fix(envvars): resolution standardized

Author: icecrasher321

apps/sim/app/api/copilot/execute-tool/route.ts

@@ -104,17 +104,11 @@ export async function POST(req: NextRequest) {
     })
 
     // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments
+    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
     const executionParams: Record<string, any> = resolveEnvVarReferences(
       toolArgs,
       decryptedEnvVars,
-      {
-        resolveExactMatch: true,
-        allowEmbedded: true,
-        trimKeys: true,
-        onMissing: 'keep',
-        deep: true,
-      }
+      { deep: true }
     ) as Record<string, any>
 
     logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,11 +1,10 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
-import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
+import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
+import type { McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
-import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'
 
 const logger = createLogger('McpServerTestAPI')
 
@@ -19,30 +18,6 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
   return transport === 'streamable-http'
 }
 
-/**
- * Resolve environment variables in strings
- */
-function resolveEnvVars(value: string, envVars: Record<string, string>): string {
-  const missingVars: string[] = []
-  const resolvedValue = resolveEnvVarReferences(value, envVars, {
-    allowEmbedded: true,
-    resolveExactMatch: true,
-    trimKeys: true,
-    onMissing: 'keep',
-    deep: false,
-    missingKeys: missingVars,
-  }) as string
-
-  if (missingVars.length > 0) {
-    const uniqueMissing = Array.from(new Set(missingVars))
-    uniqueMissing.forEach((envKey) => {
-      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
-    })
-  }
-
-  return resolvedValue
-}
-
 interface TestConnectionRequest {
   name: string
   transport: McpTransport
@@ -96,39 +71,30 @@ export const POST = withMcpAuth('write')(
         )
       }
 
-      let resolvedUrl = body.url
-      let resolvedHeaders = body.headers || {}
-
-      try {
-        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
-
-        if (resolvedUrl) {
-          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
-        }
-
-        const resolvedHeadersObj: Record<string, string> = {}
-        for (const [key, value] of Object.entries(resolvedHeaders)) {
-          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
-        }
-        resolvedHeaders = resolvedHeadersObj
-      } catch (envError) {
-        logger.warn(
-          `[${requestId}] Failed to resolve environment variables, using raw values:`,
-          envError
-        )
-      }
-
-      const testConfig: McpServerConfig = {
+      // Build initial config for resolution
+      const initialConfig = {
         id: `test-${requestId}`,
         name: body.name,
         transport: body.transport,
-        url: resolvedUrl,
-        headers: resolvedHeaders,
+        url: body.url,
+        headers: body.headers || {},
         timeout: body.timeout || 10000,
         retries: