created` | string | ISO 8601 timestamp when the issue was created |
 |   ↳ `updated` | string | ISO 8601 timestamp when the issue was last updated |
 | `nextPageToken` | string | Cursor token for the next page. Null when no more results. |
 | `isLast` | boolean | Whether this is the last page of results |
 | `total` | number | Total number of matching issues \(may not always be available\) |
 ### `jira_add_comment`
@@ -235,16 +501,27 @@ Add a comment to a Jira issue
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `issueKey` | string | Yes | Jira issue key to add comment to \(e.g., PROJ-123\) |
 | `body` | string | Yes | Comment body text |
 | `visibility` | json | No | Restrict comment visibility. Object with "type" \("role" or "group"\) and "value" \(role/group name\). |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key the comment was added to |
 | `commentId` | string | Created comment ID |
 | `body` | string | Comment text content |
 | `author` | object | Comment author |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `created` | string | ISO 8601 timestamp when the comment was created |
 | `updated` | string | ISO 8601 timestamp when the comment was last updated |
 ### `jira_get_comments`
@@ -258,16 +535,42 @@ Get all comments from a Jira issue
 | `issueKey` | string | Yes | Jira issue key to get comments from \(e.g., PROJ-123\) |
 | `startAt` | number | No | Index of the first comment to return \(default: 0\) |
 | `maxResults` | number | No | Maximum number of comments to return \(default: 50\) |
 | `orderBy` | string | No | Sort order for comments: "-created" for newest first, "created" for oldest first |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `total` | number | Total number of comments |
-| `comments` | array | Array of comments with id, author, body, created, updated |
+| `startAt` | number | Pagination start index |
 | `maxResults` | number | Maximum results per page |
 | `comments` | array | Array of comments |
 |   ↳ `id` | string | Comment ID |
 |   ↳ `body` | string | Comment body text \(extracted from ADF\) |
 |   ↳ `author` | object | Comment author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `updateAuthor` | object | User who last updated the comment |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `created` | string | ISO 8601 timestamp when the comment was created |
 |   ↳ `updated` | string | ISO 8601 timestamp when the comment was last updated |
 |   ↳ `visibility` | object | Comment visibility restriction |
 |     ↳ `type` | string | Restriction type \(e.g., role, group\) |
 |     ↳ `value` | string | Restriction value \(e.g., Administrators\) |
 ### `jira_update_comment`
@@ -281,16 +584,27 @@ Update an existing comment on a Jira issue
 | `issueKey` | string | Yes | Jira issue key containing the comment \(e.g., PROJ-123\) |
 | `commentId` | string | Yes | ID of the comment to update |
 | `body` | string | Yes | Updated comment text |
 | `visibility` | json | No | Restrict comment visibility. Object with "type" \("role" or "group"\) and "value" \(role/group name\). |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `commentId` | string | Updated comment ID |
 | `body` | string | Updated comment text |
 | `author` | object | Comment author |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `created` | string | ISO 8601 timestamp when the comment was created |
 | `updated` | string | ISO 8601 timestamp when the comment was last updated |
 ### `jira_delete_comment`
@@ -309,7 +623,7 @@ Delete a comment from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `commentId` | string | Deleted comment ID |
@@ -329,9 +643,24 @@ Get all attachments from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
-| `attachments` | array | Array of attachments with id, filename, size, mimeType, created, author |
+| `attachments` | array | Array of attachments |
 |   ↳ `id` | string | Attachment ID |
 |   ↳ `filename` | string | Attachment file name |
 |   ↳ `mimeType` | string | MIME type of the attachment |
 |   ↳ `size` | number | File size in bytes |
 |   ↳ `content` | string | URL to download the attachment content |
 |   ↳ `thumbnail` | string | URL to the attachment thumbnail |
 |   ↳ `author` | object | Attachment author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `created` | string | ISO 8601 timestamp when the attachment was created |
 ### `jira_add_attachment`
@@ -350,10 +679,19 @@ Add attachments to a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
-| `attachmentIds` | json | IDs of uploaded attachments |
+| `attachments` | array | Uploaded attachments |
-| `files` | file[] | Uploaded attachment files |
+|   ↳ `id` | string | Attachment ID |
 |   ↳ `filename` | string | Attachment file name |
 |   ↳ `mimeType` | string | MIME type |
 |   ↳ `size` | number | File size in bytes |
 |   ↳ `content` | string | URL to download the attachment |
 | `attachmentIds` | array | Array of attachment IDs |
 | `files` | array | Uploaded file metadata |
 |   ↳ `name` | string | File name |
 |   ↳ `mimeType` | string | MIME type |
 |   ↳ `size` | number | File size in bytes |
 ### `jira_delete_attachment`
@@ -371,7 +709,7 @@ Delete an attachment from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `attachmentId` | string | Deleted attachment ID |
 ### `jira_add_worklog`
@@ -387,16 +725,28 @@ Add a time tracking worklog entry to a Jira issue
 | `timeSpentSeconds` | number | Yes | Time spent in seconds |
 | `comment` | string | No | Optional comment for the worklog entry |
 | `started` | string | No | Optional start time in ISO format \(defaults to current time\) |
 | `visibility` | json | No | Restrict worklog visibility. Object with "type" \("role" or "group"\) and "value" \(role/group name\). |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key the worklog was added to |
 | `worklogId` | string | Created worklog ID |
 | `timeSpent` | string | Time spent in human-readable format \(e.g., 3h 20m\) |
 | `timeSpentSeconds` | number | Time spent in seconds |
 | `author` | object | Worklog author |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `started` | string | ISO 8601 timestamp when the work started |
 | `created` | string | ISO 8601 timestamp when the worklog was created |
 ### `jira_get_worklogs`
@@ -416,10 +766,35 @@ Get all worklog entries from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `total` | number | Total number of worklogs |
-| `worklogs` | array | Array of worklogs with id, author, timeSpentSeconds, timeSpent, comment, created, updated, started |
+| `startAt` | number | Pagination start index |
 | `maxResults` | number | Maximum results per page |
 | `worklogs` | array | Array of worklogs |
 |   ↳ `id` | string | Worklog ID |
 |   ↳ `author` | object | Worklog author |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `updateAuthor` | object | User who last updated the worklog |
 |     ↳ `accountId` | string | Atlassian account ID of the user |
 |     ↳ `displayName` | string | Display name of the user |
 |     ↳ `active` | boolean | Whether the user account is active |
 |     ↳ `emailAddress` | string | Email address of the user |
 |     ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |     ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |     ↳ `timeZone` | string | User timezone |
 |   ↳ `comment` | string | Worklog comment text |
 |   ↳ `started` | string | ISO 8601 timestamp when the work started |
 |   ↳ `timeSpent` | string | Time spent in human-readable format \(e.g., 3h 20m\) |
 |   ↳ `timeSpentSeconds` | number | Time spent in seconds |
 |   ↳ `created` | string | ISO 8601 timestamp when the worklog was created |
 |   ↳ `updated` | string | ISO 8601 timestamp when the worklog was last updated |
 ### `jira_update_worklog`
@@ -435,15 +810,38 @@ Update an existing worklog entry on a Jira issue
 | `timeSpentSeconds` | number | No | Time spent in seconds |
 | `comment` | string | No | Optional comment for the worklog entry |
 | `started` | string | No | Optional start time in ISO format |
 | `visibility` | json | No | Restrict worklog visibility. Object with "type" \("role" or "group"\) and "value" \(role/group name\). |
 | `cloudId` | string | No | Jira Cloud ID for the instance. If not provided, it will be fetched using the domain. |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `worklogId` | string | Updated worklog ID |
 | `timeSpent` | string | Human-readable time spent \(e.g., "3h 20m"\) |
 | `timeSpentSeconds` | number | Time spent in seconds |
 | `comment` | string | Worklog comment text |
 | `author` | object | Worklog author |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `updateAuthor` | object | User who last updated the worklog |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `started` | string | Worklog start time in ISO format |
 | `created` | string | Worklog creation time |
 | `updated` | string | Worklog last update time |
 ### `jira_delete_worklog`
@@ -462,7 +860,7 @@ Delete a worklog entry from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `worklogId` | string | Deleted worklog ID |
@@ -485,7 +883,7 @@ Create a link relationship between two Jira issues
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `inwardIssue` | string | Inward issue key |
 | `outwardIssue` | string | Outward issue key |
 | `linkType` | string | Type of issue link |
@@ -507,7 +905,7 @@ Delete a link between two Jira issues
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `linkId` | string | Deleted link ID |
 ### `jira_add_watcher`
@@ -527,7 +925,7 @@ Add a watcher to a Jira issue to receive notifications about updates
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `watcherAccountId` | string | Added watcher account ID |
@@ -548,7 +946,7 @@ Remove a watcher from a Jira issue
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
 | `issueKey` | string | Issue key |
 | `watcherAccountId` | string | Removed watcher account ID |
@@ -570,8 +968,15 @@ Get Jira users. If an account ID is provided, returns a single user. Otherwise,
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `ts` | string | Timestamp of the operation |
+| `ts` | string | ISO 8601 timestamp of the operation |
-| `users` | json | Array of users with accountId, displayName, emailAddress, active status, and avatarUrls |
+| `users` | array | Array of Jira users |
 |   ↳ `accountId` | string | Atlassian account ID of the user |
 |   ↳ `displayName` | string | Display name of the user |
 |   ↳ `active` | boolean | Whether the user account is active |
 |   ↳ `emailAddress` | string | Email address of the user |
 |   ↳ `accountType` | string | Type of account \(e.g., atlassian, app, customer\) |
 |   ↳ `avatarUrl` | string | URL to the user avatar \(48x48\) |
 |   ↳ `timeZone` | string | User timezone |
 | `total` | number | Total number of users returned |
 | `startAt` | number | Pagination start index |
 | `maxResults` | number | Maximum results per page |
--- a/apps/docs/content/docs/en/tools/jira_service_management.mdx
+++ b/apps/docs/content/docs/en/tools/jira_service_management.mdx
@@ -46,6 +46,7 @@ Get all service desks from Jira Service Management
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `expand` | string | No | Comma-separated fields to expand in the response |
 | `start` | number | No | Start index for pagination \(e.g., 0, 50, 100\) |
 | `limit` | number | No | Maximum results to return \(e.g., 10, 25, 50\) |
@@ -54,7 +55,14 @@ Get all service desks from Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `serviceDesks` | json | Array of service desks |
+| `serviceDesks` | array | List of service desks |
 |   ↳ `id` | string | Service desk ID |
 |   ↳ `projectId` | string | Associated Jira project ID |
 |   ↳ `projectName` | string | Associated project name |
 |   ↳ `projectKey` | string | Associated project key |
 |   ↳ `name` | string | Service desk name |
 |   ↳ `description` | string | Service desk description |
 |   ↳ `leadDisplayName` | string | Project lead display name |
 | `total` | number | Total number of service desks |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -69,6 +77,9 @@ Get request types for a service desk in Jira Service Management
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `serviceDeskId` | string | Yes | Service Desk ID \(e.g., "1", "2"\) |
 | `searchQuery` | string | No | Filter request types by name |
 | `groupId` | string | No | Filter by request type group ID |
 | `expand` | string | No | Comma-separated fields to expand in the response |
 | `start` | number | No | Start index for pagination \(e.g., 0, 50, 100\) |
 | `limit` | number | No | Maximum results to return \(e.g., 10, 25, 50\) |
@@ -77,7 +88,16 @@ Get request types for a service desk in Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `requestTypes` | json | Array of request types |
+| `requestTypes` | array | List of request types |
 |   ↳ `id` | string | Request type ID |
 |   ↳ `name` | string | Request type name |
 |   ↳ `description` | string | Request type description |
 |   ↳ `helpText` | string | Help text for customers |
 |   ↳ `issueTypeId` | string | Associated Jira issue type ID |
 |   ↳ `serviceDeskId` | string | Parent service desk ID |
 |   ↳ `groupIds` | json | Groups this request type belongs to |
 |   ↳ `icon` | json | Request type icon with id and links |
 |   ↳ `restrictionStatus` | string | OPEN or RESTRICTED |
 | `total` | number | Total number of request types |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -96,6 +116,9 @@ Create a new service request in Jira Service Management
 | `summary` | string | Yes | Summary/title for the service request |
 | `description` | string | No | Description for the service request |
 | `raiseOnBehalfOf` | string | No | Account ID of customer to raise request on behalf of |
 | `requestFieldValues` | json | No | Custom field values as key-value pairs \(overrides summary/description if provided\) |
 | `requestParticipants` | string | No | Comma-separated account IDs to add as request participants |
 | `channel` | string | No | Channel the request originates from \(e.g., portal, email\) |
 #### Output
@@ -106,6 +129,9 @@ Create a new service request in Jira Service Management
 | `issueKey` | string | Created request issue key \(e.g., SD-123\) |
 | `requestTypeId` | string | Request type ID |
 | `serviceDeskId` | string | Service desk ID |
 | `createdDate` | json | Creation date with iso8601, friendly, epochMillis |
 | `currentStatus` | json | Current status with status name and category |
 | `reporter` | json | Reporter user with accountId, displayName, emailAddress |
 | `success` | boolean | Whether the request was created successfully |
 | `url` | string | URL to the created request |
@@ -120,12 +146,33 @@ Get a single service request from Jira Service Management
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `issueIdOrKey` | string | Yes | Issue ID or key \(e.g., SD-123\) |
 | `expand` | string | No | Comma-separated fields to expand: participant, status, sla, requestType, serviceDesk, attachment, comment, action |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueId` | string | Jira issue ID |
 | `issueKey` | string | Issue key \(e.g., SD-123\) |
 | `requestTypeId` | string | Request type ID |
 | `serviceDeskId` | string | Service desk ID |
 | `createdDate` | json | Creation date with iso8601, friendly, epochMillis |
 | `currentStatus` | object | Current request status |
 |   ↳ `status` | string | Status name |
 |   ↳ `statusCategory` | string | Status category \(NEW, INDETERMINATE, DONE\) |
 |   ↳ `statusDate` | json | Status change date with iso8601, friendly, epochMillis |
 | `reporter` | object | Reporter user details |
 |   ↳ `accountId` | string | Atlassian account ID |
 |   ↳ `displayName` | string | User display name |
 |   ↳ `emailAddress` | string | User email address |
 |   ↳ `active` | boolean | Whether the account is active |
 | `requestFieldValues` | array | Request field values |
 |   ↳ `fieldId` | string | Field identifier |
 |   ↳ `label` | string | Human-readable field label |
 |   ↳ `value` | json | Field value |
 |   ↳ `renderedValue` | json | HTML-rendered field value |
 | `url` | string | URL to the request |
 | `request` | json | The service request object |
 ### `jsm_get_requests`
@@ -139,9 +186,11 @@ Get multiple service requests from Jira Service Management
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `serviceDeskId` | string | No | Filter by service desk ID \(e.g., "1", "2"\) |
-| `requestOwnership` | string | No | Filter by ownership: OWNED_REQUESTS, PARTICIPATED_REQUESTS, ORGANIZATION, ALL_REQUESTS |
+| `requestOwnership` | string | No | Filter by ownership: OWNED_REQUESTS, PARTICIPATED_REQUESTS, APPROVER, ALL_REQUESTS |
-| `requestStatus` | string | No | Filter by status: OPEN, CLOSED, ALL |
+| `requestStatus` | string | No | Filter by status: OPEN_REQUESTS, CLOSED_REQUESTS, ALL_REQUESTS |
 | `requestTypeId` | string | No | Filter by request type ID |
 | `searchTerm` | string | No | Search term to filter requests \(e.g., "password reset", "laptop"\) |
 | `expand` | string | No | Comma-separated fields to expand: participant, status, sla, requestType, serviceDesk, attachment, comment, action |
 | `start` | number | No | Start index for pagination \(e.g., 0, 50, 100\) |
 | `limit` | number | No | Maximum results to return \(e.g., 10, 25, 50\) |
@@ -150,8 +199,27 @@ Get multiple service requests from Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `requests` | json | Array of service requests |
+| `requests` | array | List of service requests |
-| `total` | number | Total number of requests |
+|   ↳ `issueId` | string | Jira issue ID |
 |   ↳ `issueKey` | string | Issue key \(e.g., SD-123\) |
 |   ↳ `requestTypeId` | string | Request type ID |
 |   ↳ `serviceDeskId` | string | Service desk ID |
 |   ↳ `createdDate` | json | Creation date with iso8601, friendly, epochMillis |
 |   ↳ `currentStatus` | object | Current request status |
 |     ↳ `status` | string | Status name |
 |     ↳ `statusCategory` | string | Status category \(NEW, INDETERMINATE, DONE\) |
 |     ↳ `statusDate` | json | Status change date with iso8601, friendly, epochMillis |
 |   ↳ `reporter` | object | Reporter user details |
 |     ↳ `accountId` | string | Atlassian account ID |
 |     ↳ `displayName` | string | User display name |
 |     ↳ `emailAddress` | string | User email address |
 |     ↳ `active` | boolean | Whether the account is active |
 |   ↳ `requestFieldValues` | array | Request field values |
 |     ↳ `fieldId` | string | Field identifier |
 |     ↳ `label` | string | Human-readable field label |
 |     ↳ `value` | json | Field value |
 |     ↳ `renderedValue` | json | HTML-rendered field value |
 | `total` | number | Total number of requests in current page |
 | `isLastPage` | boolean | Whether this is the last page |
 ### `jsm_add_comment`
@@ -177,6 +245,12 @@ Add a comment (public or internal) to a service request in Jira Service Manageme
 | `commentId` | string | Created comment ID |
 | `body` | string | Comment body text |
 | `isPublic` | boolean | Whether the comment is public |
 | `author` | object | Comment author |
 |   ↳ `accountId` | string | Atlassian account ID |
 |   ↳ `displayName` | string | User display name |
 |   ↳ `emailAddress` | string | User email address |
 |   ↳ `active` | boolean | Whether the account is active |
 | `createdDate` | json | Comment creation date with iso8601, friendly, epochMillis |
 | `success` | boolean | Whether the comment was added successfully |
 ### `jsm_get_comments`
@@ -192,6 +266,7 @@ Get comments for a service request in Jira Service Management
 | `issueIdOrKey` | string | Yes | Issue ID or key \(e.g., SD-123\) |
 | `isPublic` | boolean | No | Filter to only public comments \(true/false\) |
 | `internal` | boolean | No | Filter to only internal comments \(true/false\) |
 | `expand` | string | No | Comma-separated fields to expand: renderedBody, attachment |
 | `start` | number | No | Start index for pagination \(e.g., 0, 50, 100\) |
 | `limit` | number | No | Maximum results to return \(e.g., 10, 25, 50\) |
@@ -201,7 +276,17 @@ Get comments for a service request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `comments` | json | Array of comments |
+| `comments` | array | List of comments |
 |   ↳ `id` | string | Comment ID |
 |   ↳ `body` | string | Comment body text |
 |   ↳ `public` | boolean | Whether the comment is public |
 |   ↳ `author` | object | Comment author |
 |     ↳ `accountId` | string | Atlassian account ID |
 |     ↳ `displayName` | string | User display name |
 |     ↳ `emailAddress` | string | User email address |
 |     ↳ `active` | boolean | Whether the account is active |
 |   ↳ `created` | json | Creation date with iso8601, friendly, epochMillis |
 |   ↳ `renderedBody` | json | HTML-rendered comment body \(when expand=renderedBody\) |
 | `total` | number | Total number of comments |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -225,7 +310,12 @@ Get customers for a service desk in Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `customers` | json | Array of customers |
+| `customers` | array | List of customers |
 |   ↳ `accountId` | string | Atlassian account ID |
 |   ↳ `displayName` | string | Display name |
 |   ↳ `emailAddress` | string | Email address |
 |   ↳ `active` | boolean | Whether the account is active |
 |   ↳ `timeZone` | string | User timezone |
 | `total` | number | Total number of customers |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -240,7 +330,8 @@ Add customers to a service desk in Jira Service Management
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `serviceDeskId` | string | Yes | Service Desk ID \(e.g., "1", "2"\) |
-| `emails` | string | Yes | Comma-separated email addresses to add as customers |
+| `accountIds` | string | No | Comma-separated Atlassian account IDs to add as customers |
 | `emails` | string | No | Comma-separated email addresses to add as customers |
 #### Output
@@ -269,7 +360,9 @@ Get organizations for a service desk in Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `organizations` | json | Array of organizations |
+| `organizations` | array | List of organizations |
 |   ↳ `id` | string | Organization ID |
 |   ↳ `name` | string | Organization name |
 | `total` | number | Total number of organizations |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -336,7 +429,12 @@ Get queues for a service desk in Jira Service Management
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
-| `queues` | json | Array of queues |
+| `queues` | array | List of queues |
 |   ↳ `id` | string | Queue ID |
 |   ↳ `name` | string | Queue name |
 |   ↳ `jql` | string | JQL filter for the queue |
 |   ↳ `fields` | json | Fields displayed in the queue |
 |   ↳ `issueCount` | number | Number of issues in the queue |
 | `total` | number | Total number of queues |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -360,7 +458,11 @@ Get SLA information for a service request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `slas` | json | Array of SLA information |
+| `slas` | array | List of SLA metrics |
 |   ↳ `id` | string | SLA metric ID |
 |   ↳ `name` | string | SLA metric name |
 |   ↳ `completedCycles` | json | Completed SLA cycles with startTime, stopTime, breachTime, breached, goalDuration, elapsedTime, remainingTime \(each time as DateDTO, durations as DurationDTO\) |
 |   ↳ `ongoingCycle` | json | Ongoing SLA cycle with startTime, breachTime, breached, paused, withinCalendarHours, goalDuration, elapsedTime, remainingTime |
 | `total` | number | Total number of SLAs |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -375,6 +477,8 @@ Get available transitions for a service request in Jira Service Management
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `issueIdOrKey` | string | Yes | Issue ID or key \(e.g., SD-123\) |
 | `start` | number | No | Start index for pagination \(e.g., 0, 50, 100\) |
 | `limit` | number | No | Maximum results to return \(e.g., 10, 25, 50\) |
 #### Output
@@ -382,7 +486,11 @@ Get available transitions for a service request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `transitions` | json | Array of available transitions |
+| `transitions` | array | List of available transitions |
 |   ↳ `id` | string | Transition ID |
 |   ↳ `name` | string | Transition name |
 | `total` | number | Total number of transitions |
 | `isLastPage` | boolean | Whether this is the last page |
 ### `jsm_transition_request`
@@ -427,7 +535,11 @@ Get participants for a request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `participants` | json | Array of participants |
+| `participants` | array | List of participants |
 |   ↳ `accountId` | string | Atlassian account ID |
 |   ↳ `displayName` | string | Display name |
 |   ↳ `emailAddress` | string | Email address |
 |   ↳ `active` | boolean | Whether the account is active |
 | `total` | number | Total number of participants |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -450,7 +562,11 @@ Add participants to a request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `participants` | json | Array of added participants |
+| `participants` | array | List of added participants |
 |   ↳ `accountId` | string | Atlassian account ID |
 |   ↳ `displayName` | string | Display name |
 |   ↳ `emailAddress` | string | Email address |
 |   ↳ `active` | boolean | Whether the account is active |
 | `success` | boolean | Whether the operation succeeded |
 ### `jsm_get_approvals`
@@ -473,7 +589,20 @@ Get approvals for a request in Jira Service Management
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `issueIdOrKey` | string | Issue ID or key |
-| `approvals` | json | Array of approvals |
+| `approvals` | array | List of approvals |
 |   ↳ `id` | string | Approval ID |
 |   ↳ `name` | string | Approval description |
 |   ↳ `finalDecision` | string | Final decision: pending, approved, or declined |
 |   ↳ `canAnswerApproval` | boolean | Whether current user can respond |
 |   ↳ `approvers` | array | List of approvers with their decisions |
 |     ↳ `approver` | object | Approver user details |
 |       ↳ `accountId` | string | Atlassian account ID |
 |       ↳ `displayName` | string | User display name |
 |       ↳ `emailAddress` | string | User email address |
 |       ↳ `active` | boolean | Whether the account is active |
 |     ↳ `approverDecision` | string | Decision: pending, approved, or declined |
 |   ↳ `createdDate` | json | Creation date |
 |   ↳ `completedDate` | json | Completion date |
 | `total` | number | Total number of approvals |
 | `isLastPage` | boolean | Whether this is the last page |
@@ -499,6 +628,53 @@ Approve or decline an approval request in Jira Service Management
 | `issueIdOrKey` | string | Issue ID or key |
 | `approvalId` | string | Approval ID |
 | `decision` | string | Decision made \(approve/decline\) |
 | `id` | string | Approval ID from response |
 | `name` | string | Approval description |
 | `finalDecision` | string | Final approval decision: pending, approved, or declined |
 | `canAnswerApproval` | boolean | Whether the current user can still respond |
 | `approvers` | array | Updated list of approvers with decisions |
 |   ↳ `approver` | object | Approver user details |
 |     ↳ `accountId` | string | Approver account ID |
 |     ↳ `displayName` | string | Approver display name |
 |     ↳ `emailAddress` | string | Approver email |
 |     ↳ `active` | boolean | Whether the account is active |
 |   ↳ `approverDecision` | string | Individual approver decision |
 | `createdDate` | json | Approval creation date |
 | `completedDate` | json | Approval completion date |
 | `approval` | json | The approval object |
 | `success` | boolean | Whether the operation succeeded |
 ### `jsm_get_request_type_fields`
 Get the fields required to create a request of a specific type in Jira Service Management
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `domain` | string | Yes | Your Jira domain \(e.g., yourcompany.atlassian.net\) |
 | `cloudId` | string | No | Jira Cloud ID for the instance |
 | `serviceDeskId` | string | Yes | Service Desk ID \(e.g., "1", "2"\) |
 | `requestTypeId` | string | Yes | Request Type ID \(e.g., "10", "15"\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `ts` | string | Timestamp of the operation |
 | `serviceDeskId` | string | Service desk ID |
 | `requestTypeId` | string | Request type ID |
 | `canAddRequestParticipants` | boolean | Whether participants can be added to requests of this type |
 | `canRaiseOnBehalfOf` | boolean | Whether requests can be raised on behalf of another user |
 | `requestTypeFields` | array | List of fields for this request type |
 |   ↳ `fieldId` | string | Field identifier \(e.g., summary, description, customfield_10010\) |
 |   ↳ `name` | string | Human-readable field name |
 |   ↳ `description` | string | Help text for the field |
 |   ↳ `required` | boolean | Whether the field is required |
 |   ↳ `visible` | boolean | Whether the field is visible |
 |   ↳ `validValues` | json | Allowed values for select fields |
 |   ↳ `presetValues` | json | Pre-populated values |
 |   ↳ `defaultValues` | json | Default values for the field |
 |   ↳ `jiraSchema` | json | Jira field schema with type, system, custom, customId |
--- a/apps/docs/content/docs/en/tools/meta.json
+++ b/apps/docs/content/docs/en/tools/meta.json
@@ -4,6 +4,7 @@
    "a2a",
    "ahrefs",
    "airtable",
    "airweave",
    "apify",
    "apollo",
    "arxiv",
@@ -75,6 +76,7 @@
    "neo4j",
    "notion",
    "onedrive",
    "onepassword",
    "openai",
    "outlook",
    "parallel_ai",
--- a/apps/docs/content/docs/en/tools/onepassword.mdx
+++ b/apps/docs/content/docs/en/tools/onepassword.mdx
@@ -0,0 +1,260 @@
 ---
 title: 1Password
 description: Manage secrets and items in 1Password vaults
 ---
 import { BlockInfoCard } from "@/components/ui/block-info-card"
 <BlockInfoCard 
  type="onepassword"
  color="#E0E0E0"
 />
 {/* MANUAL-CONTENT-START:intro */}
 [1Password](https://1password.com) is a widely trusted password manager and secrets vault solution, allowing individuals and teams to securely store, access, and share passwords, API credentials, and sensitive information. With robust encryption, granular access controls, and seamless syncing across devices, 1Password supports teams and organizations in managing secrets efficiently and securely.
