diff --git a/apps/sim/app/api/auth/accounts/route.ts b/apps/sim/app/api/auth/accounts/route.ts
index a51d8585c2..aebb5d6a28 100644
--- a/apps/sim/app/api/auth/accounts/route.ts
+++ b/apps/sim/app/api/auth/accounts/route.ts
@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, desc, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 
@@ -31,15 +31,13 @@ export async function GET(request: NextRequest) {
       })
       .from(account)
       .where(and(...whereConditions))
-
-    // Use the user's email as the display name (consistent with credential selector)
-    const userEmail = session.user.email
+      .orderBy(desc(account.updatedAt))
 
     const accountsWithDisplayName = accounts.map((acc) => ({
       id: acc.id,
       accountId: acc.accountId,
       providerId: acc.providerId,
-      displayName: userEmail || acc.providerId,
+      displayName: acc.accountId || acc.providerId,
     }))
 
     return NextResponse.json({ accounts: accountsWithDisplayName })
diff --git a/apps/sim/app/api/auth/oauth/credentials/route.ts b/apps/sim/app/api/auth/oauth/credentials/route.ts
index 7809e5543c..8c4b42dc1e 100644
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, credential, credentialMember, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -7,8 +7,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 export const dynamic = 'force-dynamic'
 
@@ -18,6 +20,7 @@ const credentialsQuerySchema = z
   .object({
     provider: z.string().nullish(),
     workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
     credentialId: z
       .string()
       .min(1, 'Credential ID must not be empty')
@@ -35,6 +38,79 @@ interface GoogleIdToken {
   name?: string
 }
 
+function toCredentialResponse(
+  id: string,
+  displayName: string,
+  providerId: string,
+  updatedAt: Date,
+  scope: string | null
+) {
+  const storedScope = scope?.trim()
+  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
+  const [_, featureType = 'default'] = providerId.split('-')
+
+  return {
+    id,
+    name: displayName,
+    provider: providerId,
+    lastUsed: updatedAt.toISOString(),
+    isDefault: featureType === 'default',
+    scopes: scopeEvaluation.grantedScopes,
+    canonicalScopes: scopeEvaluation.canonicalScopes,
+    missingScopes: scopeEvaluation.missingScopes,
+    extraScopes: scopeEvaluation.extraScopes,
+    requiresReauthorization: scopeEvaluation.requiresReauthorization,
+  }
+}
+
+async function getFallbackDisplayName(
+  requestId: string,
+  providerParam: string | null | undefined,
+  accountRow: {
+    idToken: string | null
+    accountId: string
+    userId: string
+  }
+) {
+  const providerForParse = (providerParam || 'google') as OAuthProvider
+  const { baseProvider } = parseProvider(providerForParse)
+
+  if (accountRow.idToken) {
+    try {
+      const decoded = jwtDecode<GoogleIdToken>(accountRow.idToken)
+      if (decoded.email) return decoded.email
+      if (decoded.name) return decoded.name
+    } catch (_error) {
+      logger.warn(`[${requestId}] Error decoding ID token`, {
+        accountId: accountRow.accountId,
+      })
+    }
+  }
+
+  if (baseProvider === 'github') {
+    return `${accountRow.accountId} (GitHub)`
+  }
+
+  try {
+    const userRecord = await db
+      .select({ email: user.email })
+      .from(user)
+      .where(eq(user.id, accountRow.userId))
+      .limit(1)
+
+    if (userRecord.length > 0) {
+      return userRecord[0].email
+    }
+  } catch (_error) {
+    logger.warn(`[${requestId}] Error fetching user email`, {
+      userId: accountRow.userId,
+    })
+  }
+
+  return `${accountRow.accountId} (${baseProvider})`
+}
+
 /**
  * Get credentials for a specific provider
  */
@@ -46,6 +122,7 @@ export async function GET(request: NextRequest) {
     const rawQuery = {
       provider: searchParams.get('provider'),
       workflowId: searchParams.get('workflowId'),
+      workspaceId: searchParams.get('workspaceId'),
       credentialId: searchParams.get('credentialId'),
     }
 
@@ -78,7 +155,7 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    const { provider: providerParam, workflowId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data
 
     // Authenticate requester (supports session and internal JWT)
     const authResult = await checkSessionOrInternalAuth(request)
@@ -88,7 +165,7 @@ export async function GET(request: NextRequest) {
     }
     const requesterUserId = authResult.userId
 
-    const effectiveUserId = requesterUserId
+    let effectiveWorkspaceId = workspaceId ?? undefined
     if (workflowId) {
       const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
         workflowId,
@@ -106,101 +183,145 @@ export async function GET(request: NextRequest) {
           { status: workflowAuthorization.status }
         )
       }
+      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
     }
 
-    // Parse the provider to get base provider and feature type (if provider is present)
-    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
+    if (effectiveWorkspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
 
     let accountsData
 
+    if (credentialId) {
+      const [platformCredential] = await db
+        .select({
+          id: credential.id,
+          workspaceId: credential.workspaceId,
+          type: credential.type,
+          displayName: credential.displayName,
+          providerId: credential.providerId,
+          accountId: credential.accountId,
+          accountProviderId: account.providerId,
+          accountScope: account.scope,
+          accountUpdatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .leftJoin(account, eq(credential.accountId, account.id))
+        .where(eq(credential.id, credentialId))
+        .limit(1)
+
+      if (platformCredential) {
+        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }
+
+        if (workflowId) {
+          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        } else {
+          const [membership] = await db
+            .select({ id: credentialMember.id })
+            .from(credentialMember)
+            .where(
+              and(
+                eq(credentialMember.credentialId, platformCredential.id),
+                eq(credentialMember.userId, requesterUserId),
+                eq(credentialMember.status, 'active')
+              )
+            )
+            .limit(1)
+
+          if (!membership) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        }
+
+        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }
+
+        return NextResponse.json(
+          {
+            credentials: [
+              toCredentialResponse(
+                platformCredential.id,
+                platformCredential.displayName,
+                platformCredential.accountProviderId,
+                platformCredential.accountUpdatedAt,
+                platformCredential.accountScope
+              ),
+            ],
+          },
+          { status: 200 }
+        )
+      }
+    }
+
+    if (effectiveWorkspaceId && providerParam) {
+      await syncWorkspaceOAuthCredentialsForUser({
+        workspaceId: effectiveWorkspaceId,
+        userId: requesterUserId,
+      })
+
+      const credentialsData = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          providerId: account.providerId,
+          scope: account.scope,
+          updatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .innerJoin(account, eq(credential.accountId, account.id))
+        .innerJoin(
+          credentialMember,
+          and(
+            eq(credentialMember.credentialId, credential.id),
+            eq(credentialMember.userId, requesterUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .where(
+          and(
+            eq(credential.workspaceId, effectiveWorkspaceId),
+            eq(credential.type, 'oauth'),
+            eq(account.providerId, providerParam)
+          )
+        )
+
+      return NextResponse.json(
+        {
+          credentials: credentialsData.map((row) =>
+            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
+          ),
+        },
+        { status: 200 }
+      )
+    }
+
     if (credentialId && workflowId) {
-      // When both workflowId and credentialId are provided, fetch by ID only.
-      // Workspace authorization above already proves access; the credential
-      // may belong to another workspace member (e.g. for display name resolution).
       accountsData = await db.select().from(account).where(eq(account.id, credentialId))
     } else if (credentialId) {
       accountsData = await db
         .select()
         .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.id, credentialId)))
     } else {
-      // Fetch all credentials for provider and effective user
       accountsData = await db
         .select()
         .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.providerId, providerParam!)))
     }
 
     // Transform accounts into credentials
     const credentials = await Promise.all(
       accountsData.map(async (acc) => {
-        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
-        const [_, featureType = 'default'] = acc.providerId.split('-')
-
-        // Try multiple methods to get a user-friendly display name
-        let displayName = ''
-
-        // Method 1: Try to extract email from ID token (works for Google, etc.)
-        if (acc.idToken) {
-          try {
-            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
-            if (decoded.email) {
-              displayName = decoded.email
-            } else if (decoded.name) {
-              displayName = decoded.name
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error decoding ID token`, {
-              accountId: acc.id,
-            })
-          }
-        }
-
-        // Method 2: For GitHub, the accountId might be the username
-        if (!displayName && baseProvider === 'github') {
-          displayName = `${acc.accountId} (GitHub)`
-        }
-
-        // Method 3: Try to get the user's email from our database
-        if (!displayName) {
-          try {
-            const userRecord = await db
-              .select({ email: user.email })
-              .from(user)
-              .where(eq(user.id, acc.userId))
-              .limit(1)
-
-            if (userRecord.length > 0) {
-              displayName = userRecord[0].email
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error fetching user email`, {
-              userId: acc.userId,
-            })
-          }
-        }
-
-        // Fallback: Use accountId with provider type as context
-        if (!displayName) {
-          displayName = `${acc.accountId} (${baseProvider})`
-        }
-
-        const storedScope = acc.scope?.trim()
-        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
-
-        return {
-          id: acc.id,
-          name: displayName,
-          provider: acc.providerId,
-          lastUsed: acc.updatedAt.toISOString(),
-          isDefault: featureType === 'default',
-          scopes: scopeEvaluation.grantedScopes,
-          canonicalScopes: scopeEvaluation.canonicalScopes,
-          missingScopes: scopeEvaluation.missingScopes,
-          extraScopes: scopeEvaluation.extraScopes,
-          requiresReauthorization: scopeEvaluation.requiresReauthorization,
-        }
+        const displayName = await getFallbackDisplayName(requestId, providerParam, acc)
+        return toCredentialResponse(acc.id, displayName, acc.providerId, acc.updatedAt, acc.scope)
       })
     )
 
diff --git a/apps/sim/app/api/auth/oauth/disconnect/route.ts b/apps/sim/app/api/auth/oauth/disconnect/route.ts
index be645aa732..2ac3ff2fc8 100644
--- a/apps/sim/app/api/auth/oauth/disconnect/route.ts
+++ b/apps/sim/app/api/auth/oauth/disconnect/route.ts
@@ -15,6 +15,7 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
   provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
   providerId: z.string().optional(),
+  accountId: z.string().optional(),
 })
 
 /**
@@ -50,15 +51,20 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    const { provider, providerId } = parseResult.data
+    const { provider, providerId, accountId } = parseResult.data
 
     logger.info(`[${requestId}] Processing OAuth disconnect request`, {
       provider,
       hasProviderId: !!providerId,
     })
 
-    // If a specific providerId is provided, delete only that account
-    if (providerId) {
+    // If a specific account row ID is provided, delete that exact account
+    if (accountId) {
+      await db
+        .delete(account)
+        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
+    } else if (providerId) {
+      // If a specific providerId is provided, delete accounts for that provider ID
       await db
         .delete(account)
         .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))
diff --git a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
index af9d5d47e8..c653d35bf6 100644
--- a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
@@ -38,13 +38,18 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
       authz.credentialOwnerUserId,
       requestId
     )
diff --git a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
index 1a689b808d..23bd2e57e5 100644
--- a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -37,14 +37,19 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     // Refresh access token if needed using the utility function
     const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
       authz.credentialOwnerUserId,
       requestId
     )
diff --git a/apps/sim/app/api/auth/oauth/token/route.test.ts b/apps/sim/app/api/auth/oauth/token/route.test.ts
index 325f4d6c2c..7363578af7 100644
--- a/apps/sim/app/api/auth/oauth/token/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.test.ts
@@ -351,10 +351,11 @@ describe('OAuth Token API Routes', () => {
    */
   describe('GET handler', () => {
     it('should return access token successfully', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',
@@ -380,8 +381,8 @@ describe('OAuth Token API Routes', () => {
       expect(response.status).toBe(200)
       expect(data).toHaveProperty('accessToken', 'fresh-token')
 
-      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
-      expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
+      expect(mockAuthorizeCredentialUse).toHaveBeenCalled()
+      expect(mockGetCredential).toHaveBeenCalled()
       expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
     })
 
@@ -399,8 +400,8 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle authentication failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: false,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: false,
         error: 'Authentication required',
       })
 
@@ -413,15 +414,16 @@ describe('OAuth Token API Routes', () => {
       const response = await GET(req as any)
       const data = await response.json()
 
-      expect(response.status).toBe(401)
+      expect(response.status).toBe(403)
       expect(data).toHaveProperty('error')
     })
 
     it('should handle credential not found', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce(undefined)
 
@@ -439,10 +441,11 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle missing access token', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',
@@ -465,10 +468,11 @@ describe('OAuth Token API Routes', () => {
     })
 
     it('should handle token refresh failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
         authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
       })
       mockGetCredential.mockResolvedValueOnce({
         id: 'credential-id',
diff --git a/apps/sim/app/api/auth/oauth/token/route.ts b/apps/sim/app/api/auth/oauth/token/route.ts
index f6728fe696..d8b1b45741 100644
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -110,23 +110,35 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
 
+    const callerUserId = new URL(request.url).searchParams.get('userId') || undefined
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       workflowId: workflowId ?? undefined,
       requireWorkflowIdForInternal: false,
+      callerUserId,
     })
     if (!authz.ok || !authz.credentialOwnerUserId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )
 
       let instanceUrl: string | undefined
       if (credential.providerId === 'salesforce' && credential.scope) {
@@ -186,13 +198,20 @@ export async function GET(request: NextRequest) {
 
     const { credentialId } = parseResult.data
 
-    // For GET requests, we only support session-based authentication
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    const authz = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const credential = await getCredential(requestId, credentialId, auth.userId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
 
     if (!credential) {
       return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -204,7 +223,11 @@ export async function GET(request: NextRequest) {
     }
 
     try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )
 
       // For Salesforce, extract instanceUrl from the scope field
       let instanceUrl: string | undefined
diff --git a/apps/sim/app/api/auth/oauth/utils.test.ts b/apps/sim/app/api/auth/oauth/utils.test.ts
index 352ba5e786..7320a7bb9a 100644
--- a/apps/sim/app/api/auth/oauth/utils.test.ts
+++ b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -62,21 +62,23 @@ describe('OAuth Utils', () => {
 
   describe('getCredential', () => {
     it('should return credential when found', async () => {
-      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      const { mockFrom, mockWhere, mockLimit } = mockSelectChain([mockCredential])
+      const mockCredentialRow = { type: 'oauth', accountId: 'resolved-account-id' }
+      const mockAccountRow = { id: 'resolved-account-id', userId: 'test-user-id' }
+
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       const credential = await getCredential('request-id', 'credential-id', 'test-user-id')
 
-      expect(mockDb.select).toHaveBeenCalled()
-      expect(mockFrom).toHaveBeenCalled()
-      expect(mockWhere).toHaveBeenCalled()
-      expect(mockLimit).toHaveBeenCalledWith(1)
+      expect(mockDb.select).toHaveBeenCalledTimes(2)
 
-      expect(credential).toEqual(mockCredential)
+      expect(credential).toMatchObject(mockAccountRow)
+      expect(credential).toMatchObject({ resolvedCredentialId: 'resolved-account-id' })
     })
 
     it('should return undefined when credential is not found', async () => {
       mockSelectChain([])
+      mockSelectChain([])
 
       const credential = await getCredential('request-id', 'nonexistent-id', 'test-user-id')
 
@@ -158,15 +160,17 @@ describe('OAuth Utils', () => {
 
   describe('refreshAccessTokenIfNeeded', () => {
     it('should return valid access token without refresh if not expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'valid-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() + 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')
 
@@ -175,15 +179,17 @@ describe('OAuth Utils', () => {
     })
 
     it('should refresh token when expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'expired-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
       mockUpdateChain()
 
       mockRefreshOAuthToken.mockResolvedValueOnce({
@@ -201,6 +207,7 @@ describe('OAuth Utils', () => {
 
     it('should return null if credential not found', async () => {
       mockSelectChain([])
+      mockSelectChain([])
 
       const token = await refreshAccessTokenIfNeeded('nonexistent-id', 'test-user-id', 'request-id')
 
@@ -208,15 +215,17 @@ describe('OAuth Utils', () => {
     })
 
     it('should return null if refresh fails', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
         accessToken: 'expired-token',
         refreshToken: 'refresh-token',
         accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
         providerId: 'google',
         userId: 'test-user-id',
       }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
 
       mockRefreshOAuthToken.mockResolvedValueOnce(null)
 
diff --git a/apps/sim/app/api/auth/oauth/utils.ts b/apps/sim/app/api/auth/oauth/utils.ts
index 891e4ca4d1..c6a4626813 100644
--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credential, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,6 +25,28 @@ interface AccountInsertData {
   accessTokenExpiresAt?: Date
 }
 
+async function resolveOAuthAccountId(
+  credentialId: string
+): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
+  const [credentialRow] = await db
+    .select({
+      type: credential.type,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (credentialRow) {
+    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
+      return null
+    }
+    return { accountId: credentialRow.accountId, usedCredentialTable: true }
+  }
+
+  return { accountId: credentialId, usedCredentialTable: false }
+}
+
 /**
  * Safely inserts an account record, handling duplicate constraint violations gracefully.
  * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -52,10 +74,16 @@ export async function safeAccountInsert(
  * Get a credential by ID and verify it belongs to the user
  */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
+    return undefined
+  }
+
   const credentials = await db
     .select()
     .from(account)
-    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
+    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
     .limit(1)
 
   if (!credentials.length) {
@@ -63,7 +91,10 @@ export async function getCredential(requestId: string, credentialId: string, use
     return undefined
   }
 
-  return credentials[0]
+  return {
+    ...credentials[0],
+    resolvedCredentialId: resolved.accountId,
+  }
 }
 
 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -238,7 +269,9 @@ export async function refreshAccessTokenIfNeeded(
       }
 
       // Update the token in the database
-      await db.update(account).set(updateData).where(eq(account.id, credentialId))
+      const resolvedCredentialId =
+        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
+      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
 
       logger.info(`[${requestId}] Successfully refreshed access token for credential`)
       return refreshedToken.accessToken
@@ -274,6 +307,8 @@ export async function refreshTokenIfNeeded(
   credential: any,
   credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
+  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
+
   // Decide if we should refresh: token missing OR expired
   const accessTokenExpiresAt = credential.accessTokenExpiresAt
   const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -334,7 +369,7 @@ export async function refreshTokenIfNeeded(
       updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
     }
 
-    await db.update(account).set(updateData).where(eq(account.id, credentialId))
+    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))
 
     logger.info(`[${requestId}] Successfully refreshed access token`)
     return { accessToken: refreshedToken, refreshed: true }
@@ -343,7 +378,7 @@ export async function refreshTokenIfNeeded(
       `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
     )
 
-    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
     if (freshCredential?.accessToken) {
       const freshExpiresAt = freshCredential.accessTokenExpiresAt
       const stillValid = !freshExpiresAt || freshExpiresAt > new Date()
diff --git a/apps/sim/app/api/auth/oauth2/shopify/store/route.ts b/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
index cf7aef92a6..85729149b9 100644
--- a/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
+++ b/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
@@ -48,16 +48,21 @@ export async function GET(request: NextRequest) {
 
     const shopData = await shopResponse.json()
     const shopInfo = shopData.shop
+    const stableAccountId = shopInfo.id?.toString() || shopDomain
 
     const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'shopify'),
+        eq(account.accountId, stableAccountId)
+      ),
     })
 
     const now = new Date()
 
     const accountData = {
       accessToken: accessToken,
-      accountId: shopInfo.id?.toString() || shopDomain,
+      accountId: stableAccountId,
       scope: scope || '',
       updatedAt: now,
       idToken: shopDomain,
diff --git a/apps/sim/app/api/auth/trello/store/route.ts b/apps/sim/app/api/auth/trello/store/route.ts
index fff52b0a84..97fc9b8abc 100644
--- a/apps/sim/app/api/auth/trello/store/route.ts
+++ b/apps/sim/app/api/auth/trello/store/route.ts
@@ -52,7 +52,11 @@ export async function POST(request: NextRequest) {
     const trelloUser = await userResponse.json()
 
     const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'trello'),
+        eq(account.accountId, trelloUser.id)
+      ),
     })
 
     const now = new Date()
diff --git a/apps/sim/app/api/credentials/[id]/members/route.ts b/apps/sim/app/api/credentials/[id]/members/route.ts
new file mode 100644
index 0000000000..11cee7f717
--- /dev/null
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -0,0 +1,226 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, user } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialMembersAPI')
+
+interface RouteContext {
+  params: Promise<{ id: string }>
+}
+
+async function requireWorkspaceAdminMembership(credentialId: string, userId: string) {
+  const [cred] = await db
+    .select({ id: credential.id, workspaceId: credential.workspaceId })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (!cred) return null
+
+  const perm = await getUserEntityPermissions(userId, 'workspace', cred.workspaceId)
+  if (perm === null) return null
+
+  const [membership] = await db
+    .select({ role: credentialMember.role, status: credentialMember.status })
+    .from(credentialMember)
+    .where(
+      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+    )
+    .limit(1)
+
+  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
+    return null
+  }
+  return membership
+}
+
+export async function GET(_request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const [cred] = await db
+      .select({ id: credential.id, workspaceId: credential.workspaceId })
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    if (!cred) {
+      return NextResponse.json({ members: [] }, { status: 200 })
+    }
+
+    const callerPerm = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      cred.workspaceId
+    )
+    if (callerPerm === null) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const members = await db
+      .select({
+        id: credentialMember.id,
+        userId: credentialMember.userId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+        userName: user.name,
+        userEmail: user.email,
+      })
+      .from(credentialMember)
+      .innerJoin(user, eq(credentialMember.userId, user.id))
+      .where(eq(credentialMember.credentialId, credentialId))
+
+    return NextResponse.json({ members })
+  } catch (error) {
+    logger.error('Failed to fetch credential members', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+const addMemberSchema = z.object({
+  userId: z.string().min(1),
+  role: z.enum(['admin', 'member']).default('member'),
+})
+
+export async function POST(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const body = await request.json()
+    const parsed = addMemberSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { userId, role } = parsed.data
+    const now = new Date()
+
+    const [existing] = await db
+      .select({ id: credentialMember.id, status: credentialMember.status })
+      .from(credentialMember)
+      .where(
+        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+      )
+      .limit(1)
+
+    if (existing) {
+      await db
+        .update(credentialMember)
+        .set({ role, status: 'active', updatedAt: now })
+        .where(eq(credentialMember.id, existing.id))
+      return NextResponse.json({ success: true })
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId,
+      role,
+      status: 'active',
+      joinedAt: now,
+      invitedBy: session.user.id,
+      createdAt: now,
+      updatedAt: now,
+    })
+
+    return NextResponse.json({ success: true }, { status: 201 })
+  } catch (error) {
+    logger.error('Failed to add credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+    const targetUserId = new URL(request.url).searchParams.get('userId')
+    if (!targetUserId) {
+      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
+    }
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const [target] = await db
+      .select({
+        id: credentialMember.id,
+        role: credentialMember.role,
+      })
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, targetUserId),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .limit(1)
+
+    if (!target) {
+      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+    }
+
+    const revoked = await db.transaction(async (tx) => {
+      if (target.role === 'admin') {
+        const activeAdmins = await tx
+          .select({ id: credentialMember.id })
+          .from(credentialMember)
+          .where(
+            and(
+              eq(credentialMember.credentialId, credentialId),
+              eq(credentialMember.role, 'admin'),
+              eq(credentialMember.status, 'active')
+            )
+          )
+
+        if (activeAdmins.length <= 1) {
+          return false
+        }
+      }
+
+      await tx
+        .update(credentialMember)
+        .set({ status: 'revoked', updatedAt: new Date() })
+        .where(eq(credentialMember.id, target.id))
+
+      return true
+    })
+
+    if (!revoked) {
+      return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
+    }
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error('Failed to remove credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
diff --git a/apps/sim/app/api/credentials/[id]/route.ts b/apps/sim/app/api/credentials/[id]/route.ts
new file mode 100644
index 0000000000..7da93846c7
--- /dev/null
+++ b/apps/sim/app/api/credentials/[id]/route.ts
@@ -0,0 +1,251 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getCredentialActorContext } from '@/lib/credentials/access'
+import {
+  syncPersonalEnvCredentialsForUser,
+  syncWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
+
+const logger = createLogger('CredentialByIdAPI')
+
+const updateCredentialSchema = z
+  .object({
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).nullish(),
+  })
+  .strict()
+  .refine((data) => data.displayName !== undefined || data.description !== undefined, {
+    message: 'At least one field must be provided',
+    path: ['displayName'],
+  })
+
+async function getCredentialResponse(credentialId: string, userId: string) {
+  const [row] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      displayName: credential.displayName,
+      description: credential.description,
+      providerId: credential.providerId,
+      accountId: credential.accountId,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      createdBy: credential.createdBy,
+      createdAt: credential.createdAt,
+      updatedAt: credential.updatedAt,
+      role: credentialMember.role,
+      status: credentialMember.status,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
+    )
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  return row ?? null
+}
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to fetch credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = updateCredentialSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const updates: Record<string, unknown> = {}
+
+    if (parseResult.data.description !== undefined) {
+      updates.description = parseResult.data.description ?? null
+    }
+
+    if (parseResult.data.displayName !== undefined && access.credential.type === 'oauth') {
+      updates.displayName = parseResult.data.displayName
+    }
+
+    if (Object.keys(updates).length === 0) {
+      if (access.credential.type === 'oauth') {
+        return NextResponse.json(
+          {
+            error: 'No updatable fields provided.',
+          },
+          { status: 400 }
+        )
+      }
+      return NextResponse.json(
+        {
+          error:
+            'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
+        },
+        { status: 400 }
+      )
+    }
+
+    updates.updatedAt = new Date()
+    await db.update(credential).set(updates).where(eq(credential.id, id))
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to update credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    if (access.credential.type === 'env_personal' && access.credential.envKey) {
+      const ownerUserId = access.credential.envOwnerUserId
+      if (!ownerUserId) {
+        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
+      }
+
+      const [personalRow] = await db
+        .select({ variables: environment.variables })
+        .from(environment)
+        .where(eq(environment.userId, ownerUserId))
+        .limit(1)
+
+      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(environment)
+        .values({
+          id: ownerUserId,
+          userId: ownerUserId,
+          variables: current,
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [environment.userId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncPersonalEnvCredentialsForUser({
+        userId: ownerUserId,
+        envKeys: Object.keys(current),
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
+      const [workspaceRow] = await db
+        .select({
+          id: workspaceEnvironment.id,
+          createdAt: workspaceEnvironment.createdAt,
+          variables: workspaceEnvironment.variables,
+        })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
+        .limit(1)
+
+      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(workspaceEnvironment)
+        .values({
+          id: workspaceRow?.id || crypto.randomUUID(),
+          workspaceId: access.credential.workspaceId,
+          variables: current,
+          createdAt: workspaceRow?.createdAt || new Date(),
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [workspaceEnvironment.workspaceId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncWorkspaceEnvCredentials({
+        workspaceId: access.credential.workspaceId,
+        envKeys: Object.keys(current),
+        actingUserId: session.user.id,
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    await db.delete(credential).where(eq(credential.id, id))
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to delete credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
diff --git a/apps/sim/app/api/credentials/draft/route.ts b/apps/sim/app/api/credentials/draft/route.ts
new file mode 100644
index 0000000000..ac700f088e
--- /dev/null
+++ b/apps/sim/app/api/credentials/draft/route.ts
@@ -0,0 +1,116 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, pendingCredentialDraft } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, lt } from 'drizzle-orm'
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialDraftAPI')
+
+const DRAFT_TTL_MS = 15 * 60 * 1000
+
+const createDraftSchema = z.object({
+  workspaceId: z.string().min(1),
+  providerId: z.string().min(1),
+  displayName: z.string().min(1),
+  description: z.string().trim().max(500).optional(),
+  credentialId: z.string().min(1).optional(),
+})
+
+export async function POST(request: Request) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const body = await request.json()
+    const parsed = createDraftSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { workspaceId, providerId, displayName, description, credentialId } = parsed.data
+    const userId = session.user.id
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    if (credentialId) {
+      const [membership] = await db
+        .select({ role: credentialMember.role, status: credentialMember.status })
+        .from(credentialMember)
+        .innerJoin(credential, eq(credential.id, credentialMember.credentialId))
+        .where(
+          and(
+            eq(credentialMember.credentialId, credentialId),
+            eq(credentialMember.userId, userId),
+            eq(credentialMember.status, 'active'),
+            eq(credentialMember.role, 'admin'),
+            eq(credential.workspaceId, workspaceId)
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return NextResponse.json(
+          { error: 'Admin access required on the target credential' },
+          { status: 403 }
+        )
+      }
+    }
+
+    const now = new Date()
+
+    await db
+      .delete(pendingCredentialDraft)
+      .where(
+        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
+      )
+
+    await db
+      .insert(pendingCredentialDraft)
+      .values({
+        id: crypto.randomUUID(),
+        userId,
+        workspaceId,
+        providerId,
+        displayName,
+        description: description || null,
+        credentialId: credentialId || null,
+        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+        createdAt: now,
+      })
+      .onConflictDoUpdate({
+        target: [
+          pendingCredentialDraft.userId,
+          pendingCredentialDraft.providerId,
+          pendingCredentialDraft.workspaceId,
+        ],
+        set: {
+          displayName,
+          description: description || null,
+          credentialId: credentialId || null,
+          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+          createdAt: now,
+        },
+      })
+
+    logger.info('Credential draft saved', {
+      userId,
+      workspaceId,
+      providerId,
+      displayName,
+      credentialId: credentialId || null,
+    })
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to save credential draft', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
diff --git a/apps/sim/app/api/credentials/memberships/route.ts b/apps/sim/app/api/credentials/memberships/route.ts
new file mode 100644
index 0000000000..4fdf8379fa
--- /dev/null
+++ b/apps/sim/app/api/credentials/memberships/route.ts
@@ -0,0 +1,112 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+
+const logger = createLogger('CredentialMembershipsAPI')
+
+const leaveCredentialSchema = z.object({
+  credentialId: z.string().min(1),
+})
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const memberships = await db
+      .select({
+        membershipId: credentialMember.id,
+        credentialId: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        providerId: credential.providerId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+      })
+      .from(credentialMember)
+      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
+      .where(eq(credentialMember.userId, session.user.id))
+
+    return NextResponse.json({ memberships }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to list credential memberships', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const parseResult = leaveCredentialSchema.safeParse({
+      credentialId: new URL(request.url).searchParams.get('credentialId'),
+    })
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { credentialId } = parseResult.data
+    const [membership] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, session.user.id)
+        )
+      )
+      .limit(1)
+
+    if (!membership) {
+      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
+    }
+
+    if (membership.status !== 'active') {
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (membership.role === 'admin') {
+      const activeAdmins = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, credentialId),
+            eq(credentialMember.role, 'admin'),
+            eq(credentialMember.status, 'active')
+          )
+        )
+
+      if (activeAdmins.length <= 1) {
+        return NextResponse.json(
+          { error: 'Cannot leave credential as the last active admin' },
+          { status: 400 }
+        )
+      }
+    }
+
+    await db
+      .update(credentialMember)
+      .set({
+        status: 'revoked',
+        updatedAt: new Date(),
+      })
+      .where(eq(credentialMember.id, membership.id))
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to leave credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
diff --git a/apps/sim/app/api/credentials/route.ts b/apps/sim/app/api/credentials/route.ts
new file mode 100644
index 0000000000..c0d71d173b
--- /dev/null
+++ b/apps/sim/app/api/credentials/route.ts
@@ -0,0 +1,521 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { getServiceConfigByProviderId } from '@/lib/oauth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+import { isValidEnvVarName } from '@/executor/constants'
+
+const logger = createLogger('CredentialsAPI')
+
+const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
+
+function normalizeEnvKeyInput(raw: string): string {
+  const trimmed = raw.trim()
+  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
+  return wrappedMatch ? wrappedMatch[1] : trimmed
+}
+
+const listCredentialsSchema = z.object({
+  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+  type: credentialTypeSchema.optional(),
+  providerId: z.string().optional(),
+  credentialId: z.string().optional(),
+})
+
+const createCredentialSchema = z
+  .object({
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+    type: credentialTypeSchema,
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).optional(),
+    providerId: z.string().trim().min(1).optional(),
+    accountId: z.string().trim().min(1).optional(),
+    envKey: z.string().trim().min(1).optional(),
+    envOwnerUserId: z.string().trim().min(1).optional(),
+  })
+  .superRefine((data, ctx) => {
+    if (data.type === 'oauth') {
+      if (!data.accountId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'accountId is required for oauth credentials',
+          path: ['accountId'],
+        })
+      }
+      if (!data.providerId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'providerId is required for oauth credentials',
+          path: ['providerId'],
+        })
+      }
+      if (!data.displayName) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'displayName is required for oauth credentials',
+          path: ['displayName'],
+        })
+      }
+      return
+    }
+
+    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
+    if (!normalizedEnvKey) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey is required for env credentials',
+        path: ['envKey'],
+      })
+      return
+    }
+
+    if (!isValidEnvVarName(normalizedEnvKey)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey must contain only letters, numbers, and underscores',
+        path: ['envKey'],
+      })
+    }
+  })
+
+interface ExistingCredentialSourceParams {
+  workspaceId: string
+  type: 'oauth' | 'env_workspace' | 'env_personal'
+  accountId?: string | null
+  envKey?: string | null
+  envOwnerUserId?: string | null
+}
+
+async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
+  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
+
+  if (type === 'oauth' && accountId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'oauth'),
+          eq(credential.accountId, accountId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_workspace' && envKey) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          eq(credential.envKey, envKey)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_personal' && envKey && envOwnerUserId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envKey, envKey),
+          eq(credential.envOwnerUserId, envOwnerUserId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  return null
+}
+
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const { searchParams } = new URL(request.url)
+    const rawWorkspaceId = searchParams.get('workspaceId')
+    const rawType = searchParams.get('type')
+    const rawProviderId = searchParams.get('providerId')
+    const rawCredentialId = searchParams.get('credentialId')
+    const parseResult = listCredentialsSchema.safeParse({
+      workspaceId: rawWorkspaceId?.trim(),
+      type: rawType?.trim() || undefined,
+      providerId: rawProviderId?.trim() || undefined,
+      credentialId: rawCredentialId?.trim() || undefined,
+    })
+
+    if (!parseResult.success) {
+      logger.warn(`[${requestId}] Invalid credential list request`, {
+        workspaceId: rawWorkspaceId,
+        type: rawType,
+        providerId: rawProviderId,
+        errors: parseResult.error.errors,
+      })
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId, type, providerId, credentialId: lookupCredentialId } = parseResult.data
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+
+    if (!workspaceAccess.hasAccess) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    if (lookupCredentialId) {
+      let [row] = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          type: credential.type,
+          providerId: credential.providerId,
+        })
+        .from(credential)
+        .where(and(eq(credential.id, lookupCredentialId), eq(credential.workspaceId, workspaceId)))
+        .limit(1)
+
+      if (!row) {
+        ;[row] = await db
+          .select({
+            id: credential.id,
+            displayName: credential.displayName,
+            type: credential.type,
+            providerId: credential.providerId,
+          })
+          .from(credential)
+          .where(
+            and(
+              eq(credential.accountId, lookupCredentialId),
+              eq(credential.workspaceId, workspaceId)
+            )
+          )
+          .limit(1)
+      }
+
+      return NextResponse.json({ credential: row ?? null })
+    }
+
+    if (!type || type === 'oauth') {
+      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
+    }
+
+    const whereClauses = [
+      eq(credential.workspaceId, workspaceId),
+      eq(credentialMember.userId, session.user.id),
+      eq(credentialMember.status, 'active'),
+    ]
+
+    if (type) {
+      whereClauses.push(eq(credential.type, type))
+    }
+    if (providerId) {
+      whereClauses.push(eq(credential.providerId, providerId))
+    }
+
+    const credentials = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        description: credential.description,
+        providerId: credential.providerId,
+        accountId: credential.accountId,
+        envKey: credential.envKey,
+        envOwnerUserId: credential.envOwnerUserId,
+        createdBy: credential.createdBy,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+        role: credentialMember.role,
+      })
+      .from(credential)
+      .innerJoin(
+        credentialMember,
+        and(
+          eq(credentialMember.credentialId, credential.id),
+          eq(credentialMember.userId, session.user.id),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .where(and(...whereClauses))
+
+    return NextResponse.json({ credentials })
+  } catch (error) {
+    logger.error(`[${requestId}] Failed to list credentials`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const body = await request.json()
+    const parseResult = createCredentialSchema.safeParse(body)
+
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const {
+      workspaceId,
+      type,
+      displayName,
+      description,
+      providerId,
+      accountId,
+      envKey,
+      envOwnerUserId,
+    } = parseResult.data
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    let resolvedDisplayName = displayName?.trim() ?? ''
+    const resolvedDescription = description?.trim() || null
+    let resolvedProviderId: string | null = providerId ?? null
+    let resolvedAccountId: string | null = accountId ?? null
+    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
+    let resolvedEnvOwnerUserId: string | null = null
+
+    if (type === 'oauth') {
+      const [accountRow] = await db
+        .select({
+          id: account.id,
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(eq(account.id, accountId!))
+        .limit(1)
+
+      if (!accountRow) {
+        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
+      }
+
+      if (accountRow.userId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only account owners can create oauth credentials for an account' },
+          { status: 403 }
+        )
+      }
+
+      if (providerId !== accountRow.providerId) {
+        return NextResponse.json(
+          { error: 'providerId does not match the selected OAuth account' },
+          { status: 400 }
+        )
+      }
+      if (!resolvedDisplayName) {
+        resolvedDisplayName =
+          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
+      }
+    } else if (type === 'env_personal') {
+      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
+      if (resolvedEnvOwnerUserId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only the current user can create personal env credentials for themselves' },
+          { status: 403 }
+        )
+      }
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    } else {
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedEnvOwnerUserId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    }
+
+    if (!resolvedDisplayName) {
+      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
+    }
+
+    const existingCredential = await findExistingCredentialBySource({
+      workspaceId,
+      type,
+      accountId: resolvedAccountId,
+      envKey: resolvedEnvKey,
+      envOwnerUserId: resolvedEnvOwnerUserId,
+    })
+
+    if (existingCredential) {
+      const [membership] = await db
+        .select({
+          id: credentialMember.id,
+          status: credentialMember.status,
+          role: credentialMember.role,
+        })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, existingCredential.id),
+            eq(credentialMember.userId, session.user.id)
+          )
+        )
+        .limit(1)
+
+      if (!membership || membership.status !== 'active') {
+        return NextResponse.json(
+          { error: 'A credential with this source already exists in this workspace' },
+          { status: 409 }
+        )
+      }
+
+      const canUpdateExistingCredential = membership.role === 'admin'
+      const shouldUpdateDisplayName =
+        type === 'oauth' &&
+        resolvedDisplayName &&
+        resolvedDisplayName !== existingCredential.displayName
+      const shouldUpdateDescription =
+        typeof description !== 'undefined' &&
+        (existingCredential.description ?? null) !== resolvedDescription
+
+      if (canUpdateExistingCredential && (shouldUpdateDisplayName || shouldUpdateDescription)) {
+        await db
+          .update(credential)
+          .set({
+            ...(shouldUpdateDisplayName ? { displayName: resolvedDisplayName } : {}),
+            ...(shouldUpdateDescription ? { description: resolvedDescription } : {}),
+            updatedAt: new Date(),
+          })
+          .where(eq(credential.id, existingCredential.id))
+
+        const [updatedCredential] = await db
+          .select()
+          .from(credential)
+          .where(eq(credential.id, existingCredential.id))
+          .limit(1)
+
+        return NextResponse.json(
+          { credential: updatedCredential ?? existingCredential },
+          { status: 200 }
+        )
+      }
+
+      return NextResponse.json({ credential: existingCredential }, { status: 200 })
+    }
+
+    const now = new Date()
+    const credentialId = crypto.randomUUID()
+    const [workspaceRow] = await db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1)
+
+    await db.transaction(async (tx) => {
+      await tx.insert(credential).values({
+        id: credentialId,
+        workspaceId,
+        type,
+        displayName: resolvedDisplayName,
+        description: resolvedDescription,
+        providerId: resolvedProviderId,
+        accountId: resolvedAccountId,
+        envKey: resolvedEnvKey,
+        envOwnerUserId: resolvedEnvOwnerUserId,
+        createdBy: session.user.id,
+        createdAt: now,
+        updatedAt: now,
+      })
+
+      if (type === 'env_workspace' && workspaceRow?.ownerId) {
+        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        if (workspaceUserIds.length > 0) {
+          for (const memberUserId of workspaceUserIds) {
+            await tx.insert(credentialMember).values({
+              id: crypto.randomUUID(),
+              credentialId,
+              userId: memberUserId,
+              role: memberUserId === workspaceRow.ownerId ? 'admin' : 'member',
+              status: 'active',
+              joinedAt: now,
+              invitedBy: session.user.id,
+              createdAt: now,
+              updatedAt: now,
+            })
+          }
+        }
+      } else {
+        await tx.insert(credentialMember).values({
+          id: crypto.randomUUID(),
+          credentialId,
+          userId: session.user.id,
+          role: 'admin',
+          status: 'active',
+          joinedAt: now,
+          invitedBy: session.user.id,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+    })
+
+    const [created] = await db
+      .select()
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    return NextResponse.json({ credential: created }, { status: 201 })
+  } catch (error: any) {
+    if (error?.code === '23505') {
+      return NextResponse.json(
+        { error: 'A credential with this source already exists' },
+        { status: 409 }
+      )
+    }
+    if (error?.code === '23503') {
+      return NextResponse.json(
+        { error: 'Invalid credential reference or membership target' },
+        { status: 400 }
+      )
+    }
+    if (error?.code === '23514') {
+      return NextResponse.json(
+        { error: 'Credential source data failed validation checks' },
+        { status: 400 }
+      )
+    }
+    logger.error(`[${requestId}] Credential create failure details`, {
+      code: error?.code,
+      detail: error?.detail,
+      constraint: error?.constraint,
+      table: error?.table,
+      message: error?.message,
+    })
+    logger.error(`[${requestId}] Failed to create credential`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
diff --git a/apps/sim/app/api/environment/route.ts b/apps/sim/app/api/environment/route.ts
index ad2818b0d1..c8e8604d23 100644
--- a/apps/sim/app/api/environment/route.ts
+++ b/apps/sim/app/api/environment/route.ts
@@ -7,6 +7,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'
 
 const logger = createLogger('EnvironmentAPI')
@@ -53,6 +54,11 @@ export async function POST(req: NextRequest) {
           },
         })
 
+      await syncPersonalEnvCredentialsForUser({
+        userId: session.user.id,
+        envKeys: Object.keys(variables),
+      })
+
       return NextResponse.json({ success: true })
     } catch (validationError) {
       if (validationError instanceof z.ZodError) {
diff --git a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
index d28e545fdf..bf98510580 100644
--- a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
+++ b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
@@ -11,6 +11,7 @@ import {
   user,
   userStats,
   type WorkspaceInvitationStatus,
+  workspaceEnvironment,
   workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -23,6 +24,7 @@ import { hasAccessControlAccess } from '@/lib/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 
 const logger = createLogger('OrganizationInvitation')
@@ -495,6 +497,34 @@ export async function PUT(
       }
     })
 
+    if (status === 'accepted') {
+      const acceptedWsInvitations = await db
+        .select({ workspaceId: workspaceInvitation.workspaceId })
+        .from(workspaceInvitation)
+        .where(
+          and(
+            eq(workspaceInvitation.orgInvitationId, invitationId),
+            eq(workspaceInvitation.status, 'accepted' as WorkspaceInvitationStatus)
+          )
+        )
+
+      for (const wsInv of acceptedWsInvitations) {
+        const [wsEnvRow] = await db
+          .select({ variables: workspaceEnvironment.variables })
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, wsInv.workspaceId))
+          .limit(1)
+        const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+        if (wsEnvKeys.length > 0) {
+          await syncWorkspaceEnvCredentials({
+            workspaceId: wsInv.workspaceId,
+            envKeys: wsEnvKeys,
+            actingUserId: session.user.id,
+          })
+        }
+      }
+    }
+
     // Handle Pro subscription cancellation after transaction commits
     if (personalProToCancel) {
       try {
diff --git a/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts b/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
index 49092d86df..30afdda571 100644
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
@@ -25,6 +25,7 @@ import { db } from '@sim/db'
 import { permissions, user, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
+import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -215,6 +216,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (_, context) => {
 
     await db.delete(permissions).where(eq(permissions.id, memberId))
 
+    await revokeWorkspaceCredentialMemberships(workspaceId, existingMember.userId)
+
     logger.info(`Admin API: Removed member ${memberId} from workspace ${workspaceId}`, {
       userId: existingMember.userId,
     })
diff --git a/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts b/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
index 687198506c..78298feb49 100644
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
@@ -32,9 +32,10 @@
 
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, user, workspace } from '@sim/db/schema'
+import { permissions, user, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, count, eq } from 'drizzle-orm'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
   badRequestResponse,
@@ -232,6 +233,20 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
       permissionId,
     })
 
+    const [wsEnvRow] = await db
+      .select({ variables: workspaceEnvironment.variables })
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+    if (wsEnvKeys.length > 0) {
+      await syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: wsEnvKeys,
+        actingUserId: body.userId,
+      })
+    }
+
     return singleResponse({
       id: permissionId,
       workspaceId,
diff --git a/apps/sim/app/api/workflows/[id]/execute/route.ts b/apps/sim/app/api/workflows/[id]/execute/route.ts
index b6ed6bd8b3..b0ceb9a2c6 100644
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -536,6 +536,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           useDraftState: shouldUseDraftState,
           startTime: new Date().toISOString(),
           isClientSession,
+          enforceCredentialAccess: useAuthenticatedUserAsActor,
           workflowStateOverride: effectiveWorkflowStateOverride,
         }
 
@@ -885,6 +886,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             useDraftState: shouldUseDraftState,
             startTime: new Date().toISOString(),
             isClientSession,
+            enforceCredentialAccess: useAuthenticatedUserAsActor,
             workflowStateOverride: effectiveWorkflowStateOverride,
           }
 
diff --git a/apps/sim/app/api/workspaces/[id]/environment/route.ts b/apps/sim/app/api/workspaces/[id]/environment/route.ts
index f11da0ecc9..a66849448d 100644
--- a/apps/sim/app/api/workspaces/[id]/environment/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -1,12 +1,14 @@
 import { db } from '@sim/db'
-import { environment, workspaceEnvironment } from '@sim/db/schema'
+import { workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -44,44 +46,10 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    // Workspace env (encrypted)
-    const wsEnvRow = await db
-      .select()
-      .from(workspaceEnvironment)
-      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-      .limit(1)
-
-    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
-
-    // Personal env (encrypted)
-    const personalRow = await db
-      .select()
-      .from(environment)
-      .where(eq(environment.userId, userId))
-      .limit(1)
-
-    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
-
-    // Decrypt both for UI
-    const decryptAll = async (src: Record<string, string>) => {
-      const out: Record<string, string> = {}
-      for (const [k, v] of Object.entries(src)) {
-        try {
-          const { decrypted } = await decryptSecret(v)
-          out[k] = decrypted
-        } catch {
-          out[k] = ''
-        }
-      }
-      return out
-    }
-
-    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
-      decryptAll(wsEncrypted),
-      decryptAll(personalEncrypted),
-    ])
-
-    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
+    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
+      userId,
+      workspaceId
+    )
 
     return NextResponse.json(
       {
@@ -156,6 +124,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(merged),
+      actingUserId: userId,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env PUT error`, error)
@@ -222,6 +196,12 @@ export async function DELETE(
         set: { variables: current, updatedAt: new Date() },
       })
 
+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(current),
+      actingUserId: userId,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env DELETE error`, error)
diff --git a/apps/sim/app/api/workspaces/[id]/permissions/route.ts b/apps/sim/app/api/workspaces/[id]/permissions/route.ts
index 0025c90fc0..a9fbc0f065 100644
--- a/apps/sim/app/api/workspaces/[id]/permissions/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/permissions/route.ts
@@ -1,11 +1,12 @@
 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, workspace } from '@sim/db/schema'
+import { permissions, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import {
   getUsersWithPermissions,
   hasWorkspaceAdminAccess,
@@ -154,6 +155,20 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     })
 
+    const [wsEnvRow] = await db
+      .select({ variables: workspaceEnvironment.variables })
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+    if (wsEnvKeys.length > 0) {
+      await syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: wsEnvKeys,
+        actingUserId: session.user.id,
+      })
+    }
+
     const updatedUsers = await getUsersWithPermissions(workspaceId)
 
     return NextResponse.json({
diff --git a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts
index 389de676cd..c1238a6b0c 100644
--- a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts
+++ b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts
@@ -8,15 +8,27 @@ const mockHasWorkspaceAdminAccess = vi.fn()
 let dbSelectResults: any[] = []
 let dbSelectCallIndex = 0
 
-const mockDbSelect = vi.fn().mockImplementation(() => ({
-  from: vi.fn().mockReturnThis(),
-  where: vi.fn().mockReturnThis(),
-  then: vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
-    const result = dbSelectResults[dbSelectCallIndex] || []
-    dbSelectCallIndex++
-    return Promise.resolve(callback ? callback(result) : result)
-  }),
-}))
+const mockDbSelect = vi.fn().mockImplementation(() => {
+  const makeThen = () =>
+    vi.fn().mockImplementation((callback: (rows: any[]) => any) => {
+      const result = dbSelectResults[dbSelectCallIndex] || []
+      dbSelectCallIndex++
+      return Promise.resolve(callback ? callback(result) : result)
+    })
+  const makeLimit = () =>
+    vi.fn().mockImplementation(() => {
+      const result = dbSelectResults[dbSelectCallIndex] || []
+      dbSelectCallIndex++
+      return Promise.resolve(result)
+    })
+
+  const chain: any = {}
+  chain.from = vi.fn().mockReturnValue(chain)
+  chain.where = vi.fn().mockReturnValue(chain)
+  chain.limit = makeLimit()
+  chain.then = makeThen()
+  return chain
+})
 
 const mockDbInsert = vi.fn().mockImplementation(() => ({
   values: vi.fn().mockResolvedValue(undefined),
@@ -53,6 +65,10 @@ vi.mock('@/lib/workspaces/permissions/utils', () => ({
     mockHasWorkspaceAdminAccess(userId, workspaceId),
 }))
 
+vi.mock('@/lib/credentials/environment', () => ({
+  syncWorkspaceEnvCredentials: vi.fn().mockResolvedValue(undefined),
+}))
+
 vi.mock('@sim/logger', () => loggerMock)
 
 vi.mock('@/lib/core/utils/urls', () => ({
@@ -95,6 +111,10 @@ vi.mock('@sim/db/schema', () => ({
     userId: 'userId',
     permissionType: 'permissionType',
   },
+  workspaceEnvironment: {
+    workspaceId: 'workspaceId',
+    variables: 'variables',
+  },
 }))
 
 vi.mock('drizzle-orm', () => ({
@@ -207,6 +227,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
         [mockWorkspace],
         [{ ...mockUser, email: 'invited@example.com' }],
         [],
+        [],
       ]
 
       const request = new NextRequest(
@@ -460,6 +481,7 @@ describe('Workspace Invitation [invitationId] API Route', () => {
         [mockWorkspace],
         [{ ...mockUser, email: 'invited@example.com' }],
         [],
+        [],
       ]
 
       const request2 = new NextRequest(
diff --git a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
index c7574a61e2..1fbc1bbda4 100644
--- a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
+++ b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
@@ -6,6 +6,7 @@ import {
   user,
   type WorkspaceInvitationStatus,
   workspace,
+  workspaceEnvironment,
   workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -14,6 +15,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { WorkspaceInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
@@ -162,6 +164,20 @@ export async function GET(
           .where(eq(workspaceInvitation.id, invitation.id))
       })
 
+      const [wsEnvRow] = await db
+        .select({ variables: workspaceEnvironment.variables })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, invitation.workspaceId))
+        .limit(1)
+      const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+      if (wsEnvKeys.length > 0) {
+        await syncWorkspaceEnvCredentials({
+          workspaceId: invitation.workspaceId,
+          envKeys: wsEnvKeys,
+          actingUserId: session.user.id,
+        })
+      }
+
       return NextResponse.redirect(new URL(`/workspace/${invitation.workspaceId}/w`, getBaseUrl()))
     }
 
diff --git a/apps/sim/app/api/workspaces/members/[id]/route.ts b/apps/sim/app/api/workspaces/members/[id]/route.ts
index ec990da241..9d9364807b 100644
--- a/apps/sim/app/api/workspaces/members/[id]/route.ts
+++ b/apps/sim/app/api/workspaces/members/[id]/route.ts
@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceMemberAPI')
@@ -101,6 +102,8 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
         )
       )
 
+    await revokeWorkspaceCredentialMemberships(workspaceId, userId)
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error removing workspace member:', error)
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
index 4888a9684c..671a7c3f62 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
@@ -30,6 +30,7 @@ export interface OAuthRequiredModalProps {
   requiredScopes?: string[]
   serviceId: string
   newScopes?: string[]
+  onConnect?: () => Promise<void> | void
 }
 
 const SCOPE_DESCRIPTIONS: Record<string, string> = {
@@ -314,6 +315,7 @@ export function OAuthRequiredModal({
   requiredScopes = [],
   serviceId,
   newScopes = [],
+  onConnect,
 }: OAuthRequiredModalProps) {
   const [error, setError] = useState<string | null>(null)
   const { baseProvider } = parseProvider(provider)
@@ -359,6 +361,12 @@ export function OAuthRequiredModal({
     setError(null)
 
     try {
+      if (onConnect) {
+        await onConnect()
+        onClose()
+        return
+      }
+
       const providerId = getProviderIdFromServiceId(serviceId)
 
       logger.info('Linking OAuth2:', {
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
index 378a9baed3..539d5a198a 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -1,12 +1,13 @@
 'use client'
 
