Merge branch 'staging' into feat/workspace-files-folders

Author: icecrasher321

apps/docs/package.json

@@ -26,7 +26,7 @@
     "fumadocs-openapi": "10.8.1",
     "fumadocs-ui": "16.8.5",
     "lucide-react": "^0.511.0",
-    "next": "16.2.4",
+    "next": "16.2.6",
     "next-themes": "^0.4.6",
     "postgres": "^3.4.5",
     "react": "19.2.4",

apps/sim/app/(landing)/integrations/data/icon-mapping.ts

@@ -258,6 +258,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   extend_v2: ExtendIcon,
   fathom: FathomIcon,
   file_v3: DocumentIcon,
+  file_v4: DocumentIcon,
   firecrawl: FirecrawlIcon,
   fireflies_v2: FirefliesIcon,
   gamma: GammaIcon,

apps/sim/app/(landing)/integrations/data/integrations.json

@@ -4032,18 +4032,22 @@
     "tags": ["meeting", "note-taking"]
   },
   {
-    "type": "file_v3",
+    "type": "file_v4",
     "slug": "file",
     "name": "File",
-    "description": "Read and write workspace files",
-    "longDescription": "Read and parse files from uploads or URLs, write new workspace files, or append content to existing files.",
+    "description": "Read, fetch, write, and append files",
+    "longDescription": "Read workspace files by picker or canonical ID, fetch and parse files from URLs with optional headers, write new workspace files, or append content to existing files.",
     "bgColor": "#40916C",
     "iconName": "DocumentIcon",
     "docsUrl": "https://docs.sim.ai/tools/file",
     "operations": [
       {
         "name": "Read",
-        "description": "Parse one or more uploaded files or files from URLs (text, PDF, CSV, images, etc.)"
+        "description": "Get a workspace file object from a selected file or canonical workspace file ID."
+      },
+      {
+        "name": "Fetch",
+        "description": "Parse a file from a URL with optional custom headers for authenticated downloads."
       },
       {
         "name": "Write",
@@ -4054,7 +4058,7 @@
         "description": "Append content to an existing workspace file. The file must already exist. Content is added to the end of the file."
       }
     ],
-    "operationCount": 3,
+    "operationCount": 4,
     "triggers": [],
     "triggerCount": 0,
     "authType": "none",

apps/sim/app/api/files/authorization.ts

@@ -14,6 +14,14 @@ import { isUuid } from '@/executor/constants'
 
 const logger = createLogger('FileAuthorization')
 
+/** Thrown by utility functions when file access is denied, so route handlers can return 404. */
+export class FileAccessDeniedError extends Error {
+  constructor() {
+    super('File not found')
+    this.name = 'FileAccessDeniedError'
+  }
+}
+
 interface AuthorizationResult {
   granted: boolean
   reason: string
@@ -598,18 +606,14 @@ async function authorizeFileAccess(
  */
 export async function assertToolFileAccess(
   key: unknown,
-  userId: string | undefined,
+  userId: string,
   requestId: string,
   routeLogger: ReturnType<typeof createLogger>
 ): Promise<NextResponse | null> {
   if (typeof key !== 'string' || key.length === 0) {
     routeLogger.warn(`[${requestId}] File access check rejected: missing key`)
     return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
   }
-  if (!userId) {
-    routeLogger.warn(`[${requestId}] File access check requires userId but none available`)
-    return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-  }
   const hasAccess = await verifyFileAccess(key, userId)
   if (!hasAccess) {
     routeLogger.warn(`[${requestId}] File access denied for user`, { userId, key })

apps/sim/app/api/files/multipart/route.test.ts

@@ -53,6 +53,15 @@ vi.mock('@/lib/uploads/providers/blob/client', () => ({
 
 vi.mock('@/lib/workspaces/permissions/utils', () => permissionsMock)
 
+const { mockCheckStorageQuota, mockInitiateS3MultipartUpload } = vi.hoisted(() => ({
+  mockCheckStorageQuota: vi.fn(),
+  mockInitiateS3MultipartUpload: vi.fn(),
+}))
+
+vi.mock('@/lib/billing/storage', () => ({
+  checkStorageQuota: mockCheckStorageQuota,
+}))
+
 import { POST } from '@/app/api/files/multipart/route'
 