 The [1Password Connect API](https://developer.1password.com/docs/connect/) allows programmatic access to vaults and items within an organization's 1Password account. This integration in Sim lets you automate secret retrieval, onboarding workflows, secret rotation, vault audits, and more, all in a secure and auditable manner.
 With 1Password in your Sim workflow, you can:
 - **List, search, and retrieve vaults**: Access metadata or browse available vaults for organizing secrets by project or purpose
 - **Fetch items and secrets**: Get credentials, API keys, or custom secrets in real time to power your workflows securely
 - **Create, update, or delete secrets**: Automate secret management, provisioning, and rotation for enhanced security practices
 - **Integrate with CI/CD and automation**: Fetch credentials or tokens only when needed, reducing manual work and reducing risk
 - **Ensure access controls**: Leverage role-based access and fine-grained permissions to control which agents or users can access specific secrets
 By connecting Sim with 1Password, you empower your agents to securely manage secrets, reduce manual overhead, and maintain best practices for security automation, incident response, and DevOps workflows—all while ensuring secrets never leave a controlled environment.
 {/* MANUAL-CONTENT-END */}
 ## Usage Instructions
 Access and manage secrets stored in 1Password vaults using the Connect API or Service Account SDK. List vaults, retrieve items with their fields and secrets, create new items, update existing ones, delete items, and resolve secret references.
 ## Tools
 ### `onepassword_list_vaults`
 List all vaults accessible by the Connect token or Service Account
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `filter` | string | No | SCIM filter expression \(e.g., name eq "My Vault"\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `vaults` | array | List of accessible vaults |
 |   ↳ `id` | string | Vault ID |
 |   ↳ `name` | string | Vault name |
 |   ↳ `description` | string | Vault description |
 |   ↳ `attributeVersion` | number | Vault attribute version |
 |   ↳ `contentVersion` | number | Vault content version |
 |   ↳ `type` | string | Vault type \(USER_CREATED, PERSONAL, EVERYONE, TRANSFER\) |
 |   ↳ `createdAt` | string | Creation timestamp |
 |   ↳ `updatedAt` | string | Last update timestamp |
 ### `onepassword_get_vault`
 Get details of a specific vault by ID
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `id` | string | Vault ID |
 | `name` | string | Vault name |
 | `description` | string | Vault description |
 | `attributeVersion` | number | Vault attribute version |
 | `contentVersion` | number | Vault content version |
 | `items` | number | Number of items in the vault |
 | `type` | string | Vault type \(USER_CREATED, PERSONAL, EVERYONE, TRANSFER\) |
 | `createdAt` | string | Creation timestamp |
 | `updatedAt` | string | Last update timestamp |
 ### `onepassword_list_items`
 List items in a vault. Returns summaries without field values.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID to list items from |
 | `filter` | string | No | SCIM filter expression \(e.g., title eq "API Key" or tag eq "production"\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `items` | array | List of items in the vault \(summaries without field values\) |
 |   ↳ `id` | string | Item ID |
 |   ↳ `title` | string | Item title |
 |   ↳ `vault` | object | Vault reference |
 |     ↳ `id` | string | Vault ID |
 |   ↳ `category` | string | Item category \(e.g., LOGIN, API_CREDENTIAL\) |
 |   ↳ `urls` | array | URLs associated with the item |
 |     ↳ `href` | string | URL |
 |     ↳ `label` | string | URL label |
 |     ↳ `primary` | boolean | Whether this is the primary URL |
 |   ↳ `favorite` | boolean | Whether the item is favorited |
 |   ↳ `tags` | array | Item tags |
 |   ↳ `version` | number | Item version number |
 |   ↳ `state` | string | Item state \(ARCHIVED or DELETED\) |
 |   ↳ `createdAt` | string | Creation timestamp |
 |   ↳ `updatedAt` | string | Last update timestamp |
 |   ↳ `lastEditedBy` | string | ID of the last editor |
 ### `onepassword_get_item`
 Get full details of an item including all fields and secrets
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID |
 | `itemId` | string | Yes | The item UUID to retrieve |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `response` | json | Operation response data |
 ### `onepassword_create_item`
 Create a new item in a vault
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID to create the item in |
 | `category` | string | Yes | Item category \(e.g., LOGIN, PASSWORD, API_CREDENTIAL, SECURE_NOTE, SERVER, DATABASE\) |
 | `title` | string | No | Item title |
 | `tags` | string | No | Comma-separated list of tags |
 | `fields` | string | No | JSON array of field objects \(e.g., \[\{"label":"username","value":"admin","type":"STRING","purpose":"USERNAME"\}\]\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `response` | json | Operation response data |
 ### `onepassword_replace_item`
 Replace an entire item with new data (full update)
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID |
 | `itemId` | string | Yes | The item UUID to replace |
 | `item` | string | Yes | JSON object representing the full item \(e.g., \{"vault":\{"id":"..."\},"category":"LOGIN","title":"My Item","fields":\[...\]\}\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `response` | json | Operation response data |
 ### `onepassword_update_item`
 Update an existing item using JSON Patch operations (RFC6902)
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID |
 | `itemId` | string | Yes | The item UUID to update |
 | `operations` | string | Yes | JSON array of RFC6902 patch operations \(e.g., \[\{"op":"replace","path":"/title","value":"New Title"\}\]\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `response` | json | Operation response data |
 ### `onepassword_delete_item`
 Delete an item from a vault
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: "service_account" or "connect" |
 | `serviceAccountToken` | string | No | 1Password Service Account token \(for Service Account mode\) |
 | `apiKey` | string | No | 1Password Connect API token \(for Connect Server mode\) |
 | `serverUrl` | string | No | 1Password Connect server URL \(for Connect Server mode\) |
 | `vaultId` | string | Yes | The vault UUID |
 | `itemId` | string | Yes | The item UUID to delete |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `success` | boolean | Whether the item was successfully deleted |
 ### `onepassword_resolve_secret`
 Resolve a secret reference (op://vault/item/field) to its value. Service Account mode only.
 #### Input
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `connectionMode` | string | No | Connection mode: must be "service_account" for this operation |
 | `serviceAccountToken` | string | Yes | 1Password Service Account token |
 | `secretReference` | string | Yes | Secret reference URI \(e.g., op://vault-name/item-name/field-name or op://vault-name/item-name/section-name/field-name\) |
 #### Output
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
 | `value` | string | The resolved secret value |
 | `reference` | string | The original secret reference URI |
--- a/apps/docs/public/static/skills/add-skill.png
+++ b/apps/docs/public/static/skills/add-skill.png
--- a/apps/docs/public/static/skills/manage-skills.png
+++ b/apps/docs/public/static/skills/manage-skills.png
--- a/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpAuthorizationServerMetadataResponse(request)
 }
--- a/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpAuthorizationServerMetadataResponse(request)
 }
--- a/apps/sim/app/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpAuthorizationServerMetadataResponse(request)
 }
--- a/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpProtectedResourceMetadataResponse(request)
 }
--- a/apps/sim/app/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpProtectedResourceMetadataResponse(request)
 }
--- a/apps/sim/app/api/a2a/agents/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/agents/[agentId]/route.ts
@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { generateAgentCard, generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -40,7 +40,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<Ro
    }
    if (!agent.agent.isPublished) {
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
      if (!auth.success) {
        return NextResponse.json({ error: 'Agent not published' }, { status: 404 })
      }
@@ -81,7 +81,7 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
  const { agentId } = await params
  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
@@ -151,7 +151,7 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
  const { agentId } = await params
  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
@@ -189,7 +189,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
  const { agentId } = await params
  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      logger.warn('A2A agent publish auth failed:', { error: auth.error, hasUserId: !!auth.userId })
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/a2a/agents/route.ts
+++ b/apps/sim/app/api/a2a/agents/route.ts
@@ -13,7 +13,7 @@ import { v4 as uuidv4 } from 'uuid'
 import { generateSkillsFromWorkflow } from '@/lib/a2a/agent-card'
 import { A2A_DEFAULT_CAPABILITIES } from '@/lib/a2a/constants'
 import { sanitizeAgentName } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { hasValidStartBlockInState } from '@/lib/workflows/triggers/trigger-utils'
 import { getWorkspaceById } from '@/lib/workspaces/permissions/utils'
@@ -27,7 +27,7 @@ export const dynamic = 'force-dynamic'
 */
 export async function GET(request: NextRequest) {
  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
@@ -87,7 +87,7 @@ export async function GET(request: NextRequest) {
 */
 export async function POST(request: NextRequest) {
  try {
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -5,7 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -81,7 +81,7 @@ export async function GET(request: NextRequest) {
    const { provider: providerParam, workflowId, credentialId } = parseResult.data
    // Authenticate requester (supports session, API key, internal JWT)
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkSessionOrInternalAuth(request)
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthenticated credentials request rejected`)
      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
--- a/apps/sim/app/api/auth/oauth/token/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.test.ts
@@ -12,7 +12,7 @@ describe('OAuth Token API Routes', () => {
  const mockRefreshTokenIfNeeded = vi.fn()
  const mockGetOAuthToken = vi.fn()
  const mockAuthorizeCredentialUse = vi.fn()
-  const mockCheckHybridAuth = vi.fn()
+  const mockCheckSessionOrInternalAuth = vi.fn()
  const mockLogger = createMockLogger()
@@ -42,7 +42,7 @@ describe('OAuth Token API Routes', () => {
    }))
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: mockCheckHybridAuth,
+      checkSessionOrInternalAuth: mockCheckSessionOrInternalAuth,
    }))
  })
@@ -235,7 +235,7 @@ describe('OAuth Token API Routes', () => {
    describe('credentialAccountUserId + providerId path', () => {
      it('should reject unauthenticated requests', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
          success: false,
          error: 'Authentication required',
        })
@@ -255,30 +255,8 @@ describe('OAuth Token API Routes', () => {
        expect(mockGetOAuthToken).not.toHaveBeenCalled()
      })
      it('should reject API key authentication', async () => {
        mockCheckHybridAuth.mockResolvedValueOnce({
          success: true,
          authType: 'api_key',
          userId: 'test-user-id',
        })
        const req = createMockRequest('POST', {
          credentialAccountUserId: 'test-user-id',
          providerId: 'google',
        })
        const { POST } = await import('@/app/api/auth/oauth/token/route')
        const response = await POST(req)
        const data = await response.json()
        expect(response.status).toBe(401)
        expect(data).toHaveProperty('error', 'User not authenticated')
        expect(mockGetOAuthToken).not.toHaveBeenCalled()
      })
      it('should reject internal JWT authentication', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
          success: true,
          authType: 'internal_jwt',
          userId: 'test-user-id',
@@ -300,7 +278,7 @@ describe('OAuth Token API Routes', () => {
      })
      it('should reject requests for other users credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
          success: true,
          authType: 'session',
          userId: 'attacker-user-id',
@@ -322,7 +300,7 @@ describe('OAuth Token API Routes', () => {
      })
      it('should allow session-authenticated users to access their own credentials', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
          success: true,
          authType: 'session',
          userId: 'test-user-id',
@@ -345,7 +323,7 @@ describe('OAuth Token API Routes', () => {
      })
      it('should return 404 when credential not found for user', async () => {
-        mockCheckHybridAuth.mockResolvedValueOnce({
+        mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
          success: true,
          authType: 'session',
          userId: 'test-user-id',
@@ -373,7 +351,7 @@ describe('OAuth Token API Routes', () => {
   */
  describe('GET handler', () => {
    it('should return access token successfully', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
        success: true,
        authType: 'session',
        userId: 'test-user-id',
@@ -402,7 +380,7 @@ describe('OAuth Token API Routes', () => {
      expect(response.status).toBe(200)
      expect(data).toHaveProperty('accessToken', 'fresh-token')
-      expect(mockCheckHybridAuth).toHaveBeenCalled()
+      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
      expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
      expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
    })
@@ -421,7 +399,7 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle authentication failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
        success: false,
        error: 'Authentication required',
      })
@@ -440,7 +418,7 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle credential not found', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
        success: true,
        authType: 'session',
        userId: 'test-user-id',
@@ -461,7 +439,7 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle missing access token', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
        success: true,
        authType: 'session',
        userId: 'test-user-id',
@@ -487,7 +465,7 @@ describe('OAuth Token API Routes', () => {
    })
    it('should handle token refresh failure', async () => {
-      mockCheckHybridAuth.mockResolvedValueOnce({
+      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
        success: true,
        authType: 'session',
        userId: 'test-user-id',
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getCredential, getOAuthToken, refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -71,7 +71,7 @@ export async function POST(request: NextRequest) {
        providerId,
      })
-      const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+      const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
      if (!auth.success || auth.authType !== 'session' || !auth.userId) {
        logger.warn(`[${requestId}] Unauthorized request for credentialAccountUserId path`, {
          success: auth.success,
@@ -187,7 +187,7 @@ export async function GET(request: NextRequest) {
    const { credentialId } = parseResult.data
    // For GET requests, we only support session-based authentication
-    const auth = await checkHybridAuth(request, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
    }
--- a/apps/sim/app/api/billing/update-cost/route.ts
+++ b/apps/sim/app/api/billing/update-cost/route.ts
@@ -18,6 +18,7 @@ const UpdateCostSchema = z.object({
  model: z.string().min(1, 'Model is required'),
  inputTokens: z.number().min(0).default(0),
  outputTokens: z.number().min(0).default(0),
  source: z.enum(['copilot', 'mcp_copilot']).default('copilot'),
 })
 /**
@@ -75,12 +76,14 @@ export async function POST(req: NextRequest) {
      )
    }
-    const { userId, cost, model, inputTokens, outputTokens } = validation.data
+    const { userId, cost, model, inputTokens, outputTokens, source } = validation.data
    const isMcp = source === 'mcp_copilot'
    logger.info(`[${requestId}] Processing cost update`, {
      userId,
      cost,
      model,
      source,
    })
    // Check if user stats record exists (same as ExecutionLogger)
@@ -96,7 +99,7 @@ export async function POST(req: NextRequest) {
      return NextResponse.json({ error: 'User stats record not found' }, { status: 500 })
    }
-    const updateFields = {
+    const updateFields: Record<string, unknown> = {
      totalCost: sql`total_cost + ${cost}`,
      currentPeriodCost: sql`current_period_cost + ${cost}`,
      totalCopilotCost: sql`total_copilot_cost + ${cost}`,
@@ -105,17 +108,24 @@ export async function POST(req: NextRequest) {
      lastActive: new Date(),
    }
    // Also increment MCP-specific counters when source is mcp_copilot
    if (isMcp) {
      updateFields.totalMcpCopilotCost = sql`total_mcp_copilot_cost + ${cost}`
      updateFields.currentPeriodMcpCopilotCost = sql`current_period_mcp_copilot_cost + ${cost}`
    }
    await db.update(userStats).set(updateFields).where(eq(userStats.userId, userId))
    logger.info(`[${requestId}] Updated user stats record`, {
      userId,
      addedCost: cost,
      source,
    })
    // Log usage for complete audit trail
    await logModelUsage({
      userId,
-      source: 'copilot',
+      source: isMcp ? 'mcp_copilot' : 'copilot',
      model,
      inputTokens,
      outputTokens,
--- a/apps/sim/app/api/copilot/api-keys/generate/route.ts
+++ b/apps/sim/app/api/copilot/api-keys/generate/route.ts
@@ -1,7 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { SIM_AGENT_API_URL_DEFAULT } from '@/lib/copilot/constants'
+import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
 import { env } from '@/lib/core/config/env'
 const GenerateApiKeySchema = z.object({
@@ -17,9 +17,6 @@ export async function POST(req: NextRequest) {
    const userId = session.user.id
    // Move environment variable access inside the function
    const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
    const body = await req.json().catch(() => ({}))
    const validationResult = GenerateApiKeySchema.safeParse(body)
--- a/apps/sim/app/api/copilot/api-keys/route.test.ts
+++ b/apps/sim/app/api/copilot/api-keys/route.test.ts
@@ -19,6 +19,7 @@ describe('Copilot API Keys API Route', () => {
    vi.doMock('@/lib/copilot/constants', () => ({
      SIM_AGENT_API_URL_DEFAULT: 'https://agent.sim.example.com',
      SIM_AGENT_API_URL: 'https://agent.sim.example.com',
    }))
    vi.doMock('@/lib/core/config/env', async () => {
--- a/apps/sim/app/api/copilot/api-keys/route.ts
+++ b/apps/sim/app/api/copilot/api-keys/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
-import { SIM_AGENT_API_URL_DEFAULT } from '@/lib/copilot/constants'
+import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
 import { env } from '@/lib/core/config/env'
 export async function GET(request: NextRequest) {
@@ -12,8 +12,6 @@ export async function GET(request: NextRequest) {
    const userId = session.user.id
    const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
    const res = await fetch(`${SIM_AGENT_API_URL}/api/validate-key/get-api-keys`, {
      method: 'POST',
      headers: {
@@ -68,8 +66,6 @@ export async function DELETE(request: NextRequest) {
      return NextResponse.json({ error: 'id is required' }, { status: 400 })
    }
    const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
    const res = await fetch(`${SIM_AGENT_API_URL}/api/validate-key/delete`, {
      method: 'POST',
      headers: {
--- a/apps/sim/app/api/copilot/chat/route.ts
+++ b/apps/sim/app/api/copilot/chat/route.ts
--- a/apps/sim/app/api/copilot/chat/stream/route.ts
+++ b/apps/sim/app/api/copilot/chat/stream/route.ts
@@ -0,0 +1,130 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import {
  getStreamMeta,
  readStreamEvents,
  type StreamMeta,
 } from '@/lib/copilot/orchestrator/stream-buffer'
 import { authenticateCopilotRequestSessionOnly } from '@/lib/copilot/request-helpers'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 const logger = createLogger('CopilotChatStreamAPI')
 const POLL_INTERVAL_MS = 250
 const MAX_STREAM_MS = 10 * 60 * 1000
 function encodeEvent(event: Record<string, any>): Uint8Array {
  return new TextEncoder().encode(`data: ${JSON.stringify(event)}\n\n`)
 }
 export async function GET(request: NextRequest) {
  const { userId: authenticatedUserId, isAuthenticated } =
    await authenticateCopilotRequestSessionOnly()
  if (!isAuthenticated || !authenticatedUserId) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  const url = new URL(request.url)
  const streamId = url.searchParams.get('streamId') || ''
  const fromParam = url.searchParams.get('from') || '0'
  const fromEventId = Number(fromParam || 0)
  // If batch=true, return buffered events as JSON instead of SSE
  const batchMode = url.searchParams.get('batch') === 'true'
  const toParam = url.searchParams.get('to')
  const toEventId = toParam ? Number(toParam) : undefined
  if (!streamId) {
    return NextResponse.json({ error: 'streamId is required' }, { status: 400 })
  }
  const meta = (await getStreamMeta(streamId)) as StreamMeta | null
  logger.info('[Resume] Stream lookup', {
    streamId,
    fromEventId,
    toEventId,
    batchMode,
    hasMeta: !!meta,
    metaStatus: meta?.status,
  })
  if (!meta) {
    return NextResponse.json({ error: 'Stream not found' }, { status: 404 })
  }
  if (meta.userId && meta.userId !== authenticatedUserId) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
  }
  // Batch mode: return all buffered events as JSON
  if (batchMode) {
    const events = await readStreamEvents(streamId, fromEventId)
    const filteredEvents = toEventId ? events.filter((e) => e.eventId <= toEventId) : events
    logger.info('[Resume] Batch response', {
      streamId,
      fromEventId,
      toEventId,
      eventCount: filteredEvents.length,
    })
    return NextResponse.json({
      success: true,
      events: filteredEvents,
      status: meta.status,
    })
  }
  const startTime = Date.now()
  const stream = new ReadableStream({
    async start(controller) {
      let lastEventId = Number.isFinite(fromEventId) ? fromEventId : 0
      const flushEvents = async () => {
        const events = await readStreamEvents(streamId, lastEventId)
        if (events.length > 0) {
          logger.info('[Resume] Flushing events', {
            streamId,
            fromEventId: lastEventId,
            eventCount: events.length,
          })
        }
        for (const entry of events) {
          lastEventId = entry.eventId
          const payload = {
            ...entry.event,
            eventId: entry.eventId,
            streamId: entry.streamId,
          }
          controller.enqueue(encodeEvent(payload))
        }
      }
      try {
        await flushEvents()
        while (Date.now() - startTime < MAX_STREAM_MS) {
          const currentMeta = await getStreamMeta(streamId)
          if (!currentMeta) break
          await flushEvents()
          if (currentMeta.status === 'complete' || currentMeta.status === 'error') {
            break
          }
          if (request.signal.aborted) {
            break
          }
          await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS))
        }
      } catch (error) {
        logger.warn('Stream replay failed', {
          streamId,
          error: error instanceof Error ? error.message : String(error),
        })
      } finally {
        controller.close()
      }
    },
  })
  return new Response(stream, { headers: SSE_HEADERS })
 }
--- a/apps/sim/app/api/copilot/confirm/route.test.ts
+++ b/apps/sim/app/api/copilot/confirm/route.test.ts
@@ -139,7 +139,6 @@ describe('Copilot Confirm API Route', () => {
        status: 'success',
      })
      expect(mockRedisExists).toHaveBeenCalled()
      expect(mockRedisSet).toHaveBeenCalled()
    })
@@ -256,11 +255,11 @@ describe('Copilot Confirm API Route', () => {
      expect(responseData.error).toBe('Failed to update tool call status or tool call not found')
    })
-    it('should return 400 when tool call is not found in Redis', async () => {
+    it('should return 400 when Redis set fails', async () => {
      const authMocks = mockAuth()
      authMocks.setAuthenticated()
-      mockRedisExists.mockResolvedValue(0)
+      mockRedisSet.mockRejectedValueOnce(new Error('Redis set failed'))
      const req = createMockRequest('POST', {
        toolCallId: 'non-existent-tool',
@@ -279,7 +278,7 @@ describe('Copilot Confirm API Route', () => {
      const authMocks = mockAuth()
      authMocks.setAuthenticated()
-      mockRedisExists.mockRejectedValue(new Error('Redis connection failed'))
+      mockRedisSet.mockRejectedValueOnce(new Error('Redis connection failed'))
      const req = createMockRequest('POST', {
        toolCallId: 'tool-call-123',
--- a/apps/sim/app/api/copilot/confirm/route.ts
+++ b/apps/sim/app/api/copilot/confirm/route.ts
@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { REDIS_TOOL_CALL_PREFIX, REDIS_TOOL_CALL_TTL_SECONDS } from '@/lib/copilot/constants'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
@@ -23,7 +24,8 @@ const ConfirmationSchema = z.object({
 })
 /**
- * Update tool call status in Redis
+ * Write the user's tool decision to Redis. The server-side orchestrator's
 * waitForToolDecision() polls Redis for this value.