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
-import { createLogger } from '@sim/logger'
 import { ExternalLink, Users } from 'lucide-react'
+import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getPollingProviderFromOAuth } from '@/lib/credential-sets/providers'
+import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   getCanonicalScopesForProvider,
   getProviderIdFromServiceId,
@@ -18,15 +19,14 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
-import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
-const logger = createLogger('CredentialSelector')
 const isBillingEnabled = isTruthy(getEnv('NEXT_PUBLIC_BILLING_ENABLED'))
 
 interface CredentialSelectorProps {
@@ -46,6 +46,8 @@ export function CredentialSelector({
   previewValue,
   previewContextValues,
 }: CredentialSelectorProps) {
+  const params = useParams()
+  const workspaceId = (params?.workspaceId as string) || ''
   const [showOAuthModal, setShowOAuthModal] = useState(false)
   const [editingValue, setEditingValue] = useState('')
   const [isEditing, setIsEditing] = useState(false)
@@ -96,64 +98,64 @@ export function CredentialSelector({
     data: credentials = [],
     isFetching: credentialsLoading,
     refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
+    enabled: Boolean(effectiveProviderId),
+    workspaceId,
+    workflowId: activeWorkflowId || undefined,
+  })
 
   const selectedCredential = useMemo(
     () => credentials.find((cred) => cred.id === selectedId),
     [credentials, selectedId]
   )
 
-  const shouldFetchForeignMeta =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    Boolean(activeWorkflowId) &&
-    Boolean(effectiveProviderId)
-
-  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
-    useOAuthCredentialDetail(
-      shouldFetchForeignMeta ? selectedId : undefined,
-      activeWorkflowId || undefined,
-      shouldFetchForeignMeta
-    )
-
-  const hasForeignMeta = foreignCredentials.length > 0
-  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
-
   const selectedCredentialSet = useMemo(
     () => credentialSets.find((cs) => cs.id === selectedCredentialSetId),
     [credentialSets, selectedCredentialSetId]
   )
 
-  const isForeignCredentialSet = Boolean(isCredentialSetSelected && !selectedCredentialSet)
+  const [inaccessibleCredentialName, setInaccessibleCredentialName] = useState<string | null>(null)
+
+  useEffect(() => {
+    if (!selectedId || selectedCredential || credentialsLoading || !workspaceId) {
+      setInaccessibleCredentialName(null)
+      return
+    }
+
+    let cancelled = false
+    ;(async () => {
+      try {
+        const response = await fetch(
+          `/api/credentials?workspaceId=${encodeURIComponent(workspaceId)}&credentialId=${encodeURIComponent(selectedId)}`
+        )
+        if (!response.ok || cancelled) return
+        const data = await response.json()
+        if (!cancelled && data.credential?.displayName) {
+          if (data.credential.id !== selectedId) {
+            setStoreValue(data.credential.id)
+          }
+          setInaccessibleCredentialName(data.credential.displayName)
+        }
+      } catch {
+        // Ignore fetch errors
+      }
+    })()
+
+    return () => {
+      cancelled = true
+    }
+  }, [selectedId, selectedCredential, credentialsLoading, workspaceId])
 
   const resolvedLabel = useMemo(() => {
     if (selectedCredentialSet) return selectedCredentialSet.name
-    if (isForeignCredentialSet) return CREDENTIAL.FOREIGN_LABEL
     if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
+    if (inaccessibleCredentialName) return inaccessibleCredentialName
     return ''
-  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
+  }, [selectedCredentialSet, selectedCredential, inaccessibleCredentialName])
 
   const displayValue = isEditing ? editingValue : resolvedLabel
 
-  const invalidSelection =
-    !isPreview &&
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    !hasForeignMeta &&
-    !credentialsLoading &&
-    !foreignMetaLoading
-
-  useEffect(() => {
-    if (!invalidSelection) return
-    logger.info('Clearing invalid credential selection - credential was disconnected', {
-      selectedId,
-      provider: effectiveProviderId,
-    })
-    setStoreValue('')
-  }, [invalidSelection, selectedId, effectiveProviderId, setStoreValue])
-
-  useCredentialRefreshTriggers(refetchCredentials)
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
 
   const handleOpenChange = useCallback(
     (isOpen: boolean) => {
@@ -195,8 +197,18 @@ export function CredentialSelector({
   )
 
   const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
-  }, [])
+    writePendingCredentialCreateRequest({
+      workspaceId,
+      type: 'oauth',
+      providerId: effectiveProviderId,
+      displayName: '',
+      serviceId,
+      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
+      requestedAt: Date.now(),
+    })
+
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
+  }, [workspaceId, effectiveProviderId, serviceId])
 
   const getProviderIcon = useCallback((providerName: OAuthProvider) => {
     const { baseProvider } = parseProvider(providerName)
@@ -251,23 +263,18 @@ export function CredentialSelector({
         label: cred.name,
         value: cred.id,
       }))
+      credentialItems.push({
+        label:
+          credentials.length > 0
+            ? `Connect another ${getProviderName(provider)} account`
+            : `Connect ${getProviderName(provider)} account`,
+        value: '__connect_account__',
+      })
 
-      if (credentialItems.length > 0) {
-        groups.push({
-          section: 'Personal Credential',
-          items: credentialItems,
-        })
-      } else {
-        groups.push({
-          section: 'Personal Credential',
-          items: [
-            {
-              label: `Connect ${getProviderName(provider)} account`,
-              value: '__connect_account__',
-            },
-          ],
-        })
-      }
+      groups.push({
+        section: 'Personal Credential',
+        items: credentialItems,
+      })
 
       return { comboboxOptions: [], comboboxGroups: groups }
     }
@@ -277,12 +284,13 @@ export function CredentialSelector({
       value: cred.id,
     }))
 
-    if (credentials.length === 0) {
-      options.push({
-        label: `Connect ${getProviderName(provider)} account`,
-        value: '__connect_account__',
-      })
-    }
+    options.push({
+      label:
+        credentials.length > 0
+          ? `Connect another ${getProviderName(provider)} account`
+          : `Connect ${getProviderName(provider)} account`,
+      value: '__connect_account__',
+    })
 
     return { comboboxOptions: options, comboboxGroups: undefined }
   }, [
@@ -368,7 +376,7 @@ export function CredentialSelector({
         }
         disabled={effectiveDisabled}
         editable={true}
-        filterOptions={!isForeign && !isForeignCredentialSet}
+        filterOptions={true}
         isLoading={credentialsLoading}
         overlayContent={overlayContent}
         className={selectedId || isCredentialSetSelected ? 'pl-[28px]' : ''}
@@ -380,15 +388,13 @@ export function CredentialSelector({
             <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
             Additional permissions required
           </div>
-          {!isForeign && (
-            <Button
-              variant='active'
-              onClick={() => setShowOAuthModal(true)}
-              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            >
-              Update access
-            </Button>
-          )}
+          <Button
+            variant='active'
+            onClick={() => setShowOAuthModal(true)}
+            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+          >
+            Update access
+          </Button>
         </div>
       )}
 
@@ -407,7 +413,11 @@ export function CredentialSelector({
   )
 }
 
-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
+  refetchCredentials: () => Promise<unknown>,
+  providerId: string,
+  workspaceId: string
+) {
   useEffect(() => {
     const refresh = () => {
       void refetchCredentials()
@@ -425,12 +435,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
       }
     }
 
+    const handleCredentialsUpdated = (
+      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
+    ) => {
+      if (event.detail?.providerId && event.detail.providerId !== providerId) {
+        return
+      }
+      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
+        return
+      }
+      refresh()
+    }
+
     document.addEventListener('visibilitychange', handleVisibilityChange)
     window.addEventListener('pageshow', handlePageShow)
+    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
 
     return () => {
       document.removeEventListener('visibilitychange', handleVisibilityChange)
       window.removeEventListener('pageshow', handlePageShow)
+      window.removeEventListener(
+        'oauth-credentials-updated',
+        handleCredentialsUpdated as EventListener
+      )
     }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
index 32a6dd33c4..416e07950e 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
@@ -9,6 +9,7 @@ import {
   PopoverSection,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
+import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   usePersonalEnvironment,
   useWorkspaceEnvironment,
@@ -168,7 +169,15 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
   }, [searchTerm])
 
   const openEnvironmentSettings = () => {
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'environment' } }))
+    if (workspaceId) {
+      writePendingCredentialCreateRequest({
+        workspaceId,
+        type: 'env_personal',
+        envKey: searchTerm.trim(),
+        requestedAt: Date.now(),
+      })
+    }
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
     onClose?.()
   }
 
@@ -302,7 +311,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
               }}
             >
               <Plus className='h-3 w-3' />
-              <span>Create environment variable</span>
+              <span>Create Secret</span>
             </PopoverItem>
           </PopoverScrollArea>
         ) : (
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
index 730f01b248..506eacc0dc 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -125,8 +124,6 @@ export function FileSelectorInput({
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
 
-  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
-
   const selectorResolution = useMemo<SelectorResolution | null>(() => {
     return resolveSelectorForSubBlock(subBlock, {
       workflowId: workflowIdFromUrl,
@@ -168,7 +165,6 @@ export function FileSelectorInput({
 
   const disabledReason =
     finalDisabled ||
-    isForeignCredential ||
     missingCredential ||
     missingDomain ||
     missingProject ||
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
index 4be4a8da3f..25fec739bc 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
@@ -4,7 +4,6 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -47,10 +46,6 @@ export function FolderSelectorInput({
     subBlock.canonicalParamId === 'copyDestinationId' ||
     subBlock.id === 'copyDestinationFolder' ||
     subBlock.id === 'manualCopyDestinationFolder'
-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (connectedCredential as string) || ''
-  )
 
   // Central dependsOn gating
   const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
@@ -119,9 +114,7 @@ export function FolderSelectorInput({
       selectorContext={
         selectorResolution?.context ?? { credentialId, workflowId: activeWorkflowId || '' }
       }
-      disabled={
-        finalDisabled || isForeignCredential || missingCredential || !selectorResolution?.key
-      }
+      disabled={finalDisabled || missingCredential || !selectorResolution?.key}
       isPreview={isPreview}
       previewValue={previewValue ?? null}
       placeholder={subBlock.placeholder || 'Select folder'}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
index e5b7c5d930..3df3acd464 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -73,11 +72,6 @@ export function ProjectSelectorInput({
 
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
-
-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (connectedCredential as string) || ''
-  )
   const workflowIdFromUrl = (params?.workflowId as string) || activeWorkflowId || ''
   const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
     disabled,
@@ -123,7 +117,7 @@ export function ProjectSelectorInput({
               subBlock={subBlock}
               selectorKey={selectorResolution.key}
               selectorContext={selectorResolution.context}
-              disabled={finalDisabled || isForeignCredential || missingCredential}
+              disabled={finalDisabled || missingCredential}
               isPreview={isPreview}
               previewValue={previewValue ?? null}
               placeholder={subBlock.placeholder || 'Select project'}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
index bfb9dbe4f6..ee33b320a6 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -87,8 +86,6 @@ export function SheetSelectorInput({
   const serviceId = subBlock.serviceId || ''
   const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
 
-  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
-
   const selectorResolution = useMemo<SelectorResolution | null>(() => {
     return resolveSelectorForSubBlock(subBlock, {
       workflowId: workflowIdFromUrl,
@@ -101,11 +98,7 @@ export function SheetSelectorInput({
   const missingSpreadsheet = !normalizedSpreadsheetId
 
   const disabledReason =
-    finalDisabled ||
-    isForeignCredential ||
-    missingCredential ||
-    missingSpreadsheet ||
-    !selectorResolution?.key
+    finalDisabled || missingCredential || missingSpreadsheet || !selectorResolution?.key
 
   if (!selectorResolution?.key) {
     return (
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
index b99c26bff2..e3e4e21485 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
@@ -6,7 +6,6 @@ import { Tooltip } from '@/components/emcn'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -85,11 +84,6 @@ export function SlackSelectorInput({
       ? (effectiveBotToken as string) || ''
       : (effectiveCredential as string) || ''
 
-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (effectiveAuthMethod as string) === 'bot_token' ? '' : (effectiveCredential as string) || ''
-  )
-
   useEffect(() => {
     const val = isPreview && previewValue !== undefined ? previewValue : storeValue
     if (typeof val === 'string') {
@@ -99,7 +93,7 @@ export function SlackSelectorInput({
 
   const requiresCredential = dependsOn.includes('credential')
   const missingCredential = !credential || credential.trim().length === 0
-  const shouldForceDisable = requiresCredential && (missingCredential || isForeignCredential)
+  const shouldForceDisable = requiresCredential && missingCredential
 
   const context: SelectorContext = useMemo(
     () => ({
@@ -136,7 +130,7 @@ export function SlackSelectorInput({
             subBlock={subBlock}
             selectorKey={config.selectorKey}
             selectorContext={context}
-            disabled={finalDisabled || shouldForceDisable || isForeignCredential}
+            disabled={finalDisabled || shouldForceDisable}
             isPreview={isPreview}
             previewValue={previewValue ?? null}
             placeholder={subBlock.placeholder || config.placeholder}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
index 255d859079..773673457c 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/credential-selector.tsx
@@ -1,6 +1,8 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { ExternalLink } from 'lucide-react'
+import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
+import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
   getCanonicalScopesForProvider,
   getProviderIdFromServiceId,
@@ -11,8 +13,7 @@ import {
   parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
-import { CREDENTIAL } from '@/executor/constants'
-import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
@@ -64,6 +65,8 @@ export function ToolCredentialSelector({
   serviceId,
   disabled = false,
 }: ToolCredentialSelectorProps) {
+  const params = useParams()
+  const workspaceId = (params?.workspaceId as string) || ''
   const [showOAuthModal, setShowOAuthModal] = useState(false)
   const [editingInputValue, setEditingInputValue] = useState('')
   const [isEditing, setIsEditing] = useState(false)
@@ -78,50 +81,58 @@ export function ToolCredentialSelector({
     data: credentials = [],
     isFetching: credentialsLoading,
     refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
+    enabled: Boolean(effectiveProviderId),
+    workspaceId,
+    workflowId: activeWorkflowId || undefined,
+  })
 
   const selectedCredential = useMemo(
     () => credentials.find((cred) => cred.id === selectedId),
     [credentials, selectedId]
   )
 
-  const shouldFetchForeignMeta =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    Boolean(activeWorkflowId) &&
-    Boolean(effectiveProviderId)
-
-  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
-    useOAuthCredentialDetail(
-      shouldFetchForeignMeta ? selectedId : undefined,
-      activeWorkflowId || undefined,
-      shouldFetchForeignMeta
-    )
+  const [inaccessibleCredentialName, setInaccessibleCredentialName] = useState<string | null>(null)
 
-  const hasForeignMeta = foreignCredentials.length > 0
-  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
+  useEffect(() => {
+    if (!selectedId || selectedCredential || credentialsLoading || !workspaceId) {
+      setInaccessibleCredentialName(null)
+      return
+    }
+
+    let cancelled = false
+    ;(async () => {
+      try {
+        const response = await fetch(
+          `/api/credentials?workspaceId=${encodeURIComponent(workspaceId)}&credentialId=${encodeURIComponent(selectedId)}`
+        )
+        if (!response.ok || cancelled) return
+        const data = await response.json()
+        if (!cancelled && data.credential?.displayName) {
+          if (data.credential.id !== selectedId) {
+            onChange(data.credential.id)
+          }
+          setInaccessibleCredentialName(data.credential.displayName)
+        }
+      } catch {
+        // Ignore fetch errors
+      }
+    })()
+
+    return () => {
+      cancelled = true
+    }
+  }, [selectedId, selectedCredential, credentialsLoading, workspaceId])
 
   const resolvedLabel = useMemo(() => {
     if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
+    if (inaccessibleCredentialName) return inaccessibleCredentialName
     return ''
-  }, [selectedCredential, isForeign])
+  }, [selectedCredential, inaccessibleCredentialName])
 
   const inputValue = isEditing ? editingInputValue : resolvedLabel
 
-  const invalidSelection =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    !hasForeignMeta &&
-    !credentialsLoading &&
-    !foreignMetaLoading
-
-  useEffect(() => {
-    if (!invalidSelection) return
-    onChange('')
-  }, [invalidSelection, onChange])
-
-  useCredentialRefreshTriggers(refetchCredentials)
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)
 
   const handleOpenChange = useCallback(
     (isOpen: boolean) => {
@@ -149,8 +160,18 @@ export function ToolCredentialSelector({
   )
 
   const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
-  }, [])
+    writePendingCredentialCreateRequest({
+      workspaceId,
+      type: 'oauth',
+      providerId: effectiveProviderId,
+      displayName: '',
+      serviceId,
+      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
+      requestedAt: Date.now(),
+    })
+
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
+  }, [workspaceId, effectiveProviderId, serviceId])
 
   const comboboxOptions = useMemo(() => {
     const options = credentials.map((cred) => ({
@@ -158,12 +179,13 @@ export function ToolCredentialSelector({
       value: cred.id,
     }))
 
-    if (credentials.length === 0) {
-      options.push({
-        label: `Connect ${getProviderName(provider)} account`,
-        value: '__connect_account__',
-      })
-    }
+    options.push({
+      label:
+        credentials.length > 0
+          ? `Connect another ${getProviderName(provider)} account`
+          : `Connect ${getProviderName(provider)} account`,
+      value: '__connect_account__',
+    })
 
     return options
   }, [credentials, provider])
@@ -213,7 +235,7 @@ export function ToolCredentialSelector({
         placeholder={effectiveLabel}
         disabled={disabled}
         editable={true}
-        filterOptions={!isForeign}
+        filterOptions={true}
         isLoading={credentialsLoading}
         overlayContent={overlayContent}
         className={selectedId ? 'pl-[28px]' : ''}
@@ -225,15 +247,13 @@ export function ToolCredentialSelector({
             <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
             Additional permissions required
           </div>
-          {!isForeign && (
-            <Button
-              variant='active'
-              onClick={() => setShowOAuthModal(true)}
-              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            >
-              Update access
-            </Button>
-          )}
+          <Button
+            variant='active'
+            onClick={() => setShowOAuthModal(true)}
+            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+          >
+            Update access
+          </Button>
         </div>
       )}
 
@@ -252,7 +272,11 @@ export function ToolCredentialSelector({
   )
 }
 
-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
+  refetchCredentials: () => Promise<unknown>,
+  providerId: string,
+  workspaceId: string
+) {
   useEffect(() => {
     const refresh = () => {
       void refetchCredentials()
@@ -270,12 +294,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
       }
     }
 
+    const handleCredentialsUpdated = (
+      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
+    ) => {
+      if (event.detail?.providerId && event.detail.providerId !== providerId) {
+        return
+      }
+      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
+        return
+      }
+      refresh()
+    }
+
     document.addEventListener('visibilitychange', handleVisibilityChange)
     window.addEventListener('pageshow', handlePageShow)
+    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)
 
     return () => {
       document.removeEventListener('visibilitychange', handleVisibilityChange)
       window.removeEventListener('pageshow', handlePageShow)
+      window.removeEventListener(
+        'oauth-credentials-updated',
+        handleCredentialsUpdated as EventListener
+      )
     }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
deleted file mode 100644
index 727b09da22..0000000000
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
+++ /dev/null
@@ -1,50 +0,0 @@
-import { useEffect, useMemo, useState } from 'react'
-
-export function useForeignCredential(
-  provider: string | undefined,
-  credentialId: string | undefined
-) {
-  const [isForeign, setIsForeign] = useState<boolean>(false)
-  const [loading, setLoading] = useState<boolean>(false)
-  const [error, setError] = useState<string | null>(null)
-
-  const normalizedProvider = useMemo(() => (provider || '').toString(), [provider])
-  const normalizedCredentialId = useMemo(() => credentialId || '', [credentialId])
-
-  useEffect(() => {
-    let cancelled = false
-    async function check() {
-      setLoading(true)
-      setError(null)
-      try {
-        if (!normalizedProvider || !normalizedCredentialId) {
-          if (!cancelled) setIsForeign(false)
-          return
-        }
-        const res = await fetch(
-          `/api/auth/oauth/credentials?provider=${encodeURIComponent(normalizedProvider)}`
-        )
-        if (!res.ok) {
-          if (!cancelled) setIsForeign(true)
-          return
-        }
-        const data = await res.json()
-        const isOwn = (data.credentials || []).some((c: any) => c.id === normalizedCredentialId)
-        if (!cancelled) setIsForeign(!isOwn)
-      } catch (e) {
-        if (!cancelled) {
-          setIsForeign(true)
-          setError((e as Error).message)
-        }
-      } finally {
-        if (!cancelled) setLoading(false)
-      }
-    }
-    void check()
-    return () => {
-      cancelled = true
-    }
-  }, [normalizedProvider, normalizedCredentialId])
-
-  return { isForeignCredential: isForeign, loading, error }
-}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
index 66fa0ee164..a4f7648fa7 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/workflow.tsx
@@ -255,6 +255,69 @@ const WorkflowContent = React.memo(() => {
 
   const addNotification = useNotificationStore((state) => state.addNotification)
 
+  useEffect(() => {
+    const OAUTH_CONNECT_PENDING_KEY = 'sim.oauth-connect-pending'
+    const pending = window.sessionStorage.getItem(OAUTH_CONNECT_PENDING_KEY)
+    if (!pending) return
+    window.sessionStorage.removeItem(OAUTH_CONNECT_PENDING_KEY)
+
+    ;(async () => {
+      try {
+        const {
+          displayName,
+          providerId,
+          preCount,
+          workspaceId: wsId,
+          reconnect,
+        } = JSON.parse(pending) as {
+          displayName: string
+          providerId: string
+          preCount: number
+          workspaceId: string
+          reconnect?: boolean
+        }
+
+        if (reconnect) {
+          addNotification({
+            level: 'info',
+            message: `"${displayName}" reconnected successfully.`,
+          })
+          window.dispatchEvent(
+            new CustomEvent('oauth-credentials-updated', {
+              detail: { providerId, workspaceId: wsId },
+            })
+          )
+          return
+        }
+
+        const response = await fetch(
+          `/api/credentials?workspaceId=${encodeURIComponent(wsId)}&type=oauth`
+        )
+        const data = response.ok ? await response.json() : { credentials: [] }
+        const oauthCredentials = (data.credentials ?? []) as Array<{
+          displayName: string
+          providerId: string | null
+        }>
+
+        if (oauthCredentials.length > preCount) {
+          addNotification({
+            level: 'info',
+            message: `"${displayName}" credential connected successfully.`,
+          })
+        } else {
+          const existing = oauthCredentials.find((c) => c.providerId === providerId)
+          const existingName = existing?.displayName || displayName
+          addNotification({
+            level: 'info',
+            message: `This account is already connected as "${existingName}".`,
+          })
+        }
+      } catch {
+        // Ignore malformed sessionStorage data
+      }
+    })()
+  }, [])
+
   const {
     workflows,
     activeWorkflowId,
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
index 936e8f1146..87b042b695 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/preview/components/preview-editor/preview-editor.tsx
@@ -473,7 +473,7 @@ function ConnectionsSection({
           </div>
         )}
 
-        {/* Environment Variables */}
+        {/* Secrets */}
         {envVars.length > 0 && (
           <div className='mb-[2px] last:mb-0'>
             <div
@@ -489,7 +489,7 @@ function ConnectionsSection({
                   'text-[var(--text-secondary)] group-hover:text-[var(--text-primary)]'
                 )}
               >
-                Environment Variables
+                Secrets
               </span>
               <ChevronDownIcon
                 className={cn(
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx
index 8e3862eccc..cc7e925499 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/api-keys/api-keys.tsx
@@ -31,10 +31,9 @@ const logger = createLogger('ApiKeys')
 
 interface ApiKeysProps {
   onOpenChange?: (open: boolean) => void
-  registerCloseHandler?: (handler: (open: boolean) => void) => void
 }
 
-export function ApiKeys({ onOpenChange, registerCloseHandler }: ApiKeysProps) {
+export function ApiKeys({ onOpenChange }: ApiKeysProps) {
   const { data: session } = useSession()
   const userId = session?.user?.id
   const params = useParams()
@@ -118,12 +117,6 @@ export function ApiKeys({ onOpenChange, registerCloseHandler }: ApiKeysProps) {
     onOpenChange?.(open)
   }
 