 const tokenPayload = {
@@ -200,3 +209,69 @@ describe('POST /api/files/multipart action=complete', () => {
     expect(mockCompleteS3MultipartUpload).toHaveBeenCalledTimes(2)
   })
 })
+
+describe('POST /api/files/multipart action=initiate quota enforcement', () => {
+  const makeInitiateRequest = (body: unknown) =>
+    new NextRequest('http://localhost/api/files/multipart?action=initiate', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+    authMockFns.mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
+    permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue('write')
+    mockIsUsingCloudStorage.mockReturnValue(true)
+    mockGetStorageProvider.mockReturnValue('s3')
+    mockGetStorageConfig.mockReturnValue({ bucket: 'b', region: 'r' })
+    mockSignUploadToken.mockReturnValue('signed-token')
+    mockCheckStorageQuota.mockResolvedValue({ allowed: true })
+    mockInitiateS3MultipartUpload.mockResolvedValue({ uploadId: 'up-1', key: 'k/file.bin' })
+  })
+
+  it('blocks upload when fileSize: 0 exceeds quota', async () => {
+    mockCheckStorageQuota.mockResolvedValue({ allowed: false, error: 'Storage limit exceeded' })
+
+    const res = await makeInitiateRequest({
+      fileName: 'file.bin',
+      contentType: 'application/octet-stream',
+      fileSize: 0,
+      workspaceId: 'ws-1',
+      context: 'knowledge-base',
+    })
+
+    const response = await POST(res)
+    expect(response.status).toBe(413)
+    const body = await response.json()
+    expect(body.error).toContain('Storage limit exceeded')
+  })
+
+  it('does not check quota for quota-exempt contexts (og-images)', async () => {
+    const res = await makeInitiateRequest({
+      fileName: 'img.png',
+      contentType: 'image/png',
+      fileSize: 99999,
+      workspaceId: 'ws-1',
+      context: 'og-images',
+    })
+
+    const response = await POST(res)
+    expect(mockCheckStorageQuota).not.toHaveBeenCalled()
+  })
+
+  it('rejects logs context — not allowed via the multipart endpoint', async () => {
+    const res = await makeInitiateRequest({
+      fileName: 'exec.log',
+      contentType: 'text/plain',
+      fileSize: 1000,
+      workspaceId: 'ws-1',
+      context: 'logs',
+    })
+
+    const response = await POST(res)
+    expect(response.status).toBe(400)
+    const body = await response.json()
+    expect(body.error).toMatch(/invalid storage context/i)
+  })
+})

apps/sim/app/api/files/multipart/route.ts

@@ -22,7 +22,7 @@ import {
   type UploadTokenPayload,
   verifyUploadToken,
 } from '@/lib/uploads/core/upload-token'
-import type { StorageConfig } from '@/lib/uploads/shared/types'
+import { QUOTA_EXEMPT_STORAGE_CONTEXTS, type StorageConfig } from '@/lib/uploads/shared/types'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('MultipartUploadAPI')
@@ -36,7 +36,6 @@ const ALLOWED_UPLOAD_CONTEXTS = new Set<StorageContext>([
   'workspace',
   'profile-pictures',
   'og-images',
-  'logs',
   'workspace-logos',
 ])
 
@@ -135,6 +134,17 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
         const config = getStorageConfig(storageContext)
 
+        if (!QUOTA_EXEMPT_STORAGE_CONTEXTS.has(context as StorageContext)) {
+          const { checkStorageQuota } = await import('@/lib/billing/storage')
+          const quotaCheck = await checkStorageQuota(userId, fileSize ?? 0)
+          if (!quotaCheck.allowed) {
+            return NextResponse.json(
+              { error: quotaCheck.error || 'Storage limit exceeded' },
+              { status: 413 }
+            )
+          }
+        }
+
         let customKey: string | undefined
         if (context === 'workspace' || context === 'mothership') {
           const { MAX_WORKSPACE_FILE_SIZE } = await import('@/lib/uploads/shared/types')
@@ -149,15 +159,6 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
             '@/lib/uploads/contexts/workspace/workspace-file-manager'
           )
           customKey = generateWorkspaceFileKey(workspaceId, fileName)
-
-          const { checkStorageQuota } = await import('@/lib/billing/storage')
-          const quotaCheck = await checkStorageQuota(userId, fileSize)
-          if (!quotaCheck.allowed) {
-            return NextResponse.json(
-              { error: quotaCheck.error || 'Storage limit exceeded' },
-              { status: 413 }
-            )
-          }
         } else if (context === 'execution') {
           const workflowId = (data as { workflowId?: unknown }).workflowId
           const executionId = (data as { executionId?: unknown }).executionId

apps/sim/app/api/files/parse/route.test.ts

@@ -8,6 +8,7 @@ import {
   createMockRequest,
   hybridAuthMockFns,
   inputValidationMock,
+  inputValidationMockFns,
   permissionsMock,
   permissionsMockFns,
   storageServiceMock,
@@ -310,6 +311,39 @@ describe('File Parse API Route', () => {
     expect(data.results).toHaveLength(2)
   })
 