 */
 async function updateToolCallStatus(
  toolCallId: string,
@@ -32,57 +34,24 @@ async function updateToolCallStatus(
 ): Promise<boolean> {
  const redis = getRedisClient()
  if (!redis) {
-    logger.warn('updateToolCallStatus: Redis client not available')
+    logger.warn('Redis client not available for tool confirmation')
    return false
  }
  try {
-    const key = `tool_call:${toolCallId}`
+    const key = `${REDIS_TOOL_CALL_PREFIX}${toolCallId}`
-    const timeout = 600000 // 10 minutes timeout for user confirmation
+    const payload = {
    const pollInterval = 100 // Poll every 100ms
    const startTime = Date.now()
    logger.info('Polling for tool call in Redis', { toolCallId, key, timeout })
    // Poll until the key exists or timeout
    while (Date.now() - startTime < timeout) {
      const exists = await redis.exists(key)
      if (exists) {
        break
      }
      // Wait before next poll
      await new Promise((resolve) => setTimeout(resolve, pollInterval))
    }
    // Final check if key exists after polling
    const exists = await redis.exists(key)
    if (!exists) {
      logger.warn('Tool call not found in Redis after polling timeout', {
        toolCallId,
        key,
        timeout,
        pollDuration: Date.now() - startTime,
      })
      return false
    }
    // Store both status and message as JSON
    const toolCallData = {
      status,
      message: message || null,
      timestamp: new Date().toISOString(),
    }
-
+    await redis.set(key, JSON.stringify(payload), 'EX', REDIS_TOOL_CALL_TTL_SECONDS)
    await redis.set(key, JSON.stringify(toolCallData), 'EX', 86400) // Keep 24 hour expiry
    return true
  } catch (error) {
-    logger.error('Failed to update tool call status in Redis', {
+    logger.error('Failed to update tool call status', {
      toolCallId,
      status,
-      message,
+      error: error instanceof Error ? error.message : String(error),
      error: error instanceof Error ? error.message : 'Unknown error',
    })
    return false
  }
--- a/apps/sim/app/api/copilot/credentials/route.ts
+++ b/apps/sim/app/api/copilot/credentials/route.ts
@@ -0,0 +1,28 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { authenticateCopilotRequestSessionOnly } from '@/lib/copilot/request-helpers'
 import { routeExecution } from '@/lib/copilot/tools/server/router'
 /**
 * GET /api/copilot/credentials
 * Returns connected OAuth credentials for the authenticated user.
 * Used by the copilot store for credential masking.
 */
 export async function GET(_req: NextRequest) {
  const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
  if (!isAuthenticated || !userId) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  }
  try {
    const result = await routeExecution('get_credentials', {}, { userId })
    return NextResponse.json({ success: true, result })
  } catch (error) {
    return NextResponse.json(
      {
        success: false,
        error: error instanceof Error ? error.message : 'Failed to load credentials',
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/copilot/execute-copilot-server-tool/route.ts
+++ b/apps/sim/app/api/copilot/execute-copilot-server-tool/route.ts
@@ -1,54 +0,0 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
  createInternalServerErrorResponse,
  createRequestTracker,
  createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
 import { routeExecution } from '@/lib/copilot/tools/server/router'
 const logger = createLogger('ExecuteCopilotServerToolAPI')
 const ExecuteSchema = z.object({
  toolName: z.string(),
  payload: z.unknown().optional(),
 })
 export async function POST(req: NextRequest) {
  const tracker = createRequestTracker()
  try {
    const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
    if (!isAuthenticated || !userId) {
      return createUnauthorizedResponse()
    }
    const body = await req.json()
    try {
      const preview = JSON.stringify(body).slice(0, 300)
      logger.debug(`[${tracker.requestId}] Incoming request body preview`, { preview })
    } catch {}
    const { toolName, payload } = ExecuteSchema.parse(body)
    logger.info(`[${tracker.requestId}] Executing server tool`, { toolName })
    const result = await routeExecution(toolName, payload, { userId })
    try {
      const resultPreview = JSON.stringify(result).slice(0, 300)
      logger.debug(`[${tracker.requestId}] Server tool result preview`, { toolName, resultPreview })
    } catch {}
    return NextResponse.json({ success: true, result })
  } catch (error) {
    if (error instanceof z.ZodError) {
      logger.debug(`[${tracker.requestId}] Zod validation error`, { issues: error.issues })
      return createBadRequestResponse('Invalid request body for execute-copilot-server-tool')
    }
    logger.error(`[${tracker.requestId}] Failed to execute server tool:`, error)
    const errorMessage = error instanceof Error ? error.message : 'Failed to execute server tool'
    return createInternalServerErrorResponse(errorMessage)
  }
 }
--- a/apps/sim/app/api/copilot/execute-tool/route.ts
+++ b/apps/sim/app/api/copilot/execute-tool/route.ts
@@ -1,247 +0,0 @@
 import { db } from '@sim/db'
 import { account, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import {
  createBadRequestResponse,
  createInternalServerErrorResponse,
  createRequestTracker,
  createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 import { executeTool } from '@/tools'
 import { getTool, resolveToolId } from '@/tools/utils'
 const logger = createLogger('CopilotExecuteToolAPI')
 const ExecuteToolSchema = z.object({
  toolCallId: z.string(),
  toolName: z.string(),
  arguments: z.record(z.any()).optional().default({}),
  workflowId: z.string().optional(),
 })
 export async function POST(req: NextRequest) {
  const tracker = createRequestTracker()
  try {
    const session = await getSession()
    if (!session?.user?.id) {
      return createUnauthorizedResponse()
    }
    const userId = session.user.id
    const body = await req.json()
    try {
      const preview = JSON.stringify(body).slice(0, 300)
      logger.debug(`[${tracker.requestId}] Incoming execute-tool request`, { preview })
    } catch {}
    const { toolCallId, toolName, arguments: toolArgs, workflowId } = ExecuteToolSchema.parse(body)
    const resolvedToolName = resolveToolId(toolName)
    logger.info(`[${tracker.requestId}] Executing tool`, {
      toolCallId,
      toolName,
      resolvedToolName,
      workflowId,
      hasArgs: Object.keys(toolArgs).length > 0,
    })
    const toolConfig = getTool(resolvedToolName)
    if (!toolConfig) {
      // Find similar tool names to help debug
      const { tools: allTools } = await import('@/tools/registry')
      const allToolNames = Object.keys(allTools)
      const prefix = toolName.split('_').slice(0, 2).join('_')
      const similarTools = allToolNames
        .filter((name) => name.startsWith(`${prefix.split('_')[0]}_`))
        .slice(0, 10)
      logger.warn(`[${tracker.requestId}] Tool not found in registry`, {
        toolName,
        prefix,
        similarTools,
        totalToolsInRegistry: allToolNames.length,
      })
      return NextResponse.json(
        {
          success: false,
          error: `Tool not found: ${toolName}. Similar tools: ${similarTools.join(', ')}`,
          toolCallId,
        },
        { status: 404 }
      )
    }
    // Get the workspaceId from the workflow (env vars are stored at workspace level)
    let workspaceId: string | undefined
    if (workflowId) {
      const workflowResult = await db
        .select({ workspaceId: workflow.workspaceId })
        .from(workflow)
        .where(eq(workflow.id, workflowId))
        .limit(1)
      workspaceId = workflowResult[0]?.workspaceId ?? undefined
    }
    // Get decrypted environment variables early so we can resolve all {{VAR}} references
    const decryptedEnvVars = await getEffectiveDecryptedEnv(userId, workspaceId)
    logger.info(`[${tracker.requestId}] Fetched environment variables`, {
      workflowId,
      workspaceId,
      envVarCount: Object.keys(decryptedEnvVars).length,
      envVarKeys: Object.keys(decryptedEnvVars),
    })
    // Build execution params starting with LLM-provided arguments
    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
    const executionParams: Record<string, any> = resolveEnvVarReferences(
      toolArgs,
      decryptedEnvVars,
      { deep: true }
    ) as Record<string, any>
    logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
      toolName,
      originalArgKeys: Object.keys(toolArgs),
      resolvedArgKeys: Object.keys(executionParams),
    })
    // Resolve OAuth access token if required
    if (toolConfig.oauth?.required && toolConfig.oauth.provider) {
      const provider = toolConfig.oauth.provider
      logger.info(`[${tracker.requestId}] Resolving OAuth token`, { provider })
      try {
        // Find the account for this provider and user
        const accounts = await db
          .select()
          .from(account)
          .where(and(eq(account.providerId, provider), eq(account.userId, userId)))
          .limit(1)
        if (accounts.length > 0) {
          const acc = accounts[0]
          const requestId = generateRequestId()
          const { accessToken } = await refreshTokenIfNeeded(requestId, acc as any, acc.id)
          if (accessToken) {
            executionParams.accessToken = accessToken
            logger.info(`[${tracker.requestId}] OAuth token resolved`, { provider })
          } else {
            logger.warn(`[${tracker.requestId}] No access token available`, { provider })
            return NextResponse.json(
              {
                success: false,
                error: `OAuth token not available for ${provider}. Please reconnect your account.`,
                toolCallId,
              },
              { status: 400 }
            )
          }
        } else {
          logger.warn(`[${tracker.requestId}] No account found for provider`, { provider })
          return NextResponse.json(
            {
              success: false,
              error: `No ${provider} account connected. Please connect your account first.`,
              toolCallId,
            },
            { status: 400 }
          )
        }
      } catch (error) {
        logger.error(`[${tracker.requestId}] Failed to resolve OAuth token`, {
          provider,
          error: error instanceof Error ? error.message : String(error),
        })
        return NextResponse.json(
          {
            success: false,
            error: `Failed to get OAuth token for ${provider}`,
            toolCallId,
          },
          { status: 500 }
        )
      }
    }
    // Check if tool requires an API key that wasn't resolved via {{ENV_VAR}} reference
    const needsApiKey = toolConfig.params?.apiKey?.required
    if (needsApiKey && !executionParams.apiKey) {
      logger.warn(`[${tracker.requestId}] No API key found for tool`, { toolName })
      return NextResponse.json(
        {
          success: false,
          error: `API key not provided for ${toolName}. Use {{YOUR_API_KEY_ENV_VAR}} to reference your environment variable.`,
          toolCallId,
        },
        { status: 400 }
      )
    }
    // Add execution context
    executionParams._context = {
      workflowId,
      userId,
    }
    // Special handling for function_execute - inject environment variables
    if (toolName === 'function_execute') {
      executionParams.envVars = decryptedEnvVars
      executionParams.workflowVariables = {} // No workflow variables in copilot context
      executionParams.blockData = {} // No block data in copilot context
      executionParams.blockNameMapping = {} // No block mapping in copilot context
      executionParams.language = executionParams.language || 'javascript'
      executionParams.timeout = executionParams.timeout || 30000
      logger.info(`[${tracker.requestId}] Injected env vars for function_execute`, {
        envVarCount: Object.keys(decryptedEnvVars).length,
      })
    }
    // Execute the tool
    logger.info(`[${tracker.requestId}] Executing tool with resolved credentials`, {
      toolName,
      hasAccessToken: !!executionParams.accessToken,
      hasApiKey: !!executionParams.apiKey,
    })
    const result = await executeTool(resolvedToolName, executionParams)
    logger.info(`[${tracker.requestId}] Tool execution complete`, {
      toolName,
      success: result.success,
      hasOutput: !!result.output,
    })
    return NextResponse.json({
      success: true,
      toolCallId,
      result: {
        success: result.success,
        output: result.output,
        error: result.error,
      },
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      logger.debug(`[${tracker.requestId}] Zod validation error`, { issues: error.issues })
      return createBadRequestResponse('Invalid request body for execute-tool')
    }
    logger.error(`[${tracker.requestId}] Failed to execute tool:`, error)
    const errorMessage = error instanceof Error ? error.message : 'Failed to execute tool'
    return createInternalServerErrorResponse(errorMessage)
  }
 }
--- a/apps/sim/app/api/copilot/stats/route.test.ts
+++ b/apps/sim/app/api/copilot/stats/route.test.ts
@@ -40,6 +40,7 @@ describe('Copilot Stats API Route', () => {
    vi.doMock('@/lib/copilot/constants', () => ({
      SIM_AGENT_API_URL_DEFAULT: 'https://agent.sim.example.com',
      SIM_AGENT_API_URL: 'https://agent.sim.example.com',
    }))
    vi.doMock('@/lib/core/config/env', async () => {
--- a/apps/sim/app/api/copilot/stats/route.ts
+++ b/apps/sim/app/api/copilot/stats/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { SIM_AGENT_API_URL_DEFAULT } from '@/lib/copilot/constants'
+import { SIM_AGENT_API_URL } from '@/lib/copilot/constants'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
@@ -10,8 +10,6 @@ import {
 } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
 const BodySchema = z.object({
  messageId: z.string(),
  diffCreated: z.boolean(),
--- a/apps/sim/app/api/copilot/tools/mark-complete/route.ts
+++ b/apps/sim/app/api/copilot/tools/mark-complete/route.ts
@@ -1,123 +0,0 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { SIM_AGENT_API_URL_DEFAULT } from '@/lib/copilot/constants'
 import {
  authenticateCopilotRequestSessionOnly,
  createBadRequestResponse,
  createInternalServerErrorResponse,
  createRequestTracker,
  createUnauthorizedResponse,
 } from '@/lib/copilot/request-helpers'
 import { env } from '@/lib/core/config/env'
 const logger = createLogger('CopilotMarkToolCompleteAPI')
 const SIM_AGENT_API_URL = env.SIM_AGENT_API_URL || SIM_AGENT_API_URL_DEFAULT
 const MarkCompleteSchema = z.object({
  id: z.string(),
  name: z.string(),
  status: z.number().int(),
  message: z.any().optional(),
  data: z.any().optional(),
 })
 /**
 * POST /api/copilot/tools/mark-complete
 * Proxy to Sim Agent: POST /api/tools/mark-complete
 */
 export async function POST(req: NextRequest) {
  const tracker = createRequestTracker()
  try {
    const { userId, isAuthenticated } = await authenticateCopilotRequestSessionOnly()
    if (!isAuthenticated || !userId) {
      return createUnauthorizedResponse()
    }
    const body = await req.json()
    // Log raw body shape for diagnostics (avoid dumping huge payloads)
    try {
      const bodyPreview = JSON.stringify(body).slice(0, 300)
      logger.debug(`[${tracker.requestId}] Incoming mark-complete raw body preview`, {
        preview: `${bodyPreview}${bodyPreview.length === 300 ? '...' : ''}`,
      })
    } catch {}
    const parsed = MarkCompleteSchema.parse(body)
    const messagePreview = (() => {
      try {
        const s =
          typeof parsed.message === 'string' ? parsed.message : JSON.stringify(parsed.message)
        return s ? `${s.slice(0, 200)}${s.length > 200 ? '...' : ''}` : undefined
      } catch {
        return undefined
      }
    })()
    logger.info(`[${tracker.requestId}] Forwarding tool mark-complete`, {
      userId,
      toolCallId: parsed.id,
      toolName: parsed.name,
      status: parsed.status,
      hasMessage: parsed.message !== undefined,
      hasData: parsed.data !== undefined,
      messagePreview,
      agentUrl: `${SIM_AGENT_API_URL}/api/tools/mark-complete`,
    })
    const agentRes = await fetch(`${SIM_AGENT_API_URL}/api/tools/mark-complete`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        ...(env.COPILOT_API_KEY ? { 'x-api-key': env.COPILOT_API_KEY } : {}),
      },
      body: JSON.stringify(parsed),
    })
    // Attempt to parse agent response JSON
    let agentJson: any = null
    let agentText: string | null = null
    try {
      agentJson = await agentRes.json()
    } catch (_) {
      try {
        agentText = await agentRes.text()
      } catch {}
    }
    logger.info(`[${tracker.requestId}] Agent responded to mark-complete`, {
      status: agentRes.status,
      ok: agentRes.ok,
      responseJsonPreview: agentJson ? JSON.stringify(agentJson).slice(0, 300) : undefined,
      responseTextPreview: agentText ? agentText.slice(0, 300) : undefined,
    })
    if (agentRes.ok) {
      return NextResponse.json({ success: true })
    }
    const errorMessage =
      agentJson?.error || agentText || `Agent responded with status ${agentRes.status}`
    const status = agentRes.status >= 500 ? 500 : 400
    logger.warn(`[${tracker.requestId}] Mark-complete failed`, {
      status,
      error: errorMessage,
    })
    return NextResponse.json({ success: false, error: errorMessage }, { status })
  } catch (error) {
    if (error instanceof z.ZodError) {
      logger.warn(`[${tracker.requestId}] Invalid mark-complete request body`, {
        issues: error.issues,
      })
      return createBadRequestResponse('Invalid request body for mark-complete')
    }
    logger.error(`[${tracker.requestId}] Failed to proxy mark-complete:`, error)
    return createInternalServerErrorResponse('Failed to mark tool as complete')
  }
 }
--- a/apps/sim/app/api/copilot/user-models/route.ts
+++ b/apps/sim/app/api/copilot/user-models/route.ts
@@ -28,6 +28,7 @@ const DEFAULT_ENABLED_MODELS: Record<CopilotModelId, boolean> = {
  'claude-4-sonnet': false,
  'claude-4.5-haiku': true,
  'claude-4.5-sonnet': true,
  'claude-4.6-opus': true,
  'claude-4.5-opus': true,
  'claude-4.1-opus': false,
  'gemini-3-pro': true,
--- a/apps/sim/app/api/files/delete/route.test.ts
+++ b/apps/sim/app/api/files/delete/route.test.ts
@@ -29,7 +29,7 @@ function setupFileApiMocks(
  }
  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
      success: authenticated,
      userId: authenticated ? 'test-user-id' : undefined,
      error: authenticated ? undefined : 'Unauthorized',
--- a/apps/sim/app/api/files/delete/route.ts
+++ b/apps/sim/app/api/files/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { deleteFile, hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
@@ -24,7 +24,7 @@ const logger = createLogger('FilesDeleteAPI')
 */
 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn('Unauthorized file delete request', {
--- a/apps/sim/app/api/files/download/route.ts
+++ b/apps/sim/app/api/files/download/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import type { StorageContext } from '@/lib/uploads/config'
 import { hasCloudStorage } from '@/lib/uploads/core/storage-service'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -12,7 +12,7 @@ export const dynamic = 'force-dynamic'
 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn('Unauthorized download URL request', {
--- a/apps/sim/app/api/files/parse/route.test.ts
+++ b/apps/sim/app/api/files/parse/route.test.ts
@@ -35,7 +35,7 @@ function setupFileApiMocks(
  }
  vi.doMock('@/lib/auth/hybrid', () => ({
-    checkHybridAuth: vi.fn().mockResolvedValue({
+    checkInternalAuth: vi.fn().mockResolvedValue({
      success: authenticated,
      userId: authenticated ? 'test-user-id' : undefined,
      error: authenticated ? undefined : 'Unauthorized',
--- a/apps/sim/app/api/files/parse/route.ts
+++ b/apps/sim/app/api/files/parse/route.ts
@@ -5,7 +5,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  secureFetchWithPinnedIP,
  validateUrlWithDNS,
@@ -66,7 +66,7 @@ export async function POST(request: NextRequest) {
  const startTime = Date.now()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: true })
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: true })
    if (!authResult.success) {
      logger.warn('Unauthorized file parse request', {
--- a/apps/sim/app/api/files/serve/[...path]/route.test.ts
+++ b/apps/sim/app/api/files/serve/[...path]/route.test.ts
@@ -55,7 +55,7 @@ describe('File Serve API Route', () => {
    })
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'test-user-id',
      }),
@@ -165,7 +165,7 @@ describe('File Serve API Route', () => {
    }))
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'test-user-id',
      }),
@@ -226,7 +226,7 @@ describe('File Serve API Route', () => {
    }))
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'test-user-id',
      }),
@@ -291,7 +291,7 @@ describe('File Serve API Route', () => {
    }))
    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkHybridAuth: vi.fn().mockResolvedValue({
+      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'test-user-id',
      }),
@@ -350,7 +350,7 @@ describe('File Serve API Route', () => {
    for (const test of contentTypeTests) {
      it(`should serve ${test.ext} file with correct content type`, async () => {
        vi.doMock('@/lib/auth/hybrid', () => ({
-          checkHybridAuth: vi.fn().mockResolvedValue({
+          checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
            success: true,
            userId: 'test-user-id',
          }),
--- a/apps/sim/app/api/files/serve/[...path]/route.ts
+++ b/apps/sim/app/api/files/serve/[...path]/route.ts
@@ -2,7 +2,7 @@ import { readFile } from 'fs/promises'
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { CopilotFiles, isUsingCloudStorage } from '@/lib/uploads'
 import type { StorageContext } from '@/lib/uploads/config'
 import { downloadFile } from '@/lib/uploads/core/storage-service'
@@ -49,7 +49,7 @@ export async function GET(
      return await handleLocalFilePublic(fullPath)
    }
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn('Unauthorized file access attempt', {
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -845,6 +845,8 @@ export async function POST(req: NextRequest) {
      contextVariables,
      timeoutMs: timeout,
      requestId,
      ownerKey: `user:${auth.userId}`,
      ownerWeight: 1,
    })
    const executionTime = Date.now() - startTime
--- a/apps/sim/app/api/guardrails/validate/route.ts
+++ b/apps/sim/app/api/guardrails/validate/route.ts
@@ -23,7 +23,16 @@ export async function POST(request: NextRequest) {
      topK,
      model,
      apiKey,
      azureEndpoint,
      azureApiVersion,
      vertexProject,
      vertexLocation,
      vertexCredential,
      bedrockAccessKeyId,
      bedrockSecretKey,
      bedrockRegion,
      workflowId,
      workspaceId,
      piiEntityTypes,
      piiMode,
      piiLanguage,
@@ -110,7 +119,18 @@ export async function POST(request: NextRequest) {
      topK,
      model,
      apiKey,
      {
        azureEndpoint,
        azureApiVersion,
        vertexProject,
        vertexLocation,
        vertexCredential,
        bedrockAccessKeyId,
        bedrockSecretKey,
        bedrockRegion,
      },
      workflowId,
      workspaceId,
      piiEntityTypes,
      piiMode,
      piiLanguage,
@@ -178,7 +198,18 @@ async function executeValidation(
  topK: string | undefined,
  model: string,
  apiKey: string | undefined,
  providerCredentials: {
    azureEndpoint?: string
    azureApiVersion?: string
    vertexProject?: string
    vertexLocation?: string
    vertexCredential?: string
    bedrockAccessKeyId?: string
    bedrockSecretKey?: string
    bedrockRegion?: string
  },
  workflowId: string | undefined,
  workspaceId: string | undefined,
  piiEntityTypes: string[] | undefined,
  piiMode: string | undefined,
  piiLanguage: string | undefined,
@@ -219,7 +250,9 @@ async function executeValidation(
      topK: topK ? Number.parseInt(topK) : 10, // Default topK is 10
      model: model,
      apiKey,
      providerCredentials,
      workflowId,
      workspaceId,
      requestId,
    })
  }
--- a/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts
+++ b/apps/sim/app/api/knowledge/[id]/tag-definitions/route.ts
@@ -2,7 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { SUPPORTED_FIELD_TYPES } from '@/lib/knowledge/constants'
 import { createTagDefinition, getTagDefinitions } from '@/lib/knowledge/tags/service'
 import { checkKnowledgeBaseAccess } from '@/app/api/knowledge/utils'
@@ -19,19 +19,11 @@ export async function GET(req: NextRequest, { params }: { params: Promise<{ id:
  try {
    logger.info(`[${requestId}] Getting tag definitions for knowledge base ${knowledgeBaseId}`)
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!auth.success) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    // Only allow session and internal JWT auth (not API key)
    if (auth.authType === 'api_key') {
      return NextResponse.json(
        { error: 'API key auth not supported for this endpoint' },
        { status: 401 }
      )
    }
    // For session auth, verify KB access. Internal JWT is trusted.