-  useEffect(() => {
-    if (registerCloseHandler) {
-      registerCloseHandler(handleModalClose)
-    }
-  }, [registerCloseHandler])
-
   useEffect(() => {
     if (shouldScrollToBottom && scrollContainerRef.current) {
       scrollContainerRef.current.scrollTo({
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
new file mode 100644
index 0000000000..c2e6960f34
--- /dev/null
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
@@ -0,0 +1,1692 @@
+'use client'
+
+import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
+import { createLogger } from '@sim/logger'
+import { AlertTriangle, Check, Copy, Plus, RefreshCw, Search, Share2, Trash2 } from 'lucide-react'
+import { useParams } from 'next/navigation'
+import {
+  Badge,
+  Button,
+  ButtonGroup,
+  ButtonGroupItem,
+  Combobox,
+  Input,
+  Label,
+  Modal,
+  ModalBody,
+  ModalContent,
+  ModalFooter,
+  ModalHeader,
+  Textarea,
+  Tooltip,
+} from '@/components/emcn'
+import { Skeleton } from '@/components/ui'
+import { useSession } from '@/lib/auth/auth-client'
+import { cn } from '@/lib/core/utils/cn'
+import {
+  clearPendingCredentialCreateRequest,
+  PENDING_CREDENTIAL_CREATE_REQUEST_EVENT,
+  type PendingCredentialCreateRequest,
+  readPendingCredentialCreateRequest,
+} from '@/lib/credentials/client-state'
+import {
+  getCanonicalScopesForProvider,
+  getServiceConfigByProviderId,
+  type OAuthProvider,
+} from '@/lib/oauth'
+import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
+import { isValidEnvVarName } from '@/executor/constants'
+import {
+  useCreateWorkspaceCredential,
+  useDeleteWorkspaceCredential,
+  useRemoveWorkspaceCredentialMember,
+  useUpdateWorkspaceCredential,
+  useUpsertWorkspaceCredentialMember,
+  useWorkspaceCredentialMembers,
+  useWorkspaceCredentials,
+  type WorkspaceCredential,
+  type WorkspaceCredentialRole,
+} from '@/hooks/queries/credentials'
+import {
+  usePersonalEnvironment,
+  useSavePersonalEnvironment,
+  useUpsertWorkspaceEnvironment,
+  useWorkspaceEnvironment,
+} from '@/hooks/queries/environment'
+import {
+  useConnectOAuthService,
+  useDisconnectOAuthService,
+  useOAuthConnections,
+} from '@/hooks/queries/oauth-connections'
+import { useWorkspacePermissionsQuery } from '@/hooks/queries/workspace'
+
+const logger = createLogger('CredentialsManager')
+
+const roleOptions = [
+  { value: 'member', label: 'Member' },
+  { value: 'admin', label: 'Admin' },
+] as const
+
+type CreateCredentialType = 'oauth' | 'secret'
+type SecretScope = 'workspace' | 'personal'
+type SecretInputMode = 'single' | 'bulk'
+
+const createTypeOptions = [
+  { value: 'oauth', label: 'OAuth Account' },
+  { value: 'secret', label: 'Secret' },
+] as const
+
+interface ParsedEnvEntry {
+  key: string
+  value: string
+}
+
+/**
+ * Parses `.env`-style text into key-value pairs.
+ * Supports `KEY=VALUE`, quoted values, comments (#), and blank lines.
+ */
+function parseEnvText(text: string): { entries: ParsedEnvEntry[]; errors: string[] } {
+  const entries: ParsedEnvEntry[] = []
+  const errors: string[] = []
+  const seenKeys = new Set<string>()
+
+  const lines = text.split('\n')
+  for (let i = 0; i < lines.length; i++) {
+    const raw = lines[i].trim()
+    if (!raw || raw.startsWith('#')) continue
+
+    const eqIndex = raw.indexOf('=')
+    if (eqIndex === -1) {
+      errors.push(`Line ${i + 1}: missing "=" separator`)
+      continue
+    }
+
+    const key = raw.slice(0, eqIndex).trim()
+    let value = raw.slice(eqIndex + 1).trim()
+
+    if (!key) {
+      errors.push(`Line ${i + 1}: empty key`)
+      continue
+    }
+
+    if (!isValidEnvVarName(key)) {
+      errors.push(`Line ${i + 1}: "${key}" must contain only letters, numbers, and underscores`)
+      continue
+    }
+
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1)
+    }
+
+    if (!value) {
+      errors.push(`Line ${i + 1}: "${key}" has an empty value`)
+      continue
+    }
+
+    if (seenKeys.has(key.toUpperCase())) {
+      errors.push(`Line ${i + 1}: duplicate key "${key}"`)
+      continue
+    }
+
+    seenKeys.add(key.toUpperCase())
+    entries.push({ key, value })
+  }
+
+  return { entries, errors }
+}
+
+function getSecretCredentialType(
+  scope: SecretScope
+): Extract<WorkspaceCredential['type'], 'env_workspace' | 'env_personal'> {
+  return scope === 'workspace' ? 'env_workspace' : 'env_personal'
+}
+
+function typeBadgeVariant(type: WorkspaceCredential['type']): 'blue' | 'amber' | 'gray-secondary' {
+  if (type === 'oauth') return 'blue'
+  if (type === 'env_workspace') return 'amber'
+  return 'gray-secondary'
+}
+
+function typeLabel(type: WorkspaceCredential['type']): string {
+  if (type === 'oauth') return 'OAuth'
+  if (type === 'env_workspace') return 'Workspace Secret'
+  return 'Personal Secret'
+}
+
+function normalizeEnvKeyInput(raw: string): string {
+  const trimmed = raw.trim()
+  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
+  return wrappedMatch ? wrappedMatch[1] : trimmed
+}
+
+export function CredentialsManager() {
+  const params = useParams()
+  const workspaceId = (params?.workspaceId as string) || ''
+
+  const [searchTerm, setSearchTerm] = useState('')
+  const [selectedCredentialId, setSelectedCredentialId] = useState<string | null>(null)
+  const [memberRole, setMemberRole] = useState<WorkspaceCredentialRole>('admin')
+  const [memberUserId, setMemberUserId] = useState('')
+  const [showCreateModal, setShowCreateModal] = useState(false)
+  const [createType, setCreateType] = useState<CreateCredentialType>('oauth')
+  const [createSecretScope, setCreateSecretScope] = useState<SecretScope>('workspace')
+  const [createDisplayName, setCreateDisplayName] = useState('')
+  const [createDescription, setCreateDescription] = useState('')
+  const [createEnvKey, setCreateEnvKey] = useState('')
+  const [createEnvValue, setCreateEnvValue] = useState('')
+  const [createOAuthProviderId, setCreateOAuthProviderId] = useState('')
+  const [createSecretInputMode, setCreateSecretInputMode] = useState<SecretInputMode>('single')
+  const [createBulkText, setCreateBulkText] = useState('')
+  const [createError, setCreateError] = useState<string | null>(null)
+  const [detailsError, setDetailsError] = useState<string | null>(null)
+  const [selectedEnvValueDraft, setSelectedEnvValueDraft] = useState('')
+  const [isEditingEnvValue, setIsEditingEnvValue] = useState(false)
+  const [selectedDescriptionDraft, setSelectedDescriptionDraft] = useState('')
+  const [selectedDisplayNameDraft, setSelectedDisplayNameDraft] = useState('')
+  const [showCreateOAuthRequiredModal, setShowCreateOAuthRequiredModal] = useState(false)
+  const [copyIdSuccess, setCopyIdSuccess] = useState(false)
+  const { data: session } = useSession()
+  const currentUserId = session?.user?.id || ''
+
+  const {
+    data: credentials = [],
+    isPending: credentialsLoading,
+    refetch: refetchCredentials,
+  } = useWorkspaceCredentials({
+    workspaceId,
+    enabled: Boolean(workspaceId),
+  })
+
+  const { data: oauthConnections = [] } = useOAuthConnections()
+  const connectOAuthService = useConnectOAuthService()
+  const disconnectOAuthService = useDisconnectOAuthService()
+  const savePersonalEnvironment = useSavePersonalEnvironment()
+  const upsertWorkspaceEnvironment = useUpsertWorkspaceEnvironment()
+  const { data: personalEnvironment = {} } = usePersonalEnvironment()
+  const { data: workspaceEnvironmentData } = useWorkspaceEnvironment(workspaceId, {
+    select: (data) => data,
+  })
+
+  const { data: workspacePermissions } = useWorkspacePermissionsQuery(workspaceId || null)
+  const selectedCredential = useMemo(
+    () => credentials.find((credential) => credential.id === selectedCredentialId) || null,
+    [credentials, selectedCredentialId]
+  )
+
+  const { data: members = [], isPending: membersLoading } = useWorkspaceCredentialMembers(
+    selectedCredential?.id
+  )
+
+  const createCredential = useCreateWorkspaceCredential()
+  const updateCredential = useUpdateWorkspaceCredential()
+  const deleteCredential = useDeleteWorkspaceCredential()
+  const upsertMember = useUpsertWorkspaceCredentialMember()
+  const removeMember = useRemoveWorkspaceCredentialMember()
+  const oauthServiceNameByProviderId = useMemo(
+    () => new Map(oauthConnections.map((service) => [service.providerId, service.name])),
+    [oauthConnections]
+  )
+  const resolveProviderLabel = (providerId?: string | null): string => {
+    if (!providerId) return ''
+    return oauthServiceNameByProviderId.get(providerId) || providerId
+  }
+
+  const filteredCredentials = useMemo(() => {
+    if (!searchTerm.trim()) return credentials
+    const normalized = searchTerm.toLowerCase()
+    return credentials.filter((credential) => {
+      return (
+        credential.displayName.toLowerCase().includes(normalized) ||
+        (credential.description || '').toLowerCase().includes(normalized) ||
+        (credential.providerId || '').toLowerCase().includes(normalized) ||
+        resolveProviderLabel(credential.providerId).toLowerCase().includes(normalized) ||
+        typeLabel(credential.type).toLowerCase().includes(normalized)
+      )
+    })
+  }, [credentials, searchTerm, oauthConnections])
+
+  const sortedCredentials = useMemo(() => {
+    return [...filteredCredentials].sort((a, b) => {
+      const aDate = new Date(a.updatedAt).getTime()
+      const bDate = new Date(b.updatedAt).getTime()
+      return bDate - aDate
+    })
+  }, [filteredCredentials])
+
+  const oauthServiceOptions = useMemo(
+    () =>
+      oauthConnections.map((service) => ({
+        value: service.providerId,
+        label: service.name,
+      })),
+    [oauthConnections]
+  )
+
+  const activeMembers = useMemo(
+    () => members.filter((member) => member.status === 'active'),
+    [members]
+  )
+  const adminMemberCount = useMemo(
+    () => activeMembers.filter((member) => member.role === 'admin').length,
+    [activeMembers]
+  )
+
+  const workspaceUserOptions = useMemo(() => {
+    const activeMemberUserIds = new Set(activeMembers.map((member) => member.userId))
+    return (workspacePermissions?.users || [])
+      .filter((user) => !activeMemberUserIds.has(user.userId))
+      .map((user) => ({
+        value: user.userId,
+        label: user.name || user.email,
+      }))
+  }, [workspacePermissions?.users, activeMembers])
+
+  const selectedOAuthService = useMemo(
+    () => oauthConnections.find((service) => service.providerId === createOAuthProviderId) || null,
+    [oauthConnections, createOAuthProviderId]
+  )
+  const createOAuthRequiredScopes = useMemo(() => {
+    if (!createOAuthProviderId) return []
+    if (selectedOAuthService?.scopes?.length) {
+      return selectedOAuthService.scopes
+    }
+    return getCanonicalScopesForProvider(createOAuthProviderId)
+  }, [selectedOAuthService, createOAuthProviderId])
+  const createSecretType = useMemo(
+    () => getSecretCredentialType(createSecretScope),
+    [createSecretScope]
+  )
+  const selectedExistingEnvCredential = useMemo(() => {
+    if (createType !== 'secret' || createSecretInputMode !== 'single') return null
+    const envKey = normalizeEnvKeyInput(createEnvKey)
+    if (!envKey) return null
+    return (
+      credentials.find(
+        (row) =>
+          row.type === createSecretType && (row.envKey || '').toLowerCase() === envKey.toLowerCase()
+      ) ?? null
+    )
+  }, [credentials, createEnvKey, createSecretType, createType, createSecretInputMode])
+
+  const crossScopeEnvConflict = useMemo(() => {
+    if (createType !== 'secret' || createSecretInputMode !== 'single') return null
+    if (createSecretScope !== 'personal') return null
+    const envKey = normalizeEnvKeyInput(createEnvKey)
+    if (!envKey) return null
+    return (
+      credentials.find(
+        (row) =>
+          row.type === 'env_workspace' && (row.envKey || '').toLowerCase() === envKey.toLowerCase()
+      ) ?? null
+    )
+  }, [credentials, createEnvKey, createSecretScope, createType, createSecretInputMode])
+
+  const existingOAuthDisplayName = useMemo(() => {
+    if (createType !== 'oauth') return null
+    const name = createDisplayName.trim()
+    if (!name) return null
+    return (
+      credentials.find(
+        (row) => row.type === 'oauth' && row.displayName.toLowerCase() === name.toLowerCase()
+      ) ?? null
+    )
+  }, [credentials, createDisplayName, createType])
+  const selectedEnvCurrentValue = useMemo(() => {
+    if (!selectedCredential || selectedCredential.type === 'oauth') return ''
+    const envKey = selectedCredential.envKey || ''
+    if (!envKey) return ''
+
+    if (selectedCredential.type === 'env_workspace') {
+      return workspaceEnvironmentData?.workspace?.[envKey] || ''
+    }
+
+    if (selectedCredential.envOwnerUserId && selectedCredential.envOwnerUserId !== currentUserId) {
+      return ''
+    }
+
+    return personalEnvironment[envKey]?.value || workspaceEnvironmentData?.personal?.[envKey] || ''
+  }, [selectedCredential, workspaceEnvironmentData, personalEnvironment, currentUserId])
+  const isEnvValueDirty = useMemo(() => {
+    if (!selectedCredential || selectedCredential.type === 'oauth') return false
+    return selectedEnvValueDraft !== selectedEnvCurrentValue
+  }, [selectedCredential, selectedEnvValueDraft, selectedEnvCurrentValue])
+
+  const isDescriptionDirty = useMemo(() => {
+    if (!selectedCredential) return false
+    return selectedDescriptionDraft !== (selectedCredential.description || '')
+  }, [selectedCredential, selectedDescriptionDraft])
+
+  const isDisplayNameDirty = useMemo(() => {
+    if (!selectedCredential) return false
+    return selectedDisplayNameDraft !== selectedCredential.displayName
+  }, [selectedCredential, selectedDisplayNameDraft])
+
+  const isDetailsDirty = isEnvValueDirty || isDescriptionDirty || isDisplayNameDirty
+  const [isSavingDetails, setIsSavingDetails] = useState(false)
+
+  const handleSaveDetails = async () => {
+    if (!selectedCredential || !isSelectedAdmin || !isDetailsDirty) return
+    setDetailsError(null)
+    setIsSavingDetails(true)
+
+    try {
+      if (isDisplayNameDirty || isDescriptionDirty) {
+        await updateCredential.mutateAsync({
+          credentialId: selectedCredential.id,
+          ...(isDisplayNameDirty && selectedCredential.type === 'oauth'
+            ? { displayName: selectedDisplayNameDraft.trim() }
+            : {}),
+          ...(isDescriptionDirty ? { description: selectedDescriptionDraft.trim() || null } : {}),
+        })
+      }
+
+      if (isEnvValueDirty && canEditSelectedEnvValue) {
+        const envKey = selectedCredential.envKey || ''
+        if (envKey) {
+          if (selectedCredential.type === 'env_workspace') {
+            await upsertWorkspaceEnvironment.mutateAsync({
+              workspaceId,
+              variables: { [envKey]: selectedEnvValueDraft },
+            })
+          } else {
+            const personalVariables = Object.entries(personalEnvironment).reduce(
+              (acc, [key, value]) => ({
+                ...acc,
+                [key]: value.value,
+              }),
+              {} as Record<string, string>
+            )
+            await savePersonalEnvironment.mutateAsync({
+              variables: { ...personalVariables, [envKey]: selectedEnvValueDraft },
+            })
+          }
+        }
+      }
+
+      await refetchCredentials()
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to save changes'
+      setDetailsError(message)
+      logger.error('Failed to save credential details', error)
+    } finally {
+      setIsSavingDetails(false)
+    }
+  }
+
+  useEffect(() => {
+    if (createType !== 'oauth') return
+    if (createOAuthProviderId || oauthConnections.length === 0) return
+    setCreateOAuthProviderId(oauthConnections[0]?.providerId || '')
+  }, [createType, createOAuthProviderId, oauthConnections])
+
+  useEffect(() => {
+    setCreateError(null)
+  }, [createOAuthProviderId])
+
+  const applyPendingCredentialCreateRequest = useCallback(
+    (request: PendingCredentialCreateRequest) => {
+      if (request.workspaceId !== workspaceId) {
+        return
+      }
+
+      if (Date.now() - request.requestedAt > 15 * 60 * 1000) {
+        clearPendingCredentialCreateRequest()
+        return
+      }
+
+      setShowCreateModal(true)
+      setShowCreateOAuthRequiredModal(false)
+      setCreateError(null)
+      setCreateDescription('')
+      setCreateEnvValue('')
+
+      if (request.type === 'oauth') {
+        setCreateType('oauth')
+        setCreateOAuthProviderId(request.providerId)
+        setCreateDisplayName(request.displayName)
+        setCreateEnvKey('')
+      } else {
+        setCreateType('secret')
+        setCreateSecretScope(request.type === 'env_workspace' ? 'workspace' : 'personal')
+        setCreateOAuthProviderId('')
+        setCreateDisplayName('')
+        setCreateEnvKey(request.envKey || '')
+      }
+
+      clearPendingCredentialCreateRequest()
+    },
+    [workspaceId]
+  )
+
+  useEffect(() => {
+    if (!workspaceId) return
+    const request = readPendingCredentialCreateRequest()
+    if (!request) return
+    applyPendingCredentialCreateRequest(request)
+  }, [workspaceId, applyPendingCredentialCreateRequest])
+
+  useEffect(() => {
+    if (!workspaceId) return
+
+    const handlePendingCreateRequest = (event: Event) => {
+      const request = (event as CustomEvent<PendingCredentialCreateRequest>).detail
+      if (!request) return
+      applyPendingCredentialCreateRequest(request)
+    }
+
+    window.addEventListener(
+      PENDING_CREDENTIAL_CREATE_REQUEST_EVENT,
+      handlePendingCreateRequest as EventListener
+    )
+
+    return () => {
+      window.removeEventListener(
+        PENDING_CREDENTIAL_CREATE_REQUEST_EVENT,
+        handlePendingCreateRequest as EventListener
+      )
+    }
+  }, [workspaceId, applyPendingCredentialCreateRequest])
+
+  useEffect(() => {
+    if (!selectedCredential) {
+      setSelectedEnvValueDraft('')
+      setIsEditingEnvValue(false)
+      setSelectedDescriptionDraft('')
+      setSelectedDisplayNameDraft('')
+      return
+    }
+
+    setDetailsError(null)
+    setSelectedDescriptionDraft(selectedCredential.description || '')
+    setSelectedDisplayNameDraft(selectedCredential.displayName)
+
+    if (selectedCredential.type === 'oauth') {
+      setSelectedEnvValueDraft('')
+      setIsEditingEnvValue(false)
+      return
+    }
+
+    const envKey = selectedCredential.envKey || ''
+    if (!envKey) {
+      setSelectedEnvValueDraft('')
+      return
+    }
+
+    setSelectedEnvValueDraft(selectedEnvCurrentValue)
+    setIsEditingEnvValue(false)
+  }, [selectedCredential, selectedEnvCurrentValue])
+
+  const isSelectedAdmin = selectedCredential?.role === 'admin'
+  const selectedOAuthServiceConfig = useMemo(() => {
+    if (
+      !selectedCredential ||
+      selectedCredential.type !== 'oauth' ||
+      !selectedCredential.providerId
+    ) {
+      return null
+    }
+
+    return getServiceConfigByProviderId(selectedCredential.providerId)
+  }, [selectedCredential])
+
+  const resetCreateForm = () => {
+    setCreateType('oauth')
+    setCreateSecretScope('workspace')
+    setCreateSecretInputMode('single')
+    setCreateDisplayName('')
+    setCreateDescription('')
+    setCreateEnvKey('')
+    setCreateEnvValue('')
+    setCreateBulkText('')
+    setCreateOAuthProviderId('')
+    setCreateError(null)
+    setShowCreateOAuthRequiredModal(false)
+  }
+
+  const handleSelectCredential = (credential: WorkspaceCredential) => {
+    setSelectedCredentialId(credential.id)
+    setDetailsError(null)
+  }
+
+  const canEditSelectedEnvValue = useMemo(() => {
+    if (!selectedCredential || selectedCredential.type === 'oauth') return false
+    if (!isSelectedAdmin) return false
+    if (selectedCredential.type === 'env_workspace') return true
+    return Boolean(
+      selectedCredential.envOwnerUserId &&
+        currentUserId &&
+        selectedCredential.envOwnerUserId === currentUserId
+    )
+  }, [selectedCredential, isSelectedAdmin, currentUserId])
+
+  const handleCreateCredential = async () => {
+    if (!workspaceId) return
+    setCreateError(null)
+    const normalizedDescription = createDescription.trim()
+
+    try {
+      if (createType === 'oauth') {
+        if (!selectedOAuthService) {
+          setCreateError('Select an OAuth service before connecting.')
+          return
+        }
+        if (!createDisplayName.trim()) {
+          setCreateError('Display name is required.')
+          return
+        }
+        setShowCreateOAuthRequiredModal(true)
+        return
+      }
+
+      if (createSecretInputMode === 'bulk') {
+        await handleBulkCreateSecrets()
+        return
+      }
+
+      if (!createEnvKey.trim()) return
+      const normalizedEnvKey = normalizeEnvKeyInput(createEnvKey)
+      if (!isValidEnvVarName(normalizedEnvKey)) {
+        setCreateError('Secret key must contain only letters, numbers, and underscores.')
+        return
+      }
+      if (!createEnvValue.trim()) {
+        setCreateError('Secret value is required.')
+        return
+      }
+
+      if (createSecretType === 'env_personal') {
+        const personalVariables = Object.entries(personalEnvironment).reduce(
+          (acc, [key, value]) => ({
+            ...acc,
+            [key]: value.value,
+          }),
+          {} as Record<string, string>
+        )
+
+        await savePersonalEnvironment.mutateAsync({
+          variables: {
+            ...personalVariables,
+            [normalizedEnvKey]: createEnvValue.trim(),
+          },
+        })
+      } else {
+        const workspaceVariables = workspaceEnvironmentData?.workspace ?? {}
+        await upsertWorkspaceEnvironment.mutateAsync({
+          workspaceId,
+          variables: {
+            ...workspaceVariables,
+            [normalizedEnvKey]: createEnvValue.trim(),
+          },
+        })
+      }
+
+      const response = await createCredential.mutateAsync({
+        workspaceId,
+        type: createSecretType,
+        envKey: normalizedEnvKey,
+        description: normalizedDescription || undefined,
+      })
+      const credentialId = response?.credential?.id
+      if (credentialId) {
+        setSelectedCredentialId(credentialId)
+      }
+
+      await refetchCredentials()
+
+      setShowCreateModal(false)
+      resetCreateForm()
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to create credential'
+      setCreateError(message)
+      logger.error('Failed to create credential', error)
+    }
+  }
+
+  const handleBulkCreateSecrets = async () => {
+    if (!workspaceId) return
+    setCreateError(null)
+
+    const { entries, errors } = parseEnvText(createBulkText)
+    if (errors.length > 0) {
+      setCreateError(errors.join('\n'))
+      return
+    }
+
+    if (entries.length === 0) {
+      setCreateError('No valid KEY=VALUE pairs found. Add one per line, e.g. API_KEY=sk-abc123')
+      return
+    }
+
+    try {
+      const newVars: Record<string, string> = {}
+      for (const entry of entries) {
+        newVars[entry.key] = entry.value
+      }
+
+      if (createSecretType === 'env_personal') {
+        const personalVariables = Object.entries(personalEnvironment).reduce(
+          (acc, [key, value]) => ({
+            ...acc,
+            [key]: value.value,
+          }),
+          {} as Record<string, string>
+        )
+
+        await savePersonalEnvironment.mutateAsync({
+          variables: { ...personalVariables, ...newVars },
+        })
+      } else {
+        const workspaceVariables = workspaceEnvironmentData?.workspace ?? {}
+        await upsertWorkspaceEnvironment.mutateAsync({
+          workspaceId,
+          variables: { ...workspaceVariables, ...newVars },
+        })
+      }
+
+      let lastCredentialId: string | null = null
+      for (const entry of entries) {
+        const response = await createCredential.mutateAsync({
+          workspaceId,
+          type: createSecretType,
+          envKey: entry.key,
+        })
+        if (response?.credential?.id) {
+          lastCredentialId = response.credential.id
+        }
+      }
+
+      if (lastCredentialId) {
+        setSelectedCredentialId(lastCredentialId)
+      }
+
+      await refetchCredentials()
+
+      setShowCreateModal(false)
+      resetCreateForm()
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to create secrets'
+      setCreateError(message)
+      logger.error('Failed to bulk create secrets', error)
+    }
+  }
+
+  const handleConnectOAuthService = async () => {
+    if (!selectedOAuthService) {
+      setCreateError('Select an OAuth service before connecting.')
+      return
+    }
+
+    const displayName = createDisplayName.trim()
+    if (!displayName) {
+      setCreateError('Display name is required.')
+      return
+    }
+
+    setCreateError(null)
+    try {
+      await fetch('/api/credentials/draft', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          workspaceId,
+          providerId: selectedOAuthService.providerId,
+          displayName,
+          description: createDescription.trim() || undefined,
+        }),
+      })
+
+      window.sessionStorage.setItem(
+        'sim.oauth-connect-pending',
+        JSON.stringify({
+          displayName,
+          providerId: selectedOAuthService.providerId,
+          preCount: credentials.filter((c) => c.type === 'oauth').length,
+          workspaceId,
+        })
+      )
+
+      await connectOAuthService.mutateAsync({
+        providerId: selectedOAuthService.providerId,
+        callbackURL: window.location.href,
+      })
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to start OAuth connection'
+      setCreateError(message)
+      logger.error('Failed to connect OAuth service', error)
+    }
+  }
+
+  const handleDeleteCredential = async () => {
+    if (!selectedCredential) return
+    if (selectedCredential.type === 'oauth') {
+      await handleDisconnectSelectedCredential()
+      return
+    }
+    try {
+      await deleteCredential.mutateAsync(selectedCredential.id)
+      setSelectedCredentialId(null)
+    } catch (error) {
+      logger.error('Failed to delete credential', error)
+    }
+  }
+
+  const [isPromoting, setIsPromoting] = useState(false)
+  const [isShareingWithWorkspace, setIsSharingWithWorkspace] = useState(false)
+
+  const handleShareWithWorkspace = async () => {
+    if (!selectedCredential || !isSelectedAdmin) return
+    const usersToAdd = workspaceUserOptions
+    if (usersToAdd.length === 0) return
+
+    setDetailsError(null)
+    setIsSharingWithWorkspace(true)
+
+    try {
+      for (const user of usersToAdd) {
+        await upsertMember.mutateAsync({
+          credentialId: selectedCredential.id,
+          userId: user.value,
+          role: 'member',
+        })
+      }
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to share with workspace'
+      setDetailsError(message)
+      logger.error('Failed to share credential with workspace', error)
+    } finally {
+      setIsSharingWithWorkspace(false)
+    }
+  }
+
+  const handlePromoteToWorkspace = async () => {
+    if (!selectedCredential || selectedCredential.type !== 'env_personal' || !workspaceId) return
+    const envKey = selectedCredential.envKey || ''
+    if (!envKey) return
+
+    setDetailsError(null)
+    setIsPromoting(true)
+
+    try {
+      const currentValue =
+        personalEnvironment[envKey]?.value || workspaceEnvironmentData?.personal?.[envKey] || ''
+
+      if (!currentValue) {
+        setDetailsError('Cannot promote: secret value is empty.')
+        setIsPromoting(false)
+        return
+      }
+
+      const workspaceVariables = workspaceEnvironmentData?.workspace ?? {}
+      await upsertWorkspaceEnvironment.mutateAsync({
+        workspaceId,
+        variables: { ...workspaceVariables, [envKey]: currentValue },
+      })
+
+      const response = await createCredential.mutateAsync({
+        workspaceId,
+        type: 'env_workspace',
+        envKey,
+        description: selectedCredential.description || undefined,
+      })
+
+      await deleteCredential.mutateAsync(selectedCredential.id)
+
+      const newCredentialId = response?.credential?.id
+      if (newCredentialId) {
+        setSelectedCredentialId(newCredentialId)
+      } else {
+        setSelectedCredentialId(null)
+      }
+
+      await refetchCredentials()
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to promote secret'
+      setDetailsError(message)
+      logger.error('Failed to promote personal secret to workspace', error)
+    } finally {
+      setIsPromoting(false)
+    }
+  }
+
+  const handleDisconnectSelectedCredential = async () => {
+    if (!selectedCredential || selectedCredential.type !== 'oauth' || !selectedCredential.accountId)
+      return
+    if (!selectedCredential.providerId) return
+
+    try {
+      await disconnectOAuthService.mutateAsync({
+        provider: selectedCredential.providerId.split('-')[0] || selectedCredential.providerId,
+        providerId: selectedCredential.providerId,
+        serviceId: selectedCredential.providerId,
+        accountId: selectedCredential.accountId,
+      })
+
+      setSelectedCredentialId(null)
+      await refetchCredentials()
+      window.dispatchEvent(
+        new CustomEvent('oauth-credentials-updated', {
+          detail: { providerId: selectedCredential.providerId, workspaceId },
+        })
+      )
+    } catch (error) {
+      logger.error('Failed to disconnect credential account', error)
+    }
+  }
+
+  const handleReconnectOAuth = async () => {
+    if (
+      !selectedCredential ||
+      selectedCredential.type !== 'oauth' ||
+      !selectedCredential.providerId ||
+      !workspaceId
+    )
+      return
+
+    setDetailsError(null)
+
+    try {
+      await fetch('/api/credentials/draft', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          workspaceId,
+          providerId: selectedCredential.providerId,
+          displayName: selectedCredential.displayName,
+          description: selectedCredential.description || undefined,
+          credentialId: selectedCredential.id,
+        }),
+      })
+
+      window.sessionStorage.setItem(
+        'sim.oauth-connect-pending',
+        JSON.stringify({
+          displayName: selectedCredential.displayName,
+          providerId: selectedCredential.providerId,
+          preCount: credentials.filter((c) => c.type === 'oauth').length,
+          workspaceId,
+          reconnect: true,
+        })
+      )
+
+      await connectOAuthService.mutateAsync({
+        providerId: selectedCredential.providerId,
+        callbackURL: window.location.href,
+      })
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Failed to start reconnect'
+      setDetailsError(message)
+      logger.error('Failed to reconnect OAuth credential', error)
+    }
+  }
+
+  const handleAddMember = async () => {
+    if (!selectedCredential || !memberUserId) return
+    try {
+      await upsertMember.mutateAsync({
+        credentialId: selectedCredential.id,
+        userId: memberUserId,
+        role: memberRole,
+      })
+      setMemberUserId('')
+      setMemberRole('admin')
+    } catch (error) {
+      logger.error('Failed to add credential member', error)
+    }
+  }
+
+  const handleChangeMemberRole = async (userId: string, role: WorkspaceCredentialRole) => {
+    if (!selectedCredential) return
+    const currentMember = activeMembers.find((member) => member.userId === userId)
+    if (currentMember?.role === role) return
+    try {
+      await upsertMember.mutateAsync({
+        credentialId: selectedCredential.id,
+        userId,
+        role,
+      })
+    } catch (error) {
+      logger.error('Failed to change member role', error)
+    }
+  }
+
+  const handleRemoveMember = async (userId: string) => {
+    if (!selectedCredential) return
+    try {
+      await removeMember.mutateAsync({
+        credentialId: selectedCredential.id,
+        userId,
+      })
+    } catch (error) {
+      logger.error('Failed to remove credential member', error)
+    }
+  }
+
+  return (
+    <div className='flex h-full min-h-0 gap-[16px]'>
+      <div className='flex w-[320px] min-w-[320px] flex-col gap-[12px] border-[var(--border-1)] border-r pr-[16px]'>
+        <div className='flex items-center gap-[8px]'>
+          <div className='relative flex-1'>
+            <Search className='-translate-y-1/2 absolute top-1/2 left-[10px] h-[14px] w-[14px] text-[var(--text-tertiary)]' />
+            <Input
+              value={searchTerm}
+              onChange={(event) => setSearchTerm(event.target.value)}
+              placeholder='Search credentials...'
+              className='pl-[32px]'
+            />
+          </div>
+          <Button variant='active' onClick={() => setShowCreateModal(true)}>
+            <Plus className='h-[14px] w-[14px]' />
+          </Button>
+        </div>
+
+        <div className='min-h-0 flex-1 overflow-y-auto'>
+          {credentialsLoading ? (
+            <div className='flex flex-col gap-[8px]'>
+              <Skeleton className='h-[64px] w-full rounded-[8px]' />
+              <Skeleton className='h-[64px] w-full rounded-[8px]' />
+              <Skeleton className='h-[64px] w-full rounded-[8px]' />
+            </div>
+          ) : sortedCredentials.length === 0 ? (
+            <div className='rounded-[8px] border border-[var(--border-1)] px-[12px] py-[10px] text-[12px] text-[var(--text-tertiary)]'>
+              No credentials available for this workspace.
+            </div>
+          ) : (
+            <div className='flex flex-col gap-[8px]'>
+              {sortedCredentials.map((credential) => (
+                <button
+                  key={credential.id}
+                  type='button'
+                  className={cn(
+                    'w-full rounded-[8px] border px-[10px] py-[10px] text-left transition-colors',
+                    selectedCredentialId === credential.id
+                      ? 'border-[var(--brand-9)] bg-[var(--surface-3)]'
+                      : 'border-[var(--border-1)] hover:bg-[var(--surface-2)]'
+                  )}
+                  onClick={() => handleSelectCredential(credential)}
+                >
+                  <div className='mb-[6px] flex items-center justify-between gap-[8px]'>
+                    <p className='min-w-0 truncate font-medium text-[13px] text-[var(--text-primary)]'>
+                      {credential.displayName}
+                    </p>
+                    <Badge
+                      variant={typeBadgeVariant(credential.type)}
+                      className='shrink-0 whitespace-nowrap'
+                    >
+                      {typeLabel(credential.type)}
+                    </Badge>
+                  </div>
+                  <p className='truncate text-[12px] text-[var(--text-tertiary)]'>
+                    {credential.type === 'oauth'
+                      ? resolveProviderLabel(credential.providerId)
+                      : credential.envKey || credential.id}
+                  </p>
+                </button>
+              ))}
+            </div>
+          )}
+        </div>
+      </div>
+
+      <div className='min-h-0 flex-1 overflow-y-auto'>
+        {!selectedCredential ? (
+          <div className='rounded-[8px] border border-[var(--border-1)] px-[14px] py-[12px] text-[13px] text-[var(--text-tertiary)]'>
+            Select a credential to manage members.
+          </div>
+        ) : (
+          <div className='flex flex-col gap-[16px]'>
+            <div className='rounded-[8px] border border-[var(--border-1)] p-[12px]'>
+              <div className='mb-[10px] flex items-center justify-between gap-[12px]'>
+                <div className='flex items-center gap-[8px]'>
+                  <Badge variant={typeBadgeVariant(selectedCredential.type)}>
+                    {typeLabel(selectedCredential.type)}
+                  </Badge>
+                  {selectedCredential.role && (
+                    <Badge
+                      variant={selectedCredential.role === 'admin' ? 'blue' : 'gray-secondary'}
+                    >
+                      {selectedCredential.role}
+                    </Badge>
+                  )}
+                </div>
+                {isSelectedAdmin && (
+                  <div className='flex items-center gap-[8px]'>
+                    <Button
+                      variant='tertiary'
+                      onClick={handleSaveDetails}
+                      disabled={!isDetailsDirty || isSavingDetails}
+                    >
+                      {isSavingDetails ? 'Saving...' : 'Save'}
+                    </Button>
+                    {selectedCredential.type === 'oauth' && (
+                      <Tooltip.Root>
+                        <Tooltip.Trigger asChild>
+                          <Button
+                            variant='ghost'
+                            onClick={handleReconnectOAuth}
+                            disabled={connectOAuthService.isPending}
+                          >
+                            <RefreshCw className='h-[14px] w-[14px]' />
+                          </Button>
+                        </Tooltip.Trigger>
+                        <Tooltip.Content>Reconnect account</Tooltip.Content>
+                      </Tooltip.Root>
+                    )}
+                    {selectedCredential.type === 'env_personal' && (
+                      <Tooltip.Root>
+                        <Tooltip.Trigger asChild>
+                          <Button
+                            variant='ghost'
+                            onClick={handlePromoteToWorkspace}
+                            disabled={isPromoting || deleteCredential.isPending}
+                          >
+                            <Share2 className='h-[14px] w-[14px]' />
+                          </Button>
+                        </Tooltip.Trigger>
+                        <Tooltip.Content>Promote to Workspace Secret</Tooltip.Content>
+                      </Tooltip.Root>
+                    )}
+                    {selectedCredential.type === 'oauth' &&
+                      (workspaceUserOptions.length > 0 || isShareingWithWorkspace) && (
+                        <Tooltip.Root>
+                          <Tooltip.Trigger asChild>
+                            <Button
+                              variant='ghost'
+                              onClick={handleShareWithWorkspace}
+                              disabled={
+                                isShareingWithWorkspace || workspaceUserOptions.length === 0
+                              }
+                            >
+                              <Share2 className='h-[14px] w-[14px]' />
+                            </Button>
+                          </Tooltip.Trigger>
+                          <Tooltip.Content>
+                            {isShareingWithWorkspace ? 'Sharing...' : 'Share with workspace'}
+                          </Tooltip.Content>
+                        </Tooltip.Root>
+                      )}
+                    <Tooltip.Root>
+                      <Tooltip.Trigger asChild>
+                        <Button
+                          variant='destructive'
+                          onClick={handleDeleteCredential}
+                          disabled={
+                            deleteCredential.isPending ||
+                            isPromoting ||
+                            disconnectOAuthService.isPending
+                          }
+                        >
+                          <Trash2 className='h-[14px] w-[14px]' />
+                        </Button>
+                      </Tooltip.Trigger>
+                      <Tooltip.Content>
+                        {selectedCredential.type === 'oauth'
+                          ? 'Disconnect account'
+                          : 'Delete credential'}
+                      </Tooltip.Content>
+                    </Tooltip.Root>
+                  </div>
+                )}
+              </div>
+
+              {selectedCredential.type === 'oauth' ? (
+                <div className='flex flex-col gap-[10px]'>
+                  <div>
+                    <div className='flex items-center gap-[6px]'>
+                      <Label htmlFor='credential-display-name'>Display Name</Label>
+                      <Tooltip.Root>
+                        <Tooltip.Trigger asChild>
+                          <Button
+                            variant='ghost'
+                            className='h-[20px] w-[20px] p-0'
+                            onClick={() => {
+                              navigator.clipboard.writeText(selectedCredential.id)
+                              setCopyIdSuccess(true)
+                              setTimeout(() => setCopyIdSuccess(false), 2000)
+                            }}
+                          >
+                            {copyIdSuccess ? (
+                              <Check className='h-[11px] w-[11px]' />
+                            ) : (
+                              <Copy className='h-[11px] w-[11px]' />
+                            )}
+                          </Button>
+                        </Tooltip.Trigger>
+                        <Tooltip.Content>Copy credential ID</Tooltip.Content>
+                      </Tooltip.Root>
+                    </div>
+                    <Input
+                      id='credential-display-name'
+                      value={selectedDisplayNameDraft}
+                      onChange={(event) => setSelectedDisplayNameDraft(event.target.value)}
+                      autoComplete='off'
+                      disabled={!isSelectedAdmin}
+                      className='mt-[6px]'
+                    />
+                  </div>
+                  <div>
+                    <Label htmlFor='credential-description'>Description</Label>
+                    <Textarea
+                      id='credential-description'
+                      value={selectedDescriptionDraft}
+                      onChange={(event) => setSelectedDescriptionDraft(event.target.value)}
+                      placeholder='Add a description...'
+                      maxLength={500}
+                      autoComplete='off'
+                      disabled={!isSelectedAdmin}
+                      className='mt-[6px] min-h-[60px] resize-none'
+                    />
+                  </div>
+                  <div>
+                    <Label>Connected service</Label>
+                    <div className='mt-[6px] flex items-center gap-[10px] rounded-[8px] border border-[var(--border-1)] px-[10px] py-[8px]'>
+                      <div className='flex h-8 w-8 flex-shrink-0 items-center justify-center overflow-hidden rounded-[6px] bg-[var(--surface-5)]'>
+                        {selectedOAuthServiceConfig ? (
+                          createElement(selectedOAuthServiceConfig.icon, { className: 'h-4 w-4' })
+                        ) : (
+                          <span className='font-medium text-[12px] text-[var(--text-tertiary)]'>
+                            {resolveProviderLabel(selectedCredential.providerId).slice(0, 1)}
+                          </span>
+                        )}
+                      </div>
+                      <span className='text-[12px] text-[var(--text-primary)]'>
+                        {resolveProviderLabel(selectedCredential.providerId) || 'Unknown service'}
+                      </span>
+                    </div>
+                  </div>
+                </div>
+              ) : (
+                <div className='flex flex-col gap-[10px]'>
+                  <Label htmlFor='credential-env-key'>Secret key</Label>
+                  <Input
+                    id='credential-env-key'
+                    value={selectedCredential.envKey || ''}
+                    readOnly
+                    disabled
+                    autoComplete='off'
+                    className='mt-[6px]'
+                  />
+                  <div>
+                    <div className='flex items-center justify-between'>
+                      <Label htmlFor='credential-env-value'>Secret value</Label>
+                      {canEditSelectedEnvValue && (
+                        <Button
+                          variant='ghost'
+                          onClick={() => setIsEditingEnvValue((value) => !value)}
+                        >
+                          {isEditingEnvValue ? 'Hide' : 'Edit'}
+                        </Button>
+                      )}
+                    </div>
+                    <Input
+                      id='credential-env-value'
+                      type={isEditingEnvValue ? 'text' : 'password'}
+                      value={selectedEnvValueDraft}
+                      onChange={(event) => setSelectedEnvValueDraft(event.target.value)}
+                      onFocus={() => {
+                        if (canEditSelectedEnvValue) {
+                          setIsEditingEnvValue(true)
+                        }
+                      }}
+                      autoComplete='new-password'
+                      autoCapitalize='none'
+                      autoCorrect='off'
+                      spellCheck={false}
+                      data-lpignore='true'
+                      data-1p-ignore='true'
+                      readOnly={!canEditSelectedEnvValue || !isEditingEnvValue}
+                      disabled={!canEditSelectedEnvValue}
+                      className='mt-[6px]'
+                    />
+                  </div>
+                  <div>
+                    <Label htmlFor='credential-description'>Description</Label>
+                    <Textarea
+                      id='credential-description'
+                      value={selectedDescriptionDraft}
+                      onChange={(event) => setSelectedDescriptionDraft(event.target.value)}
+                      placeholder='Add a description...'
+                      maxLength={500}
+                      autoComplete='off'
+                      disabled={!isSelectedAdmin}
+                      className='mt-[6px] min-h-[60px] resize-none'
+                    />
+                  </div>
+                </div>
+              )}
+              {detailsError && (
+                <div className='mt-[8px] rounded-[8px] border border-[var(--status-red)]/40 bg-[var(--status-red)]/10 px-[10px] py-[8px] text-[12px] text-[var(--status-red)]'>
+                  {detailsError}
+                </div>
+              )}
+            </div>
+
+            <div className='rounded-[8px] border border-[var(--border-1)] p-[12px]'>
+              <h3 className='mb-[10px] font-medium text-[13px] text-[var(--text-primary)]'>
+                Members
+              </h3>
+
+              {membersLoading ? (
+                <div className='flex flex-col gap-[8px]'>
+                  <Skeleton className='h-[44px] w-full rounded-[8px]' />
+                  <Skeleton className='h-[44px] w-full rounded-[8px]' />
+                </div>
+              ) : (
+                <div className='flex flex-col gap-[8px]'>
+                  {activeMembers.map((member) => (
+                    <div
+                      key={member.id}
+                      className='grid grid-cols-[1fr_120px_auto] items-center gap-[8px] rounded-[8px] border border-[var(--border-1)] px-[10px] py-[8px]'
+                    >
+                      <div className='min-w-0'>
+                        <p className='truncate font-medium text-[12px] text-[var(--text-primary)]'>
+                          {member.userName || member.userEmail || member.userId}
+                        </p>
+                        <p className='truncate text-[11px] text-[var(--text-tertiary)]'>
+                          {member.userEmail || member.userId}
+                        </p>
+                      </div>
+
+                      {isSelectedAdmin ? (
+                        <>
+                          <Combobox
+                            options={roleOptions.map((option) => ({
+                              value: option.value,
+                              label: option.label,
+                            }))}
+                            value={
+                              roleOptions.find((option) => option.value === member.role)?.label ||
+                              ''
+                            }
+                            selectedValue={member.role}
+                            onChange={(value) =>
+                              handleChangeMemberRole(
+                                member.userId,
+                                value as WorkspaceCredentialRole
+                              )
+                            }
+                            placeholder='Role'
+                            disabled={member.role === 'admin' && adminMemberCount <= 1}
+                            size='sm'
+                          />
+                          {selectedCredential.type !== 'env_workspace' ? (
+                            <Button
+                              variant='ghost'
+                              onClick={() => handleRemoveMember(member.userId)}
+                              disabled={member.role === 'admin' && adminMemberCount <= 1}
+                            >
+                              Remove
+                            </Button>
+                          ) : (
+                            <div />
+                          )}
+                        </>
+                      ) : (
+                        <>
+                          <Badge variant={member.role === 'admin' ? 'blue' : 'gray-secondary'}>
+                            {member.role}
+                          </Badge>
+                          <div />
+                        </>
+                      )}
+                    </div>
+                  ))}
+                </div>
+              )}
+
+              {isSelectedAdmin && selectedCredential.type !== 'env_workspace' && (
+                <div className='mt-[10px] rounded-[8px] border border-[var(--border-1)] p-[10px]'>
+                  <Label>Add member</Label>
+                  <div className='mt-[6px] grid grid-cols-[1fr_120px_auto] gap-[8px]'>
+                    <Combobox
+                      options={workspaceUserOptions}
+                      value={
+                        workspaceUserOptions.find((option) => option.value === memberUserId)
+                          ?.label || ''
+                      }
+                      selectedValue={memberUserId}
+                      onChange={setMemberUserId}
+                      placeholder='Select user'
+                    />
+                    <Combobox
+                      options={roleOptions.map((option) => ({
+                        value: option.value,
+                        label: option.label,
+                      }))}
+                      value={roleOptions.find((option) => option.value === memberRole)?.label || ''}
+                      selectedValue={memberRole}
+                      onChange={(value) => setMemberRole(value as WorkspaceCredentialRole)}
+                      placeholder='Role'
+                    />
+                    <Button
+                      variant='active'
+                      onClick={handleAddMember}
+                      disabled={!memberUserId || upsertMember.isPending}
+                    >
+                      Add
+                    </Button>
+                  </div>
+                </div>
+              )}
+            </div>
+          </div>
+        )}
+      </div>
+
+      <Modal
+        open={showCreateModal}
+        onOpenChange={(open) => {
+          setShowCreateModal(open)
+          if (!open) resetCreateForm()
+        }}
+      >
+        <ModalContent size='md'>
+          <ModalHeader>Create Credential</ModalHeader>
+          <ModalBody>
+            <div className='flex flex-col gap-[12px]'>
+              <div>
+                <Label>Type</Label>
+                <div className='mt-[6px]'>
+                  <Combobox
+                    options={createTypeOptions.map((option) => ({
+                      value: option.value,
+                      label: option.label,
+                    }))}
+                    value={
+                      createTypeOptions.find((option) => option.value === createType)?.label || ''
+                    }
+                    selectedValue={createType}
+                    onChange={(value) => {
+                      setCreateType(value as CreateCredentialType)
+                      setCreateError(null)
+                    }}
+                    placeholder='Select credential type'
+                  />
+                </div>
+              </div>
+
+              {createType === 'oauth' ? (
+                <div className='flex flex-col gap-[10px]'>
+                  <div>
+                    <Label>Display name</Label>
+                    <Input
+                      value={createDisplayName}
+                      onChange={(event) => setCreateDisplayName(event.target.value)}
+                      placeholder='Credential name'
+                      autoComplete='off'
+                      className='mt-[6px]'
+                    />
+                  </div>
+                  <div>
+                    <Label>Description</Label>
+                    <Textarea
+                      value={createDescription}
+                      onChange={(event) => setCreateDescription(event.target.value)}
+                      placeholder='Optional description'
+                      maxLength={500}
+                      autoComplete='off'
+                      className='mt-[6px] min-h-[80px] resize-none'
+                    />
+                  </div>
+                  <div>
+                    <Label>OAuth service</Label>
+                    <div className='mt-[6px]'>
+                      <Combobox
+                        options={oauthServiceOptions}
+                        value={
+                          oauthServiceOptions.find(
+                            (option) => option.value === createOAuthProviderId
+                          )?.label || ''
+                        }
+                        selectedValue={createOAuthProviderId}
+                        onChange={setCreateOAuthProviderId}
+                        placeholder='Select OAuth service'
+                      />
+                    </div>
+                  </div>
+                  {existingOAuthDisplayName && (
+                    <div className='rounded-[8px] border border-red-500/50 bg-red-50 p-[12px] dark:bg-red-950/30'>
+                      <div className='flex items-start gap-[10px]'>
+                        <AlertTriangle className='mt-[1px] h-4 w-4 flex-shrink-0 text-red-600 dark:text-red-400' />
+                        <p className='text-[12px] text-red-700 dark:text-red-300'>
+                          A credential named{' '}
+                          <span className='font-medium'>
+                            {existingOAuthDisplayName.displayName}
+                          </span>{' '}
+                          already exists.
+                        </p>
+                      </div>
+                    </div>
+                  )}
+                </div>
+              ) : (
+                <div className='flex flex-col gap-[10px]'>
+                  <div>
+                    <Label className='block'>Scope</Label>
+                    <div className='mt-[6px]'>
+                      <ButtonGroup
+                        value={createSecretScope}
+                        onValueChange={(value) => setCreateSecretScope(value as SecretScope)}
+                      >
+                        <ButtonGroupItem
+                          value='workspace'
+                          className='h-[28px] min-w-[80px] px-[10px] py-0 text-[12px]'
+                        >
+                          Workspace
+                        </ButtonGroupItem>
+                        <ButtonGroupItem
+                          value='personal'
+                          className='h-[28px] min-w-[72px] px-[10px] py-0 text-[12px]'
+                        >
+                          Personal
+                        </ButtonGroupItem>
+                      </ButtonGroup>
+                    </div>
+                  </div>
+                  <div>
+                    <Label className='block'>Mode</Label>
+                    <div className='mt-[6px]'>
+                      <ButtonGroup
+                        value={createSecretInputMode}
+                        onValueChange={(value) => {
+                          setCreateSecretInputMode(value as SecretInputMode)
+                          setCreateError(null)
+                        }}
+                      >
+                        <ButtonGroupItem
+                          value='single'
+                          className='h-[28px] min-w-[56px] px-[10px] py-0 text-[12px]'
+                        >
+                          Single
+                        </ButtonGroupItem>
+                        <ButtonGroupItem
+                          value='bulk'
+                          className='h-[28px] min-w-[56px] px-[10px] py-0 text-[12px]'
+                        >
+                          Bulk
+                        </ButtonGroupItem>
+                      </ButtonGroup>
+                    </div>
+                  </div>
+
+                  {createSecretInputMode === 'single' ? (
+                    <>
+                      <div>
+                        <Label>Secret key</Label>
+                        <Input
+                          value={createEnvKey}
+                          onChange={(event) => {
+                            setCreateEnvKey(event.target.value)
+                          }}
+                          placeholder='API_KEY'
+                          autoComplete='off'
+                          autoCapitalize='none'
+                          autoCorrect='off'
+                          spellCheck={false}
+                          data-lpignore='true'
+                          data-1p-ignore='true'
+                          className='mt-[6px]'
+                        />
+                        <p className='mt-[4px] text-[11px] text-[var(--text-tertiary)]'>
+                          Use it in blocks as {'{{KEY}}'}, for example {'{{API_KEY}}'}.
+                        </p>
+                      </div>
+                      <div>
+                        <Label>Secret value</Label>
+                        <Input
+                          type='password'
+                          value={createEnvValue}
+                          onChange={(event) => setCreateEnvValue(event.target.value)}
+                          placeholder='Enter secret value'
+                          autoComplete='new-password'
+                          autoCapitalize='none'
+                          autoCorrect='off'
+                          spellCheck={false}
+                          data-lpignore='true'
+                          data-1p-ignore='true'
+                          className='mt-[6px]'
+                        />
+                      </div>
+                      <div>
+                        <Label>Description</Label>
+                        <Textarea
+                          value={createDescription}
+                          onChange={(event) => setCreateDescription(event.target.value)}
+                          placeholder='Optional description'
+                          maxLength={500}
+                          autoComplete='off'
+                          className='mt-[6px] min-h-[80px] resize-none'
+                        />
+                      </div>
+
+                      {selectedExistingEnvCredential && (
+                        <div className='rounded-[8px] border border-red-500/50 bg-red-50 p-[12px] dark:bg-red-950/30'>
+                          <div className='flex items-start gap-[10px]'>
+                            <AlertTriangle className='mt-[1px] h-4 w-4 flex-shrink-0 text-red-600 dark:text-red-400' />
+                            <p className='text-[12px] text-red-700 dark:text-red-300'>
+                              A secret with key{' '}
+                              <span className='font-medium'>
+                                {selectedExistingEnvCredential.displayName}
+                              </span>{' '}
+                              already exists.
+                            </p>
+                          </div>
+                        </div>
+                      )}
+                      {!selectedExistingEnvCredential && crossScopeEnvConflict && (
+                        <div className='rounded-[8px] border border-amber-500/50 bg-amber-50 p-[12px] dark:bg-amber-950/30'>
+                          <div className='flex items-start gap-[10px]'>
+                            <AlertTriangle className='mt-[1px] h-4 w-4 flex-shrink-0 text-amber-600 dark:text-amber-400' />
+                            <p className='text-[12px] text-amber-700 dark:text-amber-300'>
+                              A workspace secret with key{' '}
+                              <span className='font-medium'>{crossScopeEnvConflict.envKey}</span>{' '}
+                              already exists. Workspace secrets take precedence at runtime.
+                            </p>
+                          </div>
+                        </div>
+                      )}
+                    </>
+                  ) : (
+                    <div>
+                      <Label>Secrets</Label>
+                      <Textarea
+                        value={createBulkText}
+                        onChange={(event) => {
+                          setCreateBulkText(event.target.value)
+                          setCreateError(null)
+                        }}
+                        placeholder={
+                          'OPENAI_API_KEY=sk-abc123\nANTHROPIC_API_KEY=sk-ant-xyz\nSTRIPE_SECRET=sk_live_...'
+                        }
+                        autoComplete='off'
+                        spellCheck={false}
+                        className='mt-[6px] min-h-[160px] resize-none font-mono text-[12px]'
+                      />
+                      <p className='mt-[4px] text-[11px] text-[var(--text-tertiary)]'>
+                        Paste KEY=VALUE pairs, one per line. Lines starting with # are ignored.
+                      </p>
+                      {createBulkText.trim()
+                        ? (() => {
+                            const { entries } = parseEnvText(createBulkText)
+                            return entries.length > 0 ? (
+                              <p className='mt-[2px] text-[11px] text-[var(--text-secondary)]'>
+                                {entries.length} secret{entries.length === 1 ? '' : 's'} detected
+                              </p>
+                            ) : null
+                          })()
+                        : null}
+                    </div>
+                  )}
+                </div>
+              )}
+
+              {createError && (
+                <div className='rounded-[8px] border border-red-500/50 bg-red-50 p-[12px] dark:bg-red-950/30'>
+                  <div className='flex items-start gap-[10px]'>
+                    <AlertTriangle className='mt-[1px] h-4 w-4 flex-shrink-0 text-red-600 dark:text-red-400' />
+                    <p className='whitespace-pre-wrap text-[12px] text-red-700 dark:text-red-300'>
+                      {createError}
+                    </p>
+                  </div>
+                </div>
+              )}
+            </div>
+          </ModalBody>
+          <ModalFooter>
+            <Button variant='default' onClick={() => setShowCreateModal(false)}>
+              Cancel
+            </Button>
+            <Button
+              variant='tertiary'
+              onClick={handleCreateCredential}
+              disabled={
+                (createType === 'oauth'
+                  ? !createOAuthProviderId ||
+                    !createDisplayName.trim() ||
+                    connectOAuthService.isPending ||
+                    Boolean(existingOAuthDisplayName)
+                  : createSecretInputMode === 'bulk'
+                    ? !createBulkText.trim()
+                    : !createEnvKey.trim() ||
+                      !createEnvValue.trim() ||
+                      Boolean(selectedExistingEnvCredential)) ||
+                createCredential.isPending ||
+                savePersonalEnvironment.isPending ||
+                upsertWorkspaceEnvironment.isPending ||
+                disconnectOAuthService.isPending
+              }
+            >
+              {createType === 'oauth'
+                ? connectOAuthService.isPending
+                  ? 'Connecting...'
+                  : 'Connect'
+                : createSecretInputMode === 'bulk'
+                  ? createCredential.isPending ||
+                    savePersonalEnvironment.isPending ||
+                    upsertWorkspaceEnvironment.isPending
+                    ? 'Importing...'
+                    : 'Import all'
+                  : 'Create'}
+            </Button>
+          </ModalFooter>
+        </ModalContent>
+      </Modal>
+      {showCreateOAuthRequiredModal && createOAuthProviderId && (
+        <OAuthRequiredModal
+          isOpen={showCreateOAuthRequiredModal}
+          onClose={() => setShowCreateOAuthRequiredModal(false)}
+          provider={createOAuthProviderId as OAuthProvider}
+          toolName={resolveProviderLabel(createOAuthProviderId)}
+          requiredScopes={createOAuthRequiredScopes}
+          newScopes={[]}
+          serviceId={selectedOAuthService?.id || createOAuthProviderId}
+          onConnect={async () => {
+            await handleConnectOAuthService()
+          }}
+        />
+      )}
+    </div>
+  )
+}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
new file mode 100644
index 0000000000..14c83662ab
--- /dev/null
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
@@ -0,0 +1,15 @@
+'use client'
+
+import { CredentialsManager } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager'
+
+interface CredentialsProps {
+  onOpenChange?: (open: boolean) => void
+}
+
+export function Credentials(_props: CredentialsProps) {
+  return (
+    <div className='h-full min-h-0'>
+      <CredentialsManager />
+    </div>
+  )
+}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
deleted file mode 100644
index 026d646cad..0000000000
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/environment/environment.tsx
+++ /dev/null
@@ -1,864 +0,0 @@
-'use client'
-
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
-import { createLogger } from '@sim/logger'
-import { Plus, Search, Share2, Undo2 } from 'lucide-react'
-import { useParams } from 'next/navigation'
-import {
-  Button,
-  Input as EmcnInput,
-  Modal,
-  ModalBody,
-  ModalContent,
-  ModalFooter,
-  ModalHeader,
-  Tooltip,
-} from '@/components/emcn'
-import { Trash } from '@/components/emcn/icons/trash'
-import { Input, Skeleton } from '@/components/ui'
-import { isValidEnvVarName } from '@/executor/constants'
-import {
-  usePersonalEnvironment,
-  useRemoveWorkspaceEnvironment,
-  useSavePersonalEnvironment,
-  useUpsertWorkspaceEnvironment,
-  useWorkspaceEnvironment,
-  type WorkspaceEnvironmentData,
-} from '@/hooks/queries/environment'
-
-const logger = createLogger('EnvironmentVariables')
-
-const GRID_COLS = 'grid grid-cols-[minmax(0,1fr)_8px_minmax(0,1fr)_auto] items-center'
-
-const generateRowId = (() => {
-  let counter = 0
-  return () => {
-    counter += 1
-    return Date.now() + counter
-  }
-})()
-
-const createEmptyEnvVar = (): UIEnvironmentVariable => ({
-  key: '',
-  value: '',
-  id: generateRowId(),
-})
-
-interface UIEnvironmentVariable {
-  key: string
-  value: string
-  id?: number
-}
-
-/**
- * Validates an environment variable key.
- * Returns an error message if invalid, undefined if valid.
- */
-function validateEnvVarKey(key: string): string | undefined {
-  if (!key) return undefined
-  if (key.includes(' ')) return 'Spaces are not allowed'
-  if (!isValidEnvVarName(key)) return 'Only letters, numbers, and underscores allowed'
-  return undefined
-}
-
-interface EnvironmentVariablesProps {
-  registerBeforeLeaveHandler?: (handler: (onProceed: () => void) => void) => void
-}
-
-interface WorkspaceVariableRowProps {
-  envKey: string
-  value: string
-  renamingKey: string | null
-  pendingKeyValue: string
-  isNewlyPromoted: boolean
-  onRenameStart: (key: string) => void
-  onPendingKeyChange: (value: string) => void
-  onRenameEnd: (key: string, value: string) => void
-  onDelete: (key: string) => void
-  onDemote: (key: string, value: string) => void
-}
-
-function WorkspaceVariableRow({
-  envKey,
-  value,
-  renamingKey,
-  pendingKeyValue,
-  isNewlyPromoted,
-  onRenameStart,
-  onPendingKeyChange,
-  onRenameEnd,
-  onDelete,
-  onDemote,
-}: WorkspaceVariableRowProps) {
-  return (
-    <div className={GRID_COLS}>
-      <EmcnInput
-        value={renamingKey === envKey ? pendingKeyValue : envKey}
-        onChange={(e) => {
-          if (renamingKey !== envKey) onRenameStart(envKey)
-          onPendingKeyChange(e.target.value)
-        }}
-        onBlur={() => onRenameEnd(envKey, value)}
-        name={`workspace_env_key_${envKey}_${Math.random()}`}
-        autoComplete='off'
-        autoCapitalize='off'
-        spellCheck='false'
-        readOnly
-        onFocus={(e) => e.target.removeAttribute('readOnly')}
-        className='h-9'
-      />
-      <div />
-      <EmcnInput
-        value={value ? '•'.repeat(value.length) : ''}
-        readOnly
-        autoComplete='off'
-        autoCorrect='off'
-        autoCapitalize='off'
-        spellCheck='false'
-        className='h-9'
-      />
-      <div className='ml-[8px] flex'>
-        {isNewlyPromoted && (
-          <Tooltip.Root>
-            <Tooltip.Trigger asChild>
-              <Button variant='ghost' onClick={() => onDemote(envKey, value)} className='h-9 w-9'>
-                <Undo2 className='h-3.5 w-3.5' />
-              </Button>
-            </Tooltip.Trigger>
-            <Tooltip.Content>Change to personal scope</Tooltip.Content>
-          </Tooltip.Root>
-        )}
-        <Tooltip.Root>
-          <Tooltip.Trigger asChild>
-            <Button variant='ghost' onClick={() => onDelete(envKey)} className='h-9 w-9'>
-              <Trash />
-            </Button>
-          </Tooltip.Trigger>
-          <Tooltip.Content>Delete environment variable</Tooltip.Content>
-        </Tooltip.Root>
-      </div>
-    </div>
-  )
-}
-
-export function EnvironmentVariables({ registerBeforeLeaveHandler }: EnvironmentVariablesProps) {
-  const params = useParams()
-  const workspaceId = (params?.workspaceId as string) || ''
-
-  const { data: personalEnvData, isLoading: isPersonalLoading } = usePersonalEnvironment()
-  const { data: workspaceEnvData, isLoading: isWorkspaceLoading } = useWorkspaceEnvironment(
-    workspaceId,
-    {
-      select: useCallback(
-        (data: WorkspaceEnvironmentData): WorkspaceEnvironmentData => ({
-          workspace: data.workspace || {},
-          personal: data.personal || {},
-          conflicts: data.conflicts || [],
-        }),
-        []
-      ),
-    }
-  )
-  const savePersonalMutation = useSavePersonalEnvironment()
-  const upsertWorkspaceMutation = useUpsertWorkspaceEnvironment()
-  const removeWorkspaceMutation = useRemoveWorkspaceEnvironment()
-
-  const isLoading = isPersonalLoading || isWorkspaceLoading
-  const variables = useMemo(() => personalEnvData || {}, [personalEnvData])
-
-  const [envVars, setEnvVars] = useState<UIEnvironmentVariable[]>([])
-  const [searchTerm, setSearchTerm] = useState('')
-  const [focusedValueIndex, setFocusedValueIndex] = useState<number | null>(null)
-  const [showUnsavedChanges, setShowUnsavedChanges] = useState(false)
-  const [shouldScrollToBottom, setShouldScrollToBottom] = useState(false)
-  const [workspaceVars, setWorkspaceVars] = useState<Record<string, string>>({})
-  const [conflicts, setConflicts] = useState<string[]>([])
-  const [renamingKey, setRenamingKey] = useState<string | null>(null)
-  const [pendingKeyValue, setPendingKeyValue] = useState<string>('')
-  const [changeToken, setChangeToken] = useState(0)
-
-  const initialWorkspaceVarsRef = useRef<Record<string, string>>({})
-  const scrollContainerRef = useRef<HTMLDivElement>(null)
-  const pendingProceedCallback = useRef<(() => void) | null>(null)
-  const initialVarsRef = useRef<UIEnvironmentVariable[]>([])
-  const hasChangesRef = useRef(false)
-  const hasSavedRef = useRef(false)
-
-  const filteredEnvVars = useMemo(() => {
-    const mapped = envVars.map((envVar, index) => ({ envVar, originalIndex: index }))
-    if (!searchTerm.trim()) return mapped
-    const term = searchTerm.toLowerCase()
-    return mapped.filter(({ envVar }) => envVar.key.toLowerCase().includes(term))
-  }, [envVars, searchTerm])
-
-  const filteredWorkspaceEntries = useMemo(() => {
-    const entries = Object.entries(workspaceVars)
-    if (!searchTerm.trim()) return entries
-    const term = searchTerm.toLowerCase()
-    return entries.filter(([key]) => key.toLowerCase().includes(term))
-  }, [workspaceVars, searchTerm])
-
-  const hasChanges = useMemo(() => {
-    const initialVars = initialVarsRef.current.filter((v) => v.key || v.value)
-    const currentVars = envVars.filter((v) => v.key || v.value)
-    const initialMap = new Map(initialVars.map((v) => [v.key, v.value]))
-    const currentMap = new Map(currentVars.map((v) => [v.key, v.value]))
-
-    if (initialMap.size !== currentMap.size) return true
-
-    for (const [key, value] of currentMap) {
-      if (initialMap.get(key) !== value) return true
-    }
-
-    for (const key of initialMap.keys()) {
-      if (!currentMap.has(key)) return true
-    }
-
-    const before = initialWorkspaceVarsRef.current
-    const after = workspaceVars
-    const allKeys = new Set([...Object.keys(before), ...Object.keys(after)])
-
-    if (Object.keys(before).length !== Object.keys(after).length) return true
-
-    for (const key of allKeys) {
-      if (before[key] !== after[key]) return true
-    }
-
-    return false
-  }, [envVars, workspaceVars, changeToken])
-
-  const hasConflicts = useMemo(() => {
-    return envVars.some((envVar) => !!envVar.key && Object.hasOwn(workspaceVars, envVar.key))
-  }, [envVars, workspaceVars])
-
-  const hasInvalidKeys = useMemo(() => {
-    return envVars.some((envVar) => !!envVar.key && validateEnvVarKey(envVar.key))
-  }, [envVars])
-
-  useEffect(() => {
-    hasChangesRef.current = hasChanges
-  }, [hasChanges])
-
-  const handleBeforeLeave = useCallback((onProceed: () => void) => {
-    if (hasChangesRef.current) {
-      setShowUnsavedChanges(true)
-      pendingProceedCallback.current = onProceed
-    } else {
-      onProceed()
-    }
-  }, [])
-
-  useEffect(() => {
-    if (hasSavedRef.current) return
-
-    const existingVars = Object.values(variables)
-    const initialVars = existingVars.length
-      ? existingVars.map((envVar) => ({
-          ...envVar,
-          id: generateRowId(),
-        }))
-      : [createEmptyEnvVar()]
-    initialVarsRef.current = JSON.parse(JSON.stringify(initialVars))
-    setEnvVars(JSON.parse(JSON.stringify(initialVars)))
-    pendingProceedCallback.current = null
-  }, [variables])
-
-  useEffect(() => {
-    if (workspaceEnvData) {
-      if (hasSavedRef.current) {
-        setConflicts(workspaceEnvData?.conflicts || [])
-        hasSavedRef.current = false
-      } else {
-        setWorkspaceVars(workspaceEnvData?.workspace || {})
-        initialWorkspaceVarsRef.current = workspaceEnvData?.workspace || {}
-        setConflicts(workspaceEnvData?.conflicts || [])
-      }
-    }
-  }, [workspaceEnvData])
-
-  useEffect(() => {
-    if (registerBeforeLeaveHandler) {
-      registerBeforeLeaveHandler(handleBeforeLeave)
-    }
-  }, [registerBeforeLeaveHandler, handleBeforeLeave])
-
-  useEffect(() => {
-    if (shouldScrollToBottom && scrollContainerRef.current) {
-      scrollContainerRef.current.scrollTo({
-        top: scrollContainerRef.current.scrollHeight,
-        behavior: 'smooth',
-      })
-      setShouldScrollToBottom(false)
-    }
-  }, [shouldScrollToBottom])
-
-  useEffect(() => {
-    const personalKeys = envVars.map((envVar) => envVar.key.trim()).filter((key) => key.length > 0)
-
-    const uniquePersonalKeys = Array.from(new Set(personalKeys))
-
-    const computedConflicts = uniquePersonalKeys.filter((key) => Object.hasOwn(workspaceVars, key))
-
-    setConflicts((prev) => {
-      if (prev.length === computedConflicts.length) {
-        const sameKeys = prev.every((key) => computedConflicts.includes(key))
-        if (sameKeys) return prev
-      }
-      return computedConflicts
-    })
-  }, [envVars, workspaceVars])
-
-  const handleWorkspaceKeyRename = useCallback(
-    (currentKey: string, currentValue: string) => {
-      const newKey = pendingKeyValue.trim()
-      if (!renamingKey || renamingKey !== currentKey) return
-      setRenamingKey(null)
-      if (!newKey || newKey === currentKey) return
-
-      setWorkspaceVars((prev) => {
-        const next = { ...prev }
-        delete next[currentKey]
-        next[newKey] = currentValue
-        return next
-      })
-    },
-    [pendingKeyValue, renamingKey]
-  )
-
-  const handleDeleteWorkspaceVar = useCallback((key: string) => {
-    setWorkspaceVars((prev) => {
-      const next = { ...prev }
-      delete next[key]
-      return next
-    })
-  }, [])
-
-  const addEnvVar = useCallback(() => {
-    setEnvVars((prev) => [...prev, createEmptyEnvVar()])
-    setSearchTerm('')
-    setShouldScrollToBottom(true)
-  }, [])
-
-  const updateEnvVar = useCallback((index: number, field: 'key' | 'value', value: string) => {
-    setEnvVars((prev) => {
-      const newEnvVars = [...prev]
-      newEnvVars[index][field] = value
-      return newEnvVars
-    })
-  }, [])
-
-  const removeEnvVar = useCallback((index: number) => {
-    setEnvVars((prev) => {
-      const newEnvVars = prev.filter((_, i) => i !== index)
-      return newEnvVars.length ? newEnvVars : [createEmptyEnvVar()]
-    })
-  }, [])
-
-  const handleValueFocus = useCallback((index: number, e: React.FocusEvent<HTMLInputElement>) => {
-    setFocusedValueIndex(index)
-    e.target.scrollLeft = 0
-  }, [])
-
-  const handleValueClick = useCallback((e: React.MouseEvent<HTMLInputElement>) => {
-    e.preventDefault()
-    e.currentTarget.scrollLeft = 0
-  }, [])
-
-  const parseEnvVarLine = useCallback((line: string): UIEnvironmentVariable | null => {
-    const trimmed = line.trim()
-
-    if (!trimmed || trimmed.startsWith('#')) return null
-
-    const withoutExport = trimmed.replace(/^export\s+/, '')
-
-    const equalIndex = withoutExport.indexOf('=')
-    if (equalIndex === -1 || equalIndex === 0) return null
-
-    const potentialKey = withoutExport.substring(0, equalIndex).trim()
-    if (!isValidEnvVarName(potentialKey)) return null
-
-    let value = withoutExport.substring(equalIndex + 1)
-
-    const looksLikeBase64Key = /^[A-Za-z0-9+/]+$/.test(potentialKey) && !potentialKey.includes('_')
-    const valueIsJustPadding = /^=+$/.test(value.trim())
-    if (looksLikeBase64Key && valueIsJustPadding && potentialKey.length > 20) {
-      return null
-    }
-
-    const trimmedValue = value.trim()
-    if (
-      !trimmedValue.startsWith('"') &&
-      !trimmedValue.startsWith("'") &&
-      !trimmedValue.startsWith('`')
-    ) {
-      const commentIndex = value.search(/\s#/)
-      if (commentIndex !== -1) {
-        value = value.substring(0, commentIndex)
-      }
-    }
-
-    value = value.trim()
-
-    if (
-      (value.startsWith('"') && value.endsWith('"')) ||
-      (value.startsWith("'") && value.endsWith("'")) ||
-      (value.startsWith('`') && value.endsWith('`'))
-    ) {
-      value = value.slice(1, -1)
-    }
-
-    return { key: potentialKey, value, id: generateRowId() }
-  }, [])
-
-  const handleSingleValuePaste = useCallback(
-    (text: string, index: number, inputType: 'key' | 'value') => {
-      setEnvVars((prev) => {
-        const newEnvVars = [...prev]
-        newEnvVars[index][inputType] = text
-        return newEnvVars
-      })
-    },
-    []
-  )
-
-  const handleKeyValuePaste = useCallback(
-    (lines: string[]) => {
-      const parsedVars = lines
-        .map(parseEnvVarLine)
-        .filter((parsed): parsed is UIEnvironmentVariable => parsed !== null)
-        .filter(({ key, value }) => key && value)
-
-      if (parsedVars.length > 0) {
-        setEnvVars((prev) => {
-          const existingVars = prev.filter((v) => v.key || v.value)
-          return [...existingVars, ...parsedVars]
-        })
-        setShouldScrollToBottom(true)
-      }
-    },
-    [parseEnvVarLine]
-  )
-
-  const handlePaste = useCallback(
-    (e: React.ClipboardEvent<HTMLInputElement>, index: number) => {
-      const text = e.clipboardData.getData('text').trim()
-      if (!text) return
-
-      const lines = text.split('\n').filter((line) => line.trim())
-      if (lines.length === 0) return
-
-      e.preventDefault()
-
-      const inputType = (e.target as HTMLInputElement).getAttribute('data-input-type') as
-        | 'key'
-        | 'value'
-
-      if (inputType) {
-        const hasValidEnvVarPattern = lines.some((line) => parseEnvVarLine(line) !== null)
-        if (!hasValidEnvVarPattern) {
-          handleSingleValuePaste(text, index, inputType)
-          return
-        }
-      }
-
-      handleKeyValuePaste(lines)
-    },
-    [parseEnvVarLine, handleSingleValuePaste, handleKeyValuePaste]
-  )
-
-  const handleCancel = useCallback(() => {
-    setEnvVars(JSON.parse(JSON.stringify(initialVarsRef.current)))
-    setWorkspaceVars({ ...initialWorkspaceVarsRef.current })
-    setShowUnsavedChanges(false)
-
-    pendingProceedCallback.current?.()
-    pendingProceedCallback.current = null
-  }, [])
-
-  const handleSave = useCallback(async () => {
-    const onProceed = pendingProceedCallback.current
-
-    const prevInitialVars = [...initialVarsRef.current]
-    const prevInitialWorkspaceVars = { ...initialWorkspaceVarsRef.current }
-
-    try {
-      setShowUnsavedChanges(false)
-      hasSavedRef.current = true
-
-      initialWorkspaceVarsRef.current = { ...workspaceVars }
-      initialVarsRef.current = JSON.parse(JSON.stringify(envVars.filter((v) => v.key && v.value)))
-
-      setChangeToken((prev) => prev + 1)
-
-      const validVariables = envVars
-        .filter((v) => v.key && v.value)
-        .reduce<Record<string, string>>((acc, { key, value }) => ({ ...acc, [key]: value }), {})
-
-      await savePersonalMutation.mutateAsync({ variables: validVariables })
-
-      const before = prevInitialWorkspaceVars
-      const after = workspaceVars
-      const toUpsert: Record<string, string> = {}
-      const toDelete: string[] = []
-
-      for (const [k, v] of Object.entries(after)) {
-        if (!(k in before) || before[k] !== v) {
-          toUpsert[k] = v
-        }
-      }
-
-      for (const k of Object.keys(before)) {
-        if (!(k in after)) toDelete.push(k)
-      }
-
-      if (workspaceId) {
-        if (Object.keys(toUpsert).length) {
-          await upsertWorkspaceMutation.mutateAsync({ workspaceId, variables: toUpsert })
-        }
-        if (toDelete.length) {
-          await removeWorkspaceMutation.mutateAsync({ workspaceId, keys: toDelete })
-        }
-      }
-
-      onProceed?.()
-      pendingProceedCallback.current = null
-    } catch (error) {
-      hasSavedRef.current = false
-      initialVarsRef.current = prevInitialVars
-      initialWorkspaceVarsRef.current = prevInitialWorkspaceVars
-      logger.error('Failed to save environment variables:', error)
-    }
-  }, [
-    envVars,
-    workspaceVars,
-    workspaceId,
-    savePersonalMutation,
-    upsertWorkspaceMutation,
-    removeWorkspaceMutation,
-  ])
-
-  const promoteToWorkspace = useCallback(
-    (envVar: UIEnvironmentVariable) => {
-      if (!envVar.key || !envVar.value || !workspaceId) return
-      setWorkspaceVars((prev) => ({ ...prev, [envVar.key]: envVar.value }))
-      setEnvVars((prev) => {
-        const filtered = prev.filter((entry) => entry !== envVar)
-        return filtered.length ? filtered : [createEmptyEnvVar()]
-      })
-    },
-    [workspaceId]
-  )
-
-  const demoteToPersonal = useCallback((key: string, value: string) => {
-    if (!key) return
-    setWorkspaceVars((prev) => {
-      const next = { ...prev }
-      delete next[key]
-      return next
-    })
-    setEnvVars((prev) => [...prev, { key, value, id: generateRowId() }])
-  }, [])
-
-  const conflictClassName = 'border-[var(--text-error)] bg-[#F6D2D2] dark:bg-[#442929]'
-
-  const renderEnvVarRow = useCallback(
-    (envVar: UIEnvironmentVariable, originalIndex: number) => {
-      const isConflict = !!envVar.key && Object.hasOwn(workspaceVars, envVar.key)
-      const keyError = validateEnvVarKey(envVar.key)
-      const maskedValueStyle =
-        focusedValueIndex !== originalIndex && !isConflict
-          ? ({ WebkitTextSecurity: 'disc' } as React.CSSProperties)
-          : undefined
-
-      return (
-        <>
-          <div className={GRID_COLS}>
-            <EmcnInput
-              data-input-type='key'
-              value={envVar.key}
-              onChange={(e) => updateEnvVar(originalIndex, 'key', e.target.value)}
-              onPaste={(e) => handlePaste(e, originalIndex)}
-              placeholder='API_KEY'
-              name={`env_variable_name_${envVar.id || originalIndex}_${Math.random()}`}
-              autoComplete='off'
-              autoCapitalize='off'
-              spellCheck='false'
-              readOnly
-              onFocus={(e) => e.target.removeAttribute('readOnly')}
-              className={`h-9 ${isConflict ? conflictClassName : ''} ${keyError ? 'border-[var(--text-error)]' : ''}`}
-            />
-            <div />
-            <EmcnInput
-              data-input-type='value'
-              value={envVar.value}
-              onChange={(e) => updateEnvVar(originalIndex, 'value', e.target.value)}
-              type='text'
-              onFocus={(e) => {
-                if (!isConflict) {
-                  e.target.removeAttribute('readOnly')
-                  handleValueFocus(originalIndex, e)
-                }
-              }}
-              onClick={handleValueClick}
-              onBlur={() => setFocusedValueIndex(null)}
-              onPaste={(e) => handlePaste(e, originalIndex)}
-              placeholder={isConflict ? 'Workspace override active' : 'Enter value'}
-              disabled={isConflict}
-              aria-disabled={isConflict}
-              name={`env_variable_value_${envVar.id || originalIndex}_${Math.random()}`}
-              autoComplete='off'
-              autoCapitalize='off'
-              spellCheck='false'
-              readOnly={isConflict}
-              style={maskedValueStyle}
-              className={`h-9 ${isConflict ? `cursor-not-allowed ${conflictClassName}` : ''}`}
-            />
-            <div className='ml-[8px] flex items-center'>
-              <Tooltip.Root>
-                <Tooltip.Trigger asChild>
-                  <Button
-                    variant='ghost'
-                    disabled={!envVar.key || !envVar.value || isConflict || !workspaceId}
-                    onClick={() => promoteToWorkspace(envVar)}
-                    className='h-9 w-9'
-                  >
-                    <Share2 className='h-3.5 w-3.5' />
-                  </Button>
-                </Tooltip.Trigger>
-                <Tooltip.Content>Change to workspace scope</Tooltip.Content>
-              </Tooltip.Root>
-              <Tooltip.Root>
-                <Tooltip.Trigger asChild>
-                  <Button
-                    variant='ghost'
-                    onClick={() => removeEnvVar(originalIndex)}
-                    className='h-9 w-9'
-                  >
-                    <Trash />
-                  </Button>
-                </Tooltip.Trigger>
-                <Tooltip.Content>Delete environment variable</Tooltip.Content>
-              </Tooltip.Root>
-            </div>
-          </div>
-          {keyError && (
-            <div className='col-span-3 mt-[4px] text-[12px] text-[var(--text-error)] leading-tight'>
-              {keyError}
-            </div>
-          )}
-          {isConflict && !keyError && (
-            <div className='col-span-3 mt-[4px] text-[12px] text-[var(--text-error)] leading-tight'>
-              Workspace variable with the same name overrides this. Rename your personal key to use
-              it.
-            </div>
-          )}
-        </>
-      )
-    },
-    [
-      workspaceVars,
-      workspaceId,
-      focusedValueIndex,
-      updateEnvVar,
-      handlePaste,
-      handleValueFocus,
-      handleValueClick,
-      promoteToWorkspace,
-      removeEnvVar,
-    ]
-  )
-
-  return (
-    <>
-      <div className='flex h-full flex-col gap-[16px]'>
-        <div className='hidden'>
-          <input
-            type='text'
-            name='fakeusernameremembered'
-            autoComplete='username'
-            tabIndex={-1}
-            readOnly
-          />
-          <input
-            type='password'
-            name='fakepasswordremembered'
-            autoComplete='current-password'
-            tabIndex={-1}
-            readOnly
-          />
-          <input
-            type='email'
-            name='fakeemailremembered'
-            autoComplete='email'
-            tabIndex={-1}
-            readOnly
-          />
-        </div>
-        <div className='flex items-center gap-[8px]'>
-          <div className='flex flex-1 items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
-            <Search
-              className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]'
-              strokeWidth={2}
-            />
-            <Input
-              placeholder='Search variables...'
-              value={searchTerm}
-              onChange={(e) => setSearchTerm(e.target.value)}
-              name='env_search_field'
-              autoComplete='off'
-              autoCapitalize='off'
-              spellCheck='false'
-              readOnly
-              onFocus={(e) => e.target.removeAttribute('readOnly')}
-              className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
-            />
-          </div>
-          <Button onClick={addEnvVar} variant='tertiary' disabled={isLoading}>
-            <Plus className='mr-[6px] h-[13px] w-[13px]' />
-            Add
-          </Button>
-          <Tooltip.Root>
-            <Tooltip.Trigger asChild>
-              <Button
-                onClick={handleSave}
-                disabled={isLoading || !hasChanges || hasConflicts || hasInvalidKeys}
-                variant='tertiary'
-                className={`${hasConflicts || hasInvalidKeys ? 'cursor-not-allowed opacity-50' : ''}`}
-              >
-                Save
-              </Button>
-            </Tooltip.Trigger>
-            {hasConflicts && <Tooltip.Content>Resolve all conflicts before saving</Tooltip.Content>}
-            {hasInvalidKeys && !hasConflicts && (
-              <Tooltip.Content>Fix invalid variable names before saving</Tooltip.Content>
-            )}
-          </Tooltip.Root>
-        </div>
-
-        <div ref={scrollContainerRef} className='min-h-0 flex-1 overflow-y-auto'>
-          <div className='flex flex-col gap-[16px]'>
-            {isLoading ? (
-              <>
-                <div className='flex flex-col gap-[8px]'>
-                  <Skeleton className='h-5 w-[70px]' />
-                  <div className='text-[13px] text-[var(--text-muted)]'>
-                    <Skeleton className='h-5 w-[160px]' />
-                  </div>
-                </div>
-                <div className='flex flex-col gap-[8px]'>
-                  <Skeleton className='h-5 w-[55px]' />
-                  {Array.from({ length: 2 }, (_, i) => (
-                    <div key={`personal-${i}`} className={GRID_COLS}>
-                      <Skeleton className='h-9 rounded-[6px]' />
-                      <div />
-                      <Skeleton className='h-9 rounded-[6px]' />
-                      <div className='ml-[8px] flex items-center gap-0'>
-                        <Skeleton className='h-9 w-9 rounded-[6px]' />
-                        <Skeleton className='h-9 w-9 rounded-[6px]' />
-                      </div>
-                    </div>
-                  ))}
-                </div>
-              </>
-            ) : (
-              <>
-                {(!searchTerm.trim() || filteredWorkspaceEntries.length > 0) && (
-                  <div className='flex flex-col gap-[8px]'>
-                    <div className='font-medium text-[13px] text-[var(--text-secondary)]'>
-                      Workspace
-                    </div>
-                    {!searchTerm.trim() && Object.keys(workspaceVars).length === 0 ? (
-                      <div className='text-[13px] text-[var(--text-muted)]'>
-                        No workspace variables yet
-                      </div>
-                    ) : (
-                      (searchTerm.trim()
-                        ? filteredWorkspaceEntries
-                        : Object.entries(workspaceVars)
-                      ).map(([key, value]) => (
-                        <WorkspaceVariableRow
-                          key={key}
-                          envKey={key}
-                          value={value}
-                          renamingKey={renamingKey}
-                          pendingKeyValue={pendingKeyValue}
-                          isNewlyPromoted={!Object.hasOwn(initialWorkspaceVarsRef.current, key)}
-                          onRenameStart={setRenamingKey}
-                          onPendingKeyChange={setPendingKeyValue}
-                          onRenameEnd={handleWorkspaceKeyRename}
-                          onDelete={handleDeleteWorkspaceVar}
-                          onDemote={demoteToPersonal}
-                        />
-                      ))
-                    )}
-                  </div>
-                )}
-
-                {(!searchTerm.trim() || filteredEnvVars.length > 0) && (
-                  <div className='flex flex-col gap-[8px]'>
-                    <div className='font-medium text-[13px] text-[var(--text-secondary)]'>
-                      Personal
-                    </div>
-                    {filteredEnvVars.map(({ envVar, originalIndex }) => (
-                      <div key={envVar.id || originalIndex}>
-                        {renderEnvVarRow(envVar, originalIndex)}
-                      </div>
-                    ))}
-                  </div>
-                )}
-                {searchTerm.trim() &&
-                  filteredEnvVars.length === 0 &&
-                  filteredWorkspaceEntries.length === 0 &&
-                  (envVars.length > 0 || Object.keys(workspaceVars).length > 0) && (
-                    <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
-                      No environment variables found matching "{searchTerm}"
-                    </div>
-                  )}
-              </>
-            )}
-          </div>
-        </div>
-      </div>
-
-      <Modal open={showUnsavedChanges} onOpenChange={setShowUnsavedChanges}>
-        <ModalContent size='sm'>
-          <ModalHeader>Unsaved Changes</ModalHeader>
-          <ModalBody>
-            <p className='text-[12px] text-[var(--text-secondary)]'>
-              {hasConflicts || hasInvalidKeys
-                ? `You have unsaved changes, but ${hasConflicts ? 'conflicts must be resolved' : 'invalid variable names must be fixed'} before saving. You can discard your changes to close the modal.`
-                : 'You have unsaved changes. Do you want to save them before closing?'}
-            </p>
-          </ModalBody>
-          <ModalFooter>
-            <Button variant='destructive' onClick={handleCancel}>
-              Discard Changes
-            </Button>
-            {hasConflicts || hasInvalidKeys ? (
-              <Tooltip.Root>
-                <Tooltip.Trigger asChild>
-                  <Button
-                    disabled={true}
-                    variant='tertiary'
-                    className='cursor-not-allowed opacity-50'
-                  >
-                    Save Changes
-                  </Button>
-                </Tooltip.Trigger>
-                <Tooltip.Content>
-                  {hasConflicts
-                    ? 'Resolve all conflicts before saving'
-                    : 'Fix invalid variable names before saving'}
-                </Tooltip.Content>
-              </Tooltip.Root>
-            ) : (
-              <Button onClick={handleSave} variant='tertiary'>
-                Save Changes
-              </Button>
-            )}
-          </ModalFooter>
-        </ModalContent>
-      </Modal>
-    </>
-  )
-}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
index 744e1be4e1..c19f269fe7 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
@@ -2,12 +2,11 @@ export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
 export { CredentialSets } from './credential-sets/credential-sets'
+export { Credentials } from './credentials/credentials'
 export { CustomTools } from './custom-tools/custom-tools'
 export { Debug } from './debug/debug'
-export { EnvironmentVariables } from './environment/environment'
 export { Files as FileUploads } from './files/files'
 export { General } from './general/general'
-export { Integrations } from './integrations/integrations'
 export { MCP } from './mcp/mcp'
 export { Skills } from './skills/skills'
 export { Subscription } from './subscription/subscription'
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx
deleted file mode 100644
index dabdfc03f8..0000000000
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx
+++ /dev/null
@@ -1,417 +0,0 @@
-'use client'
-
-import { createElement, useEffect, useRef, useState } from 'react'
-import { createLogger } from '@sim/logger'
-import { Check, ChevronDown, ExternalLink, Search } from 'lucide-react'
-import { useRouter, useSearchParams } from 'next/navigation'
-import {
-  Button,
-  Label,
-  Modal,
-  ModalBody,
-  ModalContent,
-  ModalFooter,
-  ModalHeader,
-} from '@/components/emcn'
-import { Input, Skeleton } from '@/components/ui'
-import { cn } from '@/lib/core/utils/cn'
-import { OAUTH_PROVIDERS } from '@/lib/oauth'
-import {
-  type ServiceInfo,
-  useConnectOAuthService,
-  useDisconnectOAuthService,
-  useOAuthConnections,
-} from '@/hooks/queries/oauth-connections'
-import { usePermissionConfig } from '@/hooks/use-permission-config'
-
-const logger = createLogger('Integrations')
-
-/**
- * Static skeleton structure matching OAUTH_PROVIDERS layout
- * Each entry: [providerName, serviceCount]
- */
-const SKELETON_STRUCTURE: [string, number][] = [
-  ['Google', 7],
-  ['Microsoft', 6],
-  ['GitHub', 1],
-  ['X', 1],
-  ['Confluence', 1],
-  ['Jira', 1],
-  ['Airtable', 1],
-  ['Notion', 1],
-  ['Linear', 1],
-  ['Slack', 1],
-  ['Reddit', 1],
-  ['Wealthbox', 1],
-  ['Webflow', 1],
-  ['Trello', 1],
-  ['Asana', 1],
-  ['Pipedrive', 1],
-  ['HubSpot', 1],
-  ['Salesforce', 1],
-]
-
-function IntegrationsSkeleton() {
-  return (
-    <div className='flex h-full flex-col gap-[16px]'>
-      <div className='flex w-full items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
-        <Search className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]' />
-        <Input
-          placeholder='Search integrations...'
-          disabled
-          className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
-        />
-      </div>
-
-      <div className='min-h-0 flex-1 overflow-y-auto'>
-        <div className='flex flex-col gap-[16px]'>
-          {SKELETON_STRUCTURE.map(([providerName, serviceCount]) => (
-            <div key={providerName} className='flex flex-col gap-[8px]'>
-              <Skeleton className='h-[14px] w-[60px]' />
-              {Array.from({ length: serviceCount }).map((_, index) => (
-                <div key={index} className='flex items-center justify-between'>
-                  <div className='flex items-center gap-[12px]'>
-                    <Skeleton className='h-9 w-9 flex-shrink-0 rounded-[6px]' />
-                    <div className='flex flex-col justify-center gap-[1px]'>
-                      <Skeleton className='h-[14px] w-[100px]' />
-                      <Skeleton className='h-[13px] w-[200px]' />
-                    </div>
-                  </div>
-                  <Skeleton className='h-[32px] w-[72px] rounded-[6px]' />
-                </div>
-              ))}
-            </div>
-          ))}
-        </div>
-      </div>
-    </div>
-  )
-}
-
-interface IntegrationsProps {
-  onOpenChange?: (open: boolean) => void
-  registerCloseHandler?: (handler: (open: boolean) => void) => void
-}
-
-export function Integrations({ onOpenChange, registerCloseHandler }: IntegrationsProps) {
-  const router = useRouter()
-  const searchParams = useSearchParams()
-  const pendingServiceRef = useRef<HTMLDivElement>(null)
-
-  const { data: services = [], isPending } = useOAuthConnections()
-  const connectService = useConnectOAuthService()
-  const disconnectService = useDisconnectOAuthService()
-  const { config: permissionConfig } = usePermissionConfig()
-
-  const [searchTerm, setSearchTerm] = useState('')
-  const [pendingService, setPendingService] = useState<string | null>(null)
-  const [authSuccess, setAuthSuccess] = useState(false)
-  const [showActionRequired, setShowActionRequired] = useState(false)
-  const prevConnectedIdsRef = useRef<Set<string>>(new Set())
-  const connectionAddedRef = useRef<boolean>(false)
-
-  // Disconnect confirmation dialog state
-  const [showDisconnectDialog, setShowDisconnectDialog] = useState(false)
-  const [serviceToDisconnect, setServiceToDisconnect] = useState<{
-    service: ServiceInfo
-    accountId: string
-  } | null>(null)
-
-  // Check for OAuth callback - just show success message
-  useEffect(() => {
-    const code = searchParams.get('code')
-    const state = searchParams.get('state')
-    const error = searchParams.get('error')
-
-    if (code && state) {
-      logger.info('OAuth callback successful')
-      setAuthSuccess(true)
-
-      // Clear URL parameters without changing the page
-      const url = new URL(window.location.href)
-      url.searchParams.delete('code')
-      url.searchParams.delete('state')
-      router.replace(url.pathname + url.search)
-    } else if (error) {
-      logger.error('OAuth error:', { error })
-    }
-  }, [searchParams, router])
-
-  // Track when a new connection is added compared to previous render
-  useEffect(() => {
-    try {
-      const currentConnected = new Set<string>()
-      services.forEach((svc) => {
-        if (svc.isConnected) currentConnected.add(svc.id)
-      })
-      // Detect new connections by comparing to previous connected set
-      for (const id of currentConnected) {
-        if (!prevConnectedIdsRef.current.has(id)) {
-          connectionAddedRef.current = true
-          break
-        }
-      }
-      prevConnectedIdsRef.current = currentConnected
-    } catch {}
-  }, [services])
-
-  // On mount, register a close handler so the parent modal can delegate close events here
-  useEffect(() => {
-    if (!registerCloseHandler) return
-    const handle = (open: boolean) => {
-      if (open) return
-      try {
-        if (typeof window !== 'undefined') {
-          window.dispatchEvent(
-            new CustomEvent('oauth-integration-closed', {
-              detail: { success: connectionAddedRef.current === true },
-            })
-          )
-        }
-      } catch {}
-      onOpenChange?.(open)
-    }
-    registerCloseHandler(handle)
-  }, [registerCloseHandler, onOpenChange])
-
-  // Handle connect button click
-  const handleConnect = async (service: ServiceInfo) => {
-    try {
-      logger.info('Connecting service:', {
-        serviceId: service.id,
-        providerId: service.providerId,
-        scopes: service.scopes,
-      })
-
-      // better-auth will automatically redirect back to this URL after OAuth
-      await connectService.mutateAsync({
-        providerId: service.providerId,
-        callbackURL: window.location.href,
-      })
-    } catch (error) {
-      logger.error('OAuth connection error:', { error })
-    }
-  }
-
-  /**
-   * Opens the disconnect confirmation dialog for a service.
-   */
-  const handleDisconnect = (service: ServiceInfo, accountId: string) => {
-    setServiceToDisconnect({ service, accountId })
-    setShowDisconnectDialog(true)
-  }
-
-  /**
-   * Confirms and executes the service disconnection.
-   */
-  const confirmDisconnect = async () => {
-    if (!serviceToDisconnect) return
-
-    setShowDisconnectDialog(false)
-    const { service, accountId } = serviceToDisconnect
-    setServiceToDisconnect(null)
-
-    try {
-      await disconnectService.mutateAsync({
-        provider: service.providerId.split('-')[0],
-        providerId: service.providerId,
-        serviceId: service.id,
-        accountId,
-      })
-    } catch (error) {
-      logger.error('Error disconnecting service:', { error })
-    }
-  }
-
-  // Group services by provider, filtering by permission config
-  const groupedServices = services.reduce(
-    (acc, service) => {
-      // Filter based on allowedIntegrations
-      if (
-        permissionConfig.allowedIntegrations !== null &&
-        !permissionConfig.allowedIntegrations.includes(service.id)
-      ) {
-        return acc
-      }
-
-      // Find the provider for this service
-      const providerKey =
-        Object.keys(OAUTH_PROVIDERS).find((key) =>
-          Object.keys(OAUTH_PROVIDERS[key].services).includes(service.id)
-        ) || 'other'
-
-      if (!acc[providerKey]) {
-        acc[providerKey] = []
-      }
-
-      acc[providerKey].push(service)
-      return acc
-    },
-    {} as Record<string, ServiceInfo[]>
-  )
-
-  // Filter services based on search term
-  const filteredGroupedServices = Object.entries(groupedServices).reduce(
-    (acc, [providerKey, providerServices]) => {
-      const filteredServices = providerServices.filter(
-        (service) =>
-          service.name.toLowerCase().includes(searchTerm.toLowerCase()) ||
-          service.description.toLowerCase().includes(searchTerm.toLowerCase())
-      )
-
-      if (filteredServices.length > 0) {
-        acc[providerKey] = filteredServices
-      }
-
-      return acc
-    },
-    {} as Record<string, ServiceInfo[]>
-  )
-
-  const scrollToHighlightedService = () => {
-    if (pendingServiceRef.current) {
-      pendingServiceRef.current.scrollIntoView({
-        behavior: 'smooth',
-        block: 'center',
-      })
-    }
-  }
-
-  if (isPending) {
-    return <IntegrationsSkeleton />
-  }
-
-  return (
-    <>
-      <div className='flex h-full flex-col gap-[16px]'>
-        <div className='flex w-full items-center gap-[8px] rounded-[8px] border border-[var(--border)] bg-transparent px-[8px] py-[5px] transition-colors duration-100 dark:bg-[var(--surface-4)] dark:hover:border-[var(--border-1)] dark:hover:bg-[var(--surface-5)]'>
-          <Search className='h-[14px] w-[14px] flex-shrink-0 text-[var(--text-tertiary)]' />
-          <Input
-            placeholder='Search services...'
-            value={searchTerm}
-            onChange={(e) => setSearchTerm(e.target.value)}
-            className='h-auto flex-1 border-0 bg-transparent p-0 font-base leading-none placeholder:text-[var(--text-tertiary)] focus-visible:ring-0 focus-visible:ring-offset-0'
-          />
-        </div>
-
-        <div className='min-h-0 flex-1 overflow-y-auto'>
-          <div className='flex flex-col gap-[16px]'>
-            {authSuccess && (
-              <div className='flex items-center gap-[12px] rounded-[8px] border border-green-200 bg-green-50 p-[12px]'>
-                <Check className='h-4 w-4 flex-shrink-0 text-green-500' />
-                <p className='font-medium text-[13px] text-green-800'>
-                  Account connected successfully!
-                </p>
-              </div>
-            )}
-
-            {pendingService && showActionRequired && (
-              <div className='flex items-start gap-[12px] rounded-[8px] border border-[var(--border)] bg-[var(--bg)] p-[12px]'>
-                <ExternalLink className='mt-0.5 h-4 w-4 flex-shrink-0 text-[var(--text-muted)]' />
-                <div className='flex flex-1 flex-col gap-[8px]'>
-                  <p className='text-[13px] text-[var(--text-muted)]'>
-                    <span className='font-medium text-[var(--text-primary)]'>Action Required:</span>{' '}
-                    Please connect your account to enable the requested features.
-                  </p>
-                  <Button variant='outline' onClick={scrollToHighlightedService}>
-                    <span>Go to service</span>
-                    <ChevronDown className='h-3 w-3' />
-                  </Button>
-                </div>
-              </div>
-            )}
-
-            <div className='flex flex-col gap-[16px]'>
-              {Object.entries(filteredGroupedServices).map(([providerKey, providerServices]) => (
-                <div key={providerKey} className='flex flex-col gap-[8px]'>
-                  <Label className='text-[12px] text-[var(--text-tertiary)]'>
-                    {OAUTH_PROVIDERS[providerKey]?.name || 'Other Services'}
-                  </Label>
-                  {providerServices.map((service) => (
-                    <div
-                      key={service.id}
-                      className={cn(
-                        'flex items-center justify-between',
-                        pendingService === service.id &&
-                          '-m-[8px] rounded-[8px] bg-[var(--bg)] p-[8px]'
-                      )}
-                      ref={pendingService === service.id ? pendingServiceRef : undefined}
-                    >
-                      <div className='flex items-center gap-[12px]'>
-                        <div className='flex h-9 w-9 flex-shrink-0 items-center justify-center overflow-hidden rounded-[6px] bg-[var(--surface-5)]'>
-                          {createElement(service.icon, { className: 'h-4 w-4' })}
-                        </div>
-                        <div className='flex flex-col justify-center gap-[1px]'>
-                          <span className='font-medium text-[14px]'>{service.name}</span>
-                          {service.accounts && service.accounts.length > 0 ? (
-                            <p className='truncate text-[13px] text-[var(--text-muted)]'>
-                              {service.accounts.map((a) => a.name).join(', ')}
-                            </p>
-                          ) : (
-                            <p className='truncate text-[13px] text-[var(--text-muted)]'>
-                              {service.description}
-                            </p>
-                          )}
-                        </div>
-                      </div>
-
-                      {service.accounts && service.accounts.length > 0 ? (
-                        <Button
-                          variant='ghost'
-                          onClick={() => handleDisconnect(service, service.accounts![0].id)}
-                          disabled={disconnectService.isPending}
-                        >
-                          Disconnect
-                        </Button>
-                      ) : (
-                        <Button
-                          variant='tertiary'
-                          onClick={() => handleConnect(service)}
-                          disabled={connectService.isPending}
-                        >
-                          Connect
-                        </Button>
-                      )}
-                    </div>
-                  ))}
-                </div>
-              ))}
-
-              {searchTerm.trim() && Object.keys(filteredGroupedServices).length === 0 && (
-                <div className='py-[16px] text-center text-[13px] text-[var(--text-muted)]'>
-                  No services found matching "{searchTerm}"
-                </div>
-              )}
-            </div>
-          </div>
-        </div>
-      </div>
-
-      <Modal open={showDisconnectDialog} onOpenChange={setShowDisconnectDialog}>
-        <ModalContent size='sm'>
-          <ModalHeader>Disconnect Service</ModalHeader>
-          <ModalBody>
-            <p className='text-[12px] text-[var(--text-secondary)]'>
-              Are you sure you want to disconnect{' '}
-              <span className='font-medium text-[var(--text-primary)]'>
-                {serviceToDisconnect?.service.name}
-              </span>
-              ?{' '}
-              <span className='text-[var(--text-error)]'>
-                This will revoke access and you will need to reconnect to use this service.
-              </span>
-            </p>
-          </ModalBody>
-          <ModalFooter>
-            <Button variant='default' onClick={() => setShowDisconnectDialog(false)}>
-              Cancel
-            </Button>
-            <Button variant='destructive' onClick={confirmDisconnect}>
-              Disconnect
-            </Button>
-          </ModalFooter>
-        </ModalContent>
-      </Modal>
-    </>
-  )
-}
diff --git a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
index 84ef6a61e1..2222b26909 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -1,6 +1,6 @@
 'use client'
 