+  it('should pass custom headers when fetching external URLs', async () => {
+    inputValidationMockFns.mockValidateUrlWithDNS.mockResolvedValue({
+      isValid: true,
+      resolvedIP: '203.0.113.10',
+    })
+    inputValidationMockFns.mockSecureFetchWithPinnedIP.mockResolvedValue(
+      new Response('private file content', {
+        status: 200,
+        headers: { 'content-type': 'text/plain' },
+      })
+    )
+
+    const headers = { Authorization: 'Bearer xoxb-test-token' }
+    const req = createMockRequest('POST', {
+      filePath: 'https://files.slack.com/files-pri/T000-F000/download/report.txt',
+      headers,
+    })
+
+    const response = await POST(req)
+    const data = await response.json()
+
+    expect(response.status).toBe(200)
+    expect(data.success).toBe(true)
+    expect(inputValidationMockFns.mockSecureFetchWithPinnedIP).toHaveBeenCalledWith(
+      'https://files.slack.com/files-pri/T000-F000/download/report.txt',
+      '203.0.113.10',
+      expect.objectContaining({
+        timeout: 30000,
+        headers,
+      })
+    )
+  })
+
   it('should process execution file URLs with context query param', async () => {
     setupFileApiMocks({
       cloudEnabled: true,

apps/sim/app/api/files/parse/route.ts

@@ -110,7 +110,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     )
     if (!parsed.success) return parsed.response
 
-    const { filePath, fileType, workspaceId, workflowId, executionId } = parsed.data.body
+    const { filePath, fileType, headers, workspaceId, workflowId, executionId } = parsed.data.body
 
     if (!filePath || (typeof filePath === 'string' && filePath.trim() === '')) {
       return NextResponse.json({ success: false, error: 'No file path provided' }, { status: 400 })
@@ -128,6 +128,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       workspaceId,
       userId,
       hasExecutionContext: !!executionContext,
+      hasHeaders: Boolean(headers && Object.keys(headers).length > 0),
     })
 
     if (Array.isArray(filePath)) {
@@ -146,7 +147,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
             fileType,
             workspaceId,
             userId,
-            executionContext
+            executionContext,
+            headers
           )
           if (result.metadata) {
             result.metadata.processingTime = Date.now() - startTime
@@ -180,7 +182,14 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       })
     }
 
-    const result = await parseFileSingle(filePath, fileType, workspaceId, userId, executionContext)
+    const result = await parseFileSingle(
+      filePath,
+      fileType,
+      workspaceId,
+      userId,
+      executionContext,
+      headers
+    )
 
     if (result.metadata) {
       result.metadata.processingTime = Date.now() - startTime
@@ -225,7 +234,8 @@ async function parseFileSingle(
   fileType: string,
   workspaceId: string,
   userId: string,
-  executionContext?: ExecutionContext
+  executionContext?: ExecutionContext,
+  headers?: Record<string, string>
 ): Promise<ParseResult> {
   logger.info('Parsing file:', filePath)
 
@@ -251,7 +261,7 @@ async function parseFileSingle(
   }
 
   if (filePath.startsWith('http://') || filePath.startsWith('https://')) {
-    return handleExternalUrl(filePath, fileType, workspaceId, userId, executionContext)
+    return handleExternalUrl(filePath, fileType, workspaceId, userId, executionContext, headers)
   }
 
   if (isUsingCloudStorage()) {
@@ -298,7 +308,8 @@ async function handleExternalUrl(
   fileType: string,
   workspaceId: string,
   userId: string,
-  executionContext?: ExecutionContext
+  executionContext?: ExecutionContext,
+  headers?: Record<string, string>
 ): Promise<ParseResult> {
   try {
     logger.info('Fetching external URL:', url)
@@ -382,6 +393,7 @@ async function handleExternalUrl(
 
     const response = await secureFetchWithPinnedIP(url, urlValidation.resolvedIP!, {
       timeout: DOWNLOAD_TIMEOUT_MS,
+      ...(headers && Object.keys(headers).length > 0 && { headers }),
     })
     if (!response.ok) {
       throw new Error(`Failed to fetch URL: ${response.status} ${response.statusText}`)

apps/sim/app/api/tools/agiloft/attach/route.ts

@@ -10,6 +10,7 @@ import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import type { RawFileInput } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
+import { assertToolFileAccess } from '@/app/api/files/authorization'
 import { agiloftLogin, agiloftLogout, buildAttachFileUrl } from '@/tools/agiloft/utils'
 
 export const dynamic = 'force-dynamic'
@@ -22,7 +23,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
   try {
     const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
 
-    if (!authResult.success) {
+    if (!authResult.success || !authResult.userId) {
       logger.warn(`[${requestId}] Unauthorized Agiloft attach attempt: ${authResult.error}`)
       return NextResponse.json(
         { success: false, error: authResult.error || 'Authentication required' },
@@ -66,6 +67,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       `[${requestId}] Downloading file for Agiloft attach: ${userFile.name} (${userFile.size} bytes)`
     )
 
+    const denied = await assertToolFileAccess(userFile.key, authResult.userId, requestId, logger)
+    if (denied) return denied
     const fileBuffer = await downloadFileFromStorage(userFile, requestId, logger)
     const resolvedFileName = data.fileName || userFile.name || 'attachment'