    if (auth.authType === 'session' && auth.userId) {
      const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId)
@@ -64,19 +56,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
  try {
    logger.info(`[${requestId}] Creating tag definition for knowledge base ${knowledgeBaseId}`)
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!auth.success) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    // Only allow session and internal JWT auth (not API key)
    if (auth.authType === 'api_key') {
      return NextResponse.json(
        { error: 'API key auth not supported for this endpoint' },
        { status: 401 }
      )
    }
    // For session auth, verify KB access. Internal JWT is trusted.
    if (auth.authType === 'session' && auth.userId) {
      const accessCheck = await checkKnowledgeBaseAccess(knowledgeBaseId, auth.userId)
--- a/apps/sim/app/api/logs/execution/[executionId]/route.ts
+++ b/apps/sim/app/api/logs/execution/[executionId]/route.ts
@@ -8,7 +8,7 @@ import {
 import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import type { TraceSpan, WorkflowExecutionLog } from '@/lib/logs/types'
@@ -23,7 +23,7 @@ export async function GET(
  try {
    const { executionId } = await params
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized execution data access attempt for: ${executionId}`)
      return NextResponse.json(
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpAuthorizationServerMetadataResponse(request)
 }
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
@@ -0,0 +1,6 @@
 import type { NextRequest, NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'
 export async function GET(request: NextRequest): Promise<NextResponse> {
  return createMcpProtectedResourceMetadataResponse(request)
 }
--- a/apps/sim/app/api/mcp/copilot/route.ts
+++ b/apps/sim/app/api/mcp/copilot/route.ts
@@ -0,0 +1,793 @@
 import { randomUUID } from 'node:crypto'
 import { Server } from '@modelcontextprotocol/sdk/server/index.js'
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js'
 import {
  CallToolRequestSchema,
  type CallToolResult,
  ErrorCode,
  type JSONRPCError,
  ListToolsRequestSchema,
  type ListToolsResult,
  McpError,
  type RequestId,
 } from '@modelcontextprotocol/sdk/types.js'
 import { db } from '@sim/db'
 import { userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { getCopilotModel } from '@/lib/copilot/config'
 import {
  ORCHESTRATION_TIMEOUT_MS,
  SIM_AGENT_API_URL,
  SIM_AGENT_VERSION,
 } from '@/lib/copilot/constants'
 import { orchestrateCopilotStream } from '@/lib/copilot/orchestrator'
 import { orchestrateSubagentStream } from '@/lib/copilot/orchestrator/subagent'
 import {
  executeToolServerSide,
  prepareExecutionContext,
 } from '@/lib/copilot/orchestrator/tool-executor'
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
 import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 const logger = createLogger('CopilotMcpAPI')
 const mcpRateLimiter = new RateLimiter()
 export const dynamic = 'force-dynamic'
 export const runtime = 'nodejs'
 export const maxDuration = 300
 interface CopilotKeyAuthResult {
  success: boolean
  userId?: string
  error?: string
 }
 /**
 * Validates a copilot API key by forwarding it to the Go copilot service's
 * `/api/validate-key` endpoint. Returns the associated userId on success.
 */
 async function authenticateCopilotApiKey(apiKey: string): Promise<CopilotKeyAuthResult> {
  try {
    const internalSecret = env.INTERNAL_API_SECRET
    if (!internalSecret) {
      logger.error('INTERNAL_API_SECRET not configured')
      return { success: false, error: 'Server configuration error' }
    }
    const res = await fetch(`${SIM_AGENT_API_URL}/api/validate-key`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'x-api-key': internalSecret,
      },
      body: JSON.stringify({ targetApiKey: apiKey }),
      signal: AbortSignal.timeout(10_000),
    })
    if (!res.ok) {
      const body = await res.json().catch(() => null)
      const upstream = (body as Record<string, unknown>)?.message
      const status = res.status
      if (status === 401 || status === 403) {
        return {
          success: false,
          error: `Invalid Copilot API key. Generate a new key in Settings → Copilot and set it in the x-api-key header.`,
        }
      }
      if (status === 402) {
        return {
          success: false,
          error: `Usage limit exceeded for this Copilot API key. Upgrade your plan or wait for your quota to reset.`,
        }
      }
      return { success: false, error: String(upstream ?? 'Copilot API key validation failed') }
    }
    const data = (await res.json()) as { ok?: boolean; userId?: string }
    if (!data.ok || !data.userId) {
      return {
        success: false,
        error: 'Invalid Copilot API key. Generate a new key in Settings → Copilot.',
      }
    }
    return { success: true, userId: data.userId }
  } catch (error) {
    logger.error('Copilot API key validation failed', { error })
    return {
      success: false,
      error:
        'Could not validate Copilot API key — the authentication service is temporarily unreachable. This is NOT a problem with the API key itself; please retry shortly.',
    }
  }
 }
 /**
 * MCP Server instructions that guide LLMs on how to use the Sim copilot tools.
 * This is included in the initialize response to help external LLMs understand
 * the workflow lifecycle and best practices.
 */
 const MCP_SERVER_INSTRUCTIONS = `
 ## Sim Workflow Copilot
 Sim is a workflow automation platform. Workflows are visual pipelines of connected blocks (Agent, Function, Condition, API, integrations, etc.). The Agent block is the core — an LLM with tools, memory, structured output, and knowledge bases.
 ### Workflow Lifecycle (Happy Path)
 1. \`list_workspaces\` → know where to work
 2. \`create_workflow(name, workspaceId)\` → get a workflowId
 3. \`sim_build(request, workflowId)\` → plan and build in one pass
 4. \`sim_test(request, workflowId)\` → verify it works
 5. \`sim_deploy("deploy as api", workflowId)\` → make it accessible externally (optional)
 For fine-grained control, use \`sim_plan\` → \`sim_edit\` instead of \`sim_build\`. Pass the plan object from sim_plan EXACTLY as-is to sim_edit's context.plan field.
 ### Working with Existing Workflows
 When the user refers to a workflow by name or description ("the email one", "my Slack bot"):
 1. Use \`sim_discovery\` to find it by functionality
 2. Or use \`list_workflows\` and match by name
 3. Then pass the workflowId to other tools
 ### Organization
 - \`rename_workflow\` — rename a workflow
 - \`move_workflow\` — move a workflow into a folder (or root with null)
 - \`move_folder\` — nest a folder inside another (or root with null)
 - \`create_folder(name, parentId)\` — create nested folder hierarchies
 ### Key Rules
 - You can test workflows immediately after building — deployment is only needed for external access (API, chat, MCP).
 - All copilot tools (build, plan, edit, deploy, test, debug) require workflowId.
 - If the user reports errors → use \`sim_debug\` first, don't guess.
 - Variable syntax: \`<blockname.field>\` for block outputs, \`{{ENV_VAR}}\` for env vars.
 `
 type HeaderMap = Record<string, string | string[] | undefined>
 function createError(id: RequestId, code: ErrorCode | number, message: string): JSONRPCError {
  return {
    jsonrpc: '2.0',
    id,
    error: { code, message },
  }
 }
 function normalizeRequestHeaders(request: NextRequest): HeaderMap {
  const headers: HeaderMap = {}
  request.headers.forEach((value, key) => {
    headers[key.toLowerCase()] = value
  })
  return headers
 }
 function readHeader(headers: HeaderMap | undefined, name: string): string | undefined {
  if (!headers) return undefined
  const value = headers[name.toLowerCase()]
  if (Array.isArray(value)) {
    return value[0]
  }
  return value
 }
 class NextResponseCapture {
  private _status = 200
  private _headers = new Headers()
  private _controller: ReadableStreamDefaultController<Uint8Array> | null = null
  private _pendingChunks: Uint8Array[] = []
  private _closeHandlers: Array<() => void> = []
  private _errorHandlers: Array<(error: Error) => void> = []
  private _headersWritten = false
  private _ended = false
  private _headersPromise: Promise<void>
  private _resolveHeaders: (() => void) | null = null
  private _endedPromise: Promise<void>
  private _resolveEnded: (() => void) | null = null
  readonly readable: ReadableStream<Uint8Array>
  constructor() {
    this._headersPromise = new Promise<void>((resolve) => {
      this._resolveHeaders = resolve
    })
    this._endedPromise = new Promise<void>((resolve) => {
      this._resolveEnded = resolve
    })
    this.readable = new ReadableStream<Uint8Array>({
      start: (controller) => {
        this._controller = controller
        if (this._pendingChunks.length > 0) {
          for (const chunk of this._pendingChunks) {
            controller.enqueue(chunk)
          }
          this._pendingChunks = []
        }
      },
      cancel: () => {
        this._ended = true
        this._resolveEnded?.()
        this.triggerCloseHandlers()
      },
    })
  }
  private markHeadersWritten(): void {
    if (this._headersWritten) return
    this._headersWritten = true
    this._resolveHeaders?.()
  }
  private triggerCloseHandlers(): void {
    for (const handler of this._closeHandlers) {
      try {
        handler()
      } catch (error) {
        this.triggerErrorHandlers(error instanceof Error ? error : new Error(String(error)))
      }
    }
  }
  private triggerErrorHandlers(error: Error): void {
    for (const errorHandler of this._errorHandlers) {
      errorHandler(error)
    }
  }
  private normalizeChunk(chunk: unknown): Uint8Array | null {
    if (typeof chunk === 'string') {
      return new TextEncoder().encode(chunk)
    }
    if (chunk instanceof Uint8Array) {
      return chunk
    }
    if (chunk === undefined || chunk === null) {
      return null
    }
    return new TextEncoder().encode(String(chunk))
  }
  writeHead(status: number, headers?: Record<string, string | number | string[]>): this {
    this._status = status
    if (headers) {
      Object.entries(headers).forEach(([key, value]) => {
        if (Array.isArray(value)) {
          this._headers.set(key, value.join(', '))
        } else {
          this._headers.set(key, String(value))
        }
      })
    }
    this.markHeadersWritten()
    return this
  }
  flushHeaders(): this {
    this.markHeadersWritten()
    return this
  }
  write(chunk: unknown): boolean {
    const normalized = this.normalizeChunk(chunk)
    if (!normalized) return true
    this.markHeadersWritten()
    if (this._controller) {
      try {
        this._controller.enqueue(normalized)
      } catch (error) {
        this.triggerErrorHandlers(error instanceof Error ? error : new Error(String(error)))
      }
    } else {
      this._pendingChunks.push(normalized)
    }
    return true
  }
  end(chunk?: unknown): this {
    if (chunk !== undefined) this.write(chunk)
    this.markHeadersWritten()
    if (this._ended) return this
    this._ended = true
    this._resolveEnded?.()
    if (this._controller) {
      try {
        this._controller.close()
      } catch (error) {
        this.triggerErrorHandlers(error instanceof Error ? error : new Error(String(error)))
      }
    }
    this.triggerCloseHandlers()
    return this
  }
  async waitForHeaders(timeoutMs = 30000): Promise<void> {
    if (this._headersWritten) return
    await Promise.race([
      this._headersPromise,
      new Promise<void>((resolve) => {
        setTimeout(resolve, timeoutMs)
      }),
    ])
  }
  async waitForEnd(timeoutMs = 30000): Promise<void> {
    if (this._ended) return
    await Promise.race([
      this._endedPromise,
      new Promise<void>((resolve) => {
        setTimeout(resolve, timeoutMs)
      }),
    ])
  }
  on(event: 'close' | 'error', handler: (() => void) | ((error: Error) => void)): this {
    if (event === 'close') {
      this._closeHandlers.push(handler as () => void)
    }
    if (event === 'error') {
      this._errorHandlers.push(handler as (error: Error) => void)
    }
    return this
  }
  toNextResponse(): NextResponse {
    return new NextResponse(this.readable, {
      status: this._status,
      headers: this._headers,
    })
  }
 }
 function buildMcpServer(abortSignal?: AbortSignal): Server {
  const server = new Server(
    {
      name: 'sim-copilot',
      version: '1.0.0',
    },
    {
      capabilities: { tools: {} },
      instructions: MCP_SERVER_INSTRUCTIONS,
    }
  )
  server.setRequestHandler(ListToolsRequestSchema, async () => {
    const directTools = DIRECT_TOOL_DEFS.map((tool) => ({
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
    }))
    const subagentTools = SUBAGENT_TOOL_DEFS.map((tool) => ({
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
    }))
    const result: ListToolsResult = {
      tools: [...directTools, ...subagentTools],
    }
    return result
  })
  server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
    const headers = (extra.requestInfo?.headers || {}) as HeaderMap
    const apiKeyHeader = readHeader(headers, 'x-api-key')
    if (!apiKeyHeader) {
      return {
        content: [
          {
            type: 'text' as const,
            text: 'AUTHENTICATION ERROR: No Copilot API key provided. The user must set their Copilot API key in the x-api-key header. They can generate one in the Sim app under Settings → Copilot. Do NOT retry — this will fail until the key is configured.',
          },
        ],
        isError: true,
      }
    }
    const authResult = await authenticateCopilotApiKey(apiKeyHeader)
    if (!authResult.success || !authResult.userId) {
      logger.warn('MCP copilot key auth failed', { method: request.method })
      return {
        content: [
          {
            type: 'text' as const,
            text: `AUTHENTICATION ERROR: ${authResult.error} Do NOT retry — this will fail until the user fixes their Copilot API key.`,
          },
        ],
        isError: true,
      }
    }
    const rateLimitResult = await mcpRateLimiter.checkRateLimitWithSubscription(
      authResult.userId,
      await getHighestPrioritySubscription(authResult.userId),
      'api-endpoint',
      false
    )
    if (!rateLimitResult.allowed) {
      return {
        content: [
          {
            type: 'text' as const,
            text: `RATE LIMIT: Too many requests. Please wait and retry after ${rateLimitResult.resetAt.toISOString()}.`,
          },
        ],
        isError: true,
      }
    }
    const params = request.params as
      | { name?: string; arguments?: Record<string, unknown> }
      | undefined
    if (!params?.name) {
      throw new McpError(ErrorCode.InvalidParams, 'Tool name required')
    }
    const result = await handleToolsCall(
      {
        name: params.name,
        arguments: params.arguments,
      },
      authResult.userId,
      abortSignal
    )
    trackMcpCopilotCall(authResult.userId)
    return result
  })
  return server
 }
 async function handleMcpRequestWithSdk(
  request: NextRequest,
  parsedBody: unknown
 ): Promise<NextResponse> {
  const server = buildMcpServer(request.signal)
  const transport = new StreamableHTTPServerTransport({
    sessionIdGenerator: undefined,
    enableJsonResponse: true,
  })
  const responseCapture = new NextResponseCapture()
  const requestAdapter = {
    method: request.method,
    headers: normalizeRequestHeaders(request),
  }
  await server.connect(transport)
  try {
    await transport.handleRequest(requestAdapter as any, responseCapture as any, parsedBody)
    await responseCapture.waitForHeaders()
    // Must exceed the longest possible tool execution (build = 5 min).
    // Using ORCHESTRATION_TIMEOUT_MS + 60 s buffer so the orchestrator can
    // finish or time-out on its own before the transport is torn down.
    await responseCapture.waitForEnd(ORCHESTRATION_TIMEOUT_MS + 60_000)
    return responseCapture.toNextResponse()
  } finally {
    await server.close().catch(() => {})
    await transport.close().catch(() => {})
  }
 }
 export async function GET() {
  // Return 405 to signal that server-initiated SSE notifications are not
  // supported.  Without this, clients like mcp-remote will repeatedly
  // reconnect trying to open an SSE stream, flooding the logs with GETs.
  return new NextResponse(null, { status: 405 })
 }
 export async function POST(request: NextRequest) {
  try {
    let parsedBody: unknown
    try {
      parsedBody = await request.json()
    } catch {
      return NextResponse.json(createError(0, ErrorCode.ParseError, 'Invalid JSON body'), {
        status: 400,
      })
    }
    return await handleMcpRequestWithSdk(request, parsedBody)
  } catch (error) {
    logger.error('Error handling MCP request', { error })
    return NextResponse.json(createError(0, ErrorCode.InternalError, 'Internal error'), {
      status: 500,
    })
  }
 }
 export async function DELETE(request: NextRequest) {
  void request
  return NextResponse.json(createError(0, -32000, 'Method not allowed.'), { status: 405 })
 }
 /**
 * Increment MCP copilot call counter in userStats (fire-and-forget).
 */
 function trackMcpCopilotCall(userId: string): void {
  db.update(userStats)
    .set({
      totalMcpCopilotCalls: sql`total_mcp_copilot_calls + 1`,
      lastActive: new Date(),
    })
    .where(eq(userStats.userId, userId))
    .then(() => {})
    .catch((error) => {
      logger.error('Failed to track MCP copilot call', { error, userId })
    })
 }
 async function handleToolsCall(
  params: { name: string; arguments?: Record<string, unknown> },
  userId: string,
  abortSignal?: AbortSignal
 ): Promise<CallToolResult> {
  const args = params.arguments || {}
  const directTool = DIRECT_TOOL_DEFS.find((tool) => tool.name === params.name)
  if (directTool) {
    return handleDirectToolCall(directTool, args, userId)
  }
  const subagentTool = SUBAGENT_TOOL_DEFS.find((tool) => tool.name === params.name)
  if (subagentTool) {
    return handleSubagentToolCall(subagentTool, args, userId, abortSignal)
  }
  throw new McpError(ErrorCode.MethodNotFound, `Tool not found: ${params.name}`)
 }
 async function handleDirectToolCall(
  toolDef: (typeof DIRECT_TOOL_DEFS)[number],
  args: Record<string, unknown>,
  userId: string
 ): Promise<CallToolResult> {
  try {
    const execContext = await prepareExecutionContext(userId, (args.workflowId as string) || '')
    const toolCall = {
      id: randomUUID(),
      name: toolDef.toolId,
      status: 'pending' as const,
      params: args as Record<string, any>,
      startTime: Date.now(),
    }
    const result = await executeToolServerSide(toolCall, execContext)
    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify(result.output ?? result, null, 2),
        },
      ],
      isError: !result.success,
    }
  } catch (error) {
    logger.error('Direct tool execution failed', { tool: toolDef.name, error })
    return {
      content: [
        {
          type: 'text',
          text: `Tool execution failed: ${error instanceof Error ? error.message : String(error)}`,
        },
      ],
      isError: true,
    }
  }
 }
 /**
 * Build mode uses the main chat orchestrator with the 'fast' command instead of
 * the subagent endpoint. In Go, 'build' is not a registered subagent — it's a mode
 * (ModeFast) on the main chat processor that bypasses subagent orchestration and
 * executes all tools directly.