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
+import { useCallback, useEffect, useMemo, useState } from 'react'
 import * as DialogPrimitive from '@radix-ui/react-dialog'
 import * as VisuallyHidden from '@radix-ui/react-visually-hidden'
 import { useQueryClient } from '@tanstack/react-query'
@@ -20,7 +20,6 @@ import {
 import {
   Card,
   Connections,
-  FolderCode,
   HexSimple,
   Key,
   SModal,
@@ -45,12 +44,11 @@ import {
   BYOK,
   Copilot,
   CredentialSets,
+  Credentials,
   CustomTools,
   Debug,
-  EnvironmentVariables,
   FileUploads,
   General,
-  Integrations,
   MCP,
   Skills,
   Subscription,
@@ -80,9 +78,8 @@ interface SettingsModalProps {
 
 type SettingsSection =
   | 'general'
-  | 'environment'
+  | 'credentials'
   | 'template-profile'
-  | 'integrations'
   | 'credential-sets'
   | 'access-control'
   | 'apikeys'
@@ -156,11 +153,10 @@ const allNavigationItems: NavigationItem[] = [
     requiresHosted: true,
     requiresTeam: true,
   },
-  { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
+  { id: 'credentials', label: 'Credentials', icon: Connections, section: 'tools' },
   { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
   { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
   { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
-  { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
   { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
   { id: 'workflow-mcp-servers', label: 'MCP Servers', icon: Server, section: 'system' },
   {
@@ -218,8 +214,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
 
   const activeOrganization = organizationsData?.activeOrganization
   const { config: permissionConfig } = usePermissionConfig()
-  const environmentBeforeLeaveHandler = useRef<((onProceed: () => void) => void) | null>(null)
-  const integrationsCloseHandler = useRef<((open: boolean) => void) | null>(null)
 
   const userEmail = session?.user?.email
   const userId = session?.user?.id
@@ -256,9 +250,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
       if (item.id === 'apikeys' && permissionConfig.hideApiKeysTab) {
         return false
       }
-      if (item.id === 'environment' && permissionConfig.hideEnvironmentTab) {
-        return false
-      }
       if (item.id === 'files' && permissionConfig.hideFilesTab) {
         return false
       }
@@ -327,26 +318,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
     return activeSection
   }, [activeSection])
 
-  const registerEnvironmentBeforeLeaveHandler = useCallback(
-    (handler: (onProceed: () => void) => void) => {
-      environmentBeforeLeaveHandler.current = handler
-    },
-    []
-  )
-
-  const registerIntegrationsCloseHandler = useCallback((handler: (open: boolean) => void) => {
-    integrationsCloseHandler.current = handler
-  }, [])
-
   const handleSectionChange = useCallback(
     (sectionId: SettingsSection) => {
       if (sectionId === effectiveActiveSection) return
-
-      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
-        environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
-        return
-      }
-
       setActiveSection(sectionId)
     },
     [effectiveActiveSection]
@@ -475,23 +449,8 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
     }
   }
 
-  // Handle dialog close - delegate to environment component if it's active
   const handleDialogOpenChange = (newOpen: boolean) => {
-    if (
-      !newOpen &&
-      effectiveActiveSection === 'environment' &&
-      environmentBeforeLeaveHandler.current
-    ) {
-      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
-    } else if (
-      !newOpen &&
-      effectiveActiveSection === 'integrations' &&
-      integrationsCloseHandler.current
-    ) {
-      integrationsCloseHandler.current(newOpen)
-    } else {
-      onOpenChange(newOpen)
-    }
+    onOpenChange(newOpen)
   }
 
   return (
@@ -502,7 +461,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
         </VisuallyHidden.Root>
         <VisuallyHidden.Root>
           <DialogPrimitive.Description>
-            Configure your workspace settings, environment variables, integrations, and preferences
+            Configure your workspace settings, credentials, and preferences
           </DialogPrimitive.Description>
         </VisuallyHidden.Root>
 
@@ -539,18 +498,10 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
           </SModalMainHeader>
           <SModalMainBody>
             {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'environment' && (
-              <EnvironmentVariables
-                registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
-              />
+            {effectiveActiveSection === 'credentials' && (
+              <Credentials onOpenChange={onOpenChange} />
             )}
             {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
-            {effectiveActiveSection === 'integrations' && (
-              <Integrations
-                onOpenChange={onOpenChange}
-                registerCloseHandler={registerIntegrationsCloseHandler}
-              />
-            )}
             {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
             {effectiveActiveSection === 'access-control' && <AccessControl />}
             {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
diff --git a/apps/sim/blocks/blocks/agent.ts b/apps/sim/blocks/blocks/agent.ts
index 84355f92b8..fc1c3d0522 100644
--- a/apps/sim/blocks/blocks/agent.ts
+++ b/apps/sim/blocks/blocks/agent.ts
@@ -142,6 +142,8 @@ Return ONLY the JSON array.`,
       title: 'Google Cloud Account',
       type: 'oauth-input',
       serviceId: 'vertex-ai',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: ['https://www.googleapis.com/auth/cloud-platform'],
       placeholder: 'Select Google Cloud account',
       required: true,
@@ -150,6 +152,19 @@ Return ONLY the JSON array.`,
         value: providers.vertex.models,
       },
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Cloud Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+      condition: {
+        field: 'model',
+        value: providers.vertex.models,
+      },
+    },
     {
       id: 'reasoningEffort',
       title: 'Reasoning Effort',
@@ -748,6 +763,7 @@ Example 3 (Array Input):
     apiKey: { type: 'string', description: 'Provider API key' },
     azureEndpoint: { type: 'string', description: 'Azure endpoint URL' },
     azureApiVersion: { type: 'string', description: 'Azure API version' },
+    oauthCredential: { type: 'string', description: 'OAuth credential for Vertex AI' },
     vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' },
     vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' },
     bedrockAccessKeyId: { type: 'string', description: 'AWS Access Key ID for Bedrock' },
diff --git a/apps/sim/blocks/blocks/airtable.ts b/apps/sim/blocks/blocks/airtable.ts
index 502032c870..03a4a6f7b7 100644
--- a/apps/sim/blocks/blocks/airtable.ts
+++ b/apps/sim/blocks/blocks/airtable.ts
@@ -32,6 +32,8 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
       id: 'credential',
       title: 'Airtable Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'airtable',
       requiredScopes: [
         'data.records:read',
@@ -42,6 +44,15 @@ export const AirtableBlock: BlockConfig<AirtableResponse> = {
       placeholder: 'Select Airtable account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Airtable Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'baseId',
       title: 'Base ID',
@@ -219,7 +230,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
         }
       },
       params: (params) => {
-        const { credential, records, fields, ...rest } = params
+        const { oauthCredential, records, fields, ...rest } = params
         let parsedRecords: any | undefined
         let parsedFields: any | undefined
 
@@ -237,7 +248,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
 
         // Construct parameters based on operation
         const baseParams = {
-          credential,
+          credential: oauthCredential,
           ...rest,
         }
 
@@ -255,7 +266,7 @@ Return ONLY the valid JSON object - no explanations, no markdown.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Airtable access token' },
+    oauthCredential: { type: 'string', description: 'Airtable access token' },
     baseId: { type: 'string', description: 'Airtable base identifier' },
     tableId: { type: 'string', description: 'Airtable table identifier' },
     // Conditional inputs
diff --git a/apps/sim/blocks/blocks/asana.ts b/apps/sim/blocks/blocks/asana.ts
index d91bfba168..1276e8d572 100644
--- a/apps/sim/blocks/blocks/asana.ts
+++ b/apps/sim/blocks/blocks/asana.ts
@@ -32,12 +32,22 @@ export const AsanaBlock: BlockConfig<AsanaResponse> = {
       id: 'credential',
       title: 'Asana Account',
       type: 'oauth-input',
-
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'asana',
       requiredScopes: ['default'],
       placeholder: 'Select Asana account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Asana Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'workspace',
       title: 'Workspace GID',
@@ -215,7 +225,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
         }
       },
       params: (params) => {
-        const { credential, operation } = params
+        const { oauthCredential, operation } = params
 
         const projectsArray = params.projects
           ? params.projects
@@ -225,7 +235,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
           : undefined
 
         const baseParams = {
-          accessToken: credential?.accessToken,
+          accessToken: oauthCredential?.accessToken,
         }
 
         switch (operation) {
@@ -284,6 +294,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
+    oauthCredential: { type: 'string', description: 'Asana OAuth credential' },
     workspace: { type: 'string', description: 'Workspace GID' },
     taskGid: { type: 'string', description: 'Task GID' },
     getTasks_workspace: { type: 'string', description: 'Workspace GID for getting tasks' },
diff --git a/apps/sim/blocks/blocks/calcom.ts b/apps/sim/blocks/blocks/calcom.ts
index 17b33aaa4d..a294c40b63 100644
--- a/apps/sim/blocks/blocks/calcom.ts
+++ b/apps/sim/blocks/blocks/calcom.ts
@@ -49,9 +49,20 @@ export const CalComBlock: BlockConfig<ToolResponse> = {
       title: 'Cal.com Account',
       type: 'oauth-input',
       serviceId: 'calcom',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       placeholder: 'Select Cal.com account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Cal.com Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     // === Create Booking fields ===
     {
@@ -555,7 +566,7 @@ Return ONLY valid JSON - no explanations.`,
       params: (params) => {
         const {
           operation,
-          credential,
+          oauthCredential,
           attendeeName,
           attendeeEmail,
           attendeeTimeZone,
@@ -745,7 +756,7 @@ Return ONLY valid JSON - no explanations.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Cal.com OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Cal.com OAuth credential' },
     eventTypeId: { type: 'number', description: 'Event type ID' },
     start: { type: 'string', description: 'Start time (ISO 8601)' },
     end: { type: 'string', description: 'End time (ISO 8601)' },
diff --git a/apps/sim/blocks/blocks/confluence.ts b/apps/sim/blocks/blocks/confluence.ts
index 7b7968843b..4ab5c690c2 100644
--- a/apps/sim/blocks/blocks/confluence.ts
+++ b/apps/sim/blocks/blocks/confluence.ts
@@ -51,6 +51,8 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
       id: 'credential',
       title: 'Confluence Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'confluence',
       requiredScopes: [
         'read:confluence-content.all',
@@ -85,6 +87,15 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
       placeholder: 'Select Confluence account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Confluence Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'pageId',
       title: 'Select Page',
@@ -287,7 +298,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           pageId,
           operation,
           attachmentFile,
@@ -300,7 +311,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'upload_attachment') {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             file: attachmentFile,
@@ -311,7 +322,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
         }
 
         return {
-          credential,
+          credential: oauthCredential,
           pageId: effectivePageId || undefined,
           operation,
           ...rest,
@@ -322,7 +333,7 @@ export const ConfluenceBlock: BlockConfig<ConfluenceResponse> = {
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
     domain: { type: 'string', description: 'Confluence domain' },
-    credential: { type: 'string', description: 'Confluence access token' },
+    oauthCredential: { type: 'string', description: 'Confluence access token' },
     pageId: { type: 'string', description: 'Page identifier (canonical param)' },
     spaceId: { type: 'string', description: 'Space identifier' },
     title: { type: 'string', description: 'Page title' },
@@ -428,6 +439,8 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
       id: 'credential',
       title: 'Confluence Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'confluence',
       requiredScopes: [
         'read:confluence-content.all',
@@ -462,6 +475,15 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
       placeholder: 'Select Confluence account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Confluence Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'domain',
       title: 'Domain',
@@ -943,7 +965,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           pageId,
           operation,
           attachmentFile,
@@ -968,7 +990,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'add_label') {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             prefix: labelPrefix || 'global',
@@ -978,7 +1000,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'create_blogpost') {
           return {
-            credential,
+            credential: oauthCredential,
             operation,
             status: blogPostStatus || 'current',
             ...rest,
@@ -987,7 +1009,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'delete') {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             purge: purge || false,
@@ -997,7 +1019,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'list_comments') {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             bodyFormat: bodyFormat || 'storage',
@@ -1023,7 +1045,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (supportsCursor.includes(operation) && cursor) {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId || undefined,
             operation,
             cursor,
@@ -1036,7 +1058,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
             throw new Error('Property key is required for this operation.')
           }
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             key: propertyKey,
@@ -1047,7 +1069,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'delete_page_property') {
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             propertyId,
@@ -1057,7 +1079,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'get_pages_by_label') {
           return {
-            credential,
+            credential: oauthCredential,
             operation,
             labelId,
             cursor: cursor || undefined,
@@ -1067,7 +1089,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
 
         if (operation === 'list_space_labels') {
           return {
-            credential,
+            credential: oauthCredential,
             operation,
             cursor: cursor || undefined,
             ...rest,
@@ -1080,7 +1102,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
             throw new Error('File is required for upload attachment operation.')
           }
           return {
-            credential,
+            credential: oauthCredential,
             pageId: effectivePageId,
             operation,
             file: normalizedFile,
@@ -1091,7 +1113,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
         }
 
         return {
-          credential,
+          credential: oauthCredential,
           pageId: effectivePageId || undefined,
           blogPostId: blogPostId || undefined,
           versionNumber: versionNumber ? Number.parseInt(String(versionNumber), 10) : undefined,
@@ -1104,7 +1126,7 @@ export const ConfluenceV2Block: BlockConfig<ConfluenceResponse> = {
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
     domain: { type: 'string', description: 'Confluence domain' },
-    credential: { type: 'string', description: 'Confluence access token' },
+    oauthCredential: { type: 'string', description: 'Confluence access token' },
     pageId: { type: 'string', description: 'Page identifier (canonical param)' },
     spaceId: { type: 'string', description: 'Space identifier' },
     blogPostId: { type: 'string', description: 'Blog post identifier' },
diff --git a/apps/sim/blocks/blocks/dropbox.ts b/apps/sim/blocks/blocks/dropbox.ts
index 90be6e74fd..da64165c96 100644
--- a/apps/sim/blocks/blocks/dropbox.ts
+++ b/apps/sim/blocks/blocks/dropbox.ts
@@ -38,6 +38,8 @@ export const DropboxBlock: BlockConfig<DropboxResponse> = {
       id: 'credential',
       title: 'Dropbox Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'dropbox',
       requiredScopes: [
         'account_info.read',
@@ -51,6 +53,15 @@ export const DropboxBlock: BlockConfig<DropboxResponse> = {
       placeholder: 'Select Dropbox account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Dropbox Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Upload operation inputs
     {
       id: 'path',
@@ -352,7 +363,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Dropbox OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Dropbox OAuth credential' },
     // Common inputs
     path: { type: 'string', description: 'Path in Dropbox' },
     autorename: { type: 'boolean', description: 'Auto-rename on conflict' },
diff --git a/apps/sim/blocks/blocks/gmail.ts b/apps/sim/blocks/blocks/gmail.ts
index 4a6d66e37b..d0ab76a8eb 100644
--- a/apps/sim/blocks/blocks/gmail.ts
+++ b/apps/sim/blocks/blocks/gmail.ts
@@ -76,6 +76,8 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       id: 'credential',
       title: 'Gmail Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'gmail',
       requiredScopes: [
         'https://www.googleapis.com/auth/gmail.send',
@@ -85,6 +87,15 @@ export const GmailBlock: BlockConfig<GmailToolResponse> = {
       placeholder: 'Select Gmail account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Gmail Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Send Email Fields
     {
       id: 'to',
@@ -406,7 +417,7 @@ Return ONLY the search query - no explanations, no extra text.`,
       tool: selectGmailToolId,
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           folder,
           addLabelIds,
           removeLabelIds,
@@ -467,7 +478,7 @@ Return ONLY the search query - no explanations, no extra text.`,
 
         return {
           ...rest,
-          credential,
+          oauthCredential,
           ...(normalizedAttachments && { attachments: normalizedAttachments }),
         }
       },
@@ -475,7 +486,7 @@ Return ONLY the search query - no explanations, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Gmail access token' },
+    oauthCredential: { type: 'string', description: 'Gmail access token' },
     // Send operation inputs
     to: { type: 'string', description: 'Recipient email address' },
     subject: { type: 'string', description: 'Email subject' },
diff --git a/apps/sim/blocks/blocks/google_calendar.ts b/apps/sim/blocks/blocks/google_calendar.ts
index 2c28ebebad..abbce2f181 100644
--- a/apps/sim/blocks/blocks/google_calendar.ts
+++ b/apps/sim/blocks/blocks/google_calendar.ts
@@ -39,11 +39,22 @@ export const GoogleCalendarBlock: BlockConfig<GoogleCalendarResponse> = {
       id: 'credential',
       title: 'Google Calendar Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-calendar',
       requiredScopes: ['https://www.googleapis.com/auth/calendar'],
       placeholder: 'Select Google Calendar account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Calendar Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Calendar selector (basic mode) - not needed for list_calendars
     {
       id: 'calendarId',
@@ -512,7 +523,7 @@ Return ONLY the natural language event text - no explanations.`,
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           operation,
           attendees,
           replaceExisting,
@@ -576,7 +587,7 @@ Return ONLY the natural language event text - no explanations.`,
         }
 
         return {
-          credential,
+          oauthCredential,
           ...processedParams,
         }
       },
@@ -584,7 +595,7 @@ Return ONLY the natural language event text - no explanations.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Calendar access token' },
+    oauthCredential: { type: 'string', description: 'Google Calendar access token' },
     calendarId: { type: 'string', description: 'Calendar identifier (canonical param)' },
 
     // Create/Update operation inputs
diff --git a/apps/sim/blocks/blocks/google_docs.ts b/apps/sim/blocks/blocks/google_docs.ts
index 2a780fd789..83449a2524 100644
--- a/apps/sim/blocks/blocks/google_docs.ts
+++ b/apps/sim/blocks/blocks/google_docs.ts
@@ -32,6 +32,8 @@ export const GoogleDocsBlock: BlockConfig<GoogleDocsResponse> = {
       id: 'credential',
       title: 'Google Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-docs',
       requiredScopes: [
@@ -40,6 +42,15 @@ export const GoogleDocsBlock: BlockConfig<GoogleDocsResponse> = {
       ],
       placeholder: 'Select Google account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Document selector (basic mode)
     {
       id: 'documentId',
@@ -157,7 +168,7 @@ Return ONLY the document content - no explanations, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, documentId, folderId, ...rest } = params
+        const { oauthCredential, documentId, folderId, ...rest } = params
 
         const effectiveDocumentId = documentId ? String(documentId).trim() : ''
         const effectiveFolderId = folderId ? String(folderId).trim() : ''
@@ -166,14 +177,14 @@ Return ONLY the document content - no explanations, no extra text.`,
           ...rest,
           documentId: effectiveDocumentId || undefined,
           folderId: effectiveFolderId || undefined,
-          credential,
+          oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Docs access token' },
+    oauthCredential: { type: 'string', description: 'Google Docs access token' },
     documentId: { type: 'string', description: 'Document identifier (canonical param)' },
     title: { type: 'string', description: 'Document title' },
     folderId: { type: 'string', description: 'Parent folder identifier (canonical param)' },
diff --git a/apps/sim/blocks/blocks/google_drive.ts b/apps/sim/blocks/blocks/google_drive.ts
index 3c44d80927..182246bc30 100644
--- a/apps/sim/blocks/blocks/google_drive.ts
+++ b/apps/sim/blocks/blocks/google_drive.ts
@@ -44,6 +44,8 @@ export const GoogleDriveBlock: BlockConfig<GoogleDriveResponse> = {
       id: 'credential',
       title: 'Google Drive Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-drive',
       requiredScopes: [
@@ -52,6 +54,15 @@ export const GoogleDriveBlock: BlockConfig<GoogleDriveResponse> = {
       ],
       placeholder: 'Select Google Drive account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Drive Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Create/Upload File Fields
     {
       id: 'fileName',
@@ -786,7 +797,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           // Folder canonical params (per-operation)
           uploadFolderId,
           createFolderParentId,
@@ -873,7 +884,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
           sendNotification === 'true' ? true : sendNotification === 'false' ? false : undefined
 
         return {
-          credential,
+          oauthCredential,
           folderId: effectiveFolderId,
           fileId: effectiveFileId,
           destinationFolderId: effectiveDestinationFolderId,
@@ -891,7 +902,7 @@ Return ONLY the message text - no subject line, no greetings/signatures, no extr
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Drive access token' },
+    oauthCredential: { type: 'string', description: 'Google Drive access token' },
     // Folder canonical params (per-operation)
     uploadFolderId: { type: 'string', description: 'Parent folder for upload/create' },
     createFolderParentId: { type: 'string', description: 'Parent folder for create folder' },
diff --git a/apps/sim/blocks/blocks/google_forms.ts b/apps/sim/blocks/blocks/google_forms.ts
index 435259c579..840dbe2eb8 100644
--- a/apps/sim/blocks/blocks/google_forms.ts
+++ b/apps/sim/blocks/blocks/google_forms.ts
@@ -34,6 +34,8 @@ export const GoogleFormsBlock: BlockConfig = {
       id: 'credential',
       title: 'Google Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-forms',
       requiredScopes: [
@@ -45,6 +47,15 @@ export const GoogleFormsBlock: BlockConfig = {
       ],
       placeholder: 'Select Google account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Form selector (basic mode)
     {
       id: 'formSelector',
@@ -233,7 +244,7 @@ Example for "Add a required multiple choice question about favorite color":
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           operation,
           formId, // Canonical param from formSelector (basic) or manualFormId (advanced)
           responseId,
@@ -251,7 +262,7 @@ Example for "Add a required multiple choice question about favorite color":
           ...rest
         } = params
 
-        const baseParams = { ...rest, credential }
+        const baseParams = { ...rest, oauthCredential }
         const effectiveFormId = formId ? String(formId).trim() : undefined
 
         switch (operation) {
@@ -309,7 +320,7 @@ Example for "Add a required multiple choice question about favorite color":
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Google OAuth credential' },
     formId: { type: 'string', description: 'Google Form ID' },
     responseId: { type: 'string', description: 'Specific response ID' },
     pageSize: { type: 'string', description: 'Max responses to retrieve' },
diff --git a/apps/sim/blocks/blocks/google_groups.ts b/apps/sim/blocks/blocks/google_groups.ts
index 2e847d8c71..b72a48e568 100644
--- a/apps/sim/blocks/blocks/google_groups.ts
+++ b/apps/sim/blocks/blocks/google_groups.ts
@@ -42,6 +42,8 @@ export const GoogleGroupsBlock: BlockConfig = {
       id: 'credential',
       title: 'Google Groups Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-groups',
       requiredScopes: [
@@ -50,6 +52,15 @@ export const GoogleGroupsBlock: BlockConfig = {
       ],
       placeholder: 'Select Google Workspace account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Groups Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     {
       id: 'customer',
@@ -311,12 +322,12 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, operation, ...rest } = params
+        const { oauthCredential, operation, ...rest } = params
 
         switch (operation) {
           case 'list_groups':
             return {
-              credential,
+              oauthCredential,
               customer: rest.customer,
               domain: rest.domain,
               query: rest.query,
@@ -325,19 +336,19 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
           case 'get_group':
           case 'delete_group':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
             }
           case 'create_group':
             return {
-              credential,
+              credential: oauthCredential,
               email: rest.email,
               name: rest.name,
               description: rest.description,
             }
           case 'update_group':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               name: rest.newName,
               email: rest.newEmail,
@@ -345,7 +356,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
             }
           case 'list_members':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               maxResults: rest.maxResults ? Number(rest.maxResults) : undefined,
               roles: rest.roles,
@@ -353,66 +364,66 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
           case 'get_member':
           case 'remove_member':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               memberKey: rest.memberKey,
             }
           case 'add_member':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               email: rest.memberEmail,
               role: rest.role,
             }
           case 'update_member':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               memberKey: rest.memberKey,
               role: rest.role,
             }
           case 'has_member':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               memberKey: rest.memberKey,
             }
           case 'list_aliases':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
             }
           case 'add_alias':
             return {
-              credential,
+              credential: oauthCredential,
               groupKey: rest.groupKey,
               alias: rest.alias,
             }
           case 'remove_alias':
             return {
-              credential,
+              oauthCredential,
               groupKey: rest.groupKey,
               alias: rest.alias,
             }
           case 'get_settings':
             return {
-              credential,
+              oauthCredential,
               groupEmail: rest.groupEmail,
             }
           case 'update_settings':
             return {
-              credential,
+              oauthCredential,
               groupEmail: rest.groupEmail,
             }
           default:
-            return { credential, ...rest }
+            return { oauthCredential, ...rest }
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Workspace OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Google Workspace OAuth credential' },
     customer: { type: 'string', description: 'Customer ID for listing groups' },
     domain: { type: 'string', description: 'Domain filter for listing groups' },
     query: { type: 'string', description: 'Search query for filtering groups' },
diff --git a/apps/sim/blocks/blocks/google_sheets.ts b/apps/sim/blocks/blocks/google_sheets.ts
index 3294f00365..bde2bec45d 100644
--- a/apps/sim/blocks/blocks/google_sheets.ts
+++ b/apps/sim/blocks/blocks/google_sheets.ts
@@ -36,6 +36,8 @@ export const GoogleSheetsBlock: BlockConfig<GoogleSheetsResponse> = {
       id: 'credential',
       title: 'Google Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-sheets',
       requiredScopes: [
@@ -44,6 +46,15 @@ export const GoogleSheetsBlock: BlockConfig<GoogleSheetsResponse> = {
       ],
       placeholder: 'Select Google account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Spreadsheet Selector
     {
       id: 'spreadsheetId',
@@ -246,7 +257,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, values, spreadsheetId, ...rest } = params
+        const { oauthCredential, values, spreadsheetId, ...rest } = params
 
         const parsedValues = values ? JSON.parse(values as string) : undefined
 
@@ -260,14 +271,14 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           ...rest,
           spreadsheetId: effectiveSpreadsheetId,
           values: parsedValues,
-          credential,
+          oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Sheets access token' },
+    oauthCredential: { type: 'string', description: 'Google Sheets access token' },
     spreadsheetId: { type: 'string', description: 'Spreadsheet identifier (canonical param)' },
     range: { type: 'string', description: 'Cell range' },
     values: { type: 'string', description: 'Cell values data' },
@@ -323,6 +334,8 @@ export const GoogleSheetsV2Block: BlockConfig<GoogleSheetsV2Response> = {
       id: 'credential',
       title: 'Google Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-sheets',
       requiredScopes: [
@@ -331,6 +344,15 @@ export const GoogleSheetsV2Block: BlockConfig<GoogleSheetsV2Response> = {
       ],
       placeholder: 'Select Google account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Spreadsheet Selector (basic mode) - not for create operation
     {
       id: 'spreadsheetId',
@@ -715,7 +737,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
       }),
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           values,
           spreadsheetId,
           sheetName,
@@ -739,7 +761,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           return {
             title: (title as string)?.trim(),
             sheetTitles: sheetTitlesArray,
-            credential,
+            oauthCredential,
           }
         }
 
@@ -753,7 +775,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
         if (operation === 'get_info') {
           return {
             spreadsheetId: effectiveSpreadsheetId,
-            credential,
+            oauthCredential,
           }
         }
 
@@ -763,7 +785,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           return {
             spreadsheetId: effectiveSpreadsheetId,
             ranges: parsedRanges,
-            credential,
+            oauthCredential,
           }
         }
 
@@ -774,7 +796,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
             ...rest,
             spreadsheetId: effectiveSpreadsheetId,
             data: parsedData,
-            credential,
+            oauthCredential,
           }
         }
 
@@ -784,7 +806,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           return {
             spreadsheetId: effectiveSpreadsheetId,
             ranges: parsedRanges,
-            credential,
+            oauthCredential,
           }
         }
 
@@ -794,7 +816,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
             sourceSpreadsheetId: effectiveSpreadsheetId,
             sheetId: Number.parseInt(sheetId as string, 10),
             destinationSpreadsheetId: (destinationSpreadsheetId as string)?.trim(),
-            credential,
+            oauthCredential,
           }
         }
 
@@ -813,14 +835,14 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           sheetName: effectiveSheetName,
           cellRange: cellRange ? (cellRange as string).trim() : undefined,
           values: parsedValues,
-          credential,
+          oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Sheets access token' },
+    oauthCredential: { type: 'string', description: 'Google Sheets access token' },
     spreadsheetId: { type: 'string', description: 'Spreadsheet identifier (canonical param)' },
     sheetName: { type: 'string', description: 'Name of the sheet/tab (canonical param)' },
     cellRange: { type: 'string', description: 'Cell range (e.g., A1:D10)' },
diff --git a/apps/sim/blocks/blocks/google_slides.ts b/apps/sim/blocks/blocks/google_slides.ts
index baa890a2ad..b341d2cfbc 100644
--- a/apps/sim/blocks/blocks/google_slides.ts
+++ b/apps/sim/blocks/blocks/google_slides.ts
@@ -46,6 +46,8 @@ export const GoogleSlidesBlock: BlockConfig<GoogleSlidesResponse> = {
       id: 'credential',
       title: 'Google Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-drive',
       requiredScopes: [
@@ -54,6 +56,15 @@ export const GoogleSlidesBlock: BlockConfig<GoogleSlidesResponse> = {
       ],
       placeholder: 'Select Google account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Presentation selector (basic mode) - for operations that need an existing presentation
     {
       id: 'presentationId',
@@ -662,7 +673,7 @@ Return ONLY the text content - no explanations, no markdown formatting markers,
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           presentationId,
           folderId,
           slideIndex,
@@ -679,7 +690,7 @@ Return ONLY the text content - no explanations, no markdown formatting markers,
         const result: Record<string, any> = {
           ...rest,
           presentationId: effectivePresentationId || undefined,
-          credential,
+          oauthCredential,
         }
 
         // Handle operation-specific params
@@ -799,7 +810,7 @@ Return ONLY the text content - no explanations, no markdown formatting markers,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Slides access token' },
+    oauthCredential: { type: 'string', description: 'Google Slides access token' },
     presentationId: { type: 'string', description: 'Presentation identifier (canonical param)' },
     // Write operation
     slideIndex: { type: 'number', description: 'Slide index to write to' },
diff --git a/apps/sim/blocks/blocks/google_vault.ts b/apps/sim/blocks/blocks/google_vault.ts
index 47e53d56da..4f5183133f 100644
--- a/apps/sim/blocks/blocks/google_vault.ts
+++ b/apps/sim/blocks/blocks/google_vault.ts
@@ -34,6 +34,8 @@ export const GoogleVaultBlock: BlockConfig = {
       id: 'credential',
       title: 'Google Vault Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'google-vault',
       requiredScopes: [
@@ -42,6 +44,15 @@ export const GoogleVaultBlock: BlockConfig = {
       ],
       placeholder: 'Select Google Vault account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Google Vault Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Create Hold inputs
     {
       id: 'matterId',
@@ -438,10 +449,10 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, holdStartTime, holdEndTime, holdTerms, ...rest } = params
+        const { oauthCredential, holdStartTime, holdEndTime, holdTerms, ...rest } = params
         return {
           ...rest,
-          credential,
+          oauthCredential,
           // Map hold-specific fields to their tool parameter names
           ...(holdStartTime && { startTime: holdStartTime }),
           ...(holdEndTime && { endTime: holdEndTime }),
@@ -453,7 +464,7 @@ Return ONLY the description text - no explanations, no quotes, no extra text.`,
   inputs: {
     // Core inputs
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Google Vault OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Google Vault OAuth credential' },
     matterId: { type: 'string', description: 'Matter ID' },
 