 */
 async function handleBuildToolCall(
  args: Record<string, unknown>,
  userId: string,
  abortSignal?: AbortSignal
 ): Promise<CallToolResult> {
  try {
    const requestText = (args.request as string) || JSON.stringify(args)
    const { model } = getCopilotModel('chat')
    const workflowId = args.workflowId as string | undefined
    const resolved = workflowId ? { workflowId } : await resolveWorkflowIdForUser(userId)
    if (!resolved?.workflowId) {
      return {
        content: [
          {
            type: 'text',
            text: JSON.stringify(
              {
                success: false,
                error: 'workflowId is required for build. Call create_workflow first.',
              },
              null,
              2
            ),
          },
        ],
        isError: true,
      }
    }
    const chatId = randomUUID()
    const requestPayload = {
      message: requestText,
      workflowId: resolved.workflowId,
      userId,
      model,
      mode: 'agent',
      commands: ['fast'],
      messageId: randomUUID(),
      version: SIM_AGENT_VERSION,
      headless: true,
      chatId,
      source: 'mcp',
    }
    const result = await orchestrateCopilotStream(requestPayload, {
      userId,
      workflowId: resolved.workflowId,
      chatId,
      autoExecuteTools: true,
      timeout: 300000,
      interactive: false,
      abortSignal,
    })
    const responseData = {
      success: result.success,
      content: result.content,
      toolCalls: result.toolCalls,
      error: result.error,
    }
    return {
      content: [{ type: 'text', text: JSON.stringify(responseData, null, 2) }],
      isError: !result.success,
    }
  } catch (error) {
    logger.error('Build tool call failed', { error })
    return {
      content: [
        {
          type: 'text',
          text: `Build failed: ${error instanceof Error ? error.message : String(error)}`,
        },
      ],
      isError: true,
    }
  }
 }
 async function handleSubagentToolCall(
  toolDef: (typeof SUBAGENT_TOOL_DEFS)[number],
  args: Record<string, unknown>,
  userId: string,
  abortSignal?: AbortSignal
 ): Promise<CallToolResult> {
  if (toolDef.agentId === 'build') {
    return handleBuildToolCall(args, userId, abortSignal)
  }
  try {
    const requestText =
      (args.request as string) ||
      (args.message as string) ||
      (args.error as string) ||
      JSON.stringify(args)
    const context = (args.context as Record<string, unknown>) || {}
    if (args.plan && !context.plan) {
      context.plan = args.plan
    }
    const { model } = getCopilotModel('chat')
    const result = await orchestrateSubagentStream(
      toolDef.agentId,
      {
        message: requestText,
        workflowId: args.workflowId,
        workspaceId: args.workspaceId,
        context,
        model,
        headless: true,
        source: 'mcp',
      },
      {
        userId,
        workflowId: args.workflowId as string | undefined,
        workspaceId: args.workspaceId as string | undefined,
        abortSignal,
      }
    )
    let responseData: unknown
    if (result.structuredResult) {
      responseData = {
        success: result.structuredResult.success ?? result.success,
        type: result.structuredResult.type,
        summary: result.structuredResult.summary,
        data: result.structuredResult.data,
      }
    } else if (result.error) {
      responseData = {
        success: false,
        error: result.error,
        errors: result.errors,
      }
    } else {
      responseData = {
        success: result.success,
        content: result.content,
      }
    }
    return {
      content: [
        {
          type: 'text',
          text: JSON.stringify(responseData, null, 2),
        },
      ],
      isError: !result.success,
    }
  } catch (error) {
    logger.error('Subagent tool call failed', {
      tool: toolDef.name,
      agentId: toolDef.agentId,
      error,
    })
    return {
      content: [
        {
          type: 'text',
          text: `Subagent call failed: ${error instanceof Error ? error.message : String(error)}`,
        },
      ],
      isError: true,
    }
  }
 }
--- a/apps/sim/app/api/mcp/events/route.test.ts
+++ b/apps/sim/app/api/mcp/events/route.test.ts
@@ -0,0 +1,98 @@
 /**
 * Tests for MCP SSE events endpoint
 *
 * @vitest-environment node
 */
 import { createMockRequest, mockAuth, mockConsoleLogger } from '@sim/testing'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 mockConsoleLogger()
 const auth = mockAuth()
 const mockGetUserEntityPermissions = vi.fn()
 vi.doMock('@/lib/workspaces/permissions/utils', () => ({
  getUserEntityPermissions: mockGetUserEntityPermissions,
 }))
 vi.doMock('@/lib/mcp/connection-manager', () => ({
  mcpConnectionManager: null,
 }))
 vi.doMock('@/lib/mcp/pubsub', () => ({
  mcpPubSub: null,
 }))
 const { GET } = await import('./route')
 describe('MCP Events SSE Endpoint', () => {
  beforeEach(() => {
    vi.clearAllMocks()
  })
  it('returns 401 when session is missing', async () => {
    auth.setUnauthenticated()
    const request = createMockRequest(
      'GET',
      undefined,
      {},
      'http://localhost:3000/api/mcp/events?workspaceId=ws-123'
    )
    const response = await GET(request as any)
    expect(response.status).toBe(401)
    const text = await response.text()
    expect(text).toBe('Unauthorized')
  })
  it('returns 400 when workspaceId is missing', async () => {
    auth.setAuthenticated()
    const request = createMockRequest('GET', undefined, {}, 'http://localhost:3000/api/mcp/events')
    const response = await GET(request as any)
    expect(response.status).toBe(400)
    const text = await response.text()
    expect(text).toBe('Missing workspaceId query parameter')
  })
  it('returns 403 when user lacks workspace access', async () => {
    auth.setAuthenticated()
    mockGetUserEntityPermissions.mockResolvedValue(null)
    const request = createMockRequest(
      'GET',
      undefined,
      {},
      'http://localhost:3000/api/mcp/events?workspaceId=ws-123'
    )
    const response = await GET(request as any)
    expect(response.status).toBe(403)
    const text = await response.text()
    expect(text).toBe('Access denied to workspace')
    expect(mockGetUserEntityPermissions).toHaveBeenCalledWith('user-123', 'workspace', 'ws-123')
  })
  it('returns SSE stream when authorized', async () => {
    auth.setAuthenticated()
    mockGetUserEntityPermissions.mockResolvedValue({ read: true })
    const request = createMockRequest(
      'GET',
      undefined,
      {},
      'http://localhost:3000/api/mcp/events?workspaceId=ws-123'
    )
    const response = await GET(request as any)
    expect(response.status).toBe(200)
    expect(response.headers.get('Content-Type')).toBe('text/event-stream')
    expect(response.headers.get('Cache-Control')).toBe('no-cache')
    expect(response.headers.get('Connection')).toBe('keep-alive')
  })
 })
--- a/apps/sim/app/api/mcp/events/route.ts
+++ b/apps/sim/app/api/mcp/events/route.ts
@@ -0,0 +1,111 @@
 /**
 * SSE endpoint for MCP tool-change events.
 *
 * Pushes `tools_changed` events to the browser when:
 *  - An external MCP server sends `notifications/tools/list_changed` (via connection manager)
 *  - A workflow CRUD route modifies workflow MCP server tools (via pub/sub)
 *
 * Auth is handled via session cookies (EventSource sends cookies automatically).
 */
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { mcpConnectionManager } from '@/lib/mcp/connection-manager'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('McpEventsSSE')
 export const dynamic = 'force-dynamic'
 const HEARTBEAT_INTERVAL_MS = 30_000
 export async function GET(request: NextRequest) {
  const session = await getSession()
  if (!session?.user?.id) {
    return new Response('Unauthorized', { status: 401 })
  }
  const { searchParams } = new URL(request.url)
  const workspaceId = searchParams.get('workspaceId')
  if (!workspaceId) {
    return new Response('Missing workspaceId query parameter', { status: 400 })
  }
  const permissions = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
  if (!permissions) {
    return new Response('Access denied to workspace', { status: 403 })
  }
  const encoder = new TextEncoder()
  const unsubscribers: Array<() => void> = []
  const stream = new ReadableStream({
    start(controller) {
      const send = (eventName: string, data: Record<string, unknown>) => {
        try {
          controller.enqueue(
            encoder.encode(`event: ${eventName}\ndata: ${JSON.stringify(data)}\n\n`)
          )
        } catch {
          // Stream already closed
        }
      }
      // Subscribe to external MCP server tool changes
      if (mcpConnectionManager) {
        const unsub = mcpConnectionManager.subscribe((event) => {
          if (event.workspaceId !== workspaceId) return
          send('tools_changed', {
            source: 'external',
            serverId: event.serverId,
            timestamp: event.timestamp,
          })
        })
        unsubscribers.push(unsub)
      }
      // Subscribe to workflow CRUD tool changes
      if (mcpPubSub) {
        const unsub = mcpPubSub.onWorkflowToolsChanged((event) => {
          if (event.workspaceId !== workspaceId) return
          send('tools_changed', {
            source: 'workflow',
            serverId: event.serverId,
            timestamp: Date.now(),
          })
        })
        unsubscribers.push(unsub)
      }
      // Heartbeat to keep the connection alive
      const heartbeat = setInterval(() => {
        try {
          controller.enqueue(encoder.encode(': heartbeat\n\n'))
        } catch {
          clearInterval(heartbeat)
        }
      }, HEARTBEAT_INTERVAL_MS)
      unsubscribers.push(() => clearInterval(heartbeat))
      // Cleanup when client disconnects
      request.signal.addEventListener('abort', () => {
        for (const unsub of unsubscribers) {
          unsub()
        }
        try {
          controller.close()
        } catch {
          // Already closed
        }
        logger.info(`SSE connection closed for workspace ${workspaceId}`)
      })
      logger.info(`SSE connection opened for workspace ${workspaceId}`)
    },
  })
  return new Response(stream, { headers: SSE_HEADERS })
 }
--- a/apps/sim/app/api/mcp/workflow-servers/[id]/route.ts
+++ b/apps/sim/app/api/mcp/workflow-servers/[id]/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 const logger = createLogger('WorkflowMcpServerAPI')
@@ -146,6 +147,8 @@ export const DELETE = withMcpAuth<RouteParams>('admin')(
      logger.info(`[${requestId}] Successfully deleted workflow MCP server: ${serverId}`)
      mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
      return createMcpSuccessResponse({ message: `Server ${serverId} deleted successfully` })
    } catch (error) {
      logger.error(`[${requestId}] Error deleting workflow MCP server:`, error)
--- a/apps/sim/app/api/mcp/workflow-servers/[id]/tools/[toolId]/route.ts
+++ b/apps/sim/app/api/mcp/workflow-servers/[id]/tools/[toolId]/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
@@ -115,6 +116,8 @@ export const PATCH = withMcpAuth<RouteParams>('write')(
      logger.info(`[${requestId}] Successfully updated tool ${toolId}`)
      mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
      return createMcpSuccessResponse({ tool: updatedTool })
    } catch (error) {
      logger.error(`[${requestId}] Error updating tool:`, error)
@@ -160,6 +163,8 @@ export const DELETE = withMcpAuth<RouteParams>('write')(
      logger.info(`[${requestId}] Successfully deleted tool ${toolId}`)
      mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
      return createMcpSuccessResponse({ message: `Tool ${toolId} deleted successfully` })
    } catch (error) {
      logger.error(`[${requestId}] Error deleting tool:`, error)
--- a/apps/sim/app/api/mcp/workflow-servers/[id]/tools/route.ts
+++ b/apps/sim/app/api/mcp/workflow-servers/[id]/tools/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
 import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
@@ -188,6 +189,8 @@ export const POST = withMcpAuth<RouteParams>('write')(
        `[${requestId}] Successfully added tool ${toolName} (workflow: ${body.workflowId}) to server ${serverId}`
      )
      mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
      return createMcpSuccessResponse({ tool }, 201)
    } catch (error) {
      logger.error(`[${requestId}] Error adding tool:`, error)
--- a/apps/sim/app/api/mcp/workflow-servers/route.ts
+++ b/apps/sim/app/api/mcp/workflow-servers/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq, inArray, sql } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
 import { sanitizeToolName } from '@/lib/mcp/workflow-tool-schema'
 import { hasValidStartBlock } from '@/lib/workflows/triggers/trigger-utils.server'
@@ -174,6 +175,10 @@ export const POST = withMcpAuth('write')(
          `[${requestId}] Added ${addedTools.length} tools to server ${serverId}:`,
          addedTools.map((t) => t.toolName)
        )
        if (addedTools.length > 0) {
          mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
        }
      }
      logger.info(
--- a/apps/sim/app/api/memory/[id]/route.ts
+++ b/apps/sim/app/api/memory/[id]/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -36,7 +36,7 @@ async function validateMemoryAccess(
  requestId: string,
  action: 'read' | 'write'
 ): Promise<{ userId: string } | { error: NextResponse }> {
-  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
  if (!authResult.success || !authResult.userId) {
    logger.warn(`[${requestId}] Unauthorized memory ${action} attempt`)
    return {
--- a/apps/sim/app/api/memory/route.ts
+++ b/apps/sim/app/api/memory/route.ts
@@ -3,7 +3,7 @@ import { memory } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull, like } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
@@ -16,7 +16,7 @@ export async function GET(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized memory access attempt`)
      return NextResponse.json(
@@ -89,7 +89,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized memory creation attempt`)
      return NextResponse.json(
@@ -228,7 +228,7 @@ export async function DELETE(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request)
+    const authResult = await checkInternalAuth(request)
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized memory deletion attempt`)
      return NextResponse.json(
--- a/apps/sim/app/api/permission-groups/[id]/route.ts
+++ b/apps/sim/app/api/permission-groups/[id]/route.ts
@@ -24,6 +24,7 @@ const configSchema = z.object({
  hideFilesTab: z.boolean().optional(),
  disableMcpTools: z.boolean().optional(),
  disableCustomTools: z.boolean().optional(),
  disableSkills: z.boolean().optional(),
  hideTemplates: z.boolean().optional(),
  disableInvitations: z.boolean().optional(),
  hideDeployApi: z.boolean().optional(),
--- a/apps/sim/app/api/permission-groups/route.ts
+++ b/apps/sim/app/api/permission-groups/route.ts
@@ -25,6 +25,7 @@ const configSchema = z.object({
  hideFilesTab: z.boolean().optional(),
  disableMcpTools: z.boolean().optional(),
  disableCustomTools: z.boolean().optional(),
  disableSkills: z.boolean().optional(),
  hideTemplates: z.boolean().optional(),
  disableInvitations: z.boolean().optional(),
  hideDeployApi: z.boolean().optional(),
--- a/apps/sim/app/api/skills/route.ts
+++ b/apps/sim/app/api/skills/route.ts
@@ -0,0 +1,182 @@
 import { db } from '@sim/db'
 import { skill } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertSkills } from '@/lib/workflows/skills/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 const logger = createLogger('SkillsAPI')
 const SkillSchema = z.object({
  skills: z.array(
    z.object({
      id: z.string().optional(),
      name: z
        .string()
        .min(1, 'Skill name is required')
        .max(64)
        .regex(/^[a-z0-9]+(-[a-z0-9]+)*$/, 'Name must be kebab-case (e.g. my-skill)'),
      description: z.string().min(1, 'Description is required').max(1024),
      content: z.string().min(1, 'Content is required').max(50000, 'Content is too large'),
    })
  ),
  workspaceId: z.string().optional(),
 })
 /** GET - Fetch all skills for a workspace */
 export async function GET(request: NextRequest) {
  const requestId = generateRequestId()
  const searchParams = request.nextUrl.searchParams
  const workspaceId = searchParams.get('workspaceId')
  try {
    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized skills access attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = authResult.userId
    if (!workspaceId) {
      logger.warn(`[${requestId}] Missing workspaceId`)
      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
    }
    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
    if (!userPermission) {
      logger.warn(`[${requestId}] User ${userId} does not have access to workspace ${workspaceId}`)
      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
    }
    const result = await db
      .select()
      .from(skill)
      .where(eq(skill.workspaceId, workspaceId))
      .orderBy(desc(skill.createdAt))
    return NextResponse.json({ data: result }, { status: 200 })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching skills:`, error)
    return NextResponse.json({ error: 'Failed to fetch skills' }, { status: 500 })
  }
 }
 /** POST - Create or update skills */
 export async function POST(req: NextRequest) {
  const requestId = generateRequestId()
  try {
    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized skills update attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = authResult.userId
    const body = await req.json()
    try {
      const { skills, workspaceId } = SkillSchema.parse(body)
      if (!workspaceId) {
        logger.warn(`[${requestId}] Missing workspaceId in request body`)
        return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
      }
      const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
      if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
        logger.warn(
          `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
        )
        return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
      }
      const resultSkills = await upsertSkills({
        skills,
        workspaceId,
        userId,
        requestId,
      })
      return NextResponse.json({ success: true, data: resultSkills })
    } catch (validationError) {
      if (validationError instanceof z.ZodError) {
        logger.warn(`[${requestId}] Invalid skills data`, {
          errors: validationError.errors,
        })
        return NextResponse.json(
          { error: 'Invalid request data', details: validationError.errors },
          { status: 400 }
        )
      }
      if (validationError instanceof Error && validationError.message.includes('already exists')) {
        return NextResponse.json({ error: validationError.message }, { status: 409 })
      }
      throw validationError
    }
  } catch (error) {
    logger.error(`[${requestId}] Error updating skills`, error)
    return NextResponse.json({ error: 'Failed to update skills' }, { status: 500 })
  }
 }
 /** DELETE - Delete a skill by ID */
 export async function DELETE(request: NextRequest) {
  const requestId = generateRequestId()
  const searchParams = request.nextUrl.searchParams
  const skillId = searchParams.get('id')
  const workspaceId = searchParams.get('workspaceId')
  try {
    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized skill deletion attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
    const userId = authResult.userId
    if (!skillId) {
      logger.warn(`[${requestId}] Missing skill ID for deletion`)
      return NextResponse.json({ error: 'Skill ID is required' }, { status: 400 })
    }
    if (!workspaceId) {
      logger.warn(`[${requestId}] Missing workspaceId for deletion`)
      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
    }
    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
    if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
      logger.warn(
        `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
      )
      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
    }
    const existingSkill = await db.select().from(skill).where(eq(skill.id, skillId)).limit(1)
    if (existingSkill.length === 0) {
      logger.warn(`[${requestId}] Skill not found: ${skillId}`)
      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
    }
    if (existingSkill[0].workspaceId !== workspaceId) {
      logger.warn(`[${requestId}] Skill ${skillId} does not belong to workspace ${workspaceId}`)
      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
    }
    await db.delete(skill).where(and(eq(skill.id, skillId), eq(skill.workspaceId, workspaceId)))
    logger.info(`[${requestId}] Deleted skill: ${skillId}`)
    return NextResponse.json({ success: true })
  } catch (error) {
    logger.error(`[${requestId}] Error deleting skill:`, error)
    return NextResponse.json({ error: 'Failed to delete skill' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/a2a/cancel-task/route.ts
+++ b/apps/sim/app/api/tools/a2a/cancel-task/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 const logger = createLogger('A2ACancelTaskAPI')
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A cancel task attempt`)
--- a/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/delete-push-notification/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -20,7 +20,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(
--- a/apps/sim/app/api/tools/a2a/get-agent-card/route.ts
+++ b/apps/sim/app/api/tools/a2a/get-agent-card/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A get agent card attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/a2a/get-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/get-push-notification/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(
--- a/apps/sim/app/api/tools/a2a/get-task/route.ts
+++ b/apps/sim/app/api/tools/a2a/get-task/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A get task attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/a2a/resubscribe/route.ts
+++ b/apps/sim/app/api/tools/a2a/resubscribe/route.ts
@@ -10,7 +10,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 const logger = createLogger('A2AResubscribeAPI')
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A resubscribe attempt`)
--- a/apps/sim/app/api/tools/a2a/send-message/route.ts
+++ b/apps/sim/app/api/tools/a2a/send-message/route.ts
@@ -3,7 +3,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -32,7 +32,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A send message attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()
  try {
-    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized A2A set push notification attempt`, {
--- a/apps/sim/app/api/tools/jira/add-attachment/route.ts
+++ b/apps/sim/app/api/tools/jira/add-attachment/route.ts
@@ -90,16 +90,24 @@ export async function POST(request: NextRequest) {
      )
    }
-    const attachments = await response.json()
+    const jiraAttachments = await response.json()
-    const attachmentIds = Array.isArray(attachments)
+    const attachmentsList = Array.isArray(jiraAttachments) ? jiraAttachments : []
-      ? attachments.map((attachment) => attachment.id).filter(Boolean)
+
-      : []
+    const attachmentIds = attachmentsList.map((att: any) => att.id).filter(Boolean)
    const attachments = attachmentsList.map((att: any) => ({
      id: att.id ?? '',
      filename: att.filename ?? '',
      mimeType: att.mimeType ?? '',
      size: att.size ?? 0,
      content: att.content ?? '',
    }))
    return NextResponse.json({
      success: true,
      output: {
        ts: new Date().toISOString(),
        issueKey: validatedData.issueKey,
        attachments,
        attachmentIds,
        files: filesOutput,
      },
--- a/apps/sim/app/api/tools/jira/issue/route.ts
+++ b/apps/sim/app/api/tools/jira/issue/route.ts
@@ -1,111 +0,0 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateJiraCloudId, validateJiraIssueKey } from '@/lib/core/security/input-validation'
 import { getJiraCloudId } from '@/tools/jira/utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('JiraIssueAPI')
 export async function POST(request: NextRequest) {
  try {
    const auth = await checkSessionOrInternalAuth(request)
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
    }
    const { domain, accessToken, issueId, cloudId: providedCloudId } = await request.json()
    if (!domain) {
      logger.error('Missing domain in request')
      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
    }
    if (!accessToken) {
      logger.error('Missing access token in request')
      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
    }
    if (!issueId) {
      logger.error('Missing issue ID in request')
      return NextResponse.json({ error: 'Issue ID is required' }, { status: 400 })
    }
    const cloudId = providedCloudId || (await getJiraCloudId(domain, accessToken))
    logger.info('Using cloud ID:', cloudId)
    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
    if (!cloudIdValidation.isValid) {
      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
    }
    const issueIdValidation = validateJiraIssueKey(issueId, 'issueId')
    if (!issueIdValidation.isValid) {
      return NextResponse.json({ error: issueIdValidation.error }, { status: 400 })
    }
    const url = `https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/issue/${issueId}`
    logger.info('Fetching Jira issue from:', url)
    const response = await fetch(url, {
      method: 'GET',
      headers: {
        Authorization: `Bearer ${accessToken}`,
        Accept: 'application/json',
      },
    })
    if (!response.ok) {
      logger.error('Jira API error:', {
        status: response.status,
        statusText: response.statusText,
      })
      let errorMessage
      try {
        const errorData = await response.json()
        logger.error('Error details:', errorData)
        errorMessage = errorData.message || `Failed to fetch issue (${response.status})`
      } catch (_e) {
        errorMessage = `Failed to fetch issue: ${response.status} ${response.statusText}`
      }
      return NextResponse.json({ error: errorMessage }, { status: response.status })
    }
    const data = await response.json()
    logger.info('Successfully fetched issue:', data.key)
    const issueInfo: any = {
      id: data.key,
      name: data.fields.summary,
      mimeType: 'jira/issue',
      url: `https://${domain}/browse/${data.key}`,
      modifiedTime: data.fields.updated,
      webViewLink: `https://${domain}/browse/${data.key}`,
      status: data.fields.status?.name,
      description: data.fields.description,
      priority: data.fields.priority?.name,
      assignee: data.fields.assignee?.displayName,
      reporter: data.fields.reporter?.displayName,
      project: {
        key: data.fields.project?.key,
        name: data.fields.project?.name,
      },
    }
    return NextResponse.json({
      issue: issueInfo,
      cloudId,
    })
  } catch (error) {
    logger.error('Error processing request:', error)
    return NextResponse.json(
      {
        error: 'Failed to retrieve Jira issue',
        details: (error as Error).message,
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/jira/update/route.ts
+++ b/apps/sim/app/api/tools/jira/update/route.ts
@@ -16,9 +16,16 @@ const jiraUpdateSchema = z.object({
  summary: z.string().optional(),
  title: z.string().optional(),
  description: z.string().optional(),
  status: z.string().optional(),
  priority: z.string().optional(),
  assignee: z.string().optional(),
  labels: z.array(z.string()).optional(),
  components: z.array(z.string()).optional(),
  duedate: z.string().optional(),
  fixVersions: z.array(z.string()).optional(),
  environment: z.string().optional(),
  customFieldId: z.string().optional(),
  customFieldValue: z.string().optional(),
  notifyUsers: z.boolean().optional(),
  cloudId: z.string().optional(),
 })
@@ -45,9 +52,16 @@ export async function PUT(request: NextRequest) {
      summary,
      title,
      description,
      status,
      priority,
      assignee,
      labels,
      components,
      duedate,
      fixVersions,
      environment,
      customFieldId,
      customFieldValue,
      notifyUsers,
      cloudId: providedCloudId,
    } = validation.data
@@ -64,7 +78,8 @@ export async function PUT(request: NextRequest) {
      return NextResponse.json({ error: issueKeyValidation.error }, { status: 400 })
    }
-    const url = `https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/issue/${issueKey}`
+    const notifyParam = notifyUsers === false ? '?notifyUsers=false' : ''
    const url = `https://api.atlassian.com/ex/jira/${cloudId}/rest/api/3/issue/${issueKey}${notifyParam}`
    logger.info('Updating Jira issue at:', url)
@@ -93,24 +108,65 @@ export async function PUT(request: NextRequest) {
      }
    }
    if (status !== undefined && status !== null && status !== '') {
      fields.status = {
        name: status,
      }
    }
    if (priority !== undefined && priority !== null && priority !== '') {
-      fields.priority = {
+      const isNumericId = /^\d+$/.test(priority)
-        name: priority,
+      fields.priority = isNumericId ? { id: priority } : { name: priority }
      }
    }
    if (assignee !== undefined && assignee !== null && assignee !== '') {
      fields.assignee = {
-        id: assignee,
+        accountId: assignee,
      }
    }
    if (labels !== undefined && labels !== null && labels.length > 0) {
      fields.labels = labels
    }
    if (components !== undefined && components !== null && components.length > 0) {
      fields.components = components.map((name) => ({ name }))
    }
    if (duedate !== undefined && duedate !== null && duedate !== '') {
      fields.duedate = duedate
    }
    if (fixVersions !== undefined && fixVersions !== null && fixVersions.length > 0) {
      fields.fixVersions = fixVersions.map((name) => ({ name }))
    }
    if (environment !== undefined && environment !== null && environment !== '') {
      fields.environment = {
        type: 'doc',
        version: 1,
        content: [
          {
            type: 'paragraph',
            content: [
              {
                type: 'text',
                text: environment,
              },
            ],
          },
        ],
      }
    }
    if (
      customFieldId !== undefined &&
      customFieldId !== null &&
      customFieldId !== '' &&
      customFieldValue !== undefined &&
      customFieldValue !== null &&
      customFieldValue !== ''
    ) {
      const fieldId = customFieldId.startsWith('customfield_')
        ? customFieldId
        : `customfield_${customFieldId}`
      fields[fieldId] = customFieldValue
    }
    const requestBody = { fields }
    const response = await fetch(url, {
--- a/apps/sim/app/api/tools/jira/write/route.ts
+++ b/apps/sim/app/api/tools/jira/write/route.ts
@@ -32,6 +32,8 @@ export async function POST(request: NextRequest) {
      environment,
      customFieldId,
      customFieldValue,
      components,
      fixVersions,
    } = await request.json()
    if (!domain) {
@@ -73,10 +75,9 @@ export async function POST(request: NextRequest) {
    logger.info('Creating Jira issue at:', url)
    const isNumericProjectId = /^\d+$/.test(projectId)
    const fields: Record<string, any> = {
-      project: {
+      project: isNumericProjectId ? { id: projectId } : { key: projectId },
        id: projectId,
      },
      issuetype: {
        name: normalizedIssueType,
      },
@@ -114,13 +115,31 @@ export async function POST(request: NextRequest) {
      fields.labels = labels
    }
    if (
      components !== undefined &&
      components !== null &&
      Array.isArray(components) &&
      components.length > 0
    ) {
      fields.components = components.map((name: string) => ({ name }))
    }
    if (duedate !== undefined && duedate !== null && duedate !== '') {
      fields.duedate = duedate
    }
    if (
      fixVersions !== undefined &&
      fixVersions !== null &&
      Array.isArray(fixVersions) &&
      fixVersions.length > 0
    ) {
      fields.fixVersions = fixVersions.map((name: string) => ({ name }))
    }
    if (reporter !== undefined && reporter !== null && reporter !== '') {
      fields.reporter = {
-        id: reporter,
+        accountId: reporter,
      }
    }
@@ -220,8 +239,10 @@ export async function POST(request: NextRequest) {
      success: true,
      output: {
        ts: new Date().toISOString(),
        id: responseData.id || '',
        issueKey: issueKey,
-        summary: responseData.fields?.summary || 'Issue created',
+        self: responseData.self || '',
        summary: responseData.fields?.summary || summary || 'Issue created',
        success: true,
        url: `https://${domain}/browse/${issueKey}`,
        ...(assigneeId && { assigneeId }),
--- a/apps/sim/app/api/tools/jsm/approvals/route.ts
+++ b/apps/sim/app/api/tools/jsm/approvals/route.ts
@@ -165,8 +165,26 @@ export async function POST(request: NextRequest) {
          issueIdOrKey,
          approvalId,
          decision,
-          success: true,
+          id: data.id ?? null,
          name: data.name ?? null,
          finalDecision: data.finalDecision ?? null,
          canAnswerApproval: data.canAnswerApproval ?? null,
          approvers: (data.approvers ?? []).map((a: Record<string, unknown>) => {
            const approver = a.approver as Record<string, unknown> | undefined
            return {
              approver: {
                accountId: approver?.accountId ?? null,
                displayName: approver?.displayName ?? null,
                emailAddress: approver?.emailAddress ?? null,
                active: approver?.active ?? null,
              },
              approverDecision: a.approverDecision ?? null,
            }
          }),
          createdDate: data.createdDate ?? null,
          completedDate: data.completedDate ?? null,
          approval: data,
          success: true,
        },
      })
    }
--- a/apps/sim/app/api/tools/jsm/comment/route.ts
+++ b/apps/sim/app/api/tools/jsm/comment/route.ts
@@ -95,6 +95,14 @@ export async function POST(request: NextRequest) {
        commentId: data.id,
        body: data.body,
        isPublic: data.public,
        author: data.author
          ? {
              accountId: data.author.accountId ?? null,
              displayName: data.author.displayName ?? null,
              emailAddress: data.author.emailAddress ?? null,
            }
          : null,
        createdDate: data.created ?? null,
        success: true,
      },
    })
--- a/apps/sim/app/api/tools/jsm/comments/route.ts
+++ b/apps/sim/app/api/tools/jsm/comments/route.ts
@@ -23,6 +23,7 @@ export async function POST(request: NextRequest) {
      issueIdOrKey,
      isPublic,
      internal,
      expand,
      start,
      limit,
    } = body
@@ -57,8 +58,9 @@ export async function POST(request: NextRequest) {
    const baseUrl = getJsmApiBaseUrl(cloudId)
    const params = new URLSearchParams()
-    if (isPublic) params.append('public', isPublic)
+    if (isPublic !== undefined) params.append('public', String(isPublic))
-    if (internal) params.append('internal', internal)
+    if (internal !== undefined) params.append('internal', String(internal))
    if (expand) params.append('expand', expand)
    if (start) params.append('start', start)
    if (limit) params.append('limit', limit)
--- a/apps/sim/app/api/tools/jsm/customers/route.ts
+++ b/apps/sim/app/api/tools/jsm/customers/route.ts
@@ -24,6 +24,7 @@ export async function POST(request: NextRequest) {
      query,
      start,
      limit,
      accountIds,
      emails,
    } = body
@@ -56,24 +57,27 @@ export async function POST(request: NextRequest) {
    const baseUrl = getJsmApiBaseUrl(cloudId)
-    const parsedEmails = emails
+    const rawIds = accountIds || emails
-      ? typeof emails === 'string'
+    const parsedAccountIds = rawIds
-        ? emails
+      ? typeof rawIds === 'string'
        ? rawIds
            .split(',')
-            .map((email: string) => email.trim())
+            .map((id: string) => id.trim())
-            .filter((email: string) => email)
+            .filter((id: string) => id)
-        : emails
+        : Array.isArray(rawIds)
          ? rawIds
          : []
      : []
-    const isAddOperation = parsedEmails.length > 0
+    const isAddOperation = parsedAccountIds.length > 0
    if (isAddOperation) {
      const url = `${baseUrl}/servicedesk/${serviceDeskId}/customer`
-      logger.info('Adding customers to:', url, { emails: parsedEmails })
+      logger.info('Adding customers to:', url, { accountIds: parsedAccountIds })
      const requestBody: Record<string, unknown> = {
-        usernames: parsedEmails,
+        accountIds: parsedAccountIds,
      }
      const response = await fetch(url, {
--- a/apps/sim/app/api/tools/jsm/request/route.ts
+++ b/apps/sim/app/api/tools/jsm/request/route.ts
@@ -31,6 +31,9 @@ export async function POST(request: NextRequest) {
      description,
      raiseOnBehalfOf,
      requestFieldValues,
      requestParticipants,
      channel,
      expand,
    } = body
    if (!domain) {
@@ -80,6 +83,19 @@ export async function POST(request: NextRequest) {
      if (raiseOnBehalfOf) {
        requestBody.raiseOnBehalfOf = raiseOnBehalfOf
      }
      if (requestParticipants) {
        requestBody.requestParticipants = Array.isArray(requestParticipants)
          ? requestParticipants
          : typeof requestParticipants === 'string'
            ? requestParticipants
                .split(',')
                .map((id: string) => id.trim())
                .filter(Boolean)
            : []
      }
      if (channel) {
        requestBody.channel = channel
      }
      const response = await fetch(url, {
        method: 'POST',
@@ -111,6 +127,21 @@ export async function POST(request: NextRequest) {
          issueKey: data.issueKey,
          requestTypeId: data.requestTypeId,
          serviceDeskId: data.serviceDeskId,
          createdDate: data.createdDate ?? null,
          currentStatus: data.currentStatus
            ? {
                status: data.currentStatus.status ?? null,
                statusCategory: data.currentStatus.statusCategory ?? null,
                statusDate: data.currentStatus.statusDate ?? null,
              }
            : null,
          reporter: data.reporter
            ? {
                accountId: data.reporter.accountId ?? null,
                displayName: data.reporter.displayName ?? null,
                emailAddress: data.reporter.emailAddress ?? null,
              }
            : null,
          success: true,
          url: `https://${domain}/browse/${data.issueKey}`,
        },
@@ -126,7 +157,10 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: issueIdOrKeyValidation.error }, { status: 400 })
    }
-    const url = `${baseUrl}/request/${issueIdOrKey}`
+    const params = new URLSearchParams()
    if (expand) params.append('expand', expand)
    const url = `${baseUrl}/request/${issueIdOrKey}${params.toString() ? `?${params.toString()}` : ''}`
    logger.info('Fetching request from:', url)
@@ -155,6 +189,32 @@ export async function POST(request: NextRequest) {
      success: true,
      output: {
        ts: new Date().toISOString(),
        issueId: data.issueId ?? null,
        issueKey: data.issueKey ?? null,
        requestTypeId: data.requestTypeId ?? null,
        serviceDeskId: data.serviceDeskId ?? null,
        createdDate: data.createdDate ?? null,
        currentStatus: data.currentStatus
          ? {
              status: data.currentStatus.status ?? null,
              statusCategory: data.currentStatus.statusCategory ?? null,
              statusDate: data.currentStatus.statusDate ?? null,
            }
          : null,
        reporter: data.reporter
          ? {
              accountId: data.reporter.accountId ?? null,
              displayName: data.reporter.displayName ?? null,
              emailAddress: data.reporter.emailAddress ?? null,
              active: data.reporter.active ?? true,
            }
          : null,
        requestFieldValues: (data.requestFieldValues ?? []).map((fv: Record<string, unknown>) => ({
          fieldId: fv.fieldId ?? null,
          label: fv.label ?? null,
          value: fv.value ?? null,
        })),
        url: `https://${domain}/browse/${data.issueKey}`,
        request: data,
      },
    })
--- a/apps/sim/app/api/tools/jsm/requests/route.ts
+++ b/apps/sim/app/api/tools/jsm/requests/route.ts
@@ -1,7 +1,11 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
  validateAlphanumericId,
  validateEnum,
  validateJiraCloudId,
 } from '@/lib/core/security/input-validation'
 import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
 export const dynamic = 'force-dynamic'
@@ -23,7 +27,9 @@ export async function POST(request: NextRequest) {
      serviceDeskId,
      requestOwnership,
      requestStatus,
      requestTypeId,
      searchTerm,
      expand,
      start,
      limit,
    } = body
@@ -52,17 +58,45 @@ export async function POST(request: NextRequest) {
      }
    }
    const VALID_REQUEST_OWNERSHIP = [
      'OWNED_REQUESTS',
      'PARTICIPATED_REQUESTS',
      'APPROVER',
      'ALL_REQUESTS',
    ] as const
    const VALID_REQUEST_STATUS = ['OPEN_REQUESTS', 'CLOSED_REQUESTS', 'ALL_REQUESTS'] as const
    if (requestOwnership) {
      const ownershipValidation = validateEnum(
        requestOwnership,
        VALID_REQUEST_OWNERSHIP,
        'requestOwnership'
      )
      if (!ownershipValidation.isValid) {
        return NextResponse.json({ error: ownershipValidation.error }, { status: 400 })
      }
    }
    if (requestStatus) {
      const statusValidation = validateEnum(requestStatus, VALID_REQUEST_STATUS, 'requestStatus')
      if (!statusValidation.isValid) {
        return NextResponse.json({ error: statusValidation.error }, { status: 400 })
      }
    }
    const baseUrl = getJsmApiBaseUrl(cloudId)
    const params = new URLSearchParams()
    if (serviceDeskId) params.append('serviceDeskId', serviceDeskId)
-    if (requestOwnership && requestOwnership !== 'ALL_REQUESTS') {
+    if (requestOwnership) {
      params.append('requestOwnership', requestOwnership)
    }
-    if (requestStatus && requestStatus !== 'ALL') {
+    if (requestStatus) {
      params.append('requestStatus', requestStatus)
    }
    if (requestTypeId) params.append('requestTypeId', requestTypeId)
    if (searchTerm) params.append('searchTerm', searchTerm)
    if (expand) params.append('expand', expand)
    if (start) params.append('start', start)
    if (limit) params.append('limit', limit)
--- a/apps/sim/app/api/tools/jsm/requesttypefields/route.ts
+++ b/apps/sim/app/api/tools/jsm/requesttypefields/route.ts
@@ -0,0 +1,119 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId, validateJiraCloudId } from '@/lib/core/security/input-validation'
 import { getJiraCloudId, getJsmApiBaseUrl, getJsmHeaders } from '@/tools/jsm/utils'
 export const dynamic = 'force-dynamic'
 const logger = createLogger('JsmRequestTypeFieldsAPI')
 export async function POST(request: NextRequest) {
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const { domain, accessToken, cloudId: cloudIdParam, serviceDeskId, requestTypeId } = body
    if (!domain) {
      logger.error('Missing domain in request')
      return NextResponse.json({ error: 'Domain is required' }, { status: 400 })
    }
    if (!accessToken) {
      logger.error('Missing access token in request')
      return NextResponse.json({ error: 'Access token is required' }, { status: 400 })
    }
    if (!serviceDeskId) {
      logger.error('Missing serviceDeskId in request')
      return NextResponse.json({ error: 'Service Desk ID is required' }, { status: 400 })
    }
    if (!requestTypeId) {
      logger.error('Missing requestTypeId in request')
      return NextResponse.json({ error: 'Request Type ID is required' }, { status: 400 })
    }
    const cloudId = cloudIdParam || (await getJiraCloudId(domain, accessToken))
    const cloudIdValidation = validateJiraCloudId(cloudId, 'cloudId')
    if (!cloudIdValidation.isValid) {
      return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
    }
    const serviceDeskIdValidation = validateAlphanumericId(serviceDeskId, 'serviceDeskId')
    if (!serviceDeskIdValidation.isValid) {
      return NextResponse.json({ error: serviceDeskIdValidation.error }, { status: 400 })
    }
    const requestTypeIdValidation = validateAlphanumericId(requestTypeId, 'requestTypeId')
    if (!requestTypeIdValidation.isValid) {
      return NextResponse.json({ error: requestTypeIdValidation.error }, { status: 400 })
    }
    const baseUrl = getJsmApiBaseUrl(cloudId)
    const url = `${baseUrl}/servicedesk/${serviceDeskId}/requesttype/${requestTypeId}/field`
    logger.info('Fetching request type fields from:', url)
    const response = await fetch(url, {
      method: 'GET',
      headers: getJsmHeaders(accessToken),
    })
    if (!response.ok) {
      const errorText = await response.text()
      logger.error('JSM API error:', {
        status: response.status,
        statusText: response.statusText,
        error: errorText,
      })
      return NextResponse.json(
        { error: `JSM API error: ${response.status} ${response.statusText}`, details: errorText },
        { status: response.status }
      )
    }
    const data = await response.json()
    return NextResponse.json({
      success: true,
      output: {
        ts: new Date().toISOString(),
        serviceDeskId,
        requestTypeId,
        canAddRequestParticipants: data.canAddRequestParticipants ?? false,
        canRaiseOnBehalfOf: data.canRaiseOnBehalfOf ?? false,
        requestTypeFields: (data.requestTypeFields ?? []).map((field: Record<string, unknown>) => ({
          fieldId: field.fieldId ?? null,
          name: field.name ?? null,
          description: field.description ?? null,
          required: field.required ?? false,
          visible: field.visible ?? true,
          validValues: field.validValues ?? [],
          presetValues: field.presetValues ?? [],
          defaultValues: field.defaultValues ?? [],
          jiraSchema: field.jiraSchema ?? null,
        })),
      },
    })
  } catch (error) {
    logger.error('Error fetching request type fields:', {
      error: error instanceof Error ? error.message : String(error),
      stack: error instanceof Error ? error.stack : undefined,
    })
    return NextResponse.json(
      {
        error: error instanceof Error ? error.message : 'Internal server error',
        success: false,
      },
      { status: 500 }
    )
  }
 }
--- a/apps/sim/app/api/tools/jsm/requesttypes/route.ts
+++ b/apps/sim/app/api/tools/jsm/requesttypes/route.ts
@@ -16,7 +16,17 @@ export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { domain, accessToken, cloudId: cloudIdParam, serviceDeskId, start, limit } = body
+    const {
      domain,
      accessToken,
      cloudId: cloudIdParam,
      serviceDeskId,
      searchQuery,
      groupId,
      expand,
      start,
      limit,
    } = body
    if (!domain) {
      logger.error('Missing domain in request')
@@ -48,6 +58,9 @@ export async function POST(request: NextRequest) {
    const baseUrl = getJsmApiBaseUrl(cloudId)
    const params = new URLSearchParams()
    if (searchQuery) params.append('searchQuery', searchQuery)
    if (groupId) params.append('groupId', groupId)
    if (expand) params.append('expand', expand)
    if (start) params.append('start', start)
    if (limit) params.append('limit', limit)
--- a/apps/sim/app/api/tools/jsm/servicedesks/route.ts
+++ b/apps/sim/app/api/tools/jsm/servicedesks/route.ts
@@ -16,7 +16,7 @@ export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { domain, accessToken, cloudId: cloudIdParam, start, limit } = body
+    const { domain, accessToken, cloudId: cloudIdParam, expand, start, limit } = body
    if (!domain) {
      logger.error('Missing domain in request')
@@ -38,6 +38,7 @@ export async function POST(request: NextRequest) {
    const baseUrl = getJsmApiBaseUrl(cloudId)
    const params = new URLSearchParams()
    if (expand) params.append('expand', expand)
    if (start) params.append('start', start)
    if (limit) params.append('limit', limit)
--- a/apps/sim/app/api/tools/jsm/transitions/route.ts
+++ b/apps/sim/app/api/tools/jsm/transitions/route.ts
@@ -16,7 +16,7 @@ export async function POST(request: NextRequest) {
  try {
    const body = await request.json()
-    const { domain, accessToken, cloudId: cloudIdParam, issueIdOrKey } = body
+    const { domain, accessToken, cloudId: cloudIdParam, issueIdOrKey, start, limit } = body
    if (!domain) {
      logger.error('Missing domain in request')
@@ -47,7 +47,11 @@ export async function POST(request: NextRequest) {
    const baseUrl = getJsmApiBaseUrl(cloudId)
-    const url = `${baseUrl}/request/${issueIdOrKey}/transition`
+    const params = new URLSearchParams()
    if (start) params.append('start', start)
    if (limit) params.append('limit', limit)
    const url = `${baseUrl}/request/${issueIdOrKey}/transition${params.toString() ? `?${params.toString()}` : ''}`
    logger.info('Fetching transitions from:', url)
@@ -78,6 +82,8 @@ export async function POST(request: NextRequest) {
        ts: new Date().toISOString(),
        issueIdOrKey,
        transitions: data.values || [],
        total: data.size || 0,
        isLastPage: data.isLastPage ?? true,
      },
    })
  } catch (error) {
--- a/apps/sim/app/api/tools/onepassword/create-item/route.ts
+++ b/apps/sim/app/api/tools/onepassword/create-item/route.ts
@@ -0,0 +1,113 @@
 import { randomUUID } from 'crypto'
 import type { ItemCreateParams } from '@1password/sdk'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkItem,
  resolveCredentials,
  toSdkCategory,
  toSdkFieldType,
 } from '../utils'
 const logger = createLogger('OnePasswordCreateItemAPI')
 const CreateItemSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  category: z.string().min(1, 'Category is required'),
  title: z.string().nullish(),
  tags: z.string().nullish(),
  fields: z.string().nullish(),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password create-item attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = CreateItemSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(`[${requestId}] Creating item in vault ${params.vaultId} (${creds.mode} mode)`)
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const parsedTags = params.tags
        ? params.tags
            .split(',')
            .map((t) => t.trim())
            .filter(Boolean)
        : undefined
      const parsedFields = params.fields
        ? (JSON.parse(params.fields) as Array<Record<string, any>>).map((f) => ({
            id: f.id || randomUUID().slice(0, 8),
            title: f.label || f.title || '',
            fieldType: toSdkFieldType(f.type || 'STRING'),
            value: f.value || '',
            sectionId: f.section?.id ?? f.sectionId,
          }))
        : undefined
      const item = await client.items.create({
        vaultId: params.vaultId,
        category: toSdkCategory(params.category),
        title: params.title || '',
        tags: parsedTags,
        fields: parsedFields,
      } as ItemCreateParams)
      return NextResponse.json(normalizeSdkItem(item))
    }
    const connectBody: Record<string, unknown> = {
      vault: { id: params.vaultId },
      category: params.category,
    }
    if (params.title) connectBody.title = params.title
    if (params.tags) connectBody.tags = params.tags.split(',').map((t) => t.trim())
    if (params.fields) connectBody.fields = JSON.parse(params.fields)
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items`,
      method: 'POST',
      body: connectBody,
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to create item' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Create item failed:`, error)
    return NextResponse.json({ error: `Failed to create item: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/delete-item/route.ts
+++ b/apps/sim/app/api/tools/onepassword/delete-item/route.ts
@@ -0,0 +1,70 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { connectRequest, createOnePasswordClient, resolveCredentials } from '../utils'
 const logger = createLogger('OnePasswordDeleteItemAPI')
 const DeleteItemSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  itemId: z.string().min(1, 'Item ID is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password delete-item attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = DeleteItemSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(