     // Create export inputs
diff --git a/apps/sim/blocks/blocks/hubspot.ts b/apps/sim/blocks/blocks/hubspot.ts
index fcd3e6d65b..706a4b9bb1 100644
--- a/apps/sim/blocks/blocks/hubspot.ts
+++ b/apps/sim/blocks/blocks/hubspot.ts
@@ -39,6 +39,8 @@ export const HubSpotBlock: BlockConfig<HubSpotResponse> = {
       id: 'credential',
       title: 'HubSpot Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'hubspot',
       requiredScopes: [
         'crm.objects.contacts.read',
@@ -68,6 +70,15 @@ export const HubSpotBlock: BlockConfig<HubSpotResponse> = {
       placeholder: 'Select HubSpot account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'HubSpot Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'contactId',
       title: 'Contact ID or Email',
@@ -823,7 +834,7 @@ Return ONLY the JSON array of property names - no explanations, no markdown, no
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           operation,
           propertiesToSet,
           properties,
@@ -835,7 +846,7 @@ Return ONLY the JSON array of property names - no explanations, no markdown, no
         } = params
 
         const cleanParams: Record<string, any> = {
-          credential,
+          oauthCredential,
         }
 
         const createUpdateOps = [
@@ -890,7 +901,7 @@ Return ONLY the JSON array of property names - no explanations, no markdown, no
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'HubSpot access token' },
+    oauthCredential: { type: 'string', description: 'HubSpot access token' },
     contactId: { type: 'string', description: 'Contact ID or email' },
     companyId: { type: 'string', description: 'Company ID or domain' },
     idProperty: { type: 'string', description: 'Property name to use as unique identifier' },
diff --git a/apps/sim/blocks/blocks/jira.ts b/apps/sim/blocks/blocks/jira.ts
index 63e06ea539..96eb7eebba 100644
--- a/apps/sim/blocks/blocks/jira.ts
+++ b/apps/sim/blocks/blocks/jira.ts
@@ -60,6 +60,8 @@ export const JiraBlock: BlockConfig<JiraResponse> = {
       id: 'credential',
       title: 'Jira Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'jira',
       requiredScopes: [
@@ -96,6 +98,15 @@ export const JiraBlock: BlockConfig<JiraResponse> = {
       ],
       placeholder: 'Select Jira account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Jira Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Project selector (basic mode)
     {
       id: 'projectId',
@@ -789,14 +800,14 @@ Return ONLY the comment text - no explanations.`,
         }
       },
       params: (params) => {
-        const { credential, projectId, issueKey, ...rest } = params
+        const { oauthCredential, projectId, issueKey, ...rest } = params
 
         // Use canonical param IDs (raw subBlock IDs are deleted after serialization)
         const effectiveProjectId = projectId ? String(projectId).trim() : ''
         const effectiveIssueKey = issueKey ? String(issueKey).trim() : ''
 
         const baseParams = {
-          credential,
+          oauthCredential,
           domain: params.domain,
         }
 
@@ -1049,7 +1060,7 @@ Return ONLY the comment text - no explanations.`,
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
     domain: { type: 'string', description: 'Jira domain' },
-    credential: { type: 'string', description: 'Jira access token' },
+    oauthCredential: { type: 'string', description: 'Jira access token' },
     issueKey: { type: 'string', description: 'Issue key identifier (canonical param)' },
     projectId: { type: 'string', description: 'Project identifier (canonical param)' },
     // Update/Write operation inputs
diff --git a/apps/sim/blocks/blocks/jira_service_management.ts b/apps/sim/blocks/blocks/jira_service_management.ts
index 11cda38587..7baec43a6b 100644
--- a/apps/sim/blocks/blocks/jira_service_management.ts
+++ b/apps/sim/blocks/blocks/jira_service_management.ts
@@ -55,6 +55,8 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
       id: 'credential',
       title: 'Jira Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       required: true,
       serviceId: 'jira',
       requiredScopes: [
@@ -95,6 +97,15 @@ export const JiraServiceManagementBlock: BlockConfig<JsmResponse> = {
       ],
       placeholder: 'Select Jira account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Jira Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'serviceDeskId',
       title: 'Service Desk ID',
@@ -493,7 +504,7 @@ Return ONLY the comment text - no explanations.`,
       },
       params: (params) => {
         const baseParams = {
-          credential: params.credential,
+          oauthCredential: params.oauthCredential,
           domain: params.domain,
         }
 
@@ -740,7 +751,7 @@ Return ONLY the comment text - no explanations.`,
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
     domain: { type: 'string', description: 'Jira domain' },
-    credential: { type: 'string', description: 'Jira Service Management access token' },
+    oauthCredential: { type: 'string', description: 'Jira Service Management access token' },
     serviceDeskId: { type: 'string', description: 'Service desk ID' },
     requestTypeId: { type: 'string', description: 'Request type ID' },
     issueIdOrKey: { type: 'string', description: 'Issue ID or key' },
diff --git a/apps/sim/blocks/blocks/linear.ts b/apps/sim/blocks/blocks/linear.ts
index b7b838ef2c..2f50d70db2 100644
--- a/apps/sim/blocks/blocks/linear.ts
+++ b/apps/sim/blocks/blocks/linear.ts
@@ -129,11 +129,22 @@ export const LinearBlock: BlockConfig<LinearResponse> = {
       id: 'credential',
       title: 'Linear Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'linear',
       requiredScopes: ['read', 'write'],
       placeholder: 'Select Linear account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Linear Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Team selector (for most operations)
     {
       id: 'teamId',
@@ -1504,7 +1515,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
 
         // Base params that most operations need
         const baseParams: Record<string, any> = {
-          credential: params.credential,
+          oauthCredential: params.oauthCredential,
         }
 
         // Operation-specific param mapping
@@ -2323,7 +2334,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Linear access token' },
+    oauthCredential: { type: 'string', description: 'Linear access token' },
     teamId: { type: 'string', description: 'Linear team identifier (canonical param)' },
     projectId: { type: 'string', description: 'Linear project identifier (canonical param)' },
     issueId: { type: 'string', description: 'Issue identifier' },
diff --git a/apps/sim/blocks/blocks/linkedin.ts b/apps/sim/blocks/blocks/linkedin.ts
index 25e1dfb579..2440cd0091 100644
--- a/apps/sim/blocks/blocks/linkedin.ts
+++ b/apps/sim/blocks/blocks/linkedin.ts
@@ -33,10 +33,21 @@ export const LinkedInBlock: BlockConfig<LinkedInResponse> = {
       title: 'LinkedIn Account',
       type: 'oauth-input',
       serviceId: 'linkedin',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: ['profile', 'openid', 'email', 'w_member_social'],
       placeholder: 'Select LinkedIn account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'LinkedIn Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     // Share Post specific fields
     {
@@ -80,25 +91,25 @@ export const LinkedInBlock: BlockConfig<LinkedInResponse> = {
       },
       params: (inputs) => {
         const operation = inputs.operation || 'share_post'
-        const { credential, ...rest } = inputs
+        const { oauthCredential, ...rest } = inputs
 
         if (operation === 'get_profile') {
           return {
-            accessToken: credential,
+            accessToken: oauthCredential,
           }
         }
 
         return {
           text: rest.text,
           visibility: rest.visibility || 'PUBLIC',
-          accessToken: credential,
+          accessToken: oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'LinkedIn access token' },
+    oauthCredential: { type: 'string', description: 'LinkedIn access token' },
     text: { type: 'string', description: 'Post text content' },
     visibility: { type: 'string', description: 'Post visibility (PUBLIC or CONNECTIONS)' },
   },
diff --git a/apps/sim/blocks/blocks/microsoft_excel.ts b/apps/sim/blocks/blocks/microsoft_excel.ts
index 9909124246..6d8a7c301f 100644
--- a/apps/sim/blocks/blocks/microsoft_excel.ts
+++ b/apps/sim/blocks/blocks/microsoft_excel.ts
@@ -36,6 +36,8 @@ export const MicrosoftExcelBlock: BlockConfig<MicrosoftExcelResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'microsoft-excel',
       requiredScopes: [
         'openid',
@@ -48,6 +50,15 @@ export const MicrosoftExcelBlock: BlockConfig<MicrosoftExcelResponse> = {
       placeholder: 'Select Microsoft account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'spreadsheetId',
       title: 'Select Sheet',
@@ -241,7 +252,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, values, spreadsheetId, tableName, worksheetName, ...rest } = params
+        const { oauthCredential, values, spreadsheetId, tableName, worksheetName, ...rest } = params
 
         // Use canonical param ID (raw subBlock IDs are deleted after serialization)
         const effectiveSpreadsheetId = spreadsheetId ? String(spreadsheetId).trim() : ''
@@ -269,7 +280,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           ...rest,
           spreadsheetId: effectiveSpreadsheetId,
           values: parsedValues,
-          credential,
+          oauthCredential,
         }
 
         if (params.operation === 'table_add') {
@@ -292,7 +303,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft Excel access token' },
+    oauthCredential: { type: 'string', description: 'Microsoft Excel access token' },
     spreadsheetId: { type: 'string', description: 'Spreadsheet identifier (canonical param)' },
     range: { type: 'string', description: 'Cell range' },
     tableName: { type: 'string', description: 'Table name' },
@@ -351,6 +362,8 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'microsoft-excel',
       requiredScopes: [
         'openid',
@@ -363,6 +376,15 @@ export const MicrosoftExcelV2Block: BlockConfig<MicrosoftExcelV2Response> = {
       placeholder: 'Select Microsoft account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Spreadsheet Selector (basic mode)
     {
       id: 'spreadsheetId',
@@ -497,7 +519,7 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
         fallbackToolId: 'microsoft_excel_read_v2',
       }),
       params: (params) => {
-        const { credential, values, spreadsheetId, sheetName, cellRange, ...rest } = params
+        const { oauthCredential, values, spreadsheetId, sheetName, cellRange, ...rest } = params
 
         const parsedValues = values ? JSON.parse(values as string) : undefined
 
@@ -519,14 +541,14 @@ Return ONLY the JSON array - no explanations, no markdown, no extra text.`,
           sheetName: effectiveSheetName,
           cellRange: cellRange ? (cellRange as string).trim() : undefined,
           values: parsedValues,
-          credential,
+          oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft Excel access token' },
+    oauthCredential: { type: 'string', description: 'Microsoft Excel access token' },
     spreadsheetId: { type: 'string', description: 'Spreadsheet identifier (canonical param)' },
     sheetName: { type: 'string', description: 'Name of the sheet/tab (canonical param)' },
     cellRange: { type: 'string', description: 'Cell range (e.g., A1:D10)' },
diff --git a/apps/sim/blocks/blocks/microsoft_planner.ts b/apps/sim/blocks/blocks/microsoft_planner.ts
index b49f8c284f..48771c3b68 100644
--- a/apps/sim/blocks/blocks/microsoft_planner.ts
+++ b/apps/sim/blocks/blocks/microsoft_planner.ts
@@ -4,7 +4,7 @@ import { AuthMode } from '@/blocks/types'
 import type { MicrosoftPlannerResponse } from '@/tools/microsoft_planner/types'
 
 interface MicrosoftPlannerBlockParams {
-  credential: string
+  oauthCredential: string
   accessToken?: string
   planId?: string
   taskId?: string
@@ -61,6 +61,8 @@ export const MicrosoftPlannerBlock: BlockConfig<MicrosoftPlannerResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'microsoft-planner',
       requiredScopes: [
         'openid',
@@ -73,6 +75,14 @@ export const MicrosoftPlannerBlock: BlockConfig<MicrosoftPlannerResponse> = {
       ],
       placeholder: 'Select Microsoft account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+    },
 
     // Plan ID - for various operations
     {
@@ -350,7 +360,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           operation,
           groupId,
           planId,
@@ -375,7 +385,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
 
         const baseParams: MicrosoftPlannerBlockParams = {
           ...rest,
-          credential,
+          oauthCredential,
         }
 
         // Handle different task ID fields based on operation
@@ -560,7 +570,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft account credential' },
+    oauthCredential: { type: 'string', description: 'Microsoft account credential' },
     groupId: { type: 'string', description: 'Microsoft 365 group ID' },
     planId: { type: 'string', description: 'Plan ID' },
     readTaskId: { type: 'string', description: 'Task ID for read operation' },
diff --git a/apps/sim/blocks/blocks/microsoft_teams.ts b/apps/sim/blocks/blocks/microsoft_teams.ts
index 9cf21df992..5f6481f701 100644
--- a/apps/sim/blocks/blocks/microsoft_teams.ts
+++ b/apps/sim/blocks/blocks/microsoft_teams.ts
@@ -44,6 +44,8 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'microsoft-teams',
       requiredScopes: [
         'openid',
@@ -70,6 +72,15 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
       placeholder: 'Select Microsoft account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'teamSelector',
       title: 'Select Team',
@@ -321,7 +332,7 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           operation,
           teamId, // Canonical param from teamSelector (basic) or manualTeamId (advanced)
           chatId, // Canonical param from chatSelector (basic) or manualChatId (advanced)
@@ -339,7 +350,7 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
 
         const baseParams: Record<string, any> = {
           ...rest,
-          credential,
+          oauthCredential,
         }
 
         if ((operation === 'read_chat' || operation === 'read_channel') && includeAttachments) {
@@ -419,7 +430,7 @@ export const MicrosoftTeamsBlock: BlockConfig<MicrosoftTeamsResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft Teams access token' },
+    oauthCredential: { type: 'string', description: 'Microsoft Teams access token' },
     messageId: {
       type: 'string',
       description: 'Message identifier for update/delete/reply/reaction operations',
diff --git a/apps/sim/blocks/blocks/notion.ts b/apps/sim/blocks/blocks/notion.ts
index a970de73f8..92727444d9 100644
--- a/apps/sim/blocks/blocks/notion.ts
+++ b/apps/sim/blocks/blocks/notion.ts
@@ -38,10 +38,21 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
       id: 'credential',
       title: 'Notion Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'notion',
       placeholder: 'Select Notion account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Notion Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Read/Write operation - Page ID
     {
       id: 'pageId',
@@ -302,7 +313,7 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
         }
       },
       params: (params) => {
-        const { credential, operation, properties, filter, sorts, ...rest } = params
+        const { oauthCredential, operation, properties, filter, sorts, ...rest } = params
 
         // Parse properties from JSON string for create/add operations
         let parsedProperties
@@ -351,7 +362,7 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
 
         return {
           ...rest,
-          credential,
+          oauthCredential,
           ...(parsedProperties ? { properties: parsedProperties } : {}),
           ...(parsedFilter ? { filter: JSON.stringify(parsedFilter) } : {}),
           ...(parsedSorts ? { sorts: JSON.stringify(parsedSorts) } : {}),
@@ -361,7 +372,7 @@ export const NotionBlock: BlockConfig<NotionResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Notion access token' },
+    oauthCredential: { type: 'string', description: 'Notion access token' },
     pageId: { type: 'string', description: 'Page identifier' },
     content: { type: 'string', description: 'Page content' },
     // Create page inputs
diff --git a/apps/sim/blocks/blocks/onedrive.ts b/apps/sim/blocks/blocks/onedrive.ts
index 47a15d0cc4..e2e1451072 100644
--- a/apps/sim/blocks/blocks/onedrive.ts
+++ b/apps/sim/blocks/blocks/onedrive.ts
@@ -39,6 +39,8 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'onedrive',
       requiredScopes: [
         'openid',
@@ -50,6 +52,14 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
       ],
       placeholder: 'Select Microsoft account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+    },
     // Create File Fields
     {
       id: 'fileName',
@@ -355,7 +365,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           // Folder canonical params (per-operation)
           uploadFolderId,
           createFolderParentId,
@@ -405,7 +415,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
         }
 
         return {
-          credential,
+          oauthCredential,
           ...rest,
           values: normalizedValues,
           file: normalizedFile,
@@ -420,7 +430,7 @@ export const OneDriveBlock: BlockConfig<OneDriveResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft account credential' },
+    oauthCredential: { type: 'string', description: 'Microsoft account credential' },
     // Upload and Create operation inputs
     fileName: { type: 'string', description: 'File name' },
     file: { type: 'json', description: 'File to upload (UserFile object)' },
diff --git a/apps/sim/blocks/blocks/outlook.ts b/apps/sim/blocks/blocks/outlook.ts
index a22d4195cd..8c1b5372bb 100644
--- a/apps/sim/blocks/blocks/outlook.ts
+++ b/apps/sim/blocks/blocks/outlook.ts
@@ -39,6 +39,8 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'outlook',
       requiredScopes: [
         'Mail.ReadWrite',
@@ -53,6 +55,15 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
       placeholder: 'Select Microsoft account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'to',
       title: 'To',
@@ -326,7 +337,7 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           folder,
           destinationId,
           copyDestinationId,
@@ -385,14 +396,14 @@ export const OutlookBlock: BlockConfig<OutlookResponse> = {
 
         return {
           ...rest,
-          credential,
+          oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Outlook access token' },
+    oauthCredential: { type: 'string', description: 'Outlook access token' },
     // Send operation inputs
     to: { type: 'string', description: 'Recipient email address' },
     subject: { type: 'string', description: 'Email subject' },
diff --git a/apps/sim/blocks/blocks/pipedrive.ts b/apps/sim/blocks/blocks/pipedrive.ts
index 22d81d7822..ecaf62dcc3 100644
--- a/apps/sim/blocks/blocks/pipedrive.ts
+++ b/apps/sim/blocks/blocks/pipedrive.ts
@@ -45,6 +45,8 @@ export const PipedriveBlock: BlockConfig<PipedriveResponse> = {
       id: 'credential',
       title: 'Pipedrive Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'pipedrive',
       requiredScopes: [
         'base',
@@ -58,6 +60,15 @@ export const PipedriveBlock: BlockConfig<PipedriveResponse> = {
       placeholder: 'Select Pipedrive account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Pipedrive Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'status',
       title: 'Status',
@@ -746,10 +757,10 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
         }
       },
       params: (params) => {
-        const { credential, operation, ...rest } = params
+        const { oauthCredential, operation, ...rest } = params
 
         const cleanParams: Record<string, any> = {
-          credential,
+          oauthCredential,
         }
 
         Object.entries(rest).forEach(([key, value]) => {
@@ -764,7 +775,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Pipedrive access token' },
+    oauthCredential: { type: 'string', description: 'Pipedrive access token' },
     deal_id: { type: 'string', description: 'Deal ID' },
     title: { type: 'string', description: 'Title' },
     value: { type: 'string', description: 'Monetary value' },
diff --git a/apps/sim/blocks/blocks/reddit.ts b/apps/sim/blocks/blocks/reddit.ts
index 5eb27e5fb3..828d4e338e 100644
--- a/apps/sim/blocks/blocks/reddit.ts
+++ b/apps/sim/blocks/blocks/reddit.ts
@@ -43,6 +43,8 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
       title: 'Reddit Account',
       type: 'oauth-input',
       serviceId: 'reddit',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: [
         'identity',
         'read',
@@ -64,6 +66,15 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
       placeholder: 'Select Reddit account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Reddit Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     // Common fields - appear for all actions
     {
@@ -555,7 +566,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
       },
       params: (inputs) => {
         const operation = inputs.operation || 'get_posts'
-        const { credential, ...rest } = inputs
+        const { oauthCredential, ...rest } = inputs
 
         if (operation === 'get_comments') {
           return {
@@ -563,7 +574,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
             subreddit: rest.subreddit,
             sort: rest.commentSort,
             limit: rest.commentLimit ? Number.parseInt(rest.commentLimit) : undefined,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -572,7 +583,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
             subreddit: rest.subreddit,
             time: rest.controversialTime,
             limit: rest.controversialLimit ? Number.parseInt(rest.controversialLimit) : undefined,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -583,7 +594,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
             sort: rest.searchSort,
             time: rest.searchTime,
             limit: rest.searchLimit ? Number.parseInt(rest.searchLimit) : undefined,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -595,7 +606,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
             url: rest.postType === 'link' ? rest.url : undefined,
             nsfw: rest.nsfw === 'true',
             spoiler: rest.spoiler === 'true',
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -603,7 +614,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           return {
             id: rest.voteId,
             dir: Number.parseInt(rest.voteDirection),
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -611,14 +622,14 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           return {
             id: rest.saveId,
             category: rest.saveCategory,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
         if (operation === 'unsave') {
           return {
             id: rest.saveId,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -626,7 +637,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           return {
             parent_id: rest.replyParentId,
             text: rest.replyText,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -634,14 +645,14 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           return {
             thing_id: rest.editThingId,
             text: rest.editText,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
         if (operation === 'delete') {
           return {
             id: rest.deleteId,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -649,7 +660,7 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           return {
             subreddit: rest.subscribeSubreddit,
             action: rest.subscribeAction,
-            credential: credential,
+            oauthCredential: oauthCredential,
           }
         }
 
@@ -658,14 +669,14 @@ export const RedditBlock: BlockConfig<RedditResponse> = {
           sort: rest.sort,
           limit: rest.limit ? Number.parseInt(rest.limit) : undefined,
           time: rest.sort === 'top' ? rest.time : undefined,
-          credential: credential,
+          oauthCredential: oauthCredential,
         }
       },
     },
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Reddit access token' },
+    oauthCredential: { type: 'string', description: 'Reddit access token' },
     subreddit: { type: 'string', description: 'Subreddit name' },
     sort: { type: 'string', description: 'Sort order' },
     time: { type: 'string', description: 'Time filter' },
diff --git a/apps/sim/blocks/blocks/salesforce.ts b/apps/sim/blocks/blocks/salesforce.ts
index e5f077e5f6..bbfa8616ef 100644
--- a/apps/sim/blocks/blocks/salesforce.ts
+++ b/apps/sim/blocks/blocks/salesforce.ts
@@ -62,11 +62,22 @@ export const SalesforceBlock: BlockConfig<SalesforceResponse> = {
       id: 'credential',
       title: 'Salesforce Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'salesforce',
       requiredScopes: ['api', 'refresh_token', 'openid', 'offline_access'],
       placeholder: 'Select Salesforce account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Salesforce Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // Common fields for GET operations
     {
       id: 'fields',
@@ -614,8 +625,8 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
         }
       },
       params: (params) => {
-        const { credential, operation, ...rest } = params
-        const cleanParams: Record<string, any> = { credential }
+        const { oauthCredential, operation, ...rest } = params
+        const cleanParams: Record<string, any> = { oauthCredential }
         Object.entries(rest).forEach(([key, value]) => {
           if (value !== undefined && value !== null && value !== '') {
             cleanParams[key] = value
@@ -627,7 +638,7 @@ Return ONLY the date string in YYYY-MM-DD format - no explanations, no quotes, n
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Salesforce credential' },
+    oauthCredential: { type: 'string', description: 'Salesforce credential' },
   },
   outputs: {
     success: { type: 'boolean', description: 'Operation success status' },
diff --git a/apps/sim/blocks/blocks/sharepoint.ts b/apps/sim/blocks/blocks/sharepoint.ts
index f10c1d5d95..9863dce349 100644
--- a/apps/sim/blocks/blocks/sharepoint.ts
+++ b/apps/sim/blocks/blocks/sharepoint.ts
@@ -38,6 +38,8 @@ export const SharepointBlock: BlockConfig<SharepointResponse> = {
       id: 'credential',
       title: 'Microsoft Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'sharepoint',
       requiredScopes: [
         'openid',
@@ -50,6 +52,14 @@ export const SharepointBlock: BlockConfig<SharepointResponse> = {
       ],
       placeholder: 'Select Microsoft account',
     },
+    {
+      id: 'manualCredential',
+      title: 'Microsoft Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+    },
 
     {
       id: 'siteSelector',
@@ -403,7 +413,7 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, siteId, mimeType, ...rest } = params
+        const { oauthCredential, siteId, mimeType, ...rest } = params
 
         // siteId is the canonical param from siteSelector (basic) or manualSiteId (advanced)
         const effectiveSiteId = siteId ? String(siteId).trim() : ''
@@ -461,7 +471,7 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
         // Handle file upload files parameter using canonical param
         const normalizedFiles = normalizeFileInput(files)
         const baseParams: Record<string, any> = {
-          credential,
+          oauthCredential,
           siteId: effectiveSiteId || undefined,
           pageSize: others.pageSize ? Number.parseInt(others.pageSize as string, 10) : undefined,
           mimeType: mimeType,
@@ -487,7 +497,7 @@ Return ONLY the JSON object - no explanations, no markdown, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Microsoft account credential' },
+    oauthCredential: { type: 'string', description: 'Microsoft account credential' },
     pageName: { type: 'string', description: 'Page name' },
     columnDefinitions: {
       type: 'string',
diff --git a/apps/sim/blocks/blocks/shopify.ts b/apps/sim/blocks/blocks/shopify.ts
index 3d98542f42..dc3f3cae62 100644
--- a/apps/sim/blocks/blocks/shopify.ts
+++ b/apps/sim/blocks/blocks/shopify.ts
@@ -61,6 +61,8 @@ export const ShopifyBlock: BlockConfig<ShopifyResponse> = {
       title: 'Shopify Account',
       type: 'oauth-input',
       serviceId: 'shopify',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: [
         'write_products',
         'write_orders',
@@ -72,6 +74,15 @@ export const ShopifyBlock: BlockConfig<ShopifyResponse> = {
       placeholder: 'Select Shopify account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Shopify Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'shopDomain',
       title: 'Shop Domain',
@@ -527,7 +538,7 @@ export const ShopifyBlock: BlockConfig<ShopifyResponse> = {
       },
       params: (params) => {
         const baseParams: Record<string, unknown> = {
-          credential: params.credential,
+          oauthCredential: params.oauthCredential,
           shopDomain: params.shopDomain?.trim(),
         }
 
@@ -774,7 +785,7 @@ export const ShopifyBlock: BlockConfig<ShopifyResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Shopify access token' },
+    oauthCredential: { type: 'string', description: 'Shopify access token' },
     shopDomain: { type: 'string', description: 'Shopify store domain' },
     // Product inputs
     productId: { type: 'string', description: 'Product ID' },
diff --git a/apps/sim/blocks/blocks/slack.ts b/apps/sim/blocks/blocks/slack.ts
index 38f22ca78c..9606191eb2 100644
--- a/apps/sim/blocks/blocks/slack.ts
+++ b/apps/sim/blocks/blocks/slack.ts
@@ -69,6 +69,8 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
       id: 'credential',
       title: 'Slack Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'slack',
       requiredScopes: [
         'channels:read',
@@ -94,6 +96,20 @@ export const SlackBlock: BlockConfig<SlackResponse> = {
       },
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Slack Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      dependsOn: ['authMethod'],
+      condition: {
+        field: 'authMethod',
+        value: 'oauth',
+      },
+      required: true,
+    },
     {
       id: 'botToken',
       title: 'Bot Token',
@@ -547,7 +563,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           authMethod,
           botToken,
           operation,
@@ -597,7 +613,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
           baseParams.accessToken = botToken
         } else {
           // Default to OAuth
-          baseParams.credential = credential
+          baseParams.credential = oauthCredential
         }
 
         switch (operation) {
@@ -701,7 +717,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
     operation: { type: 'string', description: 'Operation to perform' },
     authMethod: { type: 'string', description: 'Authentication method' },
     destinationType: { type: 'string', description: 'Destination type (channel or dm)' },
-    credential: { type: 'string', description: 'Slack access token' },
+    oauthCredential: { type: 'string', description: 'Slack access token' },
     botToken: { type: 'string', description: 'Bot token' },
     channel: { type: 'string', description: 'Channel identifier (canonical param)' },
     dmUserId: { type: 'string', description: 'User ID for DM recipient (canonical param)' },
diff --git a/apps/sim/blocks/blocks/spotify.ts b/apps/sim/blocks/blocks/spotify.ts
index 4b450bac32..fb63d0fa16 100644
--- a/apps/sim/blocks/blocks/spotify.ts
+++ b/apps/sim/blocks/blocks/spotify.ts
@@ -160,6 +160,17 @@ export const SpotifyBlock: BlockConfig<ToolResponse> = {
       title: 'Spotify Account',
       type: 'oauth-input',
       serviceId: 'spotify',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
+      required: true,
+    },
+    {
+      id: 'manualCredential',
+      title: 'Spotify Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
       required: true,
     },
 
@@ -796,7 +807,7 @@ export const SpotifyBlock: BlockConfig<ToolResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Spotify OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Spotify OAuth credential' },
     // Search
     query: { type: 'string', description: 'Search query' },
     type: { type: 'string', description: 'Search type' },
diff --git a/apps/sim/blocks/blocks/trello.ts b/apps/sim/blocks/blocks/trello.ts
index 0de378a8c2..777e060fe9 100644
--- a/apps/sim/blocks/blocks/trello.ts
+++ b/apps/sim/blocks/blocks/trello.ts
@@ -42,10 +42,21 @@ export const TrelloBlock: BlockConfig<ToolResponse> = {
       title: 'Trello Account',
       type: 'oauth-input',
       serviceId: 'trello',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: ['read', 'write'],
       placeholder: 'Select Trello account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Trello Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     {
       id: 'boardId',
@@ -394,7 +405,7 @@ Return ONLY the date/timestamp string - no explanations, no quotes, no extra tex
   },
   inputs: {
     operation: { type: 'string', description: 'Trello operation to perform' },
-    credential: { type: 'string', description: 'Trello OAuth credential' },
+    oauthCredential: { type: 'string', description: 'Trello OAuth credential' },
     boardId: { type: 'string', description: 'Board ID' },
     listId: { type: 'string', description: 'List ID' },
     cardId: { type: 'string', description: 'Card ID' },
diff --git a/apps/sim/blocks/blocks/wealthbox.ts b/apps/sim/blocks/blocks/wealthbox.ts
index f149213774..29acc0f1b9 100644
--- a/apps/sim/blocks/blocks/wealthbox.ts
+++ b/apps/sim/blocks/blocks/wealthbox.ts
@@ -33,11 +33,22 @@ export const WealthboxBlock: BlockConfig<WealthboxResponse> = {
       id: 'credential',
       title: 'Wealthbox Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'wealthbox',
       requiredScopes: ['login', 'data'],
       placeholder: 'Select Wealthbox account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Wealthbox Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'noteId',
       title: 'Note ID',
@@ -169,14 +180,14 @@ Return ONLY the date/time string - no explanations, no quotes, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, operation, contactId, taskId, ...rest } = params
+        const { oauthCredential, operation, contactId, taskId, ...rest } = params
 
         // contactId is the canonical param for both basic (file-selector) and advanced (manualContactId) modes
         const effectiveContactId = contactId ? String(contactId).trim() : ''
 
         const baseParams = {
           ...rest,
-          credential,
+          credential: oauthCredential,
         }
 
         if (operation === 'read_note' || operation === 'write_note') {
@@ -220,7 +231,7 @@ Return ONLY the date/time string - no explanations, no quotes, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Wealthbox access token' },
+    oauthCredential: { type: 'string', description: 'Wealthbox access token' },
     noteId: { type: 'string', description: 'Note identifier' },
     contactId: { type: 'string', description: 'Contact identifier' },
     taskId: { type: 'string', description: 'Task identifier' },
diff --git a/apps/sim/blocks/blocks/webflow.ts b/apps/sim/blocks/blocks/webflow.ts
index c785413bf6..4cb3aa26c1 100644
--- a/apps/sim/blocks/blocks/webflow.ts
+++ b/apps/sim/blocks/blocks/webflow.ts
@@ -34,11 +34,22 @@ export const WebflowBlock: BlockConfig<WebflowResponse> = {
       id: 'credential',
       title: 'Webflow Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'webflow',
       requiredScopes: ['sites:read', 'sites:write', 'cms:read', 'cms:write'],
       placeholder: 'Select Webflow account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Webflow Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     {
       id: 'siteSelector',
       title: 'Site',
@@ -156,7 +167,7 @@ export const WebflowBlock: BlockConfig<WebflowResponse> = {
       },
       params: (params) => {
         const {
-          credential,
+          oauthCredential,
           fieldData,
           siteId, // Canonical param from siteSelector (basic) or manualSiteId (advanced)
           collectionId, // Canonical param from collectionSelector (basic) or manualCollectionId (advanced)
@@ -178,7 +189,7 @@ export const WebflowBlock: BlockConfig<WebflowResponse> = {
         const effectiveItemId = itemId ? String(itemId).trim() : ''
 
         const baseParams = {
-          credential,
+          credential: oauthCredential,
           siteId: effectiveSiteId,
           collectionId: effectiveCollectionId,
           ...rest,
@@ -203,7 +214,7 @@ export const WebflowBlock: BlockConfig<WebflowResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Webflow OAuth access token' },
+    oauthCredential: { type: 'string', description: 'Webflow OAuth access token' },
     siteId: { type: 'string', description: 'Webflow site identifier' },
     collectionId: { type: 'string', description: 'Webflow collection identifier' },
     itemId: { type: 'string', description: 'Item identifier' },
diff --git a/apps/sim/blocks/blocks/wordpress.ts b/apps/sim/blocks/blocks/wordpress.ts
index 207c197404..9ddfbbf403 100644
--- a/apps/sim/blocks/blocks/wordpress.ts
+++ b/apps/sim/blocks/blocks/wordpress.ts
@@ -65,11 +65,22 @@ export const WordPressBlock: BlockConfig<WordPressResponse> = {
       id: 'credential',
       title: 'WordPress Account',
       type: 'oauth-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       serviceId: 'wordpress',
       requiredScopes: ['global'],
       placeholder: 'Select WordPress account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'WordPress Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
 
     // Site ID for WordPress.com (required for OAuth)
     {
@@ -667,7 +678,7 @@ export const WordPressBlock: BlockConfig<WordPressResponse> = {
       params: (params) => {
         // OAuth authentication for WordPress.com
         const baseParams: Record<string, any> = {
-          credential: params.credential,
+          credential: params.oauthCredential,
           siteId: params.siteId,
         }
 
@@ -890,6 +901,7 @@ export const WordPressBlock: BlockConfig<WordPressResponse> = {
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
+    oauthCredential: { type: 'string', description: 'WordPress OAuth credential' },
     siteId: { type: 'string', description: 'WordPress.com site ID or domain' },
     // Post inputs
     postId: { type: 'number', description: 'Post ID' },
diff --git a/apps/sim/blocks/blocks/x.ts b/apps/sim/blocks/blocks/x.ts
index 4fc65d14b1..9b297a064f 100644
--- a/apps/sim/blocks/blocks/x.ts
+++ b/apps/sim/blocks/blocks/x.ts
@@ -32,9 +32,19 @@ export const XBlock: BlockConfig<XResponse> = {
       title: 'X Account',
       type: 'oauth-input',
       serviceId: 'x',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: ['tweet.read', 'tweet.write', 'users.read', 'offline.access'],
       placeholder: 'Select X account',
     },
+    {
+      id: 'manualCredential',
+      title: 'X Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+    },
     {
       id: 'text',
       title: 'Tweet Text',
@@ -171,10 +181,10 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
         }
       },
       params: (params) => {
-        const { credential, ...rest } = params
+        const { oauthCredential, ...rest } = params
 
         const parsedParams: Record<string, any> = {
-          credential: credential,
+          credential: oauthCredential,
         }
 
         Object.keys(rest).forEach((key) => {
@@ -200,7 +210,7 @@ Return ONLY the timestamp string - no explanations, no quotes, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'X account credential' },
+    oauthCredential: { type: 'string', description: 'X account credential' },
     text: { type: 'string', description: 'Tweet text content' },
     replyTo: { type: 'string', description: 'Reply to tweet ID' },
     mediaIds: { type: 'string', description: 'Media identifiers' },
diff --git a/apps/sim/blocks/blocks/zoom.ts b/apps/sim/blocks/blocks/zoom.ts
index 77d9bbb55c..88f7fd044a 100644
--- a/apps/sim/blocks/blocks/zoom.ts
+++ b/apps/sim/blocks/blocks/zoom.ts
@@ -38,6 +38,8 @@ export const ZoomBlock: BlockConfig<ZoomResponse> = {
       title: 'Zoom Account',
       type: 'oauth-input',
       serviceId: 'zoom',
+      canonicalParamId: 'oauthCredential',
+      mode: 'basic',
       requiredScopes: [
         'user:read:user',
         'meeting:write:meeting',
@@ -54,6 +56,15 @@ export const ZoomBlock: BlockConfig<ZoomResponse> = {
       placeholder: 'Select Zoom account',
       required: true,
     },
+    {
+      id: 'manualCredential',
+      title: 'Zoom Account',
+      type: 'short-input',
+      canonicalParamId: 'oauthCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+    },
     // User ID for create/list operations
     {
       id: 'userId',
@@ -413,7 +424,7 @@ Return ONLY the date string - no explanations, no quotes, no extra text.`,
       },
       params: (params) => {
         const baseParams: Record<string, any> = {
-          credential: params.credential,
+          credential: params.oauthCredential,
         }
 
         switch (params.operation) {
@@ -558,7 +569,7 @@ Return ONLY the date string - no explanations, no quotes, no extra text.`,
   },
   inputs: {
     operation: { type: 'string', description: 'Operation to perform' },
-    credential: { type: 'string', description: 'Zoom access token' },
+    oauthCredential: { type: 'string', description: 'Zoom access token' },
     userId: { type: 'string', description: 'User ID or email (use "me" for authenticated user)' },
     meetingId: { type: 'string', description: 'Meeting ID' },
     topic: { type: 'string', description: 'Meeting topic' },
diff --git a/apps/sim/executor/constants.ts b/apps/sim/executor/constants.ts
index b5f97dd471..bac3dccc63 100644
--- a/apps/sim/executor/constants.ts
+++ b/apps/sim/executor/constants.ts
@@ -205,10 +205,6 @@ export const CREDENTIAL_SET = {
   PREFIX: 'credentialSet:',
 } as const
 
-export const CREDENTIAL = {
-  FOREIGN_LABEL: 'Saved by collaborator',
-} as const
-
 export function isCredentialSetValue(value: string | null | undefined): boolean {
   return typeof value === 'string' && value.startsWith(CREDENTIAL_SET.PREFIX)
 }
diff --git a/apps/sim/executor/execution/executor.ts b/apps/sim/executor/execution/executor.ts
index a19081ef9e..f2c710bf4a 100644
--- a/apps/sim/executor/execution/executor.ts
+++ b/apps/sim/executor/execution/executor.ts
@@ -264,6 +264,7 @@ export class DAGExecutor {
       executionId: this.contextExtensions.executionId,
       userId: this.contextExtensions.userId,
       isDeployedContext: this.contextExtensions.isDeployedContext,
+      enforceCredentialAccess: this.contextExtensions.enforceCredentialAccess,
       blockStates: state.getBlockStates(),
       blockLogs: overrides?.runFromBlockContext ? [] : (snapshotState?.blockLogs ?? []),
       metadata: {
diff --git a/apps/sim/executor/execution/types.ts b/apps/sim/executor/execution/types.ts
index 29b79ca037..c2d9b61dca 100644
--- a/apps/sim/executor/execution/types.ts
+++ b/apps/sim/executor/execution/types.ts
@@ -16,6 +16,7 @@ export interface ExecutionMetadata {
   useDraftState: boolean
   startTime: string
   isClientSession?: boolean
+  enforceCredentialAccess?: boolean
   pendingBlocks?: string[]
   resumeFromSnapshot?: boolean
   credentialAccountUserId?: string
@@ -80,6 +81,7 @@ export interface ContextExtensions {
   selectedOutputs?: string[]
   edges?: Array<{ source: string; target: string }>
   isDeployedContext?: boolean
+  enforceCredentialAccess?: boolean
   isChildExecution?: boolean
   resumeFromSnapshot?: boolean
   resumePendingQueue?: string[]
diff --git a/apps/sim/executor/handlers/agent/agent-handler.ts b/apps/sim/executor/handlers/agent/agent-handler.ts
index f87b3cfdee..46ddab8690 100644
--- a/apps/sim/executor/handlers/agent/agent-handler.ts
+++ b/apps/sim/executor/handlers/agent/agent-handler.ts
@@ -336,6 +336,7 @@ export class AgentBlockHandler implements BlockHandler {
               workspaceId: ctx.workspaceId,
               userId: ctx.userId,
               isDeployedContext: ctx.isDeployedContext,
+              enforceCredentialAccess: ctx.enforceCredentialAccess,
             },
           },
           false,
diff --git a/apps/sim/executor/handlers/api/api-handler.ts b/apps/sim/executor/handlers/api/api-handler.ts
index 83c710bef0..4d4cacd3fd 100644
--- a/apps/sim/executor/handlers/api/api-handler.ts
+++ b/apps/sim/executor/handlers/api/api-handler.ts
@@ -74,6 +74,7 @@ export class ApiBlockHandler implements BlockHandler {
             executionId: ctx.executionId,
             userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
+            enforceCredentialAccess: ctx.enforceCredentialAccess,
           },
         },
         false,
diff --git a/apps/sim/executor/handlers/condition/condition-handler.ts b/apps/sim/executor/handlers/condition/condition-handler.ts
index 0c88e0e784..9cb96a9585 100644
--- a/apps/sim/executor/handlers/condition/condition-handler.ts
+++ b/apps/sim/executor/handlers/condition/condition-handler.ts
@@ -50,6 +50,7 @@ export async function evaluateConditionExpression(
           workspaceId: ctx.workspaceId,
           userId: ctx.userId,
           isDeployedContext: ctx.isDeployedContext,
+          enforceCredentialAccess: ctx.enforceCredentialAccess,
         },
       },
       false,
diff --git a/apps/sim/executor/handlers/function/function-handler.ts b/apps/sim/executor/handlers/function/function-handler.ts
index d8e1209e54..68302412bc 100644
--- a/apps/sim/executor/handlers/function/function-handler.ts
+++ b/apps/sim/executor/handlers/function/function-handler.ts
@@ -41,6 +41,7 @@ export class FunctionBlockHandler implements BlockHandler {
           workspaceId: ctx.workspaceId,
           userId: ctx.userId,
           isDeployedContext: ctx.isDeployedContext,
+          enforceCredentialAccess: ctx.enforceCredentialAccess,
         },
       },
       false,
diff --git a/apps/sim/executor/handlers/generic/generic-handler.ts b/apps/sim/executor/handlers/generic/generic-handler.ts
index c6a6b7e9f3..ff9cbbf440 100644
--- a/apps/sim/executor/handlers/generic/generic-handler.ts
+++ b/apps/sim/executor/handlers/generic/generic-handler.ts
@@ -68,6 +68,7 @@ export class GenericBlockHandler implements BlockHandler {
             executionId: ctx.executionId,
             userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
+            enforceCredentialAccess: ctx.enforceCredentialAccess,
           },
         },
         false,
diff --git a/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts b/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts
index 2a23c622c2..63b331754a 100644
--- a/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts
+++ b/apps/sim/executor/handlers/human-in-the-loop/human-in-the-loop-handler.ts
@@ -607,6 +607,7 @@ export class HumanInTheLoopBlockHandler implements BlockHandler {
             workspaceId: ctx.workspaceId,
             userId: ctx.userId,
             isDeployedContext: ctx.isDeployedContext,
+            enforceCredentialAccess: ctx.enforceCredentialAccess,
           },
           blockData: blockDataWithPause,
           blockNameMapping: blockNameMappingWithPause,
diff --git a/apps/sim/executor/handlers/workflow/workflow-handler.ts b/apps/sim/executor/handlers/workflow/workflow-handler.ts
index d32353f434..50b0029166 100644
--- a/apps/sim/executor/handlers/workflow/workflow-handler.ts
+++ b/apps/sim/executor/handlers/workflow/workflow-handler.ts
@@ -123,6 +123,7 @@ export class WorkflowBlockHandler implements BlockHandler {
         contextExtensions: {
           isChildExecution: true,
           isDeployedContext: ctx.isDeployedContext === true,
+          enforceCredentialAccess: ctx.enforceCredentialAccess,
           workspaceId: ctx.workspaceId,
           userId: ctx.userId,
           executionId: ctx.executionId,
diff --git a/apps/sim/executor/types.ts b/apps/sim/executor/types.ts
index 9298f66678..dcb6e2c6ad 100644
--- a/apps/sim/executor/types.ts
+++ b/apps/sim/executor/types.ts
@@ -168,6 +168,7 @@ export interface ExecutionContext {
   executionId?: string
   userId?: string
   isDeployedContext?: boolean
+  enforceCredentialAccess?: boolean
 
   permissionConfig?: PermissionGroupConfig | null
   permissionConfigLoaded?: boolean
diff --git a/apps/sim/hooks/queries/credentials.ts b/apps/sim/hooks/queries/credentials.ts
new file mode 100644
index 0000000000..ef87d18265
--- /dev/null
+++ b/apps/sim/hooks/queries/credentials.ts
@@ -0,0 +1,272 @@
+'use client'
+
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { environmentKeys } from '@/hooks/queries/environment'
+import { fetchJson } from '@/hooks/selectors/helpers'
+
+export type WorkspaceCredentialType = 'oauth' | 'env_workspace' | 'env_personal'
+export type WorkspaceCredentialRole = 'admin' | 'member'
+export type WorkspaceCredentialMemberStatus = 'active' | 'pending' | 'revoked'
+
+export interface WorkspaceCredential {
+  id: string
+  workspaceId: string
+  type: WorkspaceCredentialType
+  displayName: string
+  description: string | null
+  providerId: string | null
+  accountId: string | null
+  envKey: string | null
+  envOwnerUserId: string | null
+  createdBy: string
+  createdAt: string
+  updatedAt: string
+  role?: WorkspaceCredentialRole
+  status?: WorkspaceCredentialMemberStatus
+}
+
+export interface WorkspaceCredentialMember {
+  id: string
+  userId: string
+  role: WorkspaceCredentialRole
+  status: WorkspaceCredentialMemberStatus
+  joinedAt: string | null
+  invitedBy: string | null
+  createdAt: string
+  updatedAt: string
+  userName: string | null
+  userEmail: string | null
+  userImage: string | null
+}
+
+interface CredentialListResponse {
+  credentials?: WorkspaceCredential[]
+}
+
+interface CredentialResponse {
+  credential?: WorkspaceCredential | null
+}
+
+interface MembersResponse {
+  members?: WorkspaceCredentialMember[]
+}
+
+export const workspaceCredentialKeys = {
+  all: ['workspaceCredentials'] as const,
+  list: (workspaceId?: string, type?: string, providerId?: string) =>
+    ['workspaceCredentials', workspaceId ?? 'none', type ?? 'all', providerId ?? 'all'] as const,
+  detail: (credentialId?: string) =>
+    ['workspaceCredentials', 'detail', credentialId ?? 'none'] as const,
+  members: (credentialId?: string) =>
+    ['workspaceCredentials', 'detail', credentialId ?? 'none', 'members'] as const,
+}
+
+export function useWorkspaceCredentials(params: {
+  workspaceId?: string
+  type?: WorkspaceCredentialType
+  providerId?: string
+  enabled?: boolean
+}) {
+  const { workspaceId, type, providerId, enabled = true } = params
+
+  return useQuery<WorkspaceCredential[]>({
+    queryKey: workspaceCredentialKeys.list(workspaceId, type, providerId),
+    queryFn: async () => {
+      if (!workspaceId) return []
+      const data = await fetchJson<CredentialListResponse>('/api/credentials', {
+        searchParams: {
+          workspaceId,
+          type,
+          providerId,
+        },
+      })
+      return data.credentials ?? []
+    },
+    enabled: Boolean(workspaceId) && enabled,
+    staleTime: 60 * 1000,
+  })
+}
+
+export function useWorkspaceCredential(credentialId?: string, enabled = true) {
+  return useQuery<WorkspaceCredential | null>({
+    queryKey: workspaceCredentialKeys.detail(credentialId),
+    queryFn: async () => {
+      if (!credentialId) return null
+      const data = await fetchJson<CredentialResponse>(`/api/credentials/${credentialId}`)
+      return data.credential ?? null
+    },
+    enabled: Boolean(credentialId) && enabled,
+    staleTime: 60 * 1000,
+  })
+}
+
+export function useCreateWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      workspaceId: string
+      type: WorkspaceCredentialType
+      displayName?: string
+      description?: string
+      providerId?: string
+      accountId?: string
+      envKey?: string
+      envOwnerUserId?: string
+    }) => {
+      const response = await fetch('/api/credentials', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+      })
+
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to create credential')
+      }
+
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.list(variables.workspaceId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.all,
+      })
+    },
+  })
+}
+
+export function useUpdateWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      credentialId: string
+      displayName?: string
+      description?: string | null
+      accountId?: string
+    }) => {
+      const response = await fetch(`/api/credentials/${payload.credentialId}`, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          displayName: payload.displayName,
+          description: payload.description,
+          accountId: payload.accountId,
+        }),
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to update credential')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.all,
+      })
+    },
+  })
+}
+
+export function useDeleteWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (credentialId: string) => {
+      const response = await fetch(`/api/credentials/${credentialId}`, {
+        method: 'DELETE',
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to delete credential')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, credentialId) => {
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.detail(credentialId) })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+      queryClient.invalidateQueries({ queryKey: environmentKeys.all })
+    },
+  })
+}
+
+export function useWorkspaceCredentialMembers(credentialId?: string) {
+  return useQuery<WorkspaceCredentialMember[]>({
+    queryKey: workspaceCredentialKeys.members(credentialId),
+    queryFn: async () => {
+      if (!credentialId) return []
+      const data = await fetchJson<MembersResponse>(`/api/credentials/${credentialId}/members`)
+      return data.members ?? []
+    },
+    enabled: Boolean(credentialId),
+    staleTime: 30 * 1000,
+  })
+}
+
+export function useUpsertWorkspaceCredentialMember() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      credentialId: string
+      userId: string
+      role: WorkspaceCredentialRole
+    }) => {
+      const response = await fetch(`/api/credentials/${payload.credentialId}/members`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          userId: payload.userId,
+          role: payload.role,
+        }),
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to update credential member')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.members(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+    },
+  })
+}
+
+export function useRemoveWorkspaceCredentialMember() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { credentialId: string; userId: string }) => {
+      const response = await fetch(
+        `/api/credentials/${payload.credentialId}/members?userId=${encodeURIComponent(payload.userId)}`,
+        { method: 'DELETE' }
+      )
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to remove credential member')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.members(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+    },
+  })
+}
diff --git a/apps/sim/hooks/queries/oauth-connections.ts b/apps/sim/hooks/queries/oauth-connections.ts
index d6243f8544..02dfe1dfe4 100644
--- a/apps/sim/hooks/queries/oauth-connections.ts
+++ b/apps/sim/hooks/queries/oauth-connections.ts
@@ -169,9 +169,9 @@ export function useConnectOAuthService() {
 
 interface DisconnectServiceParams {
   provider: string
-  providerId: string
+  providerId?: string
   serviceId: string
-  accountId: string
+  accountId?: string
 }
 
 /**
@@ -182,7 +182,7 @@ export function useDisconnectOAuthService() {
   const queryClient = useQueryClient()
 
   return useMutation({
-    mutationFn: async ({ provider, providerId }: DisconnectServiceParams) => {
+    mutationFn: async ({ provider, providerId, accountId }: DisconnectServiceParams) => {
       const response = await fetch('/api/auth/oauth/disconnect', {
         method: 'POST',
         headers: {
@@ -191,6 +191,7 @@ export function useDisconnectOAuthService() {
         body: JSON.stringify({
           provider,
           providerId,
+          accountId,
         }),
       })
 
@@ -212,7 +213,8 @@ export function useDisconnectOAuthService() {
           oauthConnectionsKeys.connections(),
           previousServices.map((svc) => {
             if (svc.id === serviceId) {
-              const updatedAccounts = svc.accounts?.filter((acc) => acc.id !== accountId) || []
+              const updatedAccounts =
+                accountId && svc.accounts ? svc.accounts.filter((acc) => acc.id !== accountId) : []
               return {
                 ...svc,
                 accounts: updatedAccounts,
diff --git a/apps/sim/hooks/queries/oauth-credentials.ts b/apps/sim/hooks/queries/oauth-credentials.ts
index 414fae2d9c..b300db6eea 100644
--- a/apps/sim/hooks/queries/oauth-credentials.ts
+++ b/apps/sim/hooks/queries/oauth-credentials.ts
@@ -1,6 +1,6 @@
 import { useQuery } from '@tanstack/react-query'
 import type { Credential } from '@/lib/oauth'
-import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSetDetail } from '@/hooks/queries/credential-sets'
 import { fetchJson } from '@/hooks/selectors/helpers'
 
@@ -13,15 +13,34 @@ interface CredentialDetailResponse {
 }
 
 export const oauthCredentialKeys = {
-  list: (providerId?: string) => ['oauthCredentials', providerId ?? 'none'] as const,
+  list: (providerId?: string, workspaceId?: string, workflowId?: string) =>
+    [
+      'oauthCredentials',
+      providerId ?? 'none',
+      workspaceId ?? 'none',
+      workflowId ?? 'none',
+    ] as const,
   detail: (credentialId?: string, workflowId?: string) =>
     ['oauthCredentialDetail', credentialId ?? 'none', workflowId ?? 'none'] as const,
 }
 
-export async function fetchOAuthCredentials(providerId: string): Promise<Credential[]> {
+interface FetchOAuthCredentialsParams {
+  providerId: string
+  workspaceId?: string
+  workflowId?: string
+}
+
+export async function fetchOAuthCredentials(
+  params: FetchOAuthCredentialsParams
+): Promise<Credential[]> {
+  const { providerId, workspaceId, workflowId } = params
   if (!providerId) return []
   const data = await fetchJson<CredentialListResponse>('/api/auth/oauth/credentials', {
-    searchParams: { provider: providerId },
+    searchParams: {
+      provider: providerId,
+      workspaceId,
+      workflowId,
+    },
   })
   return data.credentials ?? []
 }
@@ -40,10 +59,44 @@ export async function fetchOAuthCredentialDetail(
   return data.credentials ?? []
 }
 
-export function useOAuthCredentials(providerId?: string, enabled = true) {
+interface UseOAuthCredentialsOptions {
+  enabled?: boolean
+  workspaceId?: string
+  workflowId?: string
+}
+
+function resolveOptions(
+  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
+): Required<UseOAuthCredentialsOptions> {
+  if (typeof enabledOrOptions === 'boolean') {
+    return {
+      enabled: enabledOrOptions,
+      workspaceId: '',
+      workflowId: '',
+    }
+  }
+
+  return {
+    enabled: enabledOrOptions?.enabled ?? true,
+    workspaceId: enabledOrOptions?.workspaceId ?? '',
+    workflowId: enabledOrOptions?.workflowId ?? '',
+  }
+}
+
+export function useOAuthCredentials(
+  providerId?: string,
+  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
+) {
+  const { enabled, workspaceId, workflowId } = resolveOptions(enabledOrOptions)
+
   return useQuery<Credential[]>({
-    queryKey: oauthCredentialKeys.list(providerId),
-    queryFn: () => fetchOAuthCredentials(providerId ?? ''),
+    queryKey: oauthCredentialKeys.list(providerId, workspaceId, workflowId),
+    queryFn: () =>
+      fetchOAuthCredentials({
+        providerId: providerId ?? '',
+        workspaceId: workspaceId || undefined,
+        workflowId: workflowId || undefined,
+      }),
     enabled: Boolean(providerId) && enabled,
     staleTime: 60 * 1000,
   })
@@ -62,7 +115,12 @@ export function useOAuthCredentialDetail(
   })
 }
 
-export function useCredentialName(credentialId?: string, providerId?: string, workflowId?: string) {
+export function useCredentialName(
+  credentialId?: string,
+  providerId?: string,
+  workflowId?: string,
+  workspaceId?: string
+) {
   // Check if this is a credential set value
   const isCredentialSet = credentialId?.startsWith(CREDENTIAL_SET.PREFIX) ?? false
   const credentialSetId = isCredentialSet
@@ -77,7 +135,11 @@ export function useCredentialName(credentialId?: string, providerId?: string, wo
 
   const { data: credentials = [], isFetching: credentialsLoading } = useOAuthCredentials(
     providerId,
-    Boolean(providerId) && !isCredentialSet
+    {
+      enabled: Boolean(providerId) && !isCredentialSet,
+      workspaceId,
+      workflowId,
+    }
   )
 
   const selectedCredential = credentials.find((cred) => cred.id === credentialId)
@@ -92,18 +154,18 @@ export function useCredentialName(credentialId?: string, providerId?: string, wo
     shouldFetchDetail
   )
 
+  const detailCredential = foreignCredentials[0]
   const hasForeignMeta = foreignCredentials.length > 0
-  const isForeignCredentialSet = isCredentialSet && !credentialSetData && !credentialSetLoading
 
   const displayName =
-    credentialSetData?.name ??
-    selectedCredential?.name ??
-    (hasForeignMeta ? CREDENTIAL.FOREIGN_LABEL : null) ??
-    (isForeignCredentialSet ? CREDENTIAL.FOREIGN_LABEL : null)
+    credentialSetData?.name ?? selectedCredential?.name ?? detailCredential?.name ?? null
 
   return {
     displayName,
-    isLoading: credentialsLoading || foreignLoading || (isCredentialSet && credentialSetLoading),
+    isLoading:
+      credentialsLoading ||
+      foreignLoading ||
+      (isCredentialSet && credentialSetLoading && !credentialSetData),
     hasForeignMeta,
   }
 }
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
index be5b961f0f..726db4cec6 100644
--- a/apps/sim/lib/auth/auth.ts
+++ b/apps/sim/lib/auth/auth.ts
@@ -14,7 +14,7 @@ import {
   oneTimeToken,
   organization,
 } from 'better-auth/plugins'
-import { and, eq } from 'drizzle-orm'
+import { and, eq, inArray, sql } from 'drizzle-orm'
 import { headers } from 'next/headers'
 import Stripe from 'stripe'
 import {
@@ -55,6 +55,10 @@ import {
 } from '@/lib/core/config/feature-flags'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import {
+  handleCreateCredentialFromDraft,
+  handleReconnectCredential,
+} from '@/lib/credentials/draft-hooks'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
@@ -150,16 +154,6 @@ export const auth = betterAuth({
     account: {
       create: {
         before: async (account) => {
-          // Only one credential per (userId, providerId) is allowed
-          // If user reconnects (even with a different external account), delete the old one
-          // and let Better Auth create the new one (returning false breaks account linking flow)
-          const existing = await db.query.account.findFirst({
-            where: and(
-              eq(schema.account.userId, account.userId),
-              eq(schema.account.providerId, account.providerId)
-            ),
-          })
-
           const modifiedAccount = { ...account }
 
           if (account.providerId === 'salesforce' && account.accessToken) {
@@ -189,32 +183,121 @@ export const auth = betterAuth({
             }
           }
 
-          // Handle Microsoft refresh token expiry
           if (isMicrosoftProvider(account.providerId)) {
             modifiedAccount.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
           }
 
-          if (existing) {
-            // Delete the existing account so Better Auth can create the new one
-            // This allows account linking/re-authorization to succeed
-            await db.delete(schema.account).where(eq(schema.account.id, existing.id))
+          return { data: modifiedAccount }
+        },
+        after: async (account) => {
+          /**
+           * Migrate credentials from stale account rows to the newly created one.
+           *
+           * Each getUserInfo appends a random UUID to the stable external ID so
+           * that Better Auth never blocks cross-user connections. This means
+           * re-connecting the same external identity creates a new row. We detect
+           * the stale siblings here by comparing the stable prefix (everything
+           * before the trailing UUID), migrate any credential FKs to the new row,
+           * then delete the stale rows.
+           */
+          try {
+            const UUID_SUFFIX_RE = /-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
+            const stablePrefix = account.accountId.replace(UUID_SUFFIX_RE, '')
+
+            if (stablePrefix && stablePrefix !== account.accountId) {
+              const siblings = await db
+                .select({ id: schema.account.id, accountId: schema.account.accountId })
+                .from(schema.account)
+                .where(
+                  and(
+                    eq(schema.account.userId, account.userId),
+                    eq(schema.account.providerId, account.providerId),
+                    sql`${schema.account.id} != ${account.id}`
+                  )
+                )
+
+              const staleRows = siblings.filter(
+                (row) => row.accountId.replace(UUID_SUFFIX_RE, '') === stablePrefix
+              )
+
+              if (staleRows.length > 0) {
+                const staleIds = staleRows.map((row) => row.id)
 
-            // Preserve the existing account ID so references (like workspace notifications) continue to work
-            modifiedAccount.id = existing.id
+                await db
+                  .update(schema.credential)
+                  .set({ accountId: account.id })
+                  .where(inArray(schema.credential.accountId, staleIds))
 
-            logger.info('[account.create.before] Deleted existing account for re-authorization', {
+                await db.delete(schema.account).where(inArray(schema.account.id, staleIds))
+
+                logger.info('[account.create.after] Migrated credentials from stale accounts', {
+                  userId: account.userId,
+                  providerId: account.providerId,
+                  newAccountId: account.id,
+                  migratedFrom: staleIds,
+                })
+              }
+            }
+          } catch (error) {
+            logger.error('[account.create.after] Failed to clean up stale accounts', {
               userId: account.userId,
               providerId: account.providerId,
-              existingAccountId: existing.id,
-              preservingId: true,
+              error,
             })
+          }
+
+          /**
+           * If a pending credential draft exists for this (userId, providerId),
+           * either create a new credential or reconnect an existing one.
+           *
+           * - draft.credentialId is null: create a new credential (normal connect flow)
+           * - draft.credentialId is set: update existing credential's accountId (reconnect flow)
+           */
+          try {
+            const [draft] = await db
+              .select()
+              .from(schema.pendingCredentialDraft)
+              .where(
+                and(
+                  eq(schema.pendingCredentialDraft.userId, account.userId),
+                  eq(schema.pendingCredentialDraft.providerId, account.providerId),
+                  sql`${schema.pendingCredentialDraft.expiresAt} > NOW()`
+                )
+              )
+              .limit(1)
+
+            if (draft) {
+              const now = new Date()
+
+              if (draft.credentialId) {
+                await handleReconnectCredential({
+                  draft,
+                  newAccountId: account.id,
+                  workspaceId: draft.workspaceId,
+                  now,
+                })
+              } else {
+                await handleCreateCredentialFromDraft({
+                  draft,
+                  accountId: account.id,
+                  providerId: account.providerId,
+                  userId: account.userId,
+                  now,
+                })
+              }
 
-            // Sync webhooks for credential sets after reconnecting (in after hook)
+              await db
+                .delete(schema.pendingCredentialDraft)
+                .where(eq(schema.pendingCredentialDraft.id, draft.id))
+            }
+          } catch (error) {
+            logger.error('[account.create.after] Failed to process credential draft', {
+              userId: account.userId,
+              providerId: account.providerId,
+              error,
+            })
           }
 
-          return { data: modifiedAccount }
-        },
-        after: async (account) => {
           try {
             const { ensureUserStatsExists } = await import('@/lib/billing/core/usage')
             await ensureUserStatsExists(account.userId)
@@ -1487,7 +1570,7 @@ export const auth = betterAuth({
               })
 
               return {
-                id: `${data.user_id || data.hub_id.toString()}-${crypto.randomUUID()}`,
+                id: `${(data.user_id || data.hub_id).toString()}-${crypto.randomUUID()}`,
                 name: data.user || 'HubSpot User',
                 email: data.user || `hubspot-${data.hub_id}@hubspot.com`,
                 emailVerified: true,
@@ -1541,7 +1624,7 @@ export const auth = betterAuth({
               const data = await response.json()
 
               return {
-                id: `${data.user_id || data.sub}-${crypto.randomUUID()}`,
+                id: `${(data.user_id || data.sub).toString()}-${crypto.randomUUID()}`,
                 name: data.name || 'Salesforce User',
                 email: data.email || `salesforce-${data.user_id}@salesforce.com`,
                 emailVerified: data.email_verified || true,
@@ -1600,7 +1683,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.data.id}-${crypto.randomUUID()}`,
+                id: `${profile.data.id.toString()}-${crypto.randomUUID()}`,
                 name: profile.data.name || 'X User',
                 email: `${profile.data.username}@x.com`,
                 image: profile.data.profile_image_url,
@@ -1680,7 +1763,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.account_id}-${crypto.randomUUID()}`,
+                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
                 name: profile.name || profile.display_name || 'Confluence User',
                 email: profile.email || `${profile.account_id}@atlassian.com`,
                 image: profile.picture || undefined,
@@ -1791,7 +1874,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.account_id}-${crypto.randomUUID()}`,
+                id: `${profile.account_id.toString()}-${crypto.randomUUID()}`,
                 name: profile.name || profile.display_name || 'Jira User',
                 email: profile.email || `${profile.account_id}@atlassian.com`,
                 image: profile.picture || undefined,
@@ -1841,7 +1924,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${data.id}-${crypto.randomUUID()}`,
+                id: `${data.id.toString()}-${crypto.randomUUID()}`,
                 name: data.email ? data.email.split('@')[0] : 'Airtable User',
                 email: data.email || `${data.id}@airtable.user`,
                 emailVerified: !!data.email,
@@ -1890,7 +1973,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.bot?.owner?.user?.id || profile.id}-${crypto.randomUUID()}`,
+                id: `${(profile.bot?.owner?.user?.id || profile.id).toString()}-${crypto.randomUUID()}`,
                 name: profile.name || profile.bot?.owner?.user?.name || 'Notion User',
                 email: profile.person?.email || `${profile.id}@notion.user`,
                 emailVerified: !!profile.person?.email,
@@ -1957,7 +2040,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${data.id}-${crypto.randomUUID()}`,
+                id: `${data.id.toString()}-${crypto.randomUUID()}`,
                 name: data.name || 'Reddit User',
                 email: `${data.name}@reddit.user`,
                 image: data.icon_img || undefined,
@@ -2029,7 +2112,7 @@ export const auth = betterAuth({
               const viewer = data.viewer
 
               return {
-                id: `${viewer.id}-${crypto.randomUUID()}`,
+                id: `${viewer.id.toString()}-${crypto.randomUUID()}`,
                 email: viewer.email,
                 name: viewer.name,
                 emailVerified: true,
@@ -2092,7 +2175,7 @@ export const auth = betterAuth({
               const data = await response.json()
 
               return {
-                id: `${data.account_id}-${crypto.randomUUID()}`,
+                id: `${data.account_id.toString()}-${crypto.randomUUID()}`,
                 email: data.email,
                 name: data.name?.display_name || data.email,
                 emailVerified: data.email_verified || false,
@@ -2143,7 +2226,7 @@ export const auth = betterAuth({
               const now = new Date()
 
               return {
-                id: `${profile.gid}-${crypto.randomUUID()}`,
+                id: `${profile.gid.toString()}-${crypto.randomUUID()}`,
                 name: profile.name || 'Asana User',
                 email: profile.email || `${profile.gid}@asana.user`,
                 image: profile.photo?.image_128x128 || undefined,
@@ -2378,7 +2461,7 @@ export const auth = betterAuth({
               const profile = await response.json()
 
               return {
-                id: `${profile.id}-${crypto.randomUUID()}`,
+                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
                 name:
                   `${profile.first_name || ''} ${profile.last_name || ''}`.trim() || 'Zoom User',
                 email: profile.email || `${profile.id}@zoom.user`,
@@ -2445,7 +2528,7 @@ export const auth = betterAuth({
               const profile = await response.json()
 
               return {
-                id: `${profile.id}-${crypto.randomUUID()}`,
+                id: `${profile.id.toString()}-${crypto.randomUUID()}`,
                 name: profile.display_name || 'Spotify User',
                 email: profile.email || `${profile.id}@spotify.user`,
                 emailVerified: true,
diff --git a/apps/sim/lib/auth/credential-access.ts b/apps/sim/lib/auth/credential-access.ts
index 61b0f655af..b4ecc18476 100644
--- a/apps/sim/lib/auth/credential-access.ts
+++ b/apps/sim/lib/auth/credential-access.ts
@@ -1,6 +1,6 @@
 import { db } from '@sim/db'
-import { account, workflow as workflowTable } from '@sim/db/schema'
-import { eq } from 'drizzle-orm'
+import { account, credential, credentialMember, workflow as workflowTable } from '@sim/db/schema'
+import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -12,23 +12,25 @@ export interface CredentialAccessResult {
   requesterUserId?: string
   credentialOwnerUserId?: string
   workspaceId?: string
+  resolvedCredentialId?: string
 }
 
 /**
- * Centralizes auth + collaboration rules for credential use.
- * - Uses checkSessionOrInternalAuth to authenticate the caller
- * - Fetches credential owner
- * - Authorization rules:
- *   - session: allow if requester owns the credential; otherwise require workflowId and
- *     verify BOTH requester and owner have access to the workflow's workspace
- *   - internal_jwt: require workflowId (by default) and verify credential owner has access to the
- *     workflow's workspace (requester identity is the system/workflow)
+ * Centralizes auth + credential membership checks for OAuth usage.
+ * - Workspace-scoped credential IDs enforce active credential_member access.
+ * - Legacy account IDs are resolved to workspace-scoped credentials when workflowId is provided.
+ * - Direct legacy account-ID access without workflowId is restricted to account owners only.
  */
 export async function authorizeCredentialUse(
   request: NextRequest,
-  params: { credentialId: string; workflowId?: string; requireWorkflowIdForInternal?: boolean }
+  params: {
+    credentialId: string
+    workflowId?: string
+    requireWorkflowIdForInternal?: boolean
+    callerUserId?: string
+  }
 ): Promise<CredentialAccessResult> {
-  const { credentialId, workflowId, requireWorkflowIdForInternal = true } = params
+  const { credentialId, workflowId, requireWorkflowIdForInternal = true, callerUserId } = params
 
   const auth = await checkSessionOrInternalAuth(request, {
     requireWorkflowId: requireWorkflowIdForInternal,
@@ -37,71 +39,189 @@ export async function authorizeCredentialUse(
     return { ok: false, error: auth.error || 'Authentication required' }
   }
 
-  // Lookup credential owner
-  const [credRow] = await db
-    .select({ userId: account.userId })
-    .from(account)
-    .where(eq(account.id, credentialId))
-    .limit(1)
+  const actingUserId = auth.authType === 'internal_jwt' ? callerUserId : auth.userId
 
-  if (!credRow) {
-    return { ok: false, error: 'Credential not found' }
+  const [workflowContext] = workflowId
+    ? await db
+        .select({ workspaceId: workflowTable.workspaceId })
+        .from(workflowTable)
+        .where(eq(workflowTable.id, workflowId))
+        .limit(1)
+    : [null]
+
+  if (workflowId && (!workflowContext || !workflowContext.workspaceId)) {
+    return { ok: false, error: 'Workflow not found' }
   }
 
-  const credentialOwnerUserId = credRow.userId
+  const [platformCredential] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (platformCredential) {
+    if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+      return { ok: false, error: 'Unsupported credential type for OAuth access' }
+    }
+
+    if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) {
+      return { ok: false, error: 'Credential is not accessible from this workflow workspace' }
+    }
+
+    const [accountRow] = await db
+      .select({ userId: account.userId })
+      .from(account)
+      .where(eq(account.id, platformCredential.accountId))
+      .limit(1)
+
+    if (!accountRow) {
+      return { ok: false, error: 'Credential account not found' }
+    }
+
+    if (actingUserId) {
+      const requesterPerm = await getUserEntityPermissions(
+        actingUserId,
+        'workspace',
+        platformCredential.workspaceId
+      )
+
+      const [membership] = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, platformCredential.id),
+            eq(credentialMember.userId, actingUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return {
+          ok: false,
+          error: `You do not have access to this credential. Ask the credential admin to add you as a member.`,
+        }
+      }
+      if (requesterPerm === null) {
+        return {
+          ok: false,
+          error: 'You do not have access to this workspace.',
+        }
+      }
+    }
+
+    const ownerPerm = await getUserEntityPermissions(
+      accountRow.userId,
+      'workspace',
+      platformCredential.workspaceId
+    )
+    if (ownerPerm === null) {
+      return { ok: false, error: 'Unauthorized' }
+    }
 
-  // If requester owns the credential, allow immediately
-  if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) {
     return {
       ok: true,
       authType: auth.authType as CredentialAccessResult['authType'],
       requesterUserId: auth.userId,
-      credentialOwnerUserId,
+      credentialOwnerUserId: accountRow.userId,
+      workspaceId: platformCredential.workspaceId,
+      resolvedCredentialId: platformCredential.accountId,
     }
   }
 
-  // For collaboration paths, workflowId is required to scope to a workspace
-  if (!workflowId) {
-    return { ok: false, error: 'workflowId is required' }
-  }
+  if (workflowContext?.workspaceId) {
+    const [workspaceCredential] = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        accountId: credential.accountId,
+      })
+      .from(credential)
+      .where(
+        and(
+          eq(credential.type, 'oauth'),
+          eq(credential.workspaceId, workflowContext.workspaceId),
+          eq(credential.accountId, credentialId)
+        )
+      )
+      .limit(1)
 
-  const [wf] = await db
-    .select({ workspaceId: workflowTable.workspaceId })
-    .from(workflowTable)
-    .where(eq(workflowTable.id, workflowId))
-    .limit(1)
+    if (!workspaceCredential?.accountId) {
+      return { ok: false, error: 'Credential not found' }
+    }
 
-  if (!wf || !wf.workspaceId) {
-    return { ok: false, error: 'Workflow not found' }
-  }
+    const [accountRow] = await db
+      .select({ userId: account.userId })
+      .from(account)
+      .where(eq(account.id, workspaceCredential.accountId))
+      .limit(1)
+
+    if (!accountRow) {
+      return { ok: false, error: 'Credential account not found' }
+    }
+
+    if (actingUserId) {
+      const [membership] = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, workspaceCredential.id),
+            eq(credentialMember.userId, actingUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return {
+          ok: false,
+          error:
+            'You do not have access to this credential. Ask the credential admin to add you as a member.',
+        }
+      }
+    }
 
-  if (auth.authType === 'internal_jwt') {
-    // Internal calls: verify credential owner belongs to the workflow's workspace
     const ownerPerm = await getUserEntityPermissions(
-      credentialOwnerUserId,
+      accountRow.userId,
       'workspace',
-      wf.workspaceId
+      workflowContext.workspaceId
     )
     if (ownerPerm === null) {
       return { ok: false, error: 'Unauthorized' }
     }
+
     return {
       ok: true,
       authType: auth.authType as CredentialAccessResult['authType'],
       requesterUserId: auth.userId,
-      credentialOwnerUserId,
-      workspaceId: wf.workspaceId,
+      credentialOwnerUserId: accountRow.userId,
+      workspaceId: workflowContext.workspaceId,
+      resolvedCredentialId: workspaceCredential.accountId,
     }
   }
 
-  // Session: verify BOTH requester and owner belong to the workflow's workspace
-  const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId)
-  const ownerPerm = await getUserEntityPermissions(
-    credentialOwnerUserId,
-    'workspace',
-    wf.workspaceId
-  )
-  if (requesterPerm === null || ownerPerm === null) {
+  const [legacyAccount] = await db
+    .select({ userId: account.userId })
+    .from(account)
+    .where(eq(account.id, credentialId))
+    .limit(1)
+
+  if (!legacyAccount) {
+    return { ok: false, error: 'Credential not found' }
+  }
+
+  if (auth.authType === 'internal_jwt') {
+    return { ok: false, error: 'workflowId is required' }
+  }
+
+  if (auth.userId !== legacyAccount.userId) {
     return { ok: false, error: 'Unauthorized' }
   }
 
@@ -109,7 +229,7 @@ export async function authorizeCredentialUse(
     ok: true,
     authType: auth.authType as CredentialAccessResult['authType'],
     requesterUserId: auth.userId,
-    credentialOwnerUserId,
-    workspaceId: wf.workspaceId,
+    credentialOwnerUserId: legacyAccount.userId,
+    resolvedCredentialId: credentialId,
   }
 }
diff --git a/apps/sim/lib/copilot/tools/server/user/set-environment-variables.ts b/apps/sim/lib/copilot/tools/server/user/set-environment-variables.ts
index 000cb65ab8..840e7825b9 100644
--- a/apps/sim/lib/copilot/tools/server/user/set-environment-variables.ts
+++ b/apps/sim/lib/copilot/tools/server/user/set-environment-variables.ts
@@ -1,10 +1,14 @@
 import { db } from '@sim/db'
-import { environment } from '@sim/db/schema'
+import { credential, environment, workflow, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { and, eq, inArray } from 'drizzle-orm'
 import { z } from 'zod'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
+import {
+  syncPersonalEnvCredentialsForUser,
+  syncWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
 
 interface SetEnvironmentVariablesParams {
   variables: Record<string, any> | Array<{ name: string; value: string }>
@@ -54,74 +58,179 @@ export const setEnvironmentVariablesServerTool: BaseServerTool<SetEnvironmentVar
       const normalized = normalizeVariables(variables || {})
       const { variables: validatedVariables } = EnvVarSchema.parse({ variables: normalized })
 
-      // Fetch existing personal environment variables
-      const existingData = await db
-        .select()
-        .from(environment)
-        .where(eq(environment.userId, authenticatedUserId))
-        .limit(1)
-      const existingEncrypted = (existingData[0]?.variables as Record<string, string>) || {}
+      const requestedKeys = Object.keys(validatedVariables)
+      const workflowId = params.workflowId
+
+      const workspaceKeySet = new Set<string>()
+      let resolvedWorkspaceId: string | null = null
+
+      if (requestedKeys.length > 0 && workflowId) {
+        const [wf] = await db
+          .select({ workspaceId: workflow.workspaceId })
+          .from(workflow)
+          .where(eq(workflow.id, workflowId))
+          .limit(1)
+
+        if (wf?.workspaceId) {
+          resolvedWorkspaceId = wf.workspaceId
+          const existingWorkspaceCredentials = await db
+            .select({ envKey: credential.envKey })
+            .from(credential)
+            .where(
+              and(
+                eq(credential.workspaceId, wf.workspaceId),
+                eq(credential.type, 'env_workspace'),
+                inArray(credential.envKey, requestedKeys)
+              )
+            )
+
+          for (const row of existingWorkspaceCredentials) {
+            if (row.envKey) workspaceKeySet.add(row.envKey)
+          }
+        }
+      }
+
+      const personalVars: Record<string, string> = {}
+      const workspaceVars: Record<string, string> = {}
+
+      for (const [key, value] of Object.entries(validatedVariables)) {
+        if (workspaceKeySet.has(key)) {
+          workspaceVars[key] = value
+        } else {
+          personalVars[key] = value
+        }
+      }
 
-      const toEncrypt: Record<string, string> = {}
       const added: string[] = []
       const updated: string[] = []
-      for (const [key, newVal] of Object.entries(validatedVariables)) {
-        if (!(key in existingEncrypted)) {
-          toEncrypt[key] = newVal
-          added.push(key)
-        } else {
-          try {
-            const { decrypted } = await decryptSecret(existingEncrypted[key])
-            if (decrypted !== newVal) {
+      const workspaceUpdated: string[] = []
+
+      if (Object.keys(personalVars).length > 0) {
+        const existingData = await db
+          .select()
+          .from(environment)
+          .where(eq(environment.userId, authenticatedUserId))
+          .limit(1)
+        const existingEncrypted = (existingData[0]?.variables as Record<string, string>) || {}
+
+        const toEncrypt: Record<string, string> = {}
+        for (const [key, newVal] of Object.entries(personalVars)) {
+          if (!(key in existingEncrypted)) {
+            toEncrypt[key] = newVal
+            added.push(key)
+          } else {
+            try {
+              const { decrypted } = await decryptSecret(existingEncrypted[key])
+              if (decrypted !== newVal) {
+                toEncrypt[key] = newVal
+                updated.push(key)
+              }
+            } catch {
               toEncrypt[key] = newVal
               updated.push(key)
             }
-          } catch {
-            toEncrypt[key] = newVal
-            updated.push(key)
           }
         }
-      }
 
-      const newlyEncrypted = await Object.entries(toEncrypt).reduce(
-        async (accP, [key, val]) => {
-          const acc = await accP
-          const { encrypted } = await encryptSecret(val)
-          return { ...acc, [key]: encrypted }
-        },
-        Promise.resolve({} as Record<string, string>)
-      )
-
-      const finalEncrypted = { ...existingEncrypted, ...newlyEncrypted }
-
-      // Save to personal environment variables (keyed by userId)
-      await db
-        .insert(environment)
-        .values({
-          id: crypto.randomUUID(),
+        const newlyEncrypted = await Object.entries(toEncrypt).reduce(
+          async (accP, [key, val]) => {
+            const acc = await accP
+            const { encrypted } = await encryptSecret(val)
+            return { ...acc, [key]: encrypted }
+          },
+          Promise.resolve({} as Record<string, string>)
+        )
+
+        const finalEncrypted = { ...existingEncrypted, ...newlyEncrypted }
+
+        await db
+          .insert(environment)
+          .values({
+            id: crypto.randomUUID(),
+            userId: authenticatedUserId,
+            variables: finalEncrypted,
+            updatedAt: new Date(),
+          })
+          .onConflictDoUpdate({
+            target: [environment.userId],
+            set: { variables: finalEncrypted, updatedAt: new Date() },
+          })
+
+        await syncPersonalEnvCredentialsForUser({
           userId: authenticatedUserId,
-          variables: finalEncrypted,
-          updatedAt: new Date(),
+          envKeys: Object.keys(finalEncrypted),
         })
-        .onConflictDoUpdate({
-          target: [environment.userId],
-          set: { variables: finalEncrypted, updatedAt: new Date() },
+      }
+
+      if (Object.keys(workspaceVars).length > 0 && resolvedWorkspaceId) {
+        const wsRows = await db
+          .select()
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, resolvedWorkspaceId))
+          .limit(1)
+
+        const existingWsEncrypted = (wsRows[0]?.variables as Record<string, string>) || {}
+
+        const toEncryptWs: Record<string, string> = {}
+        for (const [key, newVal] of Object.entries(workspaceVars)) {
+          toEncryptWs[key] = newVal
+          workspaceUpdated.push(key)
+        }
+
+        const newlyEncryptedWs = await Object.entries(toEncryptWs).reduce(
+          async (accP, [key, val]) => {
+            const acc = await accP
+            const { encrypted } = await encryptSecret(val)
+            return { ...acc, [key]: encrypted }
+          },
+          Promise.resolve({} as Record<string, string>)
+        )
+
+        const mergedWs = { ...existingWsEncrypted, ...newlyEncryptedWs }
+
+        await db
+          .insert(workspaceEnvironment)
+          .values({
+            id: crypto.randomUUID(),
+            workspaceId: resolvedWorkspaceId,
+            variables: mergedWs,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          })
+          .onConflictDoUpdate({
+            target: [workspaceEnvironment.workspaceId],
+            set: { variables: mergedWs, updatedAt: new Date() },
+          })
+
+        await syncWorkspaceEnvCredentials({
+          workspaceId: resolvedWorkspaceId,
+          envKeys: Object.keys(workspaceVars),
+          actingUserId: authenticatedUserId,
         })
+      }
 
-      logger.info('Saved personal environment variables', {
+      const totalProcessed = added.length + updated.length + workspaceUpdated.length
+
+      logger.info('Saved environment variables', {
         userId: authenticatedUserId,
         addedCount: added.length,
         updatedCount: updated.length,
-        totalCount: Object.keys(finalEncrypted).length,
+        workspaceUpdatedCount: workspaceUpdated.length,
       })
 
+      const parts: string[] = []
+      if (added.length > 0) parts.push(`${added.length} personal secret(s) added`)
+      if (updated.length > 0) parts.push(`${updated.length} personal secret(s) updated`)
+      if (workspaceUpdated.length > 0)
+        parts.push(`${workspaceUpdated.length} workspace secret(s) updated`)
+
       return {
-        message: `Successfully processed ${Object.keys(validatedVariables).length} personal environment variable(s): ${added.length} added, ${updated.length} updated`,
+        message: `Successfully processed ${totalProcessed} secret(s): ${parts.join(', ')}`,
         variableCount: Object.keys(validatedVariables).length,
         variableNames: Object.keys(validatedVariables),
-        totalVariableCount: Object.keys(finalEncrypted).length,
         addedVariables: added,
         updatedVariables: updated,
+        workspaceUpdatedVariables: workspaceUpdated,
       }
     },
   }
diff --git a/apps/sim/lib/credentials/access.ts b/apps/sim/lib/credentials/access.ts
new file mode 100644
index 0000000000..18573879ac
--- /dev/null
+++ b/apps/sim/lib/credentials/access.ts
@@ -0,0 +1,166 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, inArray, ne } from 'drizzle-orm'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialAccess')
+
+type ActiveCredentialMember = typeof credentialMember.$inferSelect
+type CredentialRecord = typeof credential.$inferSelect
+
+export interface CredentialActorContext {
+  credential: CredentialRecord | null
+  member: ActiveCredentialMember | null
+  hasWorkspaceAccess: boolean
+  canWriteWorkspace: boolean
+  isAdmin: boolean
+}
+
+/**
+ * Resolves user access context for a credential.
+ */
+export async function getCredentialActorContext(
+  credentialId: string,
+  userId: string
+): Promise<CredentialActorContext> {
+  const [credentialRow] = await db
+    .select()
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (!credentialRow) {
+    return {
+      credential: null,
+      member: null,
+      hasWorkspaceAccess: false,
+      canWriteWorkspace: false,
+      isAdmin: false,
+    }
+  }
+
+  const workspaceAccess = await checkWorkspaceAccess(credentialRow.workspaceId, userId)
+  const [memberRow] = await db
+    .select()
+    .from(credentialMember)
+    .where(
+      and(
+        eq(credentialMember.credentialId, credentialId),
+        eq(credentialMember.userId, userId),
+        eq(credentialMember.status, 'active')
+      )
+    )
+    .limit(1)
+
+  const isAdmin = memberRow?.role === 'admin'
+
+  return {
+    credential: credentialRow,
+    member: memberRow ?? null,
+    hasWorkspaceAccess: workspaceAccess.hasAccess,
+    canWriteWorkspace: workspaceAccess.canWrite,
+    isAdmin,
+  }
+}
+
+/**
+ * Revokes all credential memberships for a user across a workspace.
+ * Before revoking, ensures the workspace owner is an admin on any credential
+ * where the removed user is the sole active admin, preventing orphaned credentials.
+ */
+export async function revokeWorkspaceCredentialMemberships(
+  workspaceId: string,
+  userId: string
+): Promise<void> {
+  const workspaceCredentialIds = await db
+    .select({ id: credential.id })
+    .from(credential)
+    .where(eq(credential.workspaceId, workspaceId))
+
+  if (workspaceCredentialIds.length === 0) return
+
+  const credIds = workspaceCredentialIds.map((c) => c.id)
+
+  const [workspaceRow] = await db
+    .select({ ownerId: workspace.ownerId })
+    .from(workspace)
+    .where(eq(workspace.id, workspaceId))
+    .limit(1)
+
+  const ownerId = workspaceRow?.ownerId
+
+  if (ownerId && ownerId !== userId) {
+    const userAdminMemberships = await db
+      .select({ credentialId: credentialMember.credentialId })
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.userId, userId),
+          eq(credentialMember.role, 'admin'),
+          eq(credentialMember.status, 'active'),
+          inArray(credentialMember.credentialId, credIds)
+        )
+      )
+
+    for (const { credentialId: credId } of userAdminMemberships) {
+      const otherAdmins = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, credId),
+            eq(credentialMember.role, 'admin'),
+            eq(credentialMember.status, 'active'),
+            ne(credentialMember.userId, userId)
+          )
+        )
+        .limit(1)
+
+      if (otherAdmins.length > 0) continue
+
+      const now = new Date()
+      const [existingOwnerMembership] = await db
+        .select({ id: credentialMember.id, status: credentialMember.status })
+        .from(credentialMember)
+        .where(and(eq(credentialMember.credentialId, credId), eq(credentialMember.userId, ownerId)))
+        .limit(1)
+
+      if (existingOwnerMembership) {
+        await db
+          .update(credentialMember)
+          .set({ role: 'admin', status: 'active', updatedAt: now })
+          .where(eq(credentialMember.id, existingOwnerMembership.id))
+      } else {
+        await db.insert(credentialMember).values({
+          id: crypto.randomUUID(),
+          credentialId: credId,
+          userId: ownerId,
+          role: 'admin',
+          status: 'active',
+          joinedAt: now,
+          invitedBy: ownerId,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+
+      logger.info('Assigned workspace owner as credential admin before member removal', {
+        credentialId: credId,
+        ownerId,
+        removedUserId: userId,
+      })
+    }
+  }
+
+  await db
+    .update(credentialMember)
+    .set({ status: 'revoked', updatedAt: new Date() })
+    .where(
+      and(
+        eq(credentialMember.userId, userId),
+        eq(credentialMember.status, 'active'),
+        inArray(credentialMember.credentialId, credIds)
+      )
+    )
+}
diff --git a/apps/sim/lib/credentials/client-state.ts b/apps/sim/lib/credentials/client-state.ts
new file mode 100644
index 0000000000..9a333e5ea7
--- /dev/null
+++ b/apps/sim/lib/credentials/client-state.ts
@@ -0,0 +1,83 @@
+'use client'
+
+export const PENDING_OAUTH_CREDENTIAL_DRAFT_KEY = 'sim.pending-oauth-credential-draft'
+export const PENDING_CREDENTIAL_CREATE_REQUEST_KEY = 'sim.pending-credential-create-request'
+export const PENDING_CREDENTIAL_CREATE_REQUEST_EVENT = 'sim:pending-credential-create-request'
+
+export interface PendingOAuthCredentialDraft {
+  workspaceId: string
+  providerId: string
+  displayName: string
+  existingCredentialIds: string[]
+  existingAccountIds: string[]
+  requestedAt: number
+}
+
+interface PendingOAuthCredentialCreateRequest {
+  workspaceId: string
+  type: 'oauth'
+  providerId: string
+  displayName: string
+  serviceId: string
+  requiredScopes: string[]
+  requestedAt: number
+}
+
+interface PendingSecretCredentialCreateRequest {
+  workspaceId: string
+  type: 'env_personal' | 'env_workspace'
+  envKey?: string
+  requestedAt: number
+}
+
+export type PendingCredentialCreateRequest =
+  | PendingOAuthCredentialCreateRequest
+  | PendingSecretCredentialCreateRequest
+
+function parseJson<T>(raw: string | null): T | null {
+  if (!raw) return null
+  try {
+    return JSON.parse(raw) as T
+  } catch {
+    return null
+  }
+}
+
+export function readPendingOAuthCredentialDraft(): PendingOAuthCredentialDraft | null {
+  if (typeof window === 'undefined') return null
+  return parseJson<PendingOAuthCredentialDraft>(
+    window.sessionStorage.getItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
+  )
+}
+
+export function writePendingOAuthCredentialDraft(payload: PendingOAuthCredentialDraft) {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.setItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY, JSON.stringify(payload))
+}
+
+export function clearPendingOAuthCredentialDraft() {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.removeItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
+}
+
+export function readPendingCredentialCreateRequest(): PendingCredentialCreateRequest | null {
+  if (typeof window === 'undefined') return null
+  return parseJson<PendingCredentialCreateRequest>(
+    window.sessionStorage.getItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
+  )
+}
+
+export function writePendingCredentialCreateRequest(payload: PendingCredentialCreateRequest) {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.setItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY, JSON.stringify(payload))
+  window.dispatchEvent(
+    new CustomEvent<PendingCredentialCreateRequest>(PENDING_CREDENTIAL_CREATE_REQUEST_EVENT, {
+      detail: payload,
+    })
+  )
+}
+
+export function clearPendingCredentialCreateRequest() {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.removeItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
+}
diff --git a/apps/sim/lib/credentials/draft-hooks.ts b/apps/sim/lib/credentials/draft-hooks.ts
new file mode 100644
index 0000000000..8f852210f6
--- /dev/null
+++ b/apps/sim/lib/credentials/draft-hooks.ts
@@ -0,0 +1,148 @@
+import { db } from '@sim/db'
+import * as schema from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, sql } from 'drizzle-orm'
+
+const logger = createLogger('CredentialDraftHooks')
+
+/**
+ * Creates a new credential from a pending draft (normal OAuth connect flow).
+ */
+export async function handleCreateCredentialFromDraft(params: {
+  draft: { workspaceId: string; displayName: string; description: string | null }
+  accountId: string
+  providerId: string
+  userId: string
+  now: Date
+}) {
+  const { draft, accountId, providerId, userId, now } = params
+  const credentialId = crypto.randomUUID()
+
+  try {
+    await db.insert(schema.credential).values({
+      id: credentialId,
+      workspaceId: draft.workspaceId,
+      type: 'oauth',
+      displayName: draft.displayName,
+      description: draft.description ?? null,
+      providerId,
+      accountId,
+      createdBy: userId,
+      createdAt: now,
+      updatedAt: now,
+    })
+
+    await db.insert(schema.credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId,
+      role: 'admin',
+      status: 'active',
+      joinedAt: now,
+      invitedBy: userId,
+      createdAt: now,
+      updatedAt: now,
+    })
+
+    logger.info('Created credential from draft', {
+      credentialId,
+      displayName: draft.displayName,
+      providerId,
+      accountId,
+    })
+  } catch (insertError: unknown) {
+    const code =
+      insertError && typeof insertError === 'object' && 'code' in insertError
+        ? (insertError as { code: string }).code
+        : undefined
+    if (code !== '23505') {
+      throw insertError
+    }
+    logger.info('Credential already exists, skipping draft', {
+      providerId,
+      accountId,
+    })
+  }
+}
+
+/**
+ * Reconnects an existing credential to a new OAuth account.
+ * Handles unique constraint checks and orphaned account cleanup.
+ */
+export async function handleReconnectCredential(params: {
+  draft: { credentialId: string | null; workspaceId: string; displayName: string }
+  newAccountId: string
+  workspaceId: string
+  now: Date
+}) {
+  const { draft, newAccountId, workspaceId, now } = params
+  if (!draft.credentialId) return
+
+  const [existingCredential] = await db
+    .select({ id: schema.credential.id, accountId: schema.credential.accountId })
+    .from(schema.credential)
+    .where(eq(schema.credential.id, draft.credentialId))
+    .limit(1)
+
+  if (!existingCredential) {
+    logger.warn('Credential not found for reconnect, skipping', {
+      credentialId: draft.credentialId,
+    })
+    return
+  }
+
+  const oldAccountId = existingCredential.accountId
+
+  if (oldAccountId === newAccountId) {
+    logger.info('Account unchanged during reconnect, skipping update', {
+      credentialId: draft.credentialId,
+      accountId: newAccountId,
+    })
+    return
+  }
+
+  const [conflicting] = await db
+    .select({ id: schema.credential.id })
+    .from(schema.credential)
+    .where(
+      and(
+        eq(schema.credential.workspaceId, workspaceId),
+        eq(schema.credential.accountId, newAccountId),
+        sql`${schema.credential.id} != ${draft.credentialId}`
+      )
+    )
+    .limit(1)
+
+  if (conflicting) {
+    logger.warn('New account already used by another credential, skipping reconnect', {
+      credentialId: draft.credentialId,
+      newAccountId,
+      conflictingCredentialId: conflicting.id,
+    })
+    return
+  }
+
+  await db
+    .update(schema.credential)
+    .set({ accountId: newAccountId, updatedAt: now })
+    .where(eq(schema.credential.id, draft.credentialId))
+
+  logger.info('Reconnected credential to new account', {
+    credentialId: draft.credentialId,
+    oldAccountId,
+    newAccountId,
+  })
+
+  if (oldAccountId) {
+    const [stillReferenced] = await db
+      .select({ id: schema.credential.id })
+      .from(schema.credential)
+      .where(eq(schema.credential.accountId, oldAccountId))
+      .limit(1)
+
+    if (!stillReferenced) {
+      await db.delete(schema.account).where(eq(schema.account.id, oldAccountId))
+      logger.info('Deleted orphaned account after reconnect', { accountId: oldAccountId })
+    }
+  }
+}
diff --git a/apps/sim/lib/credentials/environment.ts b/apps/sim/lib/credentials/environment.ts
new file mode 100644
index 0000000000..9010461e52
--- /dev/null
+++ b/apps/sim/lib/credentials/environment.ts
@@ -0,0 +1,360 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, permissions, workspace } from '@sim/db/schema'
+import { and, eq, inArray, notInArray } from 'drizzle-orm'
+
+interface AccessibleEnvCredential {
+  type: 'env_workspace' | 'env_personal'
+  envKey: string
+  envOwnerUserId: string | null
+  updatedAt: Date
+}
+
+function getPostgresErrorCode(error: unknown): string | undefined {
+  if (!error || typeof error !== 'object') return undefined
+  const err = error as { code?: string; cause?: { code?: string } }
+  return err.code || err.cause?.code
+}
+
+export async function getWorkspaceMemberUserIds(workspaceId: string): Promise<string[]> {
+  const [workspaceRows, permissionRows] = await Promise.all([
+    db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1),
+    db
+      .select({ userId: permissions.userId })
+      .from(permissions)
+      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
+  ])
+  const workspaceRow = workspaceRows[0]
+
+  const memberIds = new Set<string>(permissionRows.map((row) => row.userId))
+  if (workspaceRow?.ownerId) {
+    memberIds.add(workspaceRow.ownerId)
+  }
+  return Array.from(memberIds)
+}
+
+export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
+  const [permissionRows, ownedWorkspaceRows] = await Promise.all([
+    db
+      .select({ workspaceId: workspace.id })
+      .from(permissions)
+      .innerJoin(
+        workspace,
+        and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspace.id))
+      )
+      .where(eq(permissions.userId, userId)),
+    db.select({ workspaceId: workspace.id }).from(workspace).where(eq(workspace.ownerId, userId)),
+  ])
+
+  const workspaceIds = new Set<string>(permissionRows.map((row) => row.workspaceId))
+  for (const row of ownedWorkspaceRows) {
+    workspaceIds.add(row.workspaceId)
+  }
+
+  return Array.from(workspaceIds)
+}
+
+async function upsertCredentialAdminMember(credentialId: string, adminUserId: string) {
+  const now = new Date()
+  const [existingMembership] = await db
+    .select({ id: credentialMember.id, joinedAt: credentialMember.joinedAt })
+    .from(credentialMember)
+    .where(
+      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, adminUserId))
+    )
+    .limit(1)
+
+  if (existingMembership) {
+    await db
+      .update(credentialMember)
+      .set({
+        role: 'admin',
+        status: 'active',
+        joinedAt: existingMembership.joinedAt ?? now,
+        invitedBy: adminUserId,
+        updatedAt: now,
+      })
+      .where(eq(credentialMember.id, existingMembership.id))
+    return
+  }
+
+  await db.insert(credentialMember).values({
+    id: crypto.randomUUID(),
+    credentialId,
+    userId: adminUserId,
+    role: 'admin',
+    status: 'active',
+    joinedAt: now,
+    invitedBy: adminUserId,
+    createdAt: now,
+    updatedAt: now,
+  })
+}
+
+async function ensureWorkspaceCredentialMemberships(
+  credentialId: string,
+  workspaceId: string,
+  ownerUserId: string
+) {
+  const workspaceMemberUserIds = await getWorkspaceMemberUserIds(workspaceId)
+  if (!workspaceMemberUserIds.length) return
+
+  const existingMemberships = await db
+    .select({
+      id: credentialMember.id,
+      userId: credentialMember.userId,
+      status: credentialMember.status,
+      joinedAt: credentialMember.joinedAt,
+    })
+    .from(credentialMember)
+    .where(
+      and(
+        eq(credentialMember.credentialId, credentialId),
+        inArray(credentialMember.userId, workspaceMemberUserIds)
+      )
+    )
+
+  const byUserId = new Map(existingMemberships.map((row) => [row.userId, row]))
+  const now = new Date()
+
+  for (const memberUserId of workspaceMemberUserIds) {
+    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
+    const existing = byUserId.get(memberUserId)
+    if (existing) {
+      if (existing.status === 'revoked') {
+        continue
+      }
+      await db
+        .update(credentialMember)
+        .set({
+          role: targetRole,
+          status: 'active',
+          joinedAt: existing.joinedAt ?? now,
+          invitedBy: ownerUserId,
+          updatedAt: now,
+        })
+        .where(eq(credentialMember.id, existing.id))
+      continue
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId: memberUserId,
+      role: targetRole,
+      status: 'active',
+      joinedAt: now,
+      invitedBy: ownerUserId,
+      createdAt: now,
+      updatedAt: now,
+    })
+  }
+}
+
+export async function syncWorkspaceEnvCredentials(params: {
+  workspaceId: string
+  envKeys: string[]
+  actingUserId: string
+}) {
+  const { workspaceId, envKeys, actingUserId } = params
+  const [workspaceRow] = await db
+    .select({ ownerId: workspace.ownerId })
+    .from(workspace)
+    .where(eq(workspace.id, workspaceId))
+    .limit(1)
+
+  if (!workspaceRow) return
+
+  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
+  const existingCredentials = await db
+    .select({
+      id: credential.id,
+      envKey: credential.envKey,
+    })
+    .from(credential)
+    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
+
+  const existingByKey = new Map(
+    existingCredentials
+      .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
+      .map((row) => [row.envKey, row.id])
+  )
+
+  const credentialIdsToEnsureMembership = new Set<string>()
+  const now = new Date()
+
+  for (const envKey of normalizedKeys) {
+    const existingId = existingByKey.get(envKey)
+    if (existingId) {
+      credentialIdsToEnsureMembership.add(existingId)
+      continue
+    }
+
+    const createdId = crypto.randomUUID()
+    try {
+      await db.insert(credential).values({
+        id: createdId,
+        workspaceId,
+        type: 'env_workspace',
+        displayName: envKey,
+        envKey,
+        createdBy: actingUserId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      credentialIdsToEnsureMembership.add(createdId)
+    } catch (error: unknown) {
+      const code = getPostgresErrorCode(error)
+      if (code !== '23505') throw error
+    }
+  }
+
+  for (const credentialId of credentialIdsToEnsureMembership) {
+    await ensureWorkspaceCredentialMemberships(credentialId, workspaceId, workspaceRow.ownerId)
+  }
+
+  if (normalizedKeys.length > 0) {
+    await db
+      .delete(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          notInArray(credential.envKey, normalizedKeys)
+        )
+      )
+    return
+  }
+
+  await db
+    .delete(credential)
+    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
+}
+
+export async function syncPersonalEnvCredentialsForUser(params: {
+  userId: string
+  envKeys: string[]
+}) {
+  const { userId, envKeys } = params
+  const workspaceIds = await getUserWorkspaceIds(userId)
+  if (!workspaceIds.length) return
+
+  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
+  const now = new Date()
+
+  for (const workspaceId of workspaceIds) {
+    const existingCredentials = await db
+      .select({
+        id: credential.id,
+        envKey: credential.envKey,
+      })
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envOwnerUserId, userId)
+        )
+      )
+
+    const existingByKey = new Map(
+      existingCredentials
+        .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
+        .map((row) => [row.envKey, row.id])
+    )
+
+    for (const envKey of normalizedKeys) {
+      const existingId = existingByKey.get(envKey)
+      if (existingId) {
+        await upsertCredentialAdminMember(existingId, userId)
+        continue
+      }
+
+      const createdId = crypto.randomUUID()
+      try {
+        await db.insert(credential).values({
+          id: createdId,
+          workspaceId,
+          type: 'env_personal',
+          displayName: envKey,
+          envKey,
+          envOwnerUserId: userId,
+          createdBy: userId,
+          createdAt: now,
+          updatedAt: now,
+        })
+        await upsertCredentialAdminMember(createdId, userId)
+      } catch (error: unknown) {
+        const code = getPostgresErrorCode(error)
+        if (code !== '23505') throw error
+      }
+    }
+
+    if (normalizedKeys.length > 0) {
+      await db
+        .delete(credential)
+        .where(
+          and(
+            eq(credential.workspaceId, workspaceId),
+            eq(credential.type, 'env_personal'),
+            eq(credential.envOwnerUserId, userId),
+            notInArray(credential.envKey, normalizedKeys)
+          )
+        )
+      continue
+    }
+
+    await db
+      .delete(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envOwnerUserId, userId)
+        )
+      )
+  }
+}
+
+export async function getAccessibleEnvCredentials(
+  workspaceId: string,
+  userId: string
+): Promise<AccessibleEnvCredential[]> {
+  const rows = await db
+    .select({
+      type: credential.type,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      updatedAt: credential.updatedAt,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(
+        eq(credentialMember.credentialId, credential.id),
+        eq(credentialMember.userId, userId),
+        eq(credentialMember.status, 'active')
+      )
+    )
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        inArray(credential.type, ['env_workspace', 'env_personal'])
+      )
+    )
+
+  return rows
+    .filter(
+      (row): row is AccessibleEnvCredential =>
+        (row.type === 'env_workspace' || row.type === 'env_personal') && Boolean(row.envKey)
+    )
+    .map((row) => ({
+      type: row.type,
+      envKey: row.envKey!,
+      envOwnerUserId: row.envOwnerUserId,
+      updatedAt: row.updatedAt,
+    }))
+}
diff --git a/apps/sim/lib/credentials/oauth.ts b/apps/sim/lib/credentials/oauth.ts
new file mode 100644
index 0000000000..8969c2301a
--- /dev/null
+++ b/apps/sim/lib/credentials/oauth.ts
@@ -0,0 +1,200 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember } from '@sim/db/schema'
+import { and, eq, inArray, notInArray } from 'drizzle-orm'
+import { getServiceConfigByProviderId } from '@/lib/oauth'
+
+/** Provider IDs that are not real OAuth integrations (e.g. Better Auth's password provider) */
+const NON_OAUTH_PROVIDER_IDS = ['credential'] as const
+
+interface SyncWorkspaceOAuthCredentialsForUserParams {
+  workspaceId: string
+  userId: string
+}
+
+interface SyncWorkspaceOAuthCredentialsForUserResult {
+  createdCredentials: number
+  updatedMemberships: number
+}
+
+function getPostgresErrorCode(error: unknown): string | undefined {
+  if (!error || typeof error !== 'object') return undefined
+  const err = error as { code?: string; cause?: { code?: string } }
+  return err.code || err.cause?.code
+}
+
+/**
+ * Ensures connected OAuth accounts for a user exist as workspace-scoped credentials.
+ */
+export async function syncWorkspaceOAuthCredentialsForUser(
+  params: SyncWorkspaceOAuthCredentialsForUserParams
+): Promise<SyncWorkspaceOAuthCredentialsForUserResult> {
+  const { workspaceId, userId } = params
+
+  const userAccounts = await db
+    .select({
+      id: account.id,
+      providerId: account.providerId,
+      accountId: account.accountId,
+    })
+    .from(account)
+    .where(
+      and(eq(account.userId, userId), notInArray(account.providerId, [...NON_OAUTH_PROVIDER_IDS]))
+    )
+
+  if (userAccounts.length === 0) {
+    return { createdCredentials: 0, updatedMemberships: 0 }
+  }
+
+  const accountIds = userAccounts.map((row) => row.id)
+  const existingCredentials = await db
+    .select({
+      id: credential.id,
+      displayName: credential.displayName,
+      providerId: credential.providerId,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        eq(credential.type, 'oauth'),
+        inArray(credential.accountId, accountIds)
+      )
+    )
+
+  const now = new Date()
+  const userAccountById = new Map(userAccounts.map((row) => [row.id, row]))
+  for (const existingCredential of existingCredentials) {
+    if (!existingCredential.accountId) continue
+    const linkedAccount = userAccountById.get(existingCredential.accountId)
+    if (!linkedAccount) continue
+
+    const normalizedLabel =
+      getServiceConfigByProviderId(linkedAccount.providerId)?.name || linkedAccount.providerId
+    const shouldNormalizeDisplayName =
+      existingCredential.displayName === linkedAccount.accountId ||
+      existingCredential.displayName === linkedAccount.providerId
+
+    if (!shouldNormalizeDisplayName || existingCredential.displayName === normalizedLabel) {
+      continue
+    }
+
+    await db
+      .update(credential)
+      .set({
+        displayName: normalizedLabel,
+        updatedAt: now,
+      })
+      .where(eq(credential.id, existingCredential.id))
+  }
+
+  const existingByAccountId = new Map(
+    existingCredentials
+      .filter((row) => Boolean(row.accountId))
+      .map((row) => [row.accountId!, row.id])
+  )
+
+  let createdCredentials = 0
+
+  for (const acc of userAccounts) {
+    if (existingByAccountId.has(acc.id)) {
+      continue
+    }
+
+    try {
+      await db.insert(credential).values({
+        id: crypto.randomUUID(),
+        workspaceId,
+        type: 'oauth',
+        displayName: getServiceConfigByProviderId(acc.providerId)?.name || acc.providerId,
+        providerId: acc.providerId,
+        accountId: acc.id,
+        createdBy: userId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      createdCredentials += 1
+    } catch (error) {
+      if (getPostgresErrorCode(error) !== '23505') {
+        throw error
+      }
+    }
+  }
+
+  const credentialRows = await db
+    .select({ id: credential.id, accountId: credential.accountId })
+    .from(credential)
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        eq(credential.type, 'oauth'),
+        inArray(credential.accountId, accountIds)
+      )
+    )
+
+  const credentialIdByAccountId = new Map(
+    credentialRows.filter((row) => Boolean(row.accountId)).map((row) => [row.accountId!, row.id])
+  )
+  const allCredentialIds = Array.from(credentialIdByAccountId.values())
+  if (allCredentialIds.length === 0) {
+    return { createdCredentials, updatedMemberships: 0 }
+  }
+
+  const existingMemberships = await db
+    .select({
+      id: credentialMember.id,
+      credentialId: credentialMember.credentialId,
+      joinedAt: credentialMember.joinedAt,
+    })
+    .from(credentialMember)
+    .where(
+      and(
+        inArray(credentialMember.credentialId, allCredentialIds),
+        eq(credentialMember.userId, userId)
+      )
+    )
+
+  const membershipByCredentialId = new Map(
+    existingMemberships.map((row) => [row.credentialId, row])
+  )
+  let updatedMemberships = 0
+
+  for (const credentialId of allCredentialIds) {
+    const existingMembership = membershipByCredentialId.get(credentialId)
+    if (existingMembership) {
+      await db
+        .update(credentialMember)
+        .set({
+          role: 'admin',
+          status: 'active',
+          joinedAt: existingMembership.joinedAt ?? now,
+          invitedBy: userId,
+          updatedAt: now,
+        })
+        .where(eq(credentialMember.id, existingMembership.id))
+      updatedMemberships += 1
+      continue
+    }
+
+    try {
+      await db.insert(credentialMember).values({
+        id: crypto.randomUUID(),
+        credentialId,
+        userId,
+        role: 'admin',
+        status: 'active',
+        joinedAt: now,
+        invitedBy: userId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      updatedMemberships += 1
+    } catch (error) {
+      if (getPostgresErrorCode(error) !== '23505') {
+        throw error
+      }
+    }
+  }
+
+  return { createdCredentials, updatedMemberships }
+}
diff --git a/apps/sim/lib/environment/utils.ts b/apps/sim/lib/environment/utils.ts
index 7dbf63c1c3..e10be496e0 100644
--- a/apps/sim/lib/environment/utils.ts
+++ b/apps/sim/lib/environment/utils.ts
@@ -1,8 +1,9 @@
 import { db } from '@sim/db'
 import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { eq, inArray } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
+import { getAccessibleEnvCredentials } from '@/lib/credentials/environment'
 
 const logger = createLogger('EnvironmentUtils')
 