      `[${requestId}] Deleting item ${params.itemId} from vault ${params.vaultId} (${creds.mode} mode)`
    )
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      await client.items.delete(params.vaultId, params.itemId)
      return NextResponse.json({ success: true })
    }
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items/${params.itemId}`,
      method: 'DELETE',
    })
    if (!response.ok) {
      const data = await response.json().catch(() => ({}))
      return NextResponse.json(
        { error: (data as Record<string, string>).message || 'Failed to delete item' },
        { status: response.status }
      )
    }
    return NextResponse.json({ success: true })
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Delete item failed:`, error)
    return NextResponse.json({ error: `Failed to delete item: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/get-item/route.ts
+++ b/apps/sim/app/api/tools/onepassword/get-item/route.ts
@@ -0,0 +1,75 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkItem,
  resolveCredentials,
 } from '../utils'
 const logger = createLogger('OnePasswordGetItemAPI')
 const GetItemSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  itemId: z.string().min(1, 'Item ID is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password get-item attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = GetItemSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(
      `[${requestId}] Getting item ${params.itemId} from vault ${params.vaultId} (${creds.mode} mode)`
    )
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const item = await client.items.get(params.vaultId, params.itemId)
      return NextResponse.json(normalizeSdkItem(item))
    }
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items/${params.itemId}`,
      method: 'GET',
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to get item' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Get item failed:`, error)
    return NextResponse.json({ error: `Failed to get item: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/get-vault/route.ts
+++ b/apps/sim/app/api/tools/onepassword/get-vault/route.ts
@@ -0,0 +1,78 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkVault,
  resolveCredentials,
 } from '../utils'
 const logger = createLogger('OnePasswordGetVaultAPI')
 const GetVaultSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password get-vault attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = GetVaultSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(`[${requestId}] Getting 1Password vault ${params.vaultId} (${creds.mode} mode)`)
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const vaults = await client.vaults.list()
      const vault = vaults.find((v) => v.id === params.vaultId)
      if (!vault) {
        return NextResponse.json({ error: 'Vault not found' }, { status: 404 })
      }
      return NextResponse.json(normalizeSdkVault(vault))
    }
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}`,
      method: 'GET',
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to get vault' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Get vault failed:`, error)
    return NextResponse.json({ error: `Failed to get vault: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/list-items/route.ts
+++ b/apps/sim/app/api/tools/onepassword/list-items/route.ts
@@ -0,0 +1,87 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkItemOverview,
  resolveCredentials,
 } from '../utils'
 const logger = createLogger('OnePasswordListItemsAPI')
 const ListItemsSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  filter: z.string().nullish(),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password list-items attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = ListItemsSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(`[${requestId}] Listing items in vault ${params.vaultId} (${creds.mode} mode)`)
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const items = await client.items.list(params.vaultId)
      const normalized = items.map(normalizeSdkItemOverview)
      if (params.filter) {
        const filterLower = params.filter.toLowerCase()
        const filtered = normalized.filter(
          (item) =>
            item.title?.toLowerCase().includes(filterLower) ||
            item.id?.toLowerCase().includes(filterLower)
        )
        return NextResponse.json(filtered)
      }
      return NextResponse.json(normalized)
    }
    const query = params.filter ? `filter=${encodeURIComponent(params.filter)}` : undefined
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items`,
      method: 'GET',
      query,
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to list items' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] List items failed:`, error)
    return NextResponse.json({ error: `Failed to list items: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/list-vaults/route.ts
+++ b/apps/sim/app/api/tools/onepassword/list-vaults/route.ts
@@ -0,0 +1,85 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkVault,
  resolveCredentials,
 } from '../utils'
 const logger = createLogger('OnePasswordListVaultsAPI')
 const ListVaultsSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  filter: z.string().nullish(),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password list-vaults attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = ListVaultsSchema.parse(body)
    const creds = resolveCredentials(params)
    logger.info(`[${requestId}] Listing 1Password vaults (${creds.mode} mode)`)
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const vaults = await client.vaults.list()
      const normalized = vaults.map(normalizeSdkVault)
      if (params.filter) {
        const filterLower = params.filter.toLowerCase()
        const filtered = normalized.filter(
          (v) =>
            v.name?.toLowerCase().includes(filterLower) || v.id?.toLowerCase().includes(filterLower)
        )
        return NextResponse.json(filtered)
      }
      return NextResponse.json(normalized)
    }
    const query = params.filter ? `filter=${encodeURIComponent(params.filter)}` : undefined
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: '/v1/vaults',
      method: 'GET',
      query,
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to list vaults' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] List vaults failed:`, error)
    return NextResponse.json({ error: `Failed to list vaults: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/replace-item/route.ts
+++ b/apps/sim/app/api/tools/onepassword/replace-item/route.ts
@@ -0,0 +1,117 @@
 import { randomUUID } from 'crypto'
 import type { Item } from '@1password/sdk'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkItem,
  resolveCredentials,
  toSdkCategory,
  toSdkFieldType,
 } from '../utils'
 const logger = createLogger('OnePasswordReplaceItemAPI')
 const ReplaceItemSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  itemId: z.string().min(1, 'Item ID is required'),
  item: z.string().min(1, 'Item JSON is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password replace-item attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = ReplaceItemSchema.parse(body)
    const creds = resolveCredentials(params)
    const itemData = JSON.parse(params.item)
    logger.info(
      `[${requestId}] Replacing item ${params.itemId} in vault ${params.vaultId} (${creds.mode} mode)`
    )
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const existing = await client.items.get(params.vaultId, params.itemId)
      const sdkItem = {
        ...existing,
        id: params.itemId,
        title: itemData.title || existing.title,
        category: itemData.category ? toSdkCategory(itemData.category) : existing.category,
        vaultId: params.vaultId,
        fields: itemData.fields
          ? (itemData.fields as Array<Record<string, any>>).map((f) => ({
              id: f.id || randomUUID().slice(0, 8),
              title: f.label || f.title || '',
              fieldType: toSdkFieldType(f.type || 'STRING'),
              value: f.value || '',
              sectionId: f.section?.id ?? f.sectionId,
            }))
          : existing.fields,
        sections: itemData.sections
          ? (itemData.sections as Array<Record<string, any>>).map((s) => ({
              id: s.id || '',
              title: s.label || s.title || '',
            }))
          : existing.sections,
        notes: itemData.notes ?? existing.notes,
        tags: itemData.tags ?? existing.tags,
        websites:
          itemData.urls || itemData.websites
            ? (itemData.urls ?? itemData.websites ?? []).map((u: Record<string, any>) => ({
                url: u.href || u.url || '',
                label: u.label || '',
                autofillBehavior: 'AnywhereOnWebsite' as const,
              }))
            : existing.websites,
      } as Item
      const result = await client.items.put(sdkItem)
      return NextResponse.json(normalizeSdkItem(result))
    }
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items/${params.itemId}`,
      method: 'PUT',
      body: itemData,
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to replace item' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Replace item failed:`, error)
    return NextResponse.json({ error: `Failed to replace item: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/resolve-secret/route.ts
+++ b/apps/sim/app/api/tools/onepassword/resolve-secret/route.ts
@@ -0,0 +1,59 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createOnePasswordClient, resolveCredentials } from '../utils'
 const logger = createLogger('OnePasswordResolveSecretAPI')
 const ResolveSecretSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  secretReference: z.string().min(1, 'Secret reference is required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password resolve-secret attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = ResolveSecretSchema.parse(body)
    const creds = resolveCredentials(params)
    if (creds.mode !== 'service_account') {
      return NextResponse.json(
        { error: 'Resolve Secret is only available in Service Account mode' },
        { status: 400 }
      )
    }
    logger.info(`[${requestId}] Resolving secret reference (service_account mode)`)
    const client = await createOnePasswordClient(creds.serviceAccountToken!)
    const secret = await client.secrets.resolve(params.secretReference)
    return NextResponse.json({
      value: secret,
      reference: params.secretReference,
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Resolve secret failed:`, error)
    return NextResponse.json({ error: `Failed to resolve secret: ${message}` }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/tools/onepassword/update-item/route.ts
+++ b/apps/sim/app/api/tools/onepassword/update-item/route.ts
@@ -0,0 +1,136 @@
 import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  connectRequest,
  createOnePasswordClient,
  normalizeSdkItem,
  resolveCredentials,
 } from '../utils'
 const logger = createLogger('OnePasswordUpdateItemAPI')
 const UpdateItemSchema = z.object({
  connectionMode: z.enum(['service_account', 'connect']).nullish(),
  serviceAccountToken: z.string().nullish(),
  serverUrl: z.string().nullish(),
  apiKey: z.string().nullish(),
  vaultId: z.string().min(1, 'Vault ID is required'),
  itemId: z.string().min(1, 'Item ID is required'),
  operations: z.string().min(1, 'Patch operations are required'),
 })
 export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)
  const auth = await checkInternalAuth(request)
  if (!auth.success || !auth.userId) {
    logger.warn(`[${requestId}] Unauthorized 1Password update-item attempt`)
    return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
  }
  try {
    const body = await request.json()
    const params = UpdateItemSchema.parse(body)
    const creds = resolveCredentials(params)
    const ops = JSON.parse(params.operations) as JsonPatchOperation[]
    logger.info(
      `[${requestId}] Updating item ${params.itemId} in vault ${params.vaultId} (${creds.mode} mode)`
    )
    if (creds.mode === 'service_account') {
      const client = await createOnePasswordClient(creds.serviceAccountToken!)
      const item = await client.items.get(params.vaultId, params.itemId)
      for (const op of ops) {
        applyPatch(item, op)
      }
      const result = await client.items.put(item)
      return NextResponse.json(normalizeSdkItem(result))
    }
    const response = await connectRequest({
      serverUrl: creds.serverUrl!,
      apiKey: creds.apiKey!,
      path: `/v1/vaults/${params.vaultId}/items/${params.itemId}`,
      method: 'PATCH',
      body: ops,
    })
    const data = await response.json()
    if (!response.ok) {
      return NextResponse.json(
        { error: data.message || 'Failed to update item' },
        { status: response.status }
      )
    }
    return NextResponse.json(data)
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { error: 'Invalid request data', details: error.errors },
        { status: 400 }
      )
    }
    const message = error instanceof Error ? error.message : 'Unknown error'
    logger.error(`[${requestId}] Update item failed:`, error)
    return NextResponse.json({ error: `Failed to update item: ${message}` }, { status: 500 })
  }
 }
 interface JsonPatchOperation {
  op: 'add' | 'remove' | 'replace'
  path: string
  value?: unknown
 }
 /** Apply a single RFC6902 JSON Patch operation to a mutable object. */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 function applyPatch(item: Record<string, any>, op: JsonPatchOperation) {
  const segments = op.path.split('/').filter(Boolean)
  if (segments.length === 1) {
    const key = segments[0]
    if (op.op === 'replace' || op.op === 'add') {
      item[key] = op.value
    } else if (op.op === 'remove') {
      delete item[key]
    }
    return
  }
  let target = item
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i]
    if (Array.isArray(target)) {
      target = target[Number(seg)]
    } else {
      target = target[seg]
    }
    if (target === undefined || target === null) return
  }
  const lastSeg = segments[segments.length - 1]
  if (op.op === 'replace' || op.op === 'add') {
    if (Array.isArray(target) && lastSeg === '-') {
      target.push(op.value)
    } else if (Array.isArray(target)) {
      target[Number(lastSeg)] = op.value
    } else {
      target[lastSeg] = op.value
    }
  } else if (op.op === 'remove') {
    if (Array.isArray(target)) {
      target.splice(Number(lastSeg), 1)
    } else {
      delete target[lastSeg]
    }
  }
 }
--- a/apps/sim/app/api/tools/onepassword/utils.ts
+++ b/apps/sim/app/api/tools/onepassword/utils.ts
@@ -0,0 +1,357 @@
 import type {
  Item,
  ItemCategory,
  ItemField,
  ItemFieldType,
  ItemOverview,
  ItemSection,
  VaultOverview,
  Website,
 } from '@1password/sdk'
 /** Connect-format field type strings returned by normalization. */
 type ConnectFieldType =
  | 'STRING'
  | 'CONCEALED'
  | 'EMAIL'
  | 'URL'
  | 'OTP'
  | 'PHONE'
  | 'DATE'
  | 'MONTH_YEAR'
  | 'MENU'
  | 'ADDRESS'
  | 'REFERENCE'
  | 'SSHKEY'
  | 'CREDIT_CARD_NUMBER'
  | 'CREDIT_CARD_TYPE'
 /** Connect-format category strings returned by normalization. */
 type ConnectCategory =
  | 'LOGIN'
  | 'PASSWORD'
  | 'API_CREDENTIAL'
  | 'SECURE_NOTE'
  | 'SERVER'
  | 'DATABASE'
  | 'CREDIT_CARD'
  | 'IDENTITY'
  | 'SSH_KEY'
  | 'DOCUMENT'
  | 'SOFTWARE_LICENSE'
  | 'EMAIL_ACCOUNT'
  | 'MEMBERSHIP'
  | 'PASSPORT'
  | 'REWARD_PROGRAM'
  | 'DRIVER_LICENSE'
  | 'BANK_ACCOUNT'
  | 'MEDICAL_RECORD'
  | 'OUTDOOR_LICENSE'
  | 'WIRELESS_ROUTER'
  | 'SOCIAL_SECURITY_NUMBER'
  | 'CUSTOM'
 /** Normalized vault shape matching the Connect API response. */
 export interface NormalizedVault {
  id: string
  name: string
  description: null
  attributeVersion: number
  contentVersion: number
  items: number
  type: string
  createdAt: string | null
  updatedAt: string | null
 }
 /** Normalized item overview shape matching the Connect API response. */
 export interface NormalizedItemOverview {
  id: string
  title: string
  vault: { id: string }
  category: ConnectCategory
  urls: Array<{ href: string; label: string | null; primary: boolean }>
  favorite: boolean
  tags: string[]
  version: number
  state: string | null
  createdAt: string | null
  updatedAt: string | null
  lastEditedBy: null
 }
 /** Normalized field shape matching the Connect API response. */
 export interface NormalizedField {
  id: string
  label: string
  type: ConnectFieldType
  purpose: string
  value: string | null
  section: { id: string } | null
  generate: boolean
  recipe: null
  entropy: null
 }
 /** Normalized full item shape matching the Connect API response. */
 export interface NormalizedItem extends NormalizedItemOverview {
  fields: NormalizedField[]
  sections: Array<{ id: string; label: string }>
 }
 /**
 * SDK field type string values → Connect field type mapping.
 * Uses string literals instead of enum imports to avoid loading the WASM module at build time.
 */
 const SDK_TO_CONNECT_FIELD_TYPE: Record<string, ConnectFieldType> = {
  Text: 'STRING',
  Concealed: 'CONCEALED',
  Email: 'EMAIL',
  Url: 'URL',
  Totp: 'OTP',
  Phone: 'PHONE',
  Date: 'DATE',
  MonthYear: 'MONTH_YEAR',
  Menu: 'MENU',
  Address: 'ADDRESS',
  Reference: 'REFERENCE',
  SshKey: 'SSHKEY',
  CreditCardNumber: 'CREDIT_CARD_NUMBER',
  CreditCardType: 'CREDIT_CARD_TYPE',
 }
 /** SDK category string values → Connect category mapping. */
 const SDK_TO_CONNECT_CATEGORY: Record<string, ConnectCategory> = {
  Login: 'LOGIN',
  Password: 'PASSWORD',
  ApiCredentials: 'API_CREDENTIAL',
  SecureNote: 'SECURE_NOTE',
  Server: 'SERVER',
  Database: 'DATABASE',
  CreditCard: 'CREDIT_CARD',
  Identity: 'IDENTITY',
  SshKey: 'SSH_KEY',
  Document: 'DOCUMENT',
  SoftwareLicense: 'SOFTWARE_LICENSE',
  Email: 'EMAIL_ACCOUNT',
  Membership: 'MEMBERSHIP',
  Passport: 'PASSPORT',
  Rewards: 'REWARD_PROGRAM',
  DriverLicense: 'DRIVER_LICENSE',
  BankAccount: 'BANK_ACCOUNT',
  MedicalRecord: 'MEDICAL_RECORD',
  OutdoorLicense: 'OUTDOOR_LICENSE',
  Router: 'WIRELESS_ROUTER',
  SocialSecurityNumber: 'SOCIAL_SECURITY_NUMBER',
  CryptoWallet: 'CUSTOM',
  Person: 'CUSTOM',
  Unsupported: 'CUSTOM',
 }
 /** Connect category → SDK category string mapping. */
 const CONNECT_TO_SDK_CATEGORY: Record<string, `${ItemCategory}`> = {
  LOGIN: 'Login',
  PASSWORD: 'Password',
  API_CREDENTIAL: 'ApiCredentials',
  SECURE_NOTE: 'SecureNote',
  SERVER: 'Server',
  DATABASE: 'Database',
  CREDIT_CARD: 'CreditCard',
  IDENTITY: 'Identity',
  SSH_KEY: 'SshKey',
  DOCUMENT: 'Document',
  SOFTWARE_LICENSE: 'SoftwareLicense',
  EMAIL_ACCOUNT: 'Email',
  MEMBERSHIP: 'Membership',
  PASSPORT: 'Passport',
  REWARD_PROGRAM: 'Rewards',
  DRIVER_LICENSE: 'DriverLicense',
  BANK_ACCOUNT: 'BankAccount',
  MEDICAL_RECORD: 'MedicalRecord',
  OUTDOOR_LICENSE: 'OutdoorLicense',
  WIRELESS_ROUTER: 'Router',
  SOCIAL_SECURITY_NUMBER: 'SocialSecurityNumber',
 }
 /** Connect field type → SDK field type string mapping. */
 const CONNECT_TO_SDK_FIELD_TYPE: Record<string, `${ItemFieldType}`> = {
  STRING: 'Text',
  CONCEALED: 'Concealed',
  EMAIL: 'Email',
  URL: 'Url',
  OTP: 'Totp',
  TOTP: 'Totp',
  PHONE: 'Phone',
  DATE: 'Date',
  MONTH_YEAR: 'MonthYear',
  MENU: 'Menu',
  ADDRESS: 'Address',
  REFERENCE: 'Reference',
  SSHKEY: 'SshKey',
  CREDIT_CARD_NUMBER: 'CreditCardNumber',
  CREDIT_CARD_TYPE: 'CreditCardType',
 }
 export type ConnectionMode = 'service_account' | 'connect'
 export interface CredentialParams {
  connectionMode?: ConnectionMode | null
  serviceAccountToken?: string | null
  serverUrl?: string | null
  apiKey?: string | null
 }
 export interface ResolvedCredentials {
  mode: ConnectionMode
  serviceAccountToken?: string
  serverUrl?: string
  apiKey?: string
 }
 /** Determine which backend to use based on provided credentials. */
 export function resolveCredentials(params: CredentialParams): ResolvedCredentials {
  const mode = params.connectionMode ?? (params.serviceAccountToken ? 'service_account' : 'connect')
  if (mode === 'service_account') {
    if (!params.serviceAccountToken) {
      throw new Error('Service Account token is required for Service Account mode')
    }
    return { mode, serviceAccountToken: params.serviceAccountToken }
  }
  if (!params.serverUrl || !params.apiKey) {
    throw new Error('Server URL and Connect token are required for Connect Server mode')
  }
  return { mode, serverUrl: params.serverUrl, apiKey: params.apiKey }
 }
 /**
 * Create a 1Password SDK client from a service account token.
 * Uses dynamic import to avoid loading the WASM module at build time.
 */
 export async function createOnePasswordClient(serviceAccountToken: string) {
  const { createClient } = await import('@1password/sdk')
  return createClient({
    auth: serviceAccountToken,
    integrationName: 'Sim Studio',
    integrationVersion: '1.0.0',
  })
 }
 /** Proxy a request to the 1Password Connect Server. */
 export async function connectRequest(options: {
  serverUrl: string
  apiKey: string
  path: string
  method: string
  body?: unknown
  query?: string
 }): Promise<Response> {
  const base = options.serverUrl.replace(/\/$/, '')
  const queryStr = options.query ? `?${options.query}` : ''
  const url = `${base}${options.path}${queryStr}`
  const headers: Record<string, string> = {
    Authorization: `Bearer ${options.apiKey}`,
  }
  if (options.body) {
    headers['Content-Type'] = 'application/json'
  }
  return fetch(url, {
    method: options.method,
    headers,
    body: options.body ? JSON.stringify(options.body) : undefined,
  })
 }
 /** Normalize an SDK VaultOverview to match Connect API vault shape. */
 export function normalizeSdkVault(vault: VaultOverview): NormalizedVault {
  return {
    id: vault.id,
    name: vault.title,
    description: null,
    attributeVersion: 0,
    contentVersion: 0,
    items: 0,
    type: 'USER_CREATED',
    createdAt:
      vault.createdAt instanceof Date ? vault.createdAt.toISOString() : (vault.createdAt ?? null),
    updatedAt:
      vault.updatedAt instanceof Date ? vault.updatedAt.toISOString() : (vault.updatedAt ?? null),
  }
 }
 /** Normalize an SDK ItemOverview to match Connect API item summary shape. */
 export function normalizeSdkItemOverview(item: ItemOverview): NormalizedItemOverview {
  return {
    id: item.id,
    title: item.title,
    vault: { id: item.vaultId },
    category: SDK_TO_CONNECT_CATEGORY[item.category] ?? 'CUSTOM',
    urls: (item.websites ?? []).map((w: Website) => ({
      href: w.url,
      label: w.label ?? null,
      primary: false,
    })),
    favorite: false,
    tags: item.tags ?? [],
    version: 0,
    state: item.state === 'archived' ? 'ARCHIVED' : null,
    createdAt:
      item.createdAt instanceof Date ? item.createdAt.toISOString() : (item.createdAt ?? null),
    updatedAt:
      item.updatedAt instanceof Date ? item.updatedAt.toISOString() : (item.updatedAt ?? null),
    lastEditedBy: null,
  }
 }
 /** Normalize a full SDK Item to match Connect API FullItem shape. */
 export function normalizeSdkItem(item: Item): NormalizedItem {
  return {
    id: item.id,
    title: item.title,
    vault: { id: item.vaultId },
    category: SDK_TO_CONNECT_CATEGORY[item.category] ?? 'CUSTOM',
    urls: (item.websites ?? []).map((w: Website) => ({
      href: w.url,
      label: w.label ?? null,
      primary: false,
    })),
    favorite: false,
    tags: item.tags ?? [],
    version: item.version ?? 0,
    state: null,
    fields: (item.fields ?? []).map((field: ItemField) => ({
      id: field.id,
      label: field.title,
      type: SDK_TO_CONNECT_FIELD_TYPE[field.fieldType] ?? 'STRING',
      purpose: '',
      value: field.value ?? null,
      section: field.sectionId ? { id: field.sectionId } : null,
      generate: false,
      recipe: null,
      entropy: null,
    })),
    sections: (item.sections ?? []).map((section: ItemSection) => ({
      id: section.id,
      label: section.title,
    })),
    createdAt:
      item.createdAt instanceof Date ? item.createdAt.toISOString() : (item.createdAt ?? null),
    updatedAt:
      item.updatedAt instanceof Date ? item.updatedAt.toISOString() : (item.updatedAt ?? null),
    lastEditedBy: null,
  }
 }
 /** Convert a Connect-style category string to the SDK category string. */
 export function toSdkCategory(category: string): `${ItemCategory}` {
  return CONNECT_TO_SDK_CATEGORY[category] ?? 'Login'
 }
 /** Convert a Connect-style field type string to the SDK field type string. */
 export function toSdkFieldType(type: string): `${ItemFieldType}` {
  return CONNECT_TO_SDK_FIELD_TYPE[type] ?? 'Text'
 }
--- a/apps/sim/app/api/users/me/usage-logs/route.ts
+++ b/apps/sim/app/api/users/me/usage-logs/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserUsageLogs, type UsageLogSource } from '@/lib/billing/core/usage-log'
 const logger = createLogger('UsageLogsAPI')
@@ -20,7 +20,7 @@ const QuerySchema = z.object({
 */
 export async function GET(req: NextRequest) {
  try {
-    const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+    const auth = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/v1/copilot/chat/route.ts
+++ b/apps/sim/app/api/v1/copilot/chat/route.ts
@@ -0,0 +1,114 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getCopilotModel } from '@/lib/copilot/config'
 import { SIM_AGENT_VERSION } from '@/lib/copilot/constants'
 import { COPILOT_REQUEST_MODES } from '@/lib/copilot/models'
 import { orchestrateCopilotStream } from '@/lib/copilot/orchestrator'
 import { resolveWorkflowIdForUser } from '@/lib/workflows/utils'
 import { authenticateV1Request } from '@/app/api/v1/auth'
 const logger = createLogger('CopilotHeadlessAPI')
 const RequestSchema = z.object({
  message: z.string().min(1, 'message is required'),
  workflowId: z.string().optional(),
  workflowName: z.string().optional(),
  chatId: z.string().optional(),
  mode: z.enum(COPILOT_REQUEST_MODES).optional().default('agent'),
  model: z.string().optional(),
  autoExecuteTools: z.boolean().optional().default(true),
  timeout: z.number().optional().default(300000),
 })
 /**
 * POST /api/v1/copilot/chat
 * Headless copilot endpoint for server-side orchestration.