@@ -53,7 +54,7 @@ export async function getPersonalAndWorkspaceEnv(
   conflicts: string[]
   decryptionFailures: string[]
 }> {
-  const [personalRows, workspaceRows] = await Promise.all([
+  const [personalRows, workspaceRows, accessibleEnvCredentials] = await Promise.all([
     db.select().from(environment).where(eq(environment.userId, userId)).limit(1),
     workspaceId
       ? db
@@ -62,10 +63,69 @@ export async function getPersonalAndWorkspaceEnv(
           .where(eq(workspaceEnvironment.workspaceId, workspaceId))
           .limit(1)
       : Promise.resolve([] as any[]),
+    workspaceId ? getAccessibleEnvCredentials(workspaceId, userId) : Promise.resolve([]),
   ])
 
-  const personalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
-  const workspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
+  const ownPersonalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
+  const allWorkspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
+
+  const hasCredentialFiltering = Boolean(workspaceId) && accessibleEnvCredentials.length > 0
+  const workspaceCredentialKeys = new Set(
+    accessibleEnvCredentials.filter((row) => row.type === 'env_workspace').map((row) => row.envKey)
+  )
+
+  const personalCredentialRows = accessibleEnvCredentials
+    .filter((row) => row.type === 'env_personal' && row.envOwnerUserId)
+    .sort((a, b) => {
+      const aIsRequester = a.envOwnerUserId === userId
+      const bIsRequester = b.envOwnerUserId === userId
+      if (aIsRequester && !bIsRequester) return -1
+      if (!aIsRequester && bIsRequester) return 1
+      return b.updatedAt.getTime() - a.updatedAt.getTime()
+    })
+
+  const selectedPersonalOwners = new Map<string, string>()
+  for (const row of personalCredentialRows) {
+    if (!selectedPersonalOwners.has(row.envKey) && row.envOwnerUserId) {
+      selectedPersonalOwners.set(row.envKey, row.envOwnerUserId)
+    }
+  }
+
+  const ownerUserIds = Array.from(new Set(selectedPersonalOwners.values()))
+  const ownerEnvironmentRows =
+    ownerUserIds.length > 0
+      ? await db
+          .select({
+            userId: environment.userId,
+            variables: environment.variables,
+          })
+          .from(environment)
+          .where(inArray(environment.userId, ownerUserIds))
+      : []
+
+  const ownerVariablesByUserId = new Map<string, Record<string, string>>(
+    ownerEnvironmentRows.map((row) => [row.userId, (row.variables as Record<string, string>) || {}])
+  )
+
+  let personalEncrypted: Record<string, string> = ownPersonalEncrypted
+  let workspaceEncrypted: Record<string, string> = allWorkspaceEncrypted
+
+  if (hasCredentialFiltering) {
+    personalEncrypted = {}
+    for (const [envKey, ownerUserId] of selectedPersonalOwners.entries()) {
+      const ownerVariables = ownerVariablesByUserId.get(ownerUserId)
+      const encryptedValue = ownerVariables?.[envKey]
+      if (encryptedValue) {
+        personalEncrypted[envKey] = encryptedValue
+      }
+    }
+
+    workspaceEncrypted = Object.fromEntries(
+      Object.entries(allWorkspaceEncrypted).filter(([envKey]) =>
+        workspaceCredentialKeys.has(envKey)
+      )
+    )
+  }
 
   const decryptionFailures: string[] = []
 
diff --git a/apps/sim/lib/workflows/executor/execution-core.ts b/apps/sim/lib/workflows/executor/execution-core.ts
index 963256af2e..170892f2c4 100644
--- a/apps/sim/lib/workflows/executor/execution-core.ts
+++ b/apps/sim/lib/workflows/executor/execution-core.ts
@@ -302,6 +302,7 @@ export async function executeWorkflowCore(
       workspaceId: providedWorkspaceId,
       userId,
       isDeployedContext: !metadata.isClientSession,
+      enforceCredentialAccess: metadata.enforceCredentialAccess ?? false,
       onBlockStart,
       onBlockComplete: wrappedOnBlockComplete,
       onStream,
diff --git a/apps/sim/stores/modals/settings/types.ts b/apps/sim/stores/modals/settings/types.ts
index 2903bff8dd..247e2c099e 100644
--- a/apps/sim/stores/modals/settings/types.ts
+++ b/apps/sim/stores/modals/settings/types.ts
@@ -1,8 +1,7 @@
 export type SettingsSection =
   | 'general'
-  | 'environment'
+  | 'credentials'
   | 'template-profile'
-  | 'integrations'
   | 'apikeys'
   | 'files'
   | 'subscription'
diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
index 9af514aeb8..5febf72ebd 100644
--- a/apps/sim/tools/index.ts
+++ b/apps/sim/tools/index.ts
@@ -303,7 +303,7 @@ export async function executeTool(
         if (workflowId) {
           tokenUrlObj.searchParams.set('workflowId', workflowId)
         }
-        if (userId) {
+        if (userId && contextParams._context?.enforceCredentialAccess) {
           tokenUrlObj.searchParams.set('userId', userId)
         }
 
@@ -330,7 +330,15 @@ export async function executeTool(
             status: response.status,
             error: errorText,
           })
-          throw new Error(`Failed to fetch access token: ${response.status} ${errorText}`)
+          let parsedError = errorText
+          try {
+            const parsed = JSON.parse(errorText)
+            if (parsed.error) parsedError = parsed.error
+          } catch {
+            // Use raw text
+          }
+          const toolLabel = tool?.name || toolId
+          throw new Error(`Failed to obtain credential for ${toolLabel}: ${parsedError}`)
         }
 
         const data = await response.json()
@@ -359,10 +367,7 @@ export async function executeTool(
         logger.error(`[${requestId}] Error fetching access token for ${toolId}:`, {
           error: error instanceof Error ? error.message : String(error),
         })
-        // Re-throw the error to fail the tool execution if token fetching fails
-        throw new Error(
-          `Failed to obtain credential for tool ${toolId}: ${error instanceof Error ? error.message : String(error)}`
-        )
+        throw error
       }
     }
 
diff --git a/packages/db/migrations/0155_nebulous_rocket_raccoon.sql b/packages/db/migrations/0155_nebulous_rocket_raccoon.sql
new file mode 100644
index 0000000000..2e59d4de64
--- /dev/null
+++ b/packages/db/migrations/0155_nebulous_rocket_raccoon.sql
@@ -0,0 +1,298 @@
+CREATE TYPE "public"."credential_member_role" AS ENUM('admin', 'member');--> statement-breakpoint
+CREATE TYPE "public"."credential_member_status" AS ENUM('active', 'pending', 'revoked');--> statement-breakpoint
+CREATE TYPE "public"."credential_type" AS ENUM('oauth', 'env_workspace', 'env_personal');--> statement-breakpoint
+CREATE TABLE "credential" (
+	"id" text PRIMARY KEY NOT NULL,
+	"workspace_id" text NOT NULL,
+	"type" "credential_type" NOT NULL,
+	"display_name" text NOT NULL,
+	"description" text,
+	"provider_id" text,
+	"account_id" text,
+	"env_key" text,
+	"env_owner_user_id" text,
+	"created_by" text NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL,
+	CONSTRAINT "credential_oauth_source_check" CHECK ((type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)),
+	CONSTRAINT "credential_workspace_env_source_check" CHECK ((type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)),
+	CONSTRAINT "credential_personal_env_source_check" CHECK ((type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL))
+);
+--> statement-breakpoint
+CREATE TABLE "credential_member" (
+	"id" text PRIMARY KEY NOT NULL,
+	"credential_id" text NOT NULL,
+	"user_id" text NOT NULL,
+	"role" "credential_member_role" DEFAULT 'member' NOT NULL,
+	"status" "credential_member_status" DEFAULT 'active' NOT NULL,
+	"joined_at" timestamp,
+	"invited_by" text,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "pending_credential_draft" (
+	"id" text PRIMARY KEY NOT NULL,
+	"user_id" text NOT NULL,
+	"workspace_id" text NOT NULL,
+	"provider_id" text NOT NULL,
+	"display_name" text NOT NULL,
+	"description" text,
+	"credential_id" text,
+	"expires_at" timestamp NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+DROP INDEX "account_user_provider_unique";--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_account_id_account_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."account"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_env_owner_user_id_user_id_fk" FOREIGN KEY ("env_owner_user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_credential_id_credential_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."credential"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_invited_by_user_id_fk" FOREIGN KEY ("invited_by") REFERENCES "public"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "pending_credential_draft" ADD CONSTRAINT "pending_credential_draft_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "pending_credential_draft" ADD CONSTRAINT "pending_credential_draft_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "pending_credential_draft" ADD CONSTRAINT "pending_credential_draft_credential_id_credential_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."credential"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "credential_workspace_id_idx" ON "credential" USING btree ("workspace_id");--> statement-breakpoint
+CREATE INDEX "credential_type_idx" ON "credential" USING btree ("type");--> statement-breakpoint
+CREATE INDEX "credential_provider_id_idx" ON "credential" USING btree ("provider_id");--> statement-breakpoint
+CREATE INDEX "credential_account_id_idx" ON "credential" USING btree ("account_id");--> statement-breakpoint
+CREATE INDEX "credential_env_owner_user_id_idx" ON "credential" USING btree ("env_owner_user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_account_unique" ON "credential" USING btree ("workspace_id","account_id") WHERE account_id IS NOT NULL;--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_env_unique" ON "credential" USING btree ("workspace_id","type","env_key") WHERE type = 'env_workspace';--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_personal_env_unique" ON "credential" USING btree ("workspace_id","type","env_key","env_owner_user_id") WHERE type = 'env_personal';--> statement-breakpoint
+CREATE INDEX "credential_member_credential_id_idx" ON "credential_member" USING btree ("credential_id");--> statement-breakpoint
+CREATE INDEX "credential_member_user_id_idx" ON "credential_member" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "credential_member_role_idx" ON "credential_member" USING btree ("role");--> statement-breakpoint
+CREATE INDEX "credential_member_status_idx" ON "credential_member" USING btree ("status");--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_member_unique" ON "credential_member" USING btree ("credential_id","user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "pending_draft_user_provider_ws" ON "pending_credential_draft" USING btree ("user_id","provider_id","workspace_id");
+--> statement-breakpoint
+-- ============================================================
+-- BACKFILL: Create credentials and members from existing data
+-- ============================================================
+
+-- Helper CTE: all workspace members (from permissions + workspace owners)
+-- Used by all three backfill sections below.
+
+-- ----------------------------------------------------------
+-- 1. OAuth credentials
+-- ----------------------------------------------------------
+-- For each (account, workspace) where account owner has workspace access,
+-- create a "Default <Service Name> Credential".
+-- Account owner = admin, other workspace members = member.
+
+WITH provider_names(pid, sname) AS (
+	VALUES
+		('google-email', 'Gmail'),
+		('google-drive', 'Google Drive'),
+		('google-docs', 'Google Docs'),
+		('google-sheets', 'Google Sheets'),
+		('google-forms', 'Google Forms'),
+		('google-calendar', 'Google Calendar'),
+		('google-vault', 'Google Vault'),
+		('google-slides', 'Google Slides'),
+		('google-groups', 'Google Groups'),
+		('slack', 'Slack'),
+		('notion', 'Notion'),
+		('confluence', 'Confluence'),
+		('jira', 'Jira'),
+		('jira-service-management', 'Jira Service Management'),
+		('linear', 'Linear'),
+		('airtable', 'Airtable'),
+		('asana', 'Asana'),
+		('hubspot', 'HubSpot'),
+		('salesforce', 'Salesforce'),
+		('pipedrive', 'Pipedrive'),
+		('microsoft-teams', 'Microsoft Teams'),
+		('microsoft-planner', 'Microsoft Planner'),
+		('microsoft-excel', 'Microsoft Excel'),
+		('outlook', 'Outlook'),
+		('onedrive', 'OneDrive'),
+		('sharepoint', 'SharePoint'),
+		('dropbox', 'Dropbox'),
+		('wordpress', 'WordPress'),
+		('webflow', 'Webflow'),
+		('wealthbox', 'Wealthbox'),
+		('spotify', 'Spotify'),
+		('x', 'X'),
+		('reddit', 'Reddit'),
+		('linkedin', 'LinkedIn'),
+		('trello', 'Trello'),
+		('shopify', 'Shopify'),
+		('zoom', 'Zoom'),
+		('calcom', 'Cal.com'),
+		('discord', 'Discord'),
+		('box', 'Box'),
+		('github', 'GitHub')
+),
+workspace_user_access AS (
+	SELECT DISTINCT w.id AS workspace_id, p.user_id, p.permission_type
+	FROM "permissions" p
+	INNER JOIN "workspace" w ON w.id = p.entity_id
+	WHERE p.entity_type = 'workspace'
+	UNION
+	SELECT w.id, w.owner_id, 'admin'::"permission_type"
+	FROM "workspace" w
+),
+oauth_creds AS (
+	INSERT INTO "credential" (
+		"id", "workspace_id", "type", "display_name", "provider_id", "account_id",
+		"created_by", "created_at", "updated_at"
+	)
+	SELECT
+		'cred_' || md5(wua.workspace_id || ':' || a.id) AS id,
+		wua.workspace_id,
+		'oauth'::"credential_type",
+		COALESCE(u.name, 'User') || '''s ' || COALESCE(pn.sname, a.provider_id),
+		a.provider_id,
+		a.id,
+		a.user_id,
+		now(),
+		now()
+	FROM "account" a
+	INNER JOIN workspace_user_access wua ON wua.user_id = a.user_id
+	INNER JOIN "user" u ON u.id = a.user_id
+	LEFT JOIN provider_names pn ON pn.pid = a.provider_id
+	WHERE a.provider_id != 'credential'
+	ON CONFLICT DO NOTHING
+	RETURNING id, workspace_id, account_id
+)
+INSERT INTO "credential_member" (
+	"id", "credential_id", "user_id", "role", "status", "joined_at", "invited_by", "created_at", "updated_at"
+)
+SELECT
+	'credm_' || md5(oc.id || ':' || wua.user_id),
+	oc.id,
+	wua.user_id,
+	CASE WHEN a.user_id = wua.user_id THEN 'admin'::"credential_member_role" ELSE 'member'::"credential_member_role" END,
+	'active'::"credential_member_status",
+	now(),
+	a.user_id,
+	now(),
+	now()
+FROM oauth_creds oc
+INNER JOIN "account" a ON a.id = oc.account_id
+INNER JOIN workspace_user_access wua ON wua.workspace_id = oc.workspace_id
+ON CONFLICT DO NOTHING;
+
+--> statement-breakpoint
+-- ----------------------------------------------------------
+-- 2. Workspace environment variable credentials
+-- ----------------------------------------------------------
+-- For each key in workspace_environment.variables JSON,
+-- create a credential. Workspace admins = admin, others = member.
+
+WITH workspace_user_access AS (
+	SELECT DISTINCT w.id AS workspace_id, p.user_id, p.permission_type
+	FROM "permissions" p
+	INNER JOIN "workspace" w ON w.id = p.entity_id
+	WHERE p.entity_type = 'workspace'
+	UNION
+	SELECT w.id, w.owner_id, 'admin'::"permission_type"
+	FROM "workspace" w
+),
+ws_env_keys AS (
+	SELECT
+		we.workspace_id,
+		key AS env_key,
+		w.owner_id
+	FROM "workspace_environment" we
+	INNER JOIN "workspace" w ON w.id = we.workspace_id
+	CROSS JOIN LATERAL json_object_keys(we.variables::json) AS key
+),
+ws_env_creds AS (
+	INSERT INTO "credential" (
+		"id", "workspace_id", "type", "display_name", "env_key",
+		"created_by", "created_at", "updated_at"
+	)
+	SELECT
+		'cred_' || md5(wek.workspace_id || ':env_workspace:' || wek.env_key),
+		wek.workspace_id,
+		'env_workspace'::"credential_type",
+		wek.env_key,
+		wek.env_key,
+		wek.owner_id,
+		now(),
+		now()
+	FROM ws_env_keys wek
+	ON CONFLICT DO NOTHING
+	RETURNING id, workspace_id
+)
+INSERT INTO "credential_member" (
+	"id", "credential_id", "user_id", "role", "status", "joined_at", "invited_by", "created_at", "updated_at"
+)
+SELECT
+	'credm_' || md5(wec.id || ':' || wua.user_id),
+	wec.id,
+	wua.user_id,
+	CASE WHEN wua.permission_type = 'admin' THEN 'admin'::"credential_member_role" ELSE 'member'::"credential_member_role" END,
+	'active'::"credential_member_status",
+	now(),
+	(SELECT w.owner_id FROM "workspace" w WHERE w.id = wec.workspace_id LIMIT 1),
+	now(),
+	now()
+FROM ws_env_creds wec
+INNER JOIN workspace_user_access wua ON wua.workspace_id = wec.workspace_id
+ON CONFLICT DO NOTHING;
+
+--> statement-breakpoint
+-- ----------------------------------------------------------
+-- 3. Personal environment variable credentials
+-- ----------------------------------------------------------
+-- For each key in environment.variables JSON, for each workspace
+-- the user belongs to, create a credential with the user as admin.
+
+WITH workspace_user_access AS (
+	SELECT DISTINCT w.id AS workspace_id, p.user_id
+	FROM "permissions" p
+	INNER JOIN "workspace" w ON w.id = p.entity_id
+	WHERE p.entity_type = 'workspace'
+	UNION
+	SELECT w.id, w.owner_id
+	FROM "workspace" w
+),
+personal_env_keys AS (
+	SELECT
+		e.user_id,
+		key AS env_key
+	FROM "environment" e
+	CROSS JOIN LATERAL json_object_keys(e.variables::json) AS key
+),
+personal_env_creds AS (
+	INSERT INTO "credential" (
+		"id", "workspace_id", "type", "display_name", "env_key", "env_owner_user_id",
+		"created_by", "created_at", "updated_at"
+	)
+	SELECT
+		'cred_' || md5(wua.workspace_id || ':env_personal:' || pek.env_key || ':' || pek.user_id),
+		wua.workspace_id,
+		'env_personal'::"credential_type",
+		pek.env_key,
+		pek.env_key,
+		pek.user_id,
+		pek.user_id,
+		now(),
+		now()
+	FROM personal_env_keys pek
+	INNER JOIN workspace_user_access wua ON wua.user_id = pek.user_id
+	ON CONFLICT DO NOTHING
+	RETURNING id, workspace_id
+)
+INSERT INTO "credential_member" (
+	"id", "credential_id", "user_id", "role", "status", "joined_at", "invited_by", "created_at", "updated_at"
+)
+SELECT
+	'credm_' || md5(pec.id || ':' || c.env_owner_user_id),
+	pec.id,
+	c.env_owner_user_id,
+	'admin'::"credential_member_role",
+	'active'::"credential_member_status",
+	now(),
+	c.env_owner_user_id,
+	now(),
+	now()
+FROM personal_env_creds pec
+INNER JOIN "credential" c ON c.id = pec.id
+ON CONFLICT DO NOTHING;
\ No newline at end of file
diff --git a/packages/db/migrations/meta/0155_snapshot.json b/packages/db/migrations/meta/0155_snapshot.json
new file mode 100644
index 0000000000..8a979ddec8
--- /dev/null
+++ b/packages/db/migrations/meta/0155_snapshot.json
@@ -0,0 +1,11556 @@
+{
+  "id": "51b38e47-a8a7-40d2-abc5-6bf2525e7494",
+  "prevId": "49f580f7-7eba-4431-bdf4-61db0e606546",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.a2a_agent": {
+      "name": "a2a_agent",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "version": {
+          "name": "version",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'1.0.0'"
+        },
+        "capabilities": {
+          "name": "capabilities",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "skills": {
+          "name": "skills",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'"
+        },
+        "authentication": {
+          "name": "authentication",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "signatures": {
+          "name": "signatures",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "is_published": {
+          "name": "is_published",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "published_at": {
+          "name": "published_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "a2a_agent_workspace_id_idx": {
+          "name": "a2a_agent_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_agent_workflow_id_idx": {
+          "name": "a2a_agent_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_agent_created_by_idx": {
+          "name": "a2a_agent_created_by_idx",
+          "columns": [
+            {
+              "expression": "created_by",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_agent_workspace_workflow_unique": {
+          "name": "a2a_agent_workspace_workflow_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "a2a_agent_workspace_id_workspace_id_fk": {
+          "name": "a2a_agent_workspace_id_workspace_id_fk",
+          "tableFrom": "a2a_agent",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "a2a_agent_workflow_id_workflow_id_fk": {
+          "name": "a2a_agent_workflow_id_workflow_id_fk",
+          "tableFrom": "a2a_agent",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "a2a_agent_created_by_user_id_fk": {
+          "name": "a2a_agent_created_by_user_id_fk",
+          "tableFrom": "a2a_agent",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.a2a_push_notification_config": {
+      "name": "a2a_push_notification_config",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "task_id": {
+          "name": "task_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "auth_schemes": {
+          "name": "auth_schemes",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "auth_credentials": {
+          "name": "auth_credentials",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "a2a_push_notification_config_task_id_idx": {
+          "name": "a2a_push_notification_config_task_id_idx",
+          "columns": [
+            {
+              "expression": "task_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_push_notification_config_task_unique": {
+          "name": "a2a_push_notification_config_task_unique",
+          "columns": [
+            {
+              "expression": "task_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "a2a_push_notification_config_task_id_a2a_task_id_fk": {
+          "name": "a2a_push_notification_config_task_id_a2a_task_id_fk",
+          "tableFrom": "a2a_push_notification_config",
+          "tableTo": "a2a_task",
+          "columnsFrom": ["task_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.a2a_task": {
+      "name": "a2a_task",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "agent_id": {
+          "name": "agent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "session_id": {
+          "name": "session_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "a2a_task_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'submitted'"
+        },
+        "messages": {
+          "name": "messages",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'"
+        },
+        "artifacts": {
+          "name": "artifacts",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "execution_id": {
+          "name": "execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "a2a_task_agent_id_idx": {
+          "name": "a2a_task_agent_id_idx",
+          "columns": [
+            {
+              "expression": "agent_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_task_session_id_idx": {
+          "name": "a2a_task_session_id_idx",
+          "columns": [
+            {
+              "expression": "session_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_task_status_idx": {
+          "name": "a2a_task_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_task_execution_id_idx": {
+          "name": "a2a_task_execution_id_idx",
+          "columns": [
+            {
+              "expression": "execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "a2a_task_created_at_idx": {
+          "name": "a2a_task_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "a2a_task_agent_id_a2a_agent_id_fk": {
+          "name": "a2a_task_agent_id_a2a_agent_id_fk",
+          "tableFrom": "a2a_task",
+          "tableTo": "a2a_agent",
+          "columnsFrom": ["agent_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "account_user_id_idx": {
+          "name": "account_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "idx_account_on_account_id_provider_id": {
+          "name": "idx_account_on_account_id_provider_id",
+          "columns": [
+            {
+              "expression": "account_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.api_key": {
+      "name": "api_key",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'personal'"
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "api_key_workspace_type_idx": {
+          "name": "api_key_workspace_type_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "api_key_user_type_idx": {
+          "name": "api_key_user_type_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "api_key_user_id_user_id_fk": {
+          "name": "api_key_user_id_user_id_fk",
+          "tableFrom": "api_key",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "api_key_workspace_id_workspace_id_fk": {
+          "name": "api_key_workspace_id_workspace_id_fk",
+          "tableFrom": "api_key",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "api_key_created_by_user_id_fk": {
+          "name": "api_key_created_by_user_id_fk",
+          "tableFrom": "api_key",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "api_key_key_unique": {
+          "name": "api_key_key_unique",
+          "nullsNotDistinct": false,
+          "columns": ["key"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {
+        "workspace_type_check": {
+          "name": "workspace_type_check",
+          "value": "(type = 'workspace' AND workspace_id IS NOT NULL) OR (type = 'personal' AND workspace_id IS NULL)"
+        }
+      },
+      "isRLSEnabled": false
+    },
+    "public.async_jobs": {
+      "name": "async_jobs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "payload": {
+          "name": "payload",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "run_at": {
+          "name": "run_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "attempts": {
+          "name": "attempts",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "max_attempts": {
+          "name": "max_attempts",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 3
+        },
+        "error": {
+          "name": "error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "output": {
+          "name": "output",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "async_jobs_status_started_at_idx": {
+          "name": "async_jobs_status_started_at_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "started_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "async_jobs_status_completed_at_idx": {
+          "name": "async_jobs_status_completed_at_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "completed_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.chat": {
+      "name": "chat",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "customizations": {
+          "name": "customizations",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'public'"
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "allowed_emails": {
+          "name": "allowed_emails",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "output_configs": {
+          "name": "output_configs",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "identifier_idx": {
+          "name": "identifier_idx",
+          "columns": [
+            {
+              "expression": "identifier",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "chat_workflow_id_workflow_id_fk": {
+          "name": "chat_workflow_id_workflow_id_fk",
+          "tableFrom": "chat",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "chat_user_id_user_id_fk": {
+          "name": "chat_user_id_user_id_fk",
+          "tableFrom": "chat",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.copilot_chats": {
+      "name": "copilot_chats",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "messages": {
+          "name": "messages",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'"
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'claude-3-7-sonnet-latest'"
+        },
+        "conversation_id": {
+          "name": "conversation_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "preview_yaml": {
+          "name": "preview_yaml",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "plan_artifact": {
+          "name": "plan_artifact",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "config": {
+          "name": "config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "copilot_chats_user_id_idx": {
+          "name": "copilot_chats_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_chats_workflow_id_idx": {
+          "name": "copilot_chats_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_chats_user_workflow_idx": {
+          "name": "copilot_chats_user_workflow_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_chats_created_at_idx": {
+          "name": "copilot_chats_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_chats_updated_at_idx": {
+          "name": "copilot_chats_updated_at_idx",
+          "columns": [
+            {
+              "expression": "updated_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "copilot_chats_user_id_user_id_fk": {
+          "name": "copilot_chats_user_id_user_id_fk",
+          "tableFrom": "copilot_chats",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "copilot_chats_workflow_id_workflow_id_fk": {
+          "name": "copilot_chats_workflow_id_workflow_id_fk",
+          "tableFrom": "copilot_chats",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.copilot_feedback": {
+      "name": "copilot_feedback",
+      "schema": "",
+      "columns": {
+        "feedback_id": {
+          "name": "feedback_id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chat_id": {
+          "name": "chat_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_query": {
+          "name": "user_query",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "agent_response": {
+          "name": "agent_response",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_positive": {
+          "name": "is_positive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "feedback": {
+          "name": "feedback",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "workflow_yaml": {
+          "name": "workflow_yaml",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "copilot_feedback_user_id_idx": {
+          "name": "copilot_feedback_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_feedback_chat_id_idx": {
+          "name": "copilot_feedback_chat_id_idx",
+          "columns": [
+            {
+              "expression": "chat_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_feedback_user_chat_idx": {
+          "name": "copilot_feedback_user_chat_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "chat_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_feedback_is_positive_idx": {
+          "name": "copilot_feedback_is_positive_idx",
+          "columns": [
+            {
+              "expression": "is_positive",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "copilot_feedback_created_at_idx": {
+          "name": "copilot_feedback_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "copilot_feedback_user_id_user_id_fk": {
+          "name": "copilot_feedback_user_id_user_id_fk",
+          "tableFrom": "copilot_feedback",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "copilot_feedback_chat_id_copilot_chats_id_fk": {
+          "name": "copilot_feedback_chat_id_copilot_chats_id_fk",
+          "tableFrom": "copilot_feedback",
+          "tableTo": "copilot_chats",
+          "columnsFrom": ["chat_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.credential": {
+      "name": "credential",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "credential_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_key": {
+          "name": "env_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env_owner_user_id": {
+          "name": "env_owner_user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "credential_workspace_id_idx": {
+          "name": "credential_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_type_idx": {
+          "name": "credential_type_idx",
+          "columns": [
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_provider_id_idx": {
+          "name": "credential_provider_id_idx",
+          "columns": [
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_account_id_idx": {
+          "name": "credential_account_id_idx",
+          "columns": [
+            {
+              "expression": "account_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_env_owner_user_id_idx": {
+          "name": "credential_env_owner_user_id_idx",
+          "columns": [
+            {
+              "expression": "env_owner_user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_workspace_account_unique": {
+          "name": "credential_workspace_account_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "account_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "where": "account_id IS NOT NULL",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_workspace_env_unique": {
+          "name": "credential_workspace_env_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "env_key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "where": "type = 'env_workspace'",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_workspace_personal_env_unique": {
+          "name": "credential_workspace_personal_env_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "env_key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "env_owner_user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "where": "type = 'env_personal'",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "credential_workspace_id_workspace_id_fk": {
+          "name": "credential_workspace_id_workspace_id_fk",
+          "tableFrom": "credential",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_account_id_account_id_fk": {
+          "name": "credential_account_id_account_id_fk",
+          "tableFrom": "credential",
+          "tableTo": "account",
+          "columnsFrom": ["account_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_env_owner_user_id_user_id_fk": {
+          "name": "credential_env_owner_user_id_user_id_fk",
+          "tableFrom": "credential",
+          "tableTo": "user",
+          "columnsFrom": ["env_owner_user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_created_by_user_id_fk": {
+          "name": "credential_created_by_user_id_fk",
+          "tableFrom": "credential",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {
+        "credential_oauth_source_check": {
+          "name": "credential_oauth_source_check",
+          "value": "(type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)"
+        },
+        "credential_workspace_env_source_check": {
+          "name": "credential_workspace_env_source_check",
+          "value": "(type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)"
+        },
+        "credential_personal_env_source_check": {
+          "name": "credential_personal_env_source_check",
+          "value": "(type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL)"
+        }
+      },
+      "isRLSEnabled": false
+    },
+    "public.credential_member": {
+      "name": "credential_member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "credential_member_role",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "status": {
+          "name": "status",
+          "type": "credential_member_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'active'"
+        },
+        "joined_at": {
+          "name": "joined_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "invited_by": {
+          "name": "invited_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "credential_member_credential_id_idx": {
+          "name": "credential_member_credential_id_idx",
+          "columns": [
+            {
+              "expression": "credential_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_member_user_id_idx": {
+          "name": "credential_member_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_member_role_idx": {
+          "name": "credential_member_role_idx",
+          "columns": [
+            {
+              "expression": "role",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_member_status_idx": {
+          "name": "credential_member_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_member_unique": {
+          "name": "credential_member_unique",
+          "columns": [
+            {
+              "expression": "credential_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "credential_member_credential_id_credential_id_fk": {
+          "name": "credential_member_credential_id_credential_id_fk",
+          "tableFrom": "credential_member",
+          "tableTo": "credential",
+          "columnsFrom": ["credential_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_member_user_id_user_id_fk": {
+          "name": "credential_member_user_id_user_id_fk",
+          "tableFrom": "credential_member",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_member_invited_by_user_id_fk": {
+          "name": "credential_member_invited_by_user_id_fk",
+          "tableFrom": "credential_member",
+          "tableTo": "user",
+          "columnsFrom": ["invited_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.credential_set": {
+      "name": "credential_set",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "credential_set_organization_id_idx": {
+          "name": "credential_set_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_created_by_idx": {
+          "name": "credential_set_created_by_idx",
+          "columns": [
+            {
+              "expression": "created_by",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_org_name_unique": {
+          "name": "credential_set_org_name_unique",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "name",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_provider_id_idx": {
+          "name": "credential_set_provider_id_idx",
+          "columns": [
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "credential_set_organization_id_organization_id_fk": {
+          "name": "credential_set_organization_id_organization_id_fk",
+          "tableFrom": "credential_set",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_set_created_by_user_id_fk": {
+          "name": "credential_set_created_by_user_id_fk",
+          "tableFrom": "credential_set",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.credential_set_invitation": {
+      "name": "credential_set_invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "credential_set_id": {
+          "name": "credential_set_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "invited_by": {
+          "name": "invited_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "credential_set_invitation_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "accepted_at": {
+          "name": "accepted_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "accepted_by_user_id": {
+          "name": "accepted_by_user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "credential_set_invitation_set_id_idx": {
+          "name": "credential_set_invitation_set_id_idx",
+          "columns": [
+            {
+              "expression": "credential_set_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_invitation_token_idx": {
+          "name": "credential_set_invitation_token_idx",
+          "columns": [
+            {
+              "expression": "token",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_invitation_status_idx": {
+          "name": "credential_set_invitation_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_invitation_expires_at_idx": {
+          "name": "credential_set_invitation_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "credential_set_invitation_credential_set_id_credential_set_id_fk": {
+          "name": "credential_set_invitation_credential_set_id_credential_set_id_fk",
+          "tableFrom": "credential_set_invitation",
+          "tableTo": "credential_set",
+          "columnsFrom": ["credential_set_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_set_invitation_invited_by_user_id_fk": {
+          "name": "credential_set_invitation_invited_by_user_id_fk",
+          "tableFrom": "credential_set_invitation",
+          "tableTo": "user",
+          "columnsFrom": ["invited_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_set_invitation_accepted_by_user_id_user_id_fk": {
+          "name": "credential_set_invitation_accepted_by_user_id_user_id_fk",
+          "tableFrom": "credential_set_invitation",
+          "tableTo": "user",
+          "columnsFrom": ["accepted_by_user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "credential_set_invitation_token_unique": {
+          "name": "credential_set_invitation_token_unique",
+          "nullsNotDistinct": false,
+          "columns": ["token"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.credential_set_member": {
+      "name": "credential_set_member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "credential_set_id": {
+          "name": "credential_set_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "credential_set_member_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "joined_at": {
+          "name": "joined_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "invited_by": {
+          "name": "invited_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "credential_set_member_set_id_idx": {
+          "name": "credential_set_member_set_id_idx",
+          "columns": [
+            {
+              "expression": "credential_set_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_member_user_id_idx": {
+          "name": "credential_set_member_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_member_unique": {
+          "name": "credential_set_member_unique",
+          "columns": [
+            {
+              "expression": "credential_set_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "credential_set_member_status_idx": {
+          "name": "credential_set_member_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "credential_set_member_credential_set_id_credential_set_id_fk": {
+          "name": "credential_set_member_credential_set_id_credential_set_id_fk",
+          "tableFrom": "credential_set_member",
+          "tableTo": "credential_set",
+          "columnsFrom": ["credential_set_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_set_member_user_id_user_id_fk": {
+          "name": "credential_set_member_user_id_user_id_fk",
+          "tableFrom": "credential_set_member",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "credential_set_member_invited_by_user_id_fk": {
+          "name": "credential_set_member_invited_by_user_id_fk",
+          "tableFrom": "credential_set_member",
+          "tableTo": "user",
+          "columnsFrom": ["invited_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.custom_tools": {
+      "name": "custom_tools",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schema": {
+          "name": "schema",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "code": {
+          "name": "code",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "custom_tools_workspace_id_idx": {
+          "name": "custom_tools_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "custom_tools_workspace_title_unique": {
+          "name": "custom_tools_workspace_title_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "title",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "custom_tools_workspace_id_workspace_id_fk": {
+          "name": "custom_tools_workspace_id_workspace_id_fk",
+          "tableFrom": "custom_tools",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "custom_tools_user_id_user_id_fk": {
+          "name": "custom_tools_user_id_user_id_fk",
+          "tableFrom": "custom_tools",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.docs_embeddings": {
+      "name": "docs_embeddings",
+      "schema": "",
+      "columns": {
+        "chunk_id": {
+          "name": "chunk_id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "chunk_text": {
+          "name": "chunk_text",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "source_document": {
+          "name": "source_document",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "source_link": {
+          "name": "source_link",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "header_text": {
+          "name": "header_text",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "header_level": {
+          "name": "header_level",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_count": {
+          "name": "token_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "embedding": {
+          "name": "embedding",
+          "type": "vector(1536)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "embedding_model": {
+          "name": "embedding_model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'text-embedding-3-small'"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "chunk_text_tsv": {
+          "name": "chunk_text_tsv",
+          "type": "tsvector",
+          "primaryKey": false,
+          "notNull": false,
+          "generated": {
+            "as": "to_tsvector('english', \"docs_embeddings\".\"chunk_text\")",
+            "type": "stored"
+          }
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "docs_emb_source_document_idx": {
+          "name": "docs_emb_source_document_idx",
+          "columns": [
+            {
+              "expression": "source_document",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "docs_emb_header_level_idx": {
+          "name": "docs_emb_header_level_idx",
+          "columns": [
+            {
+              "expression": "header_level",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "docs_emb_source_header_idx": {
+          "name": "docs_emb_source_header_idx",
+          "columns": [
+            {
+              "expression": "source_document",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "header_level",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "docs_emb_model_idx": {
+          "name": "docs_emb_model_idx",
+          "columns": [
+            {
+              "expression": "embedding_model",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "docs_emb_created_at_idx": {
+          "name": "docs_emb_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "docs_embedding_vector_hnsw_idx": {
+          "name": "docs_embedding_vector_hnsw_idx",
+          "columns": [
+            {
+              "expression": "embedding",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last",
+              "opclass": "vector_cosine_ops"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "hnsw",
+          "with": {
+            "m": 16,
+            "ef_construction": 64
+          }
+        },
+        "docs_emb_metadata_gin_idx": {
+          "name": "docs_emb_metadata_gin_idx",
+          "columns": [
+            {
+              "expression": "metadata",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "gin",
+          "with": {}
+        },
+        "docs_emb_chunk_text_fts_idx": {
+          "name": "docs_emb_chunk_text_fts_idx",
+          "columns": [
+            {
+              "expression": "chunk_text_tsv",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "gin",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {
+        "docs_embedding_not_null_check": {
+          "name": "docs_embedding_not_null_check",
+          "value": "\"embedding\" IS NOT NULL"
+        },
+        "docs_header_level_check": {
+          "name": "docs_header_level_check",
+          "value": "\"header_level\" >= 1 AND \"header_level\" <= 6"
+        }
+      },
+      "isRLSEnabled": false
+    },
+    "public.document": {
+      "name": "document",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "knowledge_base_id": {
+          "name": "knowledge_base_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "filename": {
+          "name": "filename",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "file_url": {
+          "name": "file_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "file_size": {
+          "name": "file_size",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "mime_type": {
+          "name": "mime_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chunk_count": {
+          "name": "chunk_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "token_count": {
+          "name": "token_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "character_count": {
+          "name": "character_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "processing_status": {
+          "name": "processing_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "processing_started_at": {
+          "name": "processing_started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "processing_completed_at": {
+          "name": "processing_completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "processing_error": {
+          "name": "processing_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "deleted_at": {
+          "name": "deleted_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag1": {
+          "name": "tag1",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag2": {
+          "name": "tag2",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag3": {
+          "name": "tag3",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag4": {
+          "name": "tag4",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag5": {
+          "name": "tag5",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag6": {
+          "name": "tag6",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag7": {
+          "name": "tag7",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number1": {
+          "name": "number1",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number2": {
+          "name": "number2",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number3": {
+          "name": "number3",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number4": {
+          "name": "number4",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number5": {
+          "name": "number5",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "date1": {
+          "name": "date1",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "date2": {
+          "name": "date2",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean1": {
+          "name": "boolean1",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean2": {
+          "name": "boolean2",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean3": {
+          "name": "boolean3",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "uploaded_at": {
+          "name": "uploaded_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "doc_kb_id_idx": {
+          "name": "doc_kb_id_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_filename_idx": {
+          "name": "doc_filename_idx",
+          "columns": [
+            {
+              "expression": "filename",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_processing_status_idx": {
+          "name": "doc_processing_status_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "processing_status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag1_idx": {
+          "name": "doc_tag1_idx",
+          "columns": [
+            {
+              "expression": "tag1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag2_idx": {
+          "name": "doc_tag2_idx",
+          "columns": [
+            {
+              "expression": "tag2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag3_idx": {
+          "name": "doc_tag3_idx",
+          "columns": [
+            {
+              "expression": "tag3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag4_idx": {
+          "name": "doc_tag4_idx",
+          "columns": [
+            {
+              "expression": "tag4",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag5_idx": {
+          "name": "doc_tag5_idx",
+          "columns": [
+            {
+              "expression": "tag5",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag6_idx": {
+          "name": "doc_tag6_idx",
+          "columns": [
+            {
+              "expression": "tag6",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_tag7_idx": {
+          "name": "doc_tag7_idx",
+          "columns": [
+            {
+              "expression": "tag7",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_number1_idx": {
+          "name": "doc_number1_idx",
+          "columns": [
+            {
+              "expression": "number1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_number2_idx": {
+          "name": "doc_number2_idx",
+          "columns": [
+            {
+              "expression": "number2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_number3_idx": {
+          "name": "doc_number3_idx",
+          "columns": [
+            {
+              "expression": "number3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_number4_idx": {
+          "name": "doc_number4_idx",
+          "columns": [
+            {
+              "expression": "number4",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_number5_idx": {
+          "name": "doc_number5_idx",
+          "columns": [
+            {
+              "expression": "number5",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_date1_idx": {
+          "name": "doc_date1_idx",
+          "columns": [
+            {
+              "expression": "date1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_date2_idx": {
+          "name": "doc_date2_idx",
+          "columns": [
+            {
+              "expression": "date2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_boolean1_idx": {
+          "name": "doc_boolean1_idx",
+          "columns": [
+            {
+              "expression": "boolean1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_boolean2_idx": {
+          "name": "doc_boolean2_idx",
+          "columns": [
+            {
+              "expression": "boolean2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "doc_boolean3_idx": {
+          "name": "doc_boolean3_idx",
+          "columns": [
+            {
+              "expression": "boolean3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "document_knowledge_base_id_knowledge_base_id_fk": {
+          "name": "document_knowledge_base_id_knowledge_base_id_fk",
+          "tableFrom": "document",
+          "tableTo": "knowledge_base",
+          "columnsFrom": ["knowledge_base_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.embedding": {
+      "name": "embedding",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "knowledge_base_id": {
+          "name": "knowledge_base_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "document_id": {
+          "name": "document_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chunk_index": {
+          "name": "chunk_index",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chunk_hash": {
+          "name": "chunk_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "content_length": {
+          "name": "content_length",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_count": {
+          "name": "token_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "embedding": {
+          "name": "embedding",
+          "type": "vector(1536)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "embedding_model": {
+          "name": "embedding_model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'text-embedding-3-small'"
+        },
+        "start_offset": {
+          "name": "start_offset",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "end_offset": {
+          "name": "end_offset",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tag1": {
+          "name": "tag1",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag2": {
+          "name": "tag2",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag3": {
+          "name": "tag3",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag4": {
+          "name": "tag4",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag5": {
+          "name": "tag5",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag6": {
+          "name": "tag6",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "tag7": {
+          "name": "tag7",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number1": {
+          "name": "number1",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number2": {
+          "name": "number2",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number3": {
+          "name": "number3",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number4": {
+          "name": "number4",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "number5": {
+          "name": "number5",
+          "type": "double precision",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "date1": {
+          "name": "date1",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "date2": {
+          "name": "date2",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean1": {
+          "name": "boolean1",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean2": {
+          "name": "boolean2",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "boolean3": {
+          "name": "boolean3",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "content_tsv": {
+          "name": "content_tsv",
+          "type": "tsvector",
+          "primaryKey": false,
+          "notNull": false,
+          "generated": {
+            "as": "to_tsvector('english', \"embedding\".\"content\")",
+            "type": "stored"
+          }
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "emb_kb_id_idx": {
+          "name": "emb_kb_id_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_doc_id_idx": {
+          "name": "emb_doc_id_idx",
+          "columns": [
+            {
+              "expression": "document_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_doc_chunk_idx": {
+          "name": "emb_doc_chunk_idx",
+          "columns": [
+            {
+              "expression": "document_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "chunk_index",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_kb_model_idx": {
+          "name": "emb_kb_model_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "embedding_model",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_kb_enabled_idx": {
+          "name": "emb_kb_enabled_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "enabled",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_doc_enabled_idx": {
+          "name": "emb_doc_enabled_idx",
+          "columns": [
+            {
+              "expression": "document_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "enabled",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "embedding_vector_hnsw_idx": {
+          "name": "embedding_vector_hnsw_idx",
+          "columns": [
+            {
+              "expression": "embedding",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last",
+              "opclass": "vector_cosine_ops"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "hnsw",
+          "with": {
+            "m": 16,
+            "ef_construction": 64
+          }
+        },
+        "emb_tag1_idx": {
+          "name": "emb_tag1_idx",
+          "columns": [
+            {
+              "expression": "tag1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag2_idx": {
+          "name": "emb_tag2_idx",
+          "columns": [
+            {
+              "expression": "tag2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag3_idx": {
+          "name": "emb_tag3_idx",
+          "columns": [
+            {
+              "expression": "tag3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag4_idx": {
+          "name": "emb_tag4_idx",
+          "columns": [
+            {
+              "expression": "tag4",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag5_idx": {
+          "name": "emb_tag5_idx",
+          "columns": [
+            {
+              "expression": "tag5",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag6_idx": {
+          "name": "emb_tag6_idx",
+          "columns": [
+            {
+              "expression": "tag6",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_tag7_idx": {
+          "name": "emb_tag7_idx",
+          "columns": [
+            {
+              "expression": "tag7",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_number1_idx": {
+          "name": "emb_number1_idx",
+          "columns": [
+            {
+              "expression": "number1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_number2_idx": {
+          "name": "emb_number2_idx",
+          "columns": [
+            {
+              "expression": "number2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_number3_idx": {
+          "name": "emb_number3_idx",
+          "columns": [
+            {
+              "expression": "number3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_number4_idx": {
+          "name": "emb_number4_idx",
+          "columns": [
+            {
+              "expression": "number4",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_number5_idx": {
+          "name": "emb_number5_idx",
+          "columns": [
+            {
+              "expression": "number5",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_date1_idx": {
+          "name": "emb_date1_idx",
+          "columns": [
+            {
+              "expression": "date1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_date2_idx": {
+          "name": "emb_date2_idx",
+          "columns": [
+            {
+              "expression": "date2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_boolean1_idx": {
+          "name": "emb_boolean1_idx",
+          "columns": [
+            {
+              "expression": "boolean1",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_boolean2_idx": {
+          "name": "emb_boolean2_idx",
+          "columns": [
+            {
+              "expression": "boolean2",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_boolean3_idx": {
+          "name": "emb_boolean3_idx",
+          "columns": [
+            {
+              "expression": "boolean3",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "emb_content_fts_idx": {
+          "name": "emb_content_fts_idx",
+          "columns": [
+            {
+              "expression": "content_tsv",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "gin",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "embedding_knowledge_base_id_knowledge_base_id_fk": {
+          "name": "embedding_knowledge_base_id_knowledge_base_id_fk",
+          "tableFrom": "embedding",
+          "tableTo": "knowledge_base",
+          "columnsFrom": ["knowledge_base_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "embedding_document_id_document_id_fk": {
+          "name": "embedding_document_id_document_id_fk",
+          "tableFrom": "embedding",
+          "tableTo": "document",
+          "columnsFrom": ["document_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {
+        "embedding_not_null_check": {
+          "name": "embedding_not_null_check",
+          "value": "\"embedding\" IS NOT NULL"
+        }
+      },
+      "isRLSEnabled": false
+    },
+    "public.environment": {
+      "name": "environment",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "variables": {
+          "name": "variables",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_user_id_user_id_fk": {
+          "name": "environment_user_id_user_id_fk",
+          "tableFrom": "environment",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "environment_user_id_unique": {
+          "name": "environment_user_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["user_id"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.form": {
+      "name": "form",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "customizations": {
+          "name": "customizations",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'public'"
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "allowed_emails": {
+          "name": "allowed_emails",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'[]'"
+        },
+        "show_branding": {
+          "name": "show_branding",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "form_identifier_idx": {
+          "name": "form_identifier_idx",
+          "columns": [
+            {
+              "expression": "identifier",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "form_workflow_id_idx": {
+          "name": "form_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "form_user_id_idx": {
+          "name": "form_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "form_workflow_id_workflow_id_fk": {
+          "name": "form_workflow_id_workflow_id_fk",
+          "tableFrom": "form",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "form_user_id_user_id_fk": {
+          "name": "form_user_id_user_id_fk",
+          "tableFrom": "form",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.idempotency_key": {
+      "name": "idempotency_key",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "result": {
+          "name": "result",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "idempotency_key_created_at_idx": {
+          "name": "idempotency_key_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "invitation_email_idx": {
+          "name": "invitation_email_idx",
+          "columns": [
+            {
+              "expression": "email",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "invitation_organization_id_idx": {
+          "name": "invitation_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": ["inviter_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.knowledge_base": {
+      "name": "knowledge_base",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "token_count": {
+          "name": "token_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "embedding_model": {
+          "name": "embedding_model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'text-embedding-3-small'"
+        },
+        "embedding_dimension": {
+          "name": "embedding_dimension",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1536
+        },
+        "chunking_config": {
+          "name": "chunking_config",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"maxSize\": 1024, \"minSize\": 1, \"overlap\": 200}'"
+        },
+        "deleted_at": {
+          "name": "deleted_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "kb_user_id_idx": {
+          "name": "kb_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "kb_workspace_id_idx": {
+          "name": "kb_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "kb_user_workspace_idx": {
+          "name": "kb_user_workspace_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "kb_deleted_at_idx": {
+          "name": "kb_deleted_at_idx",
+          "columns": [
+            {
+              "expression": "deleted_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "knowledge_base_user_id_user_id_fk": {
+          "name": "knowledge_base_user_id_user_id_fk",
+          "tableFrom": "knowledge_base",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "knowledge_base_workspace_id_workspace_id_fk": {
+          "name": "knowledge_base_workspace_id_workspace_id_fk",
+          "tableFrom": "knowledge_base",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.knowledge_base_tag_definitions": {
+      "name": "knowledge_base_tag_definitions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "knowledge_base_id": {
+          "name": "knowledge_base_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tag_slot": {
+          "name": "tag_slot",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "field_type": {
+          "name": "field_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'text'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "kb_tag_definitions_kb_slot_idx": {
+          "name": "kb_tag_definitions_kb_slot_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "tag_slot",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "kb_tag_definitions_kb_display_name_idx": {
+          "name": "kb_tag_definitions_kb_display_name_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "display_name",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "kb_tag_definitions_kb_id_idx": {
+          "name": "kb_tag_definitions_kb_id_idx",
+          "columns": [
+            {
+              "expression": "knowledge_base_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "knowledge_base_tag_definitions_knowledge_base_id_knowledge_base_id_fk": {
+          "name": "knowledge_base_tag_definitions_knowledge_base_id_knowledge_base_id_fk",
+          "tableFrom": "knowledge_base_tag_definitions",
+          "tableTo": "knowledge_base",
+          "columnsFrom": ["knowledge_base_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mcp_servers": {
+      "name": "mcp_servers",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "transport": {
+          "name": "transport",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "url": {
+          "name": "url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "headers": {
+          "name": "headers",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "timeout": {
+          "name": "timeout",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 30000
+        },
+        "retries": {
+          "name": "retries",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "last_connected": {
+          "name": "last_connected",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "connection_status": {
+          "name": "connection_status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'disconnected'"
+        },
+        "last_error": {
+          "name": "last_error",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status_config": {
+          "name": "status_config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "tool_count": {
+          "name": "tool_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "last_tools_refresh": {
+          "name": "last_tools_refresh",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "total_requests": {
+          "name": "total_requests",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "last_used": {
+          "name": "last_used",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "deleted_at": {
+          "name": "deleted_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "mcp_servers_workspace_enabled_idx": {
+          "name": "mcp_servers_workspace_enabled_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "enabled",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "mcp_servers_workspace_deleted_idx": {
+          "name": "mcp_servers_workspace_deleted_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "deleted_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "mcp_servers_workspace_id_workspace_id_fk": {
+          "name": "mcp_servers_workspace_id_workspace_id_fk",
+          "tableFrom": "mcp_servers",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mcp_servers_created_by_user_id_fk": {
+          "name": "mcp_servers_created_by_user_id_fk",
+          "tableFrom": "mcp_servers",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "member_user_id_unique": {
+          "name": "member_user_id_unique",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "member_organization_id_idx": {
+          "name": "member_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.memory": {
+      "name": "memory",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "data": {
+          "name": "data",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "deleted_at": {
+          "name": "deleted_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "memory_key_idx": {
+          "name": "memory_key_idx",
+          "columns": [
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "memory_workspace_idx": {
+          "name": "memory_workspace_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "memory_workspace_key_idx": {
+          "name": "memory_workspace_key_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "memory_workspace_id_workspace_id_fk": {
+          "name": "memory_workspace_id_workspace_id_fk",
+          "tableFrom": "memory",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "org_usage_limit": {
+          "name": "org_usage_limit",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "storage_used_bytes": {
+          "name": "storage_used_bytes",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "departed_member_usage": {
+          "name": "departed_member_usage",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "credit_balance": {
+          "name": "credit_balance",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.paused_executions": {
+      "name": "paused_executions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "execution_id": {
+          "name": "execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "execution_snapshot": {
+          "name": "execution_snapshot",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pause_points": {
+          "name": "pause_points",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "total_pause_count": {
+          "name": "total_pause_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resumed_count": {
+          "name": "resumed_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'paused'"
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'::jsonb"
+        },
+        "paused_at": {
+          "name": "paused_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "paused_executions_workflow_id_idx": {
+          "name": "paused_executions_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "paused_executions_status_idx": {
+          "name": "paused_executions_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "paused_executions_execution_id_unique": {
+          "name": "paused_executions_execution_id_unique",
+          "columns": [
+            {
+              "expression": "execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "paused_executions_workflow_id_workflow_id_fk": {
+          "name": "paused_executions_workflow_id_workflow_id_fk",
+          "tableFrom": "paused_executions",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pending_credential_draft": {
+      "name": "pending_credential_draft",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "credential_id": {
+          "name": "credential_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "pending_draft_user_provider_ws": {
+          "name": "pending_draft_user_provider_ws",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "pending_credential_draft_user_id_user_id_fk": {
+          "name": "pending_credential_draft_user_id_user_id_fk",
+          "tableFrom": "pending_credential_draft",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "pending_credential_draft_workspace_id_workspace_id_fk": {
+          "name": "pending_credential_draft_workspace_id_workspace_id_fk",
+          "tableFrom": "pending_credential_draft",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "pending_credential_draft_credential_id_credential_id_fk": {
+          "name": "pending_credential_draft_credential_id_credential_id_fk",
+          "tableFrom": "pending_credential_draft",
+          "tableTo": "credential",
+          "columnsFrom": ["credential_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.permission_group": {
+      "name": "permission_group",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "config": {
+          "name": "config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "auto_add_new_members": {
+          "name": "auto_add_new_members",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {
+        "permission_group_organization_id_idx": {
+          "name": "permission_group_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permission_group_created_by_idx": {
+          "name": "permission_group_created_by_idx",
+          "columns": [
+            {
+              "expression": "created_by",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permission_group_org_name_unique": {
+          "name": "permission_group_org_name_unique",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "name",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permission_group_org_auto_add_unique": {
+          "name": "permission_group_org_auto_add_unique",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "where": "auto_add_new_members = true",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "permission_group_organization_id_organization_id_fk": {
+          "name": "permission_group_organization_id_organization_id_fk",
+          "tableFrom": "permission_group",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "permission_group_created_by_user_id_fk": {
+          "name": "permission_group_created_by_user_id_fk",
+          "tableFrom": "permission_group",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.permission_group_member": {
+      "name": "permission_group_member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "permission_group_id": {
+          "name": "permission_group_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "assigned_by": {
+          "name": "assigned_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "assigned_at": {
+          "name": "assigned_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "permission_group_member_group_id_idx": {
+          "name": "permission_group_member_group_id_idx",
+          "columns": [
+            {
+              "expression": "permission_group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permission_group_member_user_id_unique": {
+          "name": "permission_group_member_user_id_unique",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "permission_group_member_permission_group_id_permission_group_id_fk": {
+          "name": "permission_group_member_permission_group_id_permission_group_id_fk",
+          "tableFrom": "permission_group_member",
+          "tableTo": "permission_group",
+          "columnsFrom": ["permission_group_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "permission_group_member_user_id_user_id_fk": {
+          "name": "permission_group_member_user_id_user_id_fk",
+          "tableFrom": "permission_group_member",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "permission_group_member_assigned_by_user_id_fk": {
+          "name": "permission_group_member_assigned_by_user_id_fk",
+          "tableFrom": "permission_group_member",
+          "tableTo": "user",
+          "columnsFrom": ["assigned_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.permissions": {
+      "name": "permissions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_type": {
+          "name": "entity_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "entity_id": {
+          "name": "entity_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permission_type": {
+          "name": "permission_type",
+          "type": "permission_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "permissions_user_id_idx": {
+          "name": "permissions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permissions_entity_idx": {
+          "name": "permissions_entity_idx",
+          "columns": [
+            {
+              "expression": "entity_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permissions_user_entity_type_idx": {
+          "name": "permissions_user_entity_type_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permissions_user_entity_permission_idx": {
+          "name": "permissions_user_entity_permission_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "permission_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permissions_user_entity_idx": {
+          "name": "permissions_user_entity_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "permissions_unique_constraint": {
+          "name": "permissions_unique_constraint",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "entity_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "permissions_user_id_user_id_fk": {
+          "name": "permissions_user_id_user_id_fk",
+          "tableFrom": "permissions",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.rate_limit_bucket": {
+      "name": "rate_limit_bucket",
+      "schema": "",
+      "columns": {
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "tokens": {
+          "name": "tokens",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "last_refill_at": {
+          "name": "last_refill_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.referral_attribution": {
+      "name": "referral_attribution",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "campaign_id": {
+          "name": "campaign_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_source": {
+          "name": "utm_source",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_medium": {
+          "name": "utm_medium",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_campaign": {
+          "name": "utm_campaign",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_content": {
+          "name": "utm_content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "referrer_url": {
+          "name": "referrer_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "landing_page": {
+          "name": "landing_page",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bonus_credit_amount": {
+          "name": "bonus_credit_amount",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "referral_attribution_user_id_idx": {
+          "name": "referral_attribution_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "referral_attribution_org_unique_idx": {
+          "name": "referral_attribution_org_unique_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "where": "\"referral_attribution\".\"organization_id\" IS NOT NULL",
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "referral_attribution_campaign_id_idx": {
+          "name": "referral_attribution_campaign_id_idx",
+          "columns": [
+            {
+              "expression": "campaign_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "referral_attribution_utm_campaign_idx": {
+          "name": "referral_attribution_utm_campaign_idx",
+          "columns": [
+            {
+              "expression": "utm_campaign",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "referral_attribution_utm_content_idx": {
+          "name": "referral_attribution_utm_content_idx",
+          "columns": [
+            {
+              "expression": "utm_content",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "referral_attribution_created_at_idx": {
+          "name": "referral_attribution_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "referral_attribution_user_id_user_id_fk": {
+          "name": "referral_attribution_user_id_user_id_fk",
+          "tableFrom": "referral_attribution",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "referral_attribution_organization_id_organization_id_fk": {
+          "name": "referral_attribution_organization_id_organization_id_fk",
+          "tableFrom": "referral_attribution",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "referral_attribution_campaign_id_referral_campaigns_id_fk": {
+          "name": "referral_attribution_campaign_id_referral_campaigns_id_fk",
+          "tableFrom": "referral_attribution",
+          "tableTo": "referral_campaigns",
+          "columnsFrom": ["campaign_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "referral_attribution_user_id_unique": {
+          "name": "referral_attribution_user_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["user_id"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.referral_campaigns": {
+      "name": "referral_campaigns",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "code": {
+          "name": "code",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_source": {
+          "name": "utm_source",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_medium": {
+          "name": "utm_medium",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_campaign": {
+          "name": "utm_campaign",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "utm_content": {
+          "name": "utm_content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bonus_credit_amount": {
+          "name": "bonus_credit_amount",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "referral_campaigns_active_idx": {
+          "name": "referral_campaigns_active_idx",
+          "columns": [
+            {
+              "expression": "is_active",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "referral_campaigns_code_unique": {
+          "name": "referral_campaigns_code_unique",
+          "nullsNotDistinct": false,
+          "columns": ["code"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.resume_queue": {
+      "name": "resume_queue",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "paused_execution_id": {
+          "name": "paused_execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "parent_execution_id": {
+          "name": "parent_execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "new_execution_id": {
+          "name": "new_execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "context_id": {
+          "name": "context_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resume_input": {
+          "name": "resume_input",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "queued_at": {
+          "name": "queued_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "claimed_at": {
+          "name": "claimed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "completed_at": {
+          "name": "completed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "failure_reason": {
+          "name": "failure_reason",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "resume_queue_parent_status_idx": {
+          "name": "resume_queue_parent_status_idx",
+          "columns": [
+            {
+              "expression": "parent_execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "queued_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "resume_queue_new_execution_idx": {
+          "name": "resume_queue_new_execution_idx",
+          "columns": [
+            {
+              "expression": "new_execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "resume_queue_paused_execution_id_paused_executions_id_fk": {
+          "name": "resume_queue_paused_execution_id_paused_executions_id_fk",
+          "tableFrom": "resume_queue",
+          "tableTo": "paused_executions",
+          "columnsFrom": ["paused_execution_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "session_user_id_idx": {
+          "name": "session_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "session_token_idx": {
+          "name": "session_token_idx",
+          "columns": [
+            {
+              "expression": "token",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "session_active_organization_id_organization_id_fk": {
+          "name": "session_active_organization_id_organization_id_fk",
+          "tableFrom": "session",
+          "tableTo": "organization",
+          "columnsFrom": ["active_organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": ["token"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.settings": {
+      "name": "settings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "theme": {
+          "name": "theme",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'dark'"
+        },
+        "auto_connect": {
+          "name": "auto_connect",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "telemetry_enabled": {
+          "name": "telemetry_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "email_preferences": {
+          "name": "email_preferences",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "billing_usage_notifications_enabled": {
+          "name": "billing_usage_notifications_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "show_training_controls": {
+          "name": "show_training_controls",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "super_user_mode_enabled": {
+          "name": "super_user_mode_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "error_notifications_enabled": {
+          "name": "error_notifications_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "snap_to_grid_size": {
+          "name": "snap_to_grid_size",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "show_action_bar": {
+          "name": "show_action_bar",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "copilot_enabled_models": {
+          "name": "copilot_enabled_models",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "copilot_auto_allowed_tools": {
+          "name": "copilot_auto_allowed_tools",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "settings_user_id_user_id_fk": {
+          "name": "settings_user_id_user_id_fk",
+          "tableFrom": "settings",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "settings_user_id_unique": {
+          "name": "settings_user_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["user_id"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.skill": {
+      "name": "skill",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "skill_workspace_id_idx": {
+          "name": "skill_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "skill_workspace_name_unique": {
+          "name": "skill_workspace_name_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "name",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "skill_workspace_id_workspace_id_fk": {
+          "name": "skill_workspace_id_workspace_id_fk",
+          "tableFrom": "skill",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "skill_user_id_user_id_fk": {
+          "name": "skill_user_id_user_id_fk",
+          "tableFrom": "skill",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sso_provider": {
+      "name": "sso_provider",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "issuer": {
+          "name": "issuer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "domain": {
+          "name": "domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "oidc_config": {
+          "name": "oidc_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "saml_config": {
+          "name": "saml_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "sso_provider_provider_id_idx": {
+          "name": "sso_provider_provider_id_idx",
+          "columns": [
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sso_provider_domain_idx": {
+          "name": "sso_provider_domain_idx",
+          "columns": [
+            {
+              "expression": "domain",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sso_provider_user_id_idx": {
+          "name": "sso_provider_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sso_provider_organization_id_idx": {
+          "name": "sso_provider_organization_id_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sso_provider_user_id_user_id_fk": {
+          "name": "sso_provider_user_id_user_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "sso_provider_organization_id_organization_id_fk": {
+          "name": "sso_provider_organization_id_organization_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "organization",
+          "columnsFrom": ["organization_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.subscription": {
+      "name": "subscription",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "plan": {
+          "name": "plan",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "stripe_customer_id": {
+          "name": "stripe_customer_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stripe_subscription_id": {
+          "name": "stripe_subscription_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "period_start": {
+          "name": "period_start",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "period_end": {
+          "name": "period_end",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cancel_at_period_end": {
+          "name": "cancel_at_period_end",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "seats": {
+          "name": "seats",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "trial_start": {
+          "name": "trial_start",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "trial_end": {
+          "name": "trial_end",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "subscription_reference_status_idx": {
+          "name": "subscription_reference_status_idx",
+          "columns": [
+            {
+              "expression": "reference_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {
+        "check_enterprise_metadata": {
+          "name": "check_enterprise_metadata",
+          "value": "plan != 'enterprise' OR metadata IS NOT NULL"
+        }
+      },
+      "isRLSEnabled": false
+    },
+    "public.template_creators": {
+      "name": "template_creators",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "reference_type": {
+          "name": "reference_type",
+          "type": "template_creator_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "profile_image_url": {
+          "name": "profile_image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "details": {
+          "name": "details",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "verified": {
+          "name": "verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "template_creators_reference_idx": {
+          "name": "template_creators_reference_idx",
+          "columns": [
+            {
+              "expression": "reference_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "reference_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_creators_reference_id_idx": {
+          "name": "template_creators_reference_id_idx",
+          "columns": [
+            {
+              "expression": "reference_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_creators_created_by_idx": {
+          "name": "template_creators_created_by_idx",
+          "columns": [
+            {
+              "expression": "created_by",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "template_creators_created_by_user_id_fk": {
+          "name": "template_creators_created_by_user_id_fk",
+          "tableFrom": "template_creators",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.template_stars": {
+      "name": "template_stars",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "template_id": {
+          "name": "template_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "starred_at": {
+          "name": "starred_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "template_stars_user_id_idx": {
+          "name": "template_stars_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_template_id_idx": {
+          "name": "template_stars_template_id_idx",
+          "columns": [
+            {
+              "expression": "template_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_user_template_idx": {
+          "name": "template_stars_user_template_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "template_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_template_user_idx": {
+          "name": "template_stars_template_user_idx",
+          "columns": [
+            {
+              "expression": "template_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_starred_at_idx": {
+          "name": "template_stars_starred_at_idx",
+          "columns": [
+            {
+              "expression": "starred_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_template_starred_at_idx": {
+          "name": "template_stars_template_starred_at_idx",
+          "columns": [
+            {
+              "expression": "template_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "starred_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "template_stars_user_template_unique": {
+          "name": "template_stars_user_template_unique",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "template_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "template_stars_user_id_user_id_fk": {
+          "name": "template_stars_user_id_user_id_fk",
+          "tableFrom": "template_stars",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "template_stars_template_id_templates_id_fk": {
+          "name": "template_stars_template_id_templates_id_fk",
+          "tableFrom": "template_stars",
+          "tableTo": "templates",
+          "columnsFrom": ["template_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.templates": {
+      "name": "templates",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "details": {
+          "name": "details",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "creator_id": {
+          "name": "creator_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "views": {
+          "name": "views",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "stars": {
+          "name": "stars",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "status": {
+          "name": "status",
+          "type": "template_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "tags": {
+          "name": "tags",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'::text[]"
+        },
+        "required_credentials": {
+          "name": "required_credentials",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'[]'"
+        },
+        "state": {
+          "name": "state",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "og_image_url": {
+          "name": "og_image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "templates_status_idx": {
+          "name": "templates_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_creator_id_idx": {
+          "name": "templates_creator_id_idx",
+          "columns": [
+            {
+              "expression": "creator_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_views_idx": {
+          "name": "templates_views_idx",
+          "columns": [
+            {
+              "expression": "views",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_stars_idx": {
+          "name": "templates_stars_idx",
+          "columns": [
+            {
+              "expression": "stars",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_status_views_idx": {
+          "name": "templates_status_views_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "views",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_status_stars_idx": {
+          "name": "templates_status_stars_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "stars",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_created_at_idx": {
+          "name": "templates_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "templates_updated_at_idx": {
+          "name": "templates_updated_at_idx",
+          "columns": [
+            {
+              "expression": "updated_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "templates_workflow_id_workflow_id_fk": {
+          "name": "templates_workflow_id_workflow_id_fk",
+          "tableFrom": "templates",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "templates_creator_id_template_creators_id_fk": {
+          "name": "templates_creator_id_template_creators_id_fk",
+          "tableFrom": "templates",
+          "tableTo": "template_creators",
+          "columnsFrom": ["creator_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.usage_log": {
+      "name": "usage_log",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "category": {
+          "name": "category",
+          "type": "usage_log_category",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "source": {
+          "name": "source",
+          "type": "usage_log_source",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cost": {
+          "name": "cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "execution_id": {
+          "name": "execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "usage_log_user_created_at_idx": {
+          "name": "usage_log_user_created_at_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "usage_log_source_idx": {
+          "name": "usage_log_source_idx",
+          "columns": [
+            {
+              "expression": "source",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "usage_log_workspace_id_idx": {
+          "name": "usage_log_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "usage_log_workflow_id_idx": {
+          "name": "usage_log_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "usage_log_user_id_user_id_fk": {
+          "name": "usage_log_user_id_user_id_fk",
+          "tableFrom": "usage_log",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "usage_log_workspace_id_workspace_id_fk": {
+          "name": "usage_log_workspace_id_workspace_id_fk",
+          "tableFrom": "usage_log",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "usage_log_workflow_id_workflow_id_fk": {
+          "name": "usage_log_workflow_id_workflow_id_fk",
+          "tableFrom": "usage_log",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "stripe_customer_id": {
+          "name": "stripe_customer_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_super_user": {
+          "name": "is_super_user",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": ["email"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user_stats": {
+      "name": "user_stats",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "total_manual_executions": {
+          "name": "total_manual_executions",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_api_calls": {
+          "name": "total_api_calls",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_webhook_triggers": {
+          "name": "total_webhook_triggers",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_scheduled_executions": {
+          "name": "total_scheduled_executions",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_chat_executions": {
+          "name": "total_chat_executions",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_mcp_executions": {
+          "name": "total_mcp_executions",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_a2a_executions": {
+          "name": "total_a2a_executions",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_tokens_used": {
+          "name": "total_tokens_used",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_cost": {
+          "name": "total_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "current_usage_limit": {
+          "name": "current_usage_limit",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'20'"
+        },
+        "usage_limit_updated_at": {
+          "name": "usage_limit_updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "current_period_cost": {
+          "name": "current_period_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "last_period_cost": {
+          "name": "last_period_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0'"
+        },
+        "billed_overage_this_period": {
+          "name": "billed_overage_this_period",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "pro_period_cost_snapshot": {
+          "name": "pro_period_cost_snapshot",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0'"
+        },
+        "credit_balance": {
+          "name": "credit_balance",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "total_copilot_cost": {
+          "name": "total_copilot_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "current_period_copilot_cost": {
+          "name": "current_period_copilot_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "last_period_copilot_cost": {
+          "name": "last_period_copilot_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0'"
+        },
+        "total_copilot_tokens": {
+          "name": "total_copilot_tokens",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_copilot_calls": {
+          "name": "total_copilot_calls",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_mcp_copilot_calls": {
+          "name": "total_mcp_copilot_calls",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "total_mcp_copilot_cost": {
+          "name": "total_mcp_copilot_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "current_period_mcp_copilot_cost": {
+          "name": "current_period_mcp_copilot_cost",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "storage_used_bytes": {
+          "name": "storage_used_bytes",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "last_active": {
+          "name": "last_active",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "billing_blocked": {
+          "name": "billing_blocked",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "billing_blocked_reason": {
+          "name": "billing_blocked_reason",
+          "type": "billing_blocked_reason",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "user_stats_user_id_user_id_fk": {
+          "name": "user_stats_user_id_user_id_fk",
+          "tableFrom": "user_stats",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_stats_user_id_unique": {
+          "name": "user_stats_user_id_unique",
+          "nullsNotDistinct": false,
+          "columns": ["user_id"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "verification_identifier_idx": {
+          "name": "verification_identifier_idx",
+          "columns": [
+            {
+              "expression": "identifier",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "verification_expires_at_idx": {
+          "name": "verification_expires_at_idx",
+          "columns": [
+            {
+              "expression": "expires_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.waitlist": {
+      "name": "waitlist",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "waitlist_email_unique": {
+          "name": "waitlist_email_unique",
+          "nullsNotDistinct": false,
+          "columns": ["email"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.webhook": {
+      "name": "webhook",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "deployment_version_id": {
+          "name": "deployment_version_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "block_id": {
+          "name": "block_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "path": {
+          "name": "path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_config": {
+          "name": "provider_config",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "failed_count": {
+          "name": "failed_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 0
+        },
+        "last_failed_at": {
+          "name": "last_failed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "credential_set_id": {
+          "name": "credential_set_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "path_deployment_unique": {
+          "name": "path_deployment_unique",
+          "columns": [
+            {
+              "expression": "path",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "deployment_version_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "idx_webhook_on_workflow_id_block_id": {
+          "name": "idx_webhook_on_workflow_id_block_id",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "block_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "webhook_workflow_deployment_idx": {
+          "name": "webhook_workflow_deployment_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "deployment_version_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "webhook_credential_set_id_idx": {
+          "name": "webhook_credential_set_id_idx",
+          "columns": [
+            {
+              "expression": "credential_set_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "webhook_workflow_id_workflow_id_fk": {
+          "name": "webhook_workflow_id_workflow_id_fk",
+          "tableFrom": "webhook",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "webhook_deployment_version_id_workflow_deployment_version_id_fk": {
+          "name": "webhook_deployment_version_id_workflow_deployment_version_id_fk",
+          "tableFrom": "webhook",
+          "tableTo": "workflow_deployment_version",
+          "columnsFrom": ["deployment_version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "webhook_credential_set_id_credential_set_id_fk": {
+          "name": "webhook_credential_set_id_credential_set_id_fk",
+          "tableFrom": "webhook",
+          "tableTo": "credential_set",
+          "columnsFrom": ["credential_set_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow": {
+      "name": "workflow",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "folder_id": {
+          "name": "folder_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sort_order": {
+          "name": "sort_order",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "color": {
+          "name": "color",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'#3972F6'"
+        },
+        "last_synced": {
+          "name": "last_synced",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_deployed": {
+          "name": "is_deployed",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "deployed_at": {
+          "name": "deployed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "run_count": {
+          "name": "run_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "last_run_at": {
+          "name": "last_run_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "variables": {
+          "name": "variables",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        }
+      },
+      "indexes": {
+        "workflow_user_id_idx": {
+          "name": "workflow_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_workspace_id_idx": {
+          "name": "workflow_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_user_workspace_idx": {
+          "name": "workflow_user_workspace_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_folder_sort_idx": {
+          "name": "workflow_folder_sort_idx",
+          "columns": [
+            {
+              "expression": "folder_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "sort_order",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_user_id_user_id_fk": {
+          "name": "workflow_user_id_user_id_fk",
+          "tableFrom": "workflow",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_workspace_id_workspace_id_fk": {
+          "name": "workflow_workspace_id_workspace_id_fk",
+          "tableFrom": "workflow",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_folder_id_workflow_folder_id_fk": {
+          "name": "workflow_folder_id_workflow_folder_id_fk",
+          "tableFrom": "workflow",
+          "tableTo": "workflow_folder",
+          "columnsFrom": ["folder_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_blocks": {
+      "name": "workflow_blocks",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "position_x": {
+          "name": "position_x",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "position_y": {
+          "name": "position_y",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "horizontal_handles": {
+          "name": "horizontal_handles",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "is_wide": {
+          "name": "is_wide",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "advanced_mode": {
+          "name": "advanced_mode",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "trigger_mode": {
+          "name": "trigger_mode",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "locked": {
+          "name": "locked",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "height": {
+          "name": "height",
+          "type": "numeric",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'0'"
+        },
+        "sub_blocks": {
+          "name": "sub_blocks",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "outputs": {
+          "name": "outputs",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "data": {
+          "name": "data",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{}'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_blocks_workflow_id_idx": {
+          "name": "workflow_blocks_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_blocks_type_idx": {
+          "name": "workflow_blocks_type_idx",
+          "columns": [
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_blocks_workflow_id_workflow_id_fk": {
+          "name": "workflow_blocks_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_blocks",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_checkpoints": {
+      "name": "workflow_checkpoints",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chat_id": {
+          "name": "chat_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "message_id": {
+          "name": "message_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "workflow_state": {
+          "name": "workflow_state",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_checkpoints_user_id_idx": {
+          "name": "workflow_checkpoints_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_workflow_id_idx": {
+          "name": "workflow_checkpoints_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_chat_id_idx": {
+          "name": "workflow_checkpoints_chat_id_idx",
+          "columns": [
+            {
+              "expression": "chat_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_message_id_idx": {
+          "name": "workflow_checkpoints_message_id_idx",
+          "columns": [
+            {
+              "expression": "message_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_user_workflow_idx": {
+          "name": "workflow_checkpoints_user_workflow_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_workflow_chat_idx": {
+          "name": "workflow_checkpoints_workflow_chat_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "chat_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_created_at_idx": {
+          "name": "workflow_checkpoints_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_checkpoints_chat_created_at_idx": {
+          "name": "workflow_checkpoints_chat_created_at_idx",
+          "columns": [
+            {
+              "expression": "chat_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_checkpoints_user_id_user_id_fk": {
+          "name": "workflow_checkpoints_user_id_user_id_fk",
+          "tableFrom": "workflow_checkpoints",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_checkpoints_workflow_id_workflow_id_fk": {
+          "name": "workflow_checkpoints_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_checkpoints",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_checkpoints_chat_id_copilot_chats_id_fk": {
+          "name": "workflow_checkpoints_chat_id_copilot_chats_id_fk",
+          "tableFrom": "workflow_checkpoints",
+          "tableTo": "copilot_chats",
+          "columnsFrom": ["chat_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_deployment_version": {
+      "name": "workflow_deployment_version",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "version": {
+          "name": "version",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "state": {
+          "name": "state",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "workflow_deployment_version_workflow_version_unique": {
+          "name": "workflow_deployment_version_workflow_version_unique",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "version",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_deployment_version_workflow_active_idx": {
+          "name": "workflow_deployment_version_workflow_active_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "is_active",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_deployment_version_created_at_idx": {
+          "name": "workflow_deployment_version_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_deployment_version_workflow_id_workflow_id_fk": {
+          "name": "workflow_deployment_version_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_deployment_version",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_edges": {
+      "name": "workflow_edges",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "source_block_id": {
+          "name": "source_block_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "target_block_id": {
+          "name": "target_block_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "source_handle": {
+          "name": "source_handle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "target_handle": {
+          "name": "target_handle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_edges_workflow_id_idx": {
+          "name": "workflow_edges_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_edges_workflow_source_idx": {
+          "name": "workflow_edges_workflow_source_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "source_block_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_edges_workflow_target_idx": {
+          "name": "workflow_edges_workflow_target_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "target_block_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_edges_workflow_id_workflow_id_fk": {
+          "name": "workflow_edges_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_edges",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_edges_source_block_id_workflow_blocks_id_fk": {
+          "name": "workflow_edges_source_block_id_workflow_blocks_id_fk",
+          "tableFrom": "workflow_edges",
+          "tableTo": "workflow_blocks",
+          "columnsFrom": ["source_block_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_edges_target_block_id_workflow_blocks_id_fk": {
+          "name": "workflow_edges_target_block_id_workflow_blocks_id_fk",
+          "tableFrom": "workflow_edges",
+          "tableTo": "workflow_blocks",
+          "columnsFrom": ["target_block_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_execution_logs": {
+      "name": "workflow_execution_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "execution_id": {
+          "name": "execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "state_snapshot_id": {
+          "name": "state_snapshot_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "deployment_version_id": {
+          "name": "deployment_version_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "level": {
+          "name": "level",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'running'"
+        },
+        "trigger": {
+          "name": "trigger",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "started_at": {
+          "name": "started_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ended_at": {
+          "name": "ended_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "total_duration_ms": {
+          "name": "total_duration_ms",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "execution_data": {
+          "name": "execution_data",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "cost": {
+          "name": "cost",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "files": {
+          "name": "files",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_execution_logs_workflow_id_idx": {
+          "name": "workflow_execution_logs_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_state_snapshot_id_idx": {
+          "name": "workflow_execution_logs_state_snapshot_id_idx",
+          "columns": [
+            {
+              "expression": "state_snapshot_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_deployment_version_id_idx": {
+          "name": "workflow_execution_logs_deployment_version_id_idx",
+          "columns": [
+            {
+              "expression": "deployment_version_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_trigger_idx": {
+          "name": "workflow_execution_logs_trigger_idx",
+          "columns": [
+            {
+              "expression": "trigger",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_level_idx": {
+          "name": "workflow_execution_logs_level_idx",
+          "columns": [
+            {
+              "expression": "level",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_started_at_idx": {
+          "name": "workflow_execution_logs_started_at_idx",
+          "columns": [
+            {
+              "expression": "started_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_execution_id_unique": {
+          "name": "workflow_execution_logs_execution_id_unique",
+          "columns": [
+            {
+              "expression": "execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_workflow_started_at_idx": {
+          "name": "workflow_execution_logs_workflow_started_at_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "started_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_execution_logs_workspace_started_at_idx": {
+          "name": "workflow_execution_logs_workspace_started_at_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "started_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_execution_logs_workflow_id_workflow_id_fk": {
+          "name": "workflow_execution_logs_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_execution_logs",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "workflow_execution_logs_workspace_id_workspace_id_fk": {
+          "name": "workflow_execution_logs_workspace_id_workspace_id_fk",
+          "tableFrom": "workflow_execution_logs",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_execution_logs_state_snapshot_id_workflow_execution_snapshots_id_fk": {
+          "name": "workflow_execution_logs_state_snapshot_id_workflow_execution_snapshots_id_fk",
+          "tableFrom": "workflow_execution_logs",
+          "tableTo": "workflow_execution_snapshots",
+          "columnsFrom": ["state_snapshot_id"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        },
+        "workflow_execution_logs_deployment_version_id_workflow_deployment_version_id_fk": {
+          "name": "workflow_execution_logs_deployment_version_id_workflow_deployment_version_id_fk",
+          "tableFrom": "workflow_execution_logs",
+          "tableTo": "workflow_deployment_version",
+          "columnsFrom": ["deployment_version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_execution_snapshots": {
+      "name": "workflow_execution_snapshots",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "state_hash": {
+          "name": "state_hash",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "state_data": {
+          "name": "state_data",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_snapshots_workflow_id_idx": {
+          "name": "workflow_snapshots_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_snapshots_hash_idx": {
+          "name": "workflow_snapshots_hash_idx",
+          "columns": [
+            {
+              "expression": "state_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_snapshots_workflow_hash_idx": {
+          "name": "workflow_snapshots_workflow_hash_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "state_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_snapshots_created_at_idx": {
+          "name": "workflow_snapshots_created_at_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_execution_snapshots_workflow_id_workflow_id_fk": {
+          "name": "workflow_execution_snapshots_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_execution_snapshots",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_folder": {
+      "name": "workflow_folder",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "parent_id": {
+          "name": "parent_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "color": {
+          "name": "color",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'#6B7280'"
+        },
+        "is_expanded": {
+          "name": "is_expanded",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "sort_order": {
+          "name": "sort_order",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_folder_user_idx": {
+          "name": "workflow_folder_user_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_folder_workspace_parent_idx": {
+          "name": "workflow_folder_workspace_parent_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "parent_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_folder_parent_sort_idx": {
+          "name": "workflow_folder_parent_sort_idx",
+          "columns": [
+            {
+              "expression": "parent_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "sort_order",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_folder_user_id_user_id_fk": {
+          "name": "workflow_folder_user_id_user_id_fk",
+          "tableFrom": "workflow_folder",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_folder_workspace_id_workspace_id_fk": {
+          "name": "workflow_folder_workspace_id_workspace_id_fk",
+          "tableFrom": "workflow_folder",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_mcp_server": {
+      "name": "workflow_mcp_server",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_public": {
+          "name": "is_public",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_mcp_server_workspace_id_idx": {
+          "name": "workflow_mcp_server_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_mcp_server_created_by_idx": {
+          "name": "workflow_mcp_server_created_by_idx",
+          "columns": [
+            {
+              "expression": "created_by",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_mcp_server_workspace_id_workspace_id_fk": {
+          "name": "workflow_mcp_server_workspace_id_workspace_id_fk",
+          "tableFrom": "workflow_mcp_server",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_mcp_server_created_by_user_id_fk": {
+          "name": "workflow_mcp_server_created_by_user_id_fk",
+          "tableFrom": "workflow_mcp_server",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_mcp_tool": {
+      "name": "workflow_mcp_tool",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "server_id": {
+          "name": "server_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tool_name": {
+          "name": "tool_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tool_description": {
+          "name": "tool_description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "parameter_schema": {
+          "name": "parameter_schema",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_mcp_tool_server_id_idx": {
+          "name": "workflow_mcp_tool_server_id_idx",
+          "columns": [
+            {
+              "expression": "server_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_mcp_tool_workflow_id_idx": {
+          "name": "workflow_mcp_tool_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_mcp_tool_server_workflow_unique": {
+          "name": "workflow_mcp_tool_server_workflow_unique",
+          "columns": [
+            {
+              "expression": "server_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_mcp_tool_server_id_workflow_mcp_server_id_fk": {
+          "name": "workflow_mcp_tool_server_id_workflow_mcp_server_id_fk",
+          "tableFrom": "workflow_mcp_tool",
+          "tableTo": "workflow_mcp_server",
+          "columnsFrom": ["server_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_mcp_tool_workflow_id_workflow_id_fk": {
+          "name": "workflow_mcp_tool_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_mcp_tool",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_schedule": {
+      "name": "workflow_schedule",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "deployment_version_id": {
+          "name": "deployment_version_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "block_id": {
+          "name": "block_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cron_expression": {
+          "name": "cron_expression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "next_run_at": {
+          "name": "next_run_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_ran_at": {
+          "name": "last_ran_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_queued_at": {
+          "name": "last_queued_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "trigger_type": {
+          "name": "trigger_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "timezone": {
+          "name": "timezone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'UTC'"
+        },
+        "failed_count": {
+          "name": "failed_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'active'"
+        },
+        "last_failed_at": {
+          "name": "last_failed_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_schedule_workflow_block_deployment_unique": {
+          "name": "workflow_schedule_workflow_block_deployment_unique",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "block_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "deployment_version_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_schedule_workflow_deployment_idx": {
+          "name": "workflow_schedule_workflow_deployment_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "deployment_version_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_schedule_workflow_id_workflow_id_fk": {
+          "name": "workflow_schedule_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_schedule",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workflow_schedule_deployment_version_id_workflow_deployment_version_id_fk": {
+          "name": "workflow_schedule_deployment_version_id_workflow_deployment_version_id_fk",
+          "tableFrom": "workflow_schedule",
+          "tableTo": "workflow_deployment_version",
+          "columnsFrom": ["deployment_version_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workflow_subflows": {
+      "name": "workflow_subflows",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "config": {
+          "name": "config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workflow_subflows_workflow_id_idx": {
+          "name": "workflow_subflows_workflow_id_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workflow_subflows_workflow_type_idx": {
+          "name": "workflow_subflows_workflow_type_idx",
+          "columns": [
+            {
+              "expression": "workflow_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workflow_subflows_workflow_id_workflow_id_fk": {
+          "name": "workflow_subflows_workflow_id_workflow_id_fk",
+          "tableFrom": "workflow_subflows",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace": {
+      "name": "workspace",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "owner_id": {
+          "name": "owner_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "billed_account_user_id": {
+          "name": "billed_account_user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "allow_personal_api_keys": {
+          "name": "allow_personal_api_keys",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "workspace_owner_id_user_id_fk": {
+          "name": "workspace_owner_id_user_id_fk",
+          "tableFrom": "workspace",
+          "tableTo": "user",
+          "columnsFrom": ["owner_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_billed_account_user_id_user_id_fk": {
+          "name": "workspace_billed_account_user_id_user_id_fk",
+          "tableFrom": "workspace",
+          "tableTo": "user",
+          "columnsFrom": ["billed_account_user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_byok_keys": {
+      "name": "workspace_byok_keys",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "encrypted_api_key": {
+          "name": "encrypted_api_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_byok_provider_unique": {
+          "name": "workspace_byok_provider_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "provider_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_byok_workspace_idx": {
+          "name": "workspace_byok_workspace_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_byok_keys_workspace_id_workspace_id_fk": {
+          "name": "workspace_byok_keys_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_byok_keys",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_byok_keys_created_by_user_id_fk": {
+          "name": "workspace_byok_keys_created_by_user_id_fk",
+          "tableFrom": "workspace_byok_keys",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_environment": {
+      "name": "workspace_environment",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "variables": {
+          "name": "variables",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'"
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_environment_workspace_unique": {
+          "name": "workspace_environment_workspace_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_environment_workspace_id_workspace_id_fk": {
+          "name": "workspace_environment_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_environment",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_file": {
+      "name": "workspace_file",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "size": {
+          "name": "size",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "uploaded_by": {
+          "name": "uploaded_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "uploaded_at": {
+          "name": "uploaded_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_file_workspace_id_idx": {
+          "name": "workspace_file_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_file_key_idx": {
+          "name": "workspace_file_key_idx",
+          "columns": [
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_file_workspace_id_workspace_id_fk": {
+          "name": "workspace_file_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_file",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_file_uploaded_by_user_id_fk": {
+          "name": "workspace_file_uploaded_by_user_id_fk",
+          "tableFrom": "workspace_file",
+          "tableTo": "user",
+          "columnsFrom": ["uploaded_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "workspace_file_key_unique": {
+          "name": "workspace_file_key_unique",
+          "nullsNotDistinct": false,
+          "columns": ["key"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_files": {
+      "name": "workspace_files",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "context": {
+          "name": "context",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "original_name": {
+          "name": "original_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "content_type": {
+          "name": "content_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "size": {
+          "name": "size",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "uploaded_at": {
+          "name": "uploaded_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_files_key_idx": {
+          "name": "workspace_files_key_idx",
+          "columns": [
+            {
+              "expression": "key",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_files_user_id_idx": {
+          "name": "workspace_files_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_files_workspace_id_idx": {
+          "name": "workspace_files_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_files_context_idx": {
+          "name": "workspace_files_context_idx",
+          "columns": [
+            {
+              "expression": "context",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_files_user_id_user_id_fk": {
+          "name": "workspace_files_user_id_user_id_fk",
+          "tableFrom": "workspace_files",
+          "tableTo": "user",
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_files_workspace_id_workspace_id_fk": {
+          "name": "workspace_files_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_files",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "workspace_files_key_unique": {
+          "name": "workspace_files_key_unique",
+          "nullsNotDistinct": false,
+          "columns": ["key"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_invitation": {
+      "name": "workspace_invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "status": {
+          "name": "status",
+          "type": "workspace_invitation_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "permission_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'admin'"
+        },
+        "org_invitation_id": {
+          "name": "org_invitation_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "workspace_invitation_workspace_id_workspace_id_fk": {
+          "name": "workspace_invitation_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_invitation",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_invitation_inviter_id_user_id_fk": {
+          "name": "workspace_invitation_inviter_id_user_id_fk",
+          "tableFrom": "workspace_invitation",
+          "tableTo": "user",
+          "columnsFrom": ["inviter_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "workspace_invitation_token_unique": {
+          "name": "workspace_invitation_token_unique",
+          "nullsNotDistinct": false,
+          "columns": ["token"]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_notification_delivery": {
+      "name": "workspace_notification_delivery",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "subscription_id": {
+          "name": "subscription_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_id": {
+          "name": "workflow_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "execution_id": {
+          "name": "execution_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "status": {
+          "name": "status",
+          "type": "notification_delivery_status",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'pending'"
+        },
+        "attempts": {
+          "name": "attempts",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "last_attempt_at": {
+          "name": "last_attempt_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "next_attempt_at": {
+          "name": "next_attempt_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "response_status": {
+          "name": "response_status",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "response_body": {
+          "name": "response_body",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "error_message": {
+          "name": "error_message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_notification_delivery_subscription_id_idx": {
+          "name": "workspace_notification_delivery_subscription_id_idx",
+          "columns": [
+            {
+              "expression": "subscription_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_notification_delivery_execution_id_idx": {
+          "name": "workspace_notification_delivery_execution_id_idx",
+          "columns": [
+            {
+              "expression": "execution_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_notification_delivery_status_idx": {
+          "name": "workspace_notification_delivery_status_idx",
+          "columns": [
+            {
+              "expression": "status",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_notification_delivery_next_attempt_idx": {
+          "name": "workspace_notification_delivery_next_attempt_idx",
+          "columns": [
+            {
+              "expression": "next_attempt_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_notification_delivery_subscription_id_workspace_notification_subscription_id_fk": {
+          "name": "workspace_notification_delivery_subscription_id_workspace_notification_subscription_id_fk",
+          "tableFrom": "workspace_notification_delivery",
+          "tableTo": "workspace_notification_subscription",
+          "columnsFrom": ["subscription_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_notification_delivery_workflow_id_workflow_id_fk": {
+          "name": "workspace_notification_delivery_workflow_id_workflow_id_fk",
+          "tableFrom": "workspace_notification_delivery",
+          "tableTo": "workflow",
+          "columnsFrom": ["workflow_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.workspace_notification_subscription": {
+      "name": "workspace_notification_subscription",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "notification_type": {
+          "name": "notification_type",
+          "type": "notification_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "workflow_ids": {
+          "name": "workflow_ids",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{}'::text[]"
+        },
+        "all_workflows": {
+          "name": "all_workflows",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "level_filter": {
+          "name": "level_filter",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY['info', 'error']::text[]"
+        },
+        "trigger_filter": {
+          "name": "trigger_filter",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY['api', 'webhook', 'schedule', 'manual', 'chat']::text[]"
+        },
+        "include_final_output": {
+          "name": "include_final_output",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "include_trace_spans": {
+          "name": "include_trace_spans",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "include_rate_limits": {
+          "name": "include_rate_limits",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "include_usage_data": {
+          "name": "include_usage_data",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "webhook_config": {
+          "name": "webhook_config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "email_recipients": {
+          "name": "email_recipients",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "slack_config": {
+          "name": "slack_config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "alert_config": {
+          "name": "alert_config",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_alert_at": {
+          "name": "last_alert_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "active": {
+          "name": "active",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "created_by": {
+          "name": "created_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "workspace_notification_workspace_id_idx": {
+          "name": "workspace_notification_workspace_id_idx",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_notification_active_idx": {
+          "name": "workspace_notification_active_idx",
+          "columns": [
+            {
+              "expression": "active",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "workspace_notification_type_idx": {
+          "name": "workspace_notification_type_idx",
+          "columns": [
+            {
+              "expression": "notification_type",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "workspace_notification_subscription_workspace_id_workspace_id_fk": {
+          "name": "workspace_notification_subscription_workspace_id_workspace_id_fk",
+          "tableFrom": "workspace_notification_subscription",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "workspace_notification_subscription_created_by_user_id_fk": {
+          "name": "workspace_notification_subscription_created_by_user_id_fk",
+          "tableFrom": "workspace_notification_subscription",
+          "tableTo": "user",
+          "columnsFrom": ["created_by"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.a2a_task_status": {
+      "name": "a2a_task_status",
+      "schema": "public",
+      "values": [
+        "submitted",
+        "working",
+        "input-required",
+        "completed",
+        "failed",
+        "canceled",
+        "rejected",
+        "auth-required",
+        "unknown"
+      ]
+    },
+    "public.billing_blocked_reason": {
+      "name": "billing_blocked_reason",
+      "schema": "public",
+      "values": ["payment_failed", "dispute"]
+    },
+    "public.credential_member_role": {
+      "name": "credential_member_role",
+      "schema": "public",
+      "values": ["admin", "member"]
+    },
+    "public.credential_member_status": {
+      "name": "credential_member_status",
+      "schema": "public",
+      "values": ["active", "pending", "revoked"]
+    },
+    "public.credential_set_invitation_status": {
+      "name": "credential_set_invitation_status",
+      "schema": "public",
+      "values": ["pending", "accepted", "expired", "cancelled"]
+    },
+    "public.credential_set_member_status": {
+      "name": "credential_set_member_status",
+      "schema": "public",
+      "values": ["active", "pending", "revoked"]
+    },
+    "public.credential_type": {
+      "name": "credential_type",
+      "schema": "public",
+      "values": ["oauth", "env_workspace", "env_personal"]
+    },
+    "public.notification_delivery_status": {
+      "name": "notification_delivery_status",
+      "schema": "public",
+      "values": ["pending", "in_progress", "success", "failed"]
+    },
+    "public.notification_type": {
+      "name": "notification_type",
+      "schema": "public",
+      "values": ["webhook", "email", "slack"]
+    },
+    "public.permission_type": {
+      "name": "permission_type",
+      "schema": "public",
+      "values": ["admin", "write", "read"]
+    },
+    "public.template_creator_type": {
+      "name": "template_creator_type",
+      "schema": "public",
+      "values": ["user", "organization"]
+    },
+    "public.template_status": {
+      "name": "template_status",
+      "schema": "public",
+      "values": ["pending", "approved", "rejected"]
+    },
+    "public.usage_log_category": {
+      "name": "usage_log_category",
+      "schema": "public",
+      "values": ["model", "fixed"]
+    },
+    "public.usage_log_source": {
+      "name": "usage_log_source",
+      "schema": "public",
+      "values": ["workflow", "wand", "copilot", "mcp_copilot"]
+    },
+    "public.workspace_invitation_status": {
+      "name": "workspace_invitation_status",
+      "schema": "public",
+      "values": ["pending", "accepted", "rejected", "cancelled"]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
diff --git a/packages/db/migrations/meta/_journal.json b/packages/db/migrations/meta/_journal.json
index 2b83d1c908..a5efa4d9ed 100644
--- a/packages/db/migrations/meta/_journal.json
+++ b/packages/db/migrations/meta/_journal.json
@@ -1079,6 +1079,13 @@
       "when": 1770869658697,
       "tag": "0154_bumpy_living_mummy",
       "breakpoints": true
+    },
+    {
+      "idx": 155,
+      "version": "7",
+      "when": 1771023950966,
+      "tag": "0155_nebulous_rocket_raccoon",
+      "breakpoints": true
     }
   ]
 }
diff --git a/packages/db/schema.ts b/packages/db/schema.ts
index 090ab0855b..48729f91c2 100644
--- a/packages/db/schema.ts
+++ b/packages/db/schema.ts
@@ -89,10 +89,6 @@ export const account = pgTable(
       table.accountId,
       table.providerId
     ),
-    uniqueUserProvider: uniqueIndex('account_user_provider_unique').on(
-      table.userId,
-      table.providerId
-    ),
   })
 )
 
@@ -2066,6 +2062,121 @@ export const usageLog = pgTable(
   })
 )
 
+export const credentialTypeEnum = pgEnum('credential_type', [
+  'oauth',
+  'env_workspace',
+  'env_personal',
+])
+
+export const credential = pgTable(
+  'credential',
+  {
+    id: text('id').primaryKey(),
+    workspaceId: text('workspace_id')
+      .notNull()
+      .references(() => workspace.id, { onDelete: 'cascade' }),
+    type: credentialTypeEnum('type').notNull(),
+    displayName: text('display_name').notNull(),
+    description: text('description'),
+    providerId: text('provider_id'),
+    accountId: text('account_id').references(() => account.id, { onDelete: 'cascade' }),
+    envKey: text('env_key'),
+    envOwnerUserId: text('env_owner_user_id').references(() => user.id, { onDelete: 'cascade' }),
+    createdBy: text('created_by')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+    updatedAt: timestamp('updated_at').notNull().defaultNow(),
+  },
+  (table) => ({
+    workspaceIdIdx: index('credential_workspace_id_idx').on(table.workspaceId),
+    typeIdx: index('credential_type_idx').on(table.type),
+    providerIdIdx: index('credential_provider_id_idx').on(table.providerId),
+    accountIdIdx: index('credential_account_id_idx').on(table.accountId),
+    envOwnerUserIdIdx: index('credential_env_owner_user_id_idx').on(table.envOwnerUserId),
+    workspaceAccountUnique: uniqueIndex('credential_workspace_account_unique')
+      .on(table.workspaceId, table.accountId)
+      .where(sql`account_id IS NOT NULL`),
+    workspaceEnvUnique: uniqueIndex('credential_workspace_env_unique')
+      .on(table.workspaceId, table.type, table.envKey)
+      .where(sql`type = 'env_workspace'`),
+    workspacePersonalEnvUnique: uniqueIndex('credential_workspace_personal_env_unique')
+      .on(table.workspaceId, table.type, table.envKey, table.envOwnerUserId)
+      .where(sql`type = 'env_personal'`),
+    oauthSourceConstraint: check(
+      'credential_oauth_source_check',
+      sql`(type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)`
+    ),
+    workspaceEnvSourceConstraint: check(
+      'credential_workspace_env_source_check',
+      sql`(type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)`
+    ),
+    personalEnvSourceConstraint: check(
+      'credential_personal_env_source_check',
+      sql`(type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL)`
+    ),
+  })
+)
+
+export const credentialMemberRoleEnum = pgEnum('credential_member_role', ['admin', 'member'])
+export const credentialMemberStatusEnum = pgEnum('credential_member_status', [
+  'active',
+  'pending',
+  'revoked',
+])
+
+export const credentialMember = pgTable(
+  'credential_member',
+  {
+    id: text('id').primaryKey(),
+    credentialId: text('credential_id')
+      .notNull()
+      .references(() => credential.id, { onDelete: 'cascade' }),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    role: credentialMemberRoleEnum('role').notNull().default('member'),
+    status: credentialMemberStatusEnum('status').notNull().default('active'),
+    joinedAt: timestamp('joined_at'),
+    invitedBy: text('invited_by').references(() => user.id, { onDelete: 'set null' }),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+    updatedAt: timestamp('updated_at').notNull().defaultNow(),
+  },
+  (table) => ({
+    credentialIdIdx: index('credential_member_credential_id_idx').on(table.credentialId),
+    userIdIdx: index('credential_member_user_id_idx').on(table.userId),
+    roleIdx: index('credential_member_role_idx').on(table.role),
+    statusIdx: index('credential_member_status_idx').on(table.status),
+    uniqueMembership: uniqueIndex('credential_member_unique').on(table.credentialId, table.userId),
+  })
+)
+
+export const pendingCredentialDraft = pgTable(
+  'pending_credential_draft',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    workspaceId: text('workspace_id')
+      .notNull()
+      .references(() => workspace.id, { onDelete: 'cascade' }),
+    providerId: text('provider_id').notNull(),
+    displayName: text('display_name').notNull(),
+    description: text('description'),
+    credentialId: text('credential_id').references(() => credential.id, { onDelete: 'cascade' }),
+    expiresAt: timestamp('expires_at').notNull(),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+  },
+  (table) => ({
+    uniqueDraft: uniqueIndex('pending_draft_user_provider_ws').on(
+      table.userId,
+      table.providerId,
+      table.workspaceId
+    ),
+  })
+)
+
 export const credentialSet = pgTable(
   'credential_set',
   {