 *
 * workflowId is optional - if not provided:
 * - If workflowName is provided, finds that workflow
 * - Otherwise uses the user's first workflow as context
 * - The copilot can still operate on any workflow using list_user_workflows
 */
 export async function POST(req: NextRequest) {
  const auth = await authenticateV1Request(req)
  if (!auth.authenticated || !auth.userId) {
    return NextResponse.json(
      { success: false, error: auth.error || 'Unauthorized' },
      { status: 401 }
    )
  }
  try {
    const body = await req.json()
    const parsed = RequestSchema.parse(body)
    const defaults = getCopilotModel('chat')
    const selectedModel = parsed.model || defaults.model
    // Resolve workflow ID
    const resolved = await resolveWorkflowIdForUser(
      auth.userId,
      parsed.workflowId,
      parsed.workflowName
    )
    if (!resolved) {
      return NextResponse.json(
        {
          success: false,
          error: 'No workflows found. Create a workflow first or provide a valid workflowId.',
        },
        { status: 400 }
      )
    }
    // Transform mode to transport mode (same as client API)
    // build and agent both map to 'agent' on the backend
    const effectiveMode = parsed.mode === 'agent' ? 'build' : parsed.mode
    const transportMode = effectiveMode === 'build' ? 'agent' : effectiveMode
    // Always generate a chatId - required for artifacts system to work with subagents
    const chatId = parsed.chatId || crypto.randomUUID()
    const requestPayload = {
      message: parsed.message,
      workflowId: resolved.workflowId,
      userId: auth.userId,
      model: selectedModel,
      mode: transportMode,
      messageId: crypto.randomUUID(),
      version: SIM_AGENT_VERSION,
      headless: true,
      chatId,
    }
    const result = await orchestrateCopilotStream(requestPayload, {
      userId: auth.userId,
      workflowId: resolved.workflowId,
      chatId,
      autoExecuteTools: parsed.autoExecuteTools,
      timeout: parsed.timeout,
      interactive: false,
    })
    return NextResponse.json({
      success: result.success,
      content: result.content,
      toolCalls: result.toolCalls,
      chatId: result.chatId || chatId, // Return the chatId for conversation continuity
      conversationId: result.conversationId,
      error: result.error,
    })
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
        { success: false, error: 'Invalid request', details: error.errors },
        { status: 400 }
      )
    }
    logger.error('Headless copilot request failed', {
      error: error instanceof Error ? error.message : String(error),
    })
    return NextResponse.json({ success: false, error: 'Internal server error' }, { status: 500 })
  }
 }
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -33,7 +33,11 @@ import { createHttpResponseFromBlock, workflowHasResponseBlock } from '@/lib/wor
 import { executeWorkflowJob, type WorkflowExecutionPayload } from '@/background/workflow-execution'
 import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
-import type { ExecutionMetadata, IterationContext } from '@/executor/execution/types'
+import type {
  ExecutionMetadata,
  IterationContext,
  SerializableExecutionState,
 } from '@/executor/execution/types'
 import type { NormalizedBlockOutput, StreamingExecution } from '@/executor/types'
 import { hasExecutionResult } from '@/executor/utils/errors'
 import { Serializer } from '@/serializer'
@@ -62,20 +66,23 @@ const ExecuteWorkflowSchema = z.object({
  runFromBlock: z
    .object({
      startBlockId: z.string().min(1, 'Start block ID is required'),
-      sourceSnapshot: z.object({
+      sourceSnapshot: z
-        blockStates: z.record(z.any()),
+        .object({
-        executedBlocks: z.array(z.string()),
+          blockStates: z.record(z.any()),
-        blockLogs: z.array(z.any()),
+          executedBlocks: z.array(z.string()),
-        decisions: z.object({
+          blockLogs: z.array(z.any()),
-          router: z.record(z.string()),
+          decisions: z.object({
-          condition: z.record(z.string()),
+            router: z.record(z.string()),
-        }),
+            condition: z.record(z.string()),
-        completedLoops: z.array(z.string()),
+          }),
-        loopExecutions: z.record(z.any()).optional(),
+          completedLoops: z.array(z.string()),
-        parallelExecutions: z.record(z.any()).optional(),
+          loopExecutions: z.record(z.any()).optional(),
-        parallelBlockMapping: z.record(z.any()).optional(),
+          parallelExecutions: z.record(z.any()).optional(),
-        activeExecutionPath: z.array(z.string()),
+          parallelBlockMapping: z.record(z.any()).optional(),
-      }),
+          activeExecutionPath: z.array(z.string()),
        })
        .optional(),
      executionId: z.string().optional(),
    })
    .optional(),
 })
@@ -269,9 +276,47 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      base64MaxBytes,
      workflowStateOverride,
      stopAfterBlockId,
-      runFromBlock,
+      runFromBlock: rawRunFromBlock,
    } = validation.data
    // Resolve runFromBlock snapshot from executionId if needed
    let resolvedRunFromBlock:
      | { startBlockId: string; sourceSnapshot: SerializableExecutionState }
      | undefined
    if (rawRunFromBlock) {
      if (rawRunFromBlock.sourceSnapshot) {
        resolvedRunFromBlock = {
          startBlockId: rawRunFromBlock.startBlockId,
          sourceSnapshot: rawRunFromBlock.sourceSnapshot as SerializableExecutionState,
        }
      } else if (rawRunFromBlock.executionId) {
        const { getExecutionState, getLatestExecutionState } = await import(
          '@/lib/workflows/executor/execution-state'
        )
        const snapshot =
          rawRunFromBlock.executionId === 'latest'
            ? await getLatestExecutionState(workflowId)
            : await getExecutionState(rawRunFromBlock.executionId)
        if (!snapshot) {
          return NextResponse.json(
            {
              error: `No execution state found for ${rawRunFromBlock.executionId === 'latest' ? 'workflow' : `execution ${rawRunFromBlock.executionId}`}. Run the full workflow first.`,
            },
            { status: 400 }
          )
        }
        resolvedRunFromBlock = {
          startBlockId: rawRunFromBlock.startBlockId,
          sourceSnapshot: snapshot,
        }
      } else {
        return NextResponse.json(
          { error: 'runFromBlock requires either sourceSnapshot or executionId' },
          { status: 400 }
        )
      }
    }
    // For API key and internal JWT auth, the entire body is the input (except for our control fields)
    // For session auth, the input is explicitly provided in the input field
    const input =
@@ -325,6 +370,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      requestId
    )
    // Client-side sessions and personal API keys bill/permission-check the
    // authenticated user, not the workspace billed account.
    const useAuthenticatedUserAsActor =
      isClientSession || (auth.authType === 'api_key' && auth.apiKeyType === 'personal')
    const preprocessResult = await preprocessExecution({
      workflowId,
      userId,
@@ -334,6 +384,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      checkDeployment: !shouldUseDraftState,
      loggingSession,
      useDraftState: shouldUseDraftState,
      useAuthenticatedUserAsActor,
    })
    if (!preprocessResult.success) {
@@ -490,7 +541,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
          includeFileBase64,
          base64MaxBytes,
          stopAfterBlockId,
-          runFromBlock,
+          runFromBlock: resolvedRunFromBlock,
          abortSignal: timeoutController.signal,
        })
@@ -831,7 +882,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
            includeFileBase64,
            base64MaxBytes,
            stopAfterBlockId,
-            runFromBlock,
+            runFromBlock: resolvedRunFromBlock,
          })
          if (result.status === 'paused') {
--- a/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/logs/components/log-details/components/file-download/file-download.tsx
@@ -74,8 +74,7 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps)
      }
      if (isExecutionFile) {
-        const serveUrl =
+        const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
          file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
        window.open(serveUrl, '_blank')
        logger.info(`Opened execution file serve URL: ${serveUrl}`)
      } else {
@@ -88,16 +87,12 @@ function FileCard({ file, isExecutionFile = false, workspaceId }: FileCardProps)
          logger.warn(
            `Could not construct viewer URL for file: ${file.name}, falling back to serve URL`
          )
-          const serveUrl =
+          const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
            file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
          window.open(serveUrl, '_blank')
        }
      }
    } catch (error) {
      logger.error(`Failed to download file ${file.name}:`, error)
      if (file.url) {
        window.open(file.url, '_blank')
      }
    } finally {
      setIsDownloading(false)
    }
@@ -198,8 +193,7 @@ export function FileDownload({
      }
      if (isExecutionFile) {
-        const serveUrl =
+        const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
          file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=execution`
        window.open(serveUrl, '_blank')
        logger.info(`Opened execution file serve URL: ${serveUrl}`)
      } else {
@@ -212,16 +206,12 @@ export function FileDownload({
          logger.warn(
            `Could not construct viewer URL for file: ${file.name}, falling back to serve URL`
          )
-          const serveUrl =
+          const serveUrl = `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
            file.url || `/api/files/serve/${encodeURIComponent(file.key)}?context=workspace`
          window.open(serveUrl, '_blank')
        }
      }
    } catch (error) {
      logger.error(`Failed to download file ${file.name}:`, error)
      if (file.url) {
        window.open(file.url, '_blank')
      }
    } finally {
      setIsDownloading(false)
    }
--- a/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/components/workflow-selector/workflow-selector.tsx
@@ -89,7 +89,7 @@ export function WorkflowSelector({
            onMouseDown={(e) => handleRemove(e, w.id)}
          >
            {w.name}
-            <X className='h-3 w-3' />
+            <X className='!text-[var(--text-primary)] h-4 w-4 flex-shrink-0 opacity-50' />
          </Badge>
        ))}
        {selectedWorkflows.length > 2 && (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/components/output-select/output-select.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/chat/components/output-select/output-select.tsx
@@ -4,11 +4,8 @@ import type React from 'react'
 import { useMemo } from 'react'
 import { RepeatIcon, SplitIcon } from 'lucide-react'
 import { Combobox, type ComboboxOptionGroup } from '@/components/emcn'
-import {
+import { getEffectiveBlockOutputs } from '@/lib/workflows/blocks/block-outputs'
-  extractFieldsFromSchema,
+import { hasTriggerCapability } from '@/lib/workflows/triggers/trigger-utils'
  parseResponseFormatSafely,
 } from '@/lib/core/utils/response-format'
 import { getToolOutputs } from '@/lib/workflows/blocks/block-outputs'
 import { getBlock } from '@/blocks'
 import { useWorkflowDiffStore } from '@/stores/workflow-diff/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
@@ -124,42 +121,27 @@ export function OutputSelect({
          : `block-${block.id}`
      const blockConfig = getBlock(block.type)
-      const responseFormatValue =
+      const isTriggerCapable = blockConfig ? hasTriggerCapability(blockConfig) : false
-        shouldUseBaseline && baselineWorkflow
+      const effectiveTriggerMode = Boolean(block.triggerMode && isTriggerCapable)
          ? baselineWorkflow.blocks?.[block.id]?.subBlocks?.responseFormat?.value
          : subBlockValues?.[block.id]?.responseFormat
      const responseFormat = parseResponseFormatSafely(responseFormatValue, block.id)
      let outputsToProcess: Record<string, unknown> = {}
-
+      const rawSubBlockValues =
-      if (responseFormat) {
+        shouldUseBaseline && baselineWorkflow
-        const schemaFields = extractFieldsFromSchema(responseFormat)
+          ? baselineWorkflow.blocks?.[block.id]?.subBlocks
-        if (schemaFields.length > 0) {
+          : subBlockValues?.[block.id]
-          schemaFields.forEach((field) => {
+      const subBlocks: Record<string, { value: unknown }> = {}
-            outputsToProcess[field.name] = { type: field.type }
+      if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
-          })
+        for (const [key, val] of Object.entries(rawSubBlockValues)) {
-        } else {
+          // Handle both { value: ... } and raw value formats
-          outputsToProcess = blockConfig?.outputs || {}
+          subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
        }
      } else {
        // Build subBlocks object for tool selector
        const rawSubBlockValues =
          shouldUseBaseline && baselineWorkflow
            ? baselineWorkflow.blocks?.[block.id]?.subBlocks
            : subBlockValues?.[block.id]
        const subBlocks: Record<string, { value: unknown }> = {}
        if (rawSubBlockValues && typeof rawSubBlockValues === 'object') {
          for (const [key, val] of Object.entries(rawSubBlockValues)) {
            // Handle both { value: ... } and raw value formats
            subBlocks[key] = val && typeof val === 'object' && 'value' in val ? val : { value: val }
          }
        }
        const toolOutputs = blockConfig ? getToolOutputs(blockConfig, subBlocks) : {}
        outputsToProcess =
          Object.keys(toolOutputs).length > 0 ? toolOutputs : blockConfig?.outputs || {}
      }
      outputsToProcess = getEffectiveBlockOutputs(block.type, subBlocks, {
        triggerMode: effectiveTriggerMode,
        preferToolOutputs: !effectiveTriggerMode,
      }) as Record<string, unknown>
      if (Object.keys(outputsToProcess).length === 0) return
      const addOutput = (path: string, outputObj: unknown, prefix = '') => {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Vikhyath Mondreti	dd7111dc1a	make evaluator metrics only	2026-02-09 23:08:33 -08:00
Vikhyath Mondreti	1e80633397	address greptile comments	2026-02-09 22:52:16 -08:00
Vikhyath Mondreti	e1c57376c8	update tests	2026-02-09 20:09:22 -08:00
Vikhyath Mondreti	454127f001	fix	2026-02-09 19:51:31 -08:00
Vikhyath Mondreti	f25505a636	merge conflict resolution	2026-02-09 19:45:33 -08:00
Vikhyath Mondreti	34bdb4fa1c	Merge remote-tracking branch 'origin/staging' into improvement/schema-derivation Co-authored-by: Cursor <cursoragent@cursor.com> # Conflicts: # apps/sim/lib/copilot/tools/client/workflow/block-output-utils.ts	2026-02-09 19:39:00 -08:00
Waleed	8b4b3af120	fix(mcp): harden notification system against race conditions (#3168 ) * fix(mcp): harden notification system against race conditions - Guard concurrent connect() calls in connection manager with connectingServers Set - Suppress post-disconnect notification handler firing in MCP client - Clean up Redis event listeners in pub/sub dispose() - Add tests for all three hardening fixes (11 new tests) * updated tests * plugged in new mcp event based system and create sse route to publish notifs * ack commetns * fix reconnect timer * cleanup when running onClose * fixed spacing on mcp settings tab * keep error listeners before quiet in redis	2026-02-09 19:36:01 -08:00
Siddharth Ganesan	190f12fd77	feat(copilot): copilot mcp + server side copilot execution (#3173 ) * v0 * v1 * Basic ss tes * Ss tests * Stuff * Add mcp * mcp v1 * Improvement * Fix * BROKEN * Checkpoint * Streaming * Fix abort * Things are broken * Streaming seems to work but copilot is dumb * Fix edge issue * LUAAAA * Fix stream buffer * Fix lint * Checkpoint * Initial temp state, in the middle of a refactor * Initial test shows diff store still working * Tool refactor * First cleanup pass complete - untested * Continued cleanup * Refactor * Refactor complete - no testing yet * Fix - cursor makes me sad * Fix mcp * Clean up mcp * Updated mcp * Add respond to subagents * Fix definitions * Add tools * Add tools * Add copilot mcp tracking * Fix lint * Fix mcp * Fix * Updates * Clean up mcp * Fix copilot mcp tool names to be sim prefixed * Add opus 4.6 * Fix discovery tool * Fix * Remove logs * Fix go side tool rendering * Update docs * Fix hydration * Fix tool call resolution * Fix * Fix lint * Fix superagent and autoallow integrations * Fix always allow * Update block * Remove plan docs * Fix hardcoded ff * Fix dropped provider * Fix lint * Fix tests * Fix dead messages array * Fix discovery * Fix run workflow * Fix run block * Fix run from block in copilot * Fix lint * Fix skip and mtb * Fix typing * Fix tool call * Bump api version * Fix bun lock * Nuke bad files	2026-02-09 19:33:29 -08:00
Waleed	e5d30494cb	fix(slack): resolve file metadata via files.info when event payload is partial (#3176 )	2026-02-09 19:29:38 -08:00
Waleed	b3dbb4487f	improvement(jsm): destructured outputs for jsm, jira, and added 1password integration (#3174 ) * improvement(jsm): destructured outputs for jsm, jira, and added 1password integration * update 1password to support cloud & locally hosted * updated & tested 1pass * added an additional wandConfig for OnePassword & jira search issues * finished jira * removed unused route * updated types * restore old outputs * updated types	2026-02-09 19:28:34 -08:00
Vikhyath Mondreti	2ffdcb4e6c	address greptile comments	2026-02-09 19:07:52 -08:00
Vikhyath Mondreti	b32d4e4e48	remove unused code	2026-02-09 19:04:32 -08:00
Vikhyath Mondreti	606f0f3b8c	address bugbot comments	2026-02-09 17:25:55 -08:00
Vikhyath Mondreti	089b8dfc93	improvement(schema): centralize derivation of block schemas	2026-02-09 17:05:41 -08:00
Waleed	622d0cad22	Merge pull request #3172 from simstudioai/fix/notifs fix(notifications): throw notification on runtime errors, move predeploy checks to update in deploy modal	2026-02-09 11:49:58 -08:00
Vikhyath Mondreti	c74922997c	fix(triggers): id resolution for tools with trigger mode (#3170 )	2026-02-09 10:28:34 -08:00
Emir Karabeg	4193007ab7	improvement(ui): deploy modal, terminal (#3167 ) * improvement(deploy-modal): error and warning ui * fix(ui): terminal top border render	2026-02-08 11:08:54 -08:00
Waleed	f9b885f6d5	fix(models): add request sanitization (#3165 )	2026-02-07 19:04:15 -08:00
Vikhyath Mondreti	0cb6714496	fix(rooms): cleanup edge case for 1hr ttl (#3163 ) * fix(rooms): cleanup edge case for 1hr ttl * revert feature flags * address comments * remove console log	2026-02-07 12:18:07 -08:00
Waleed	7b36f9257e	improvement(models): reorder models dropdown (#3164 )	2026-02-07 12:05:10 -08:00
Waleed	99ae5435e3	feat(models): updated model configs, updated anthropic provider to propagate errors back to user if any (#3159 ) * feat(models): updated model configs, updated anthropic provider to propagate errors back to user if any * moved max tokens to advanced * updated model configs and testesd * removed default in max config for output tokens * moved more stuff to advanced mode in the agent block * stronger typing * move api key under model, update mistral and groq * update openrouter, fixed serializer to allow ollama/vllm models without api key * removed ollama handling	2026-02-06 22:35:57 -08:00
Vikhyath Mondreti	925f06add7	improvement(preview): render nested values like input format correctly in workflow execution preview (#3154 ) * improvement(preview): nested workflow snapshots/preview when not executed * improvements to resolve nested subblock values * few more things * add try catch * fix fallback case * deps	2026-02-06 22:12:40 -08:00
Vikhyath Mondreti	193b95cfec	fix(auth): swap out hybrid auth in relevant callsites (#3160 ) * fix(logs): execution files should always use our internal route * correct degree of access control * fix tests * fix tag defs flag * fix type check * fix mcp tools * make webhooks consistent * fix ollama and vllm visibility * remove dup test	2026-02-06 22:07:55 -08:00
Waleed	0ca25bbab6	fix(function): isolated-vm worker pool to prevent single-worker bottleneck + execution user id resolution (#3155 ) * fix(executor): isolated-vm worker pool to prevent single-worker bottleneck * chore(helm): add isolated-vm worker pool env vars to values.yaml * fix(userid): resolution for fair scheduling * add fallback back * add to helm charts * remove constant fallbacks * fix * address bugbot comments * fix fallbacks * one more bugbot comment --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>	2026-02-06 18:34:03 -08:00
Waleed	1edaf197b2	fix(azure): add azure-anthropic support to router, evaluator, copilot, and tokenization (#3158 ) * fix(azure): add azure-anthropic support to router, evaluator, copilot, and tokenization * added azure anthropic values to env * fix(azure): make anthropic-version configurable for azure-anthropic provider * fix(azure): thread provider credentials through guardrails and fix translate missing bedrockAccessKeyId * updated guardrails * ack'd PR comments * fix(azure): unify credential passing pattern across all LLM handlers - Pass all provider credentials unconditionally in router, evaluator (matching agent pattern) - Remove conditional if-branching on providerId for credential fields - Thread workspaceId through guardrails → hallucination validator for BYOK key resolution - Remove getApiKey() from hallucination validator, let executeProviderRequest handle it - Resolve vertex OAuth credentials in hallucination validator matching agent handler pattern Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-06 15:26:10 -08:00
Waleed	474b1af145	improvement(ui): improved skills UI, validation, and permissions (#3156 ) * improvement(ui): improved skills UI, validation, and permissions * stronger typing for Skill interface * added missing docs description * ack comment	2026-02-06 13:11:56 -08:00
Ewan Tauran	1e21ec1fa3	feat(airweave): add airweave block (#3079 ) * feat(icons): add Airweave icon and update registry with Airweave block and tool * feat(icons): add Airweave icon and update icon mapping and metadata * fix(search): update API key header from Authorization to X-API-Key for Airweave search tool * refactor(icon-mapping): reorder icon imports for consistency and formatting improvements; update airweave block retrieval strategy description formatting; add newline at end of meta.json * refactor(search): update visibility settings for retrieval strategy and query options to allow access for both users and LLMs	2026-02-06 11:43:06 -08:00
Waleed	71bd535d04	feat(skills): added skills to agent block (#3149 ) * feat(skills): added skills to agent block * improvement(skills): audit fixes, docs, icon, and UX polish * fix(skills): consolidate redundant permission checks in POST and DELETE * more friendly error for duplicate skills in the same workspace * fix(executor): loop sentinel-end wrongly queued (#3148) * fix(executor): loop sentinel-end wrongly queued * fix nested subflow error highlighting * fix(linear): align tool outputs, queries, and pagination with API (#3150) * fix(linear): align tool outputs, queries, and pagination with API * fix(linear): coerce first param to number, remove duplicate conditions, add null guard * fix(resolver): response format and evaluator metrics in deactivated branch (#3152) * fix(resolver): response format in deactivated branch * add evaluator metrics too * add child workflow id to the workflow block outputs * cleanup typing * feat(slack): add file attachment support to slack webhook trigger (#3151) * feat(slack): add file attachment support to slack webhook trigger * additional file handling * lint * ack comment * fix(skills): hide skill selection when disabled, remove dead code --------- Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>	2026-02-06 11:38:38 -08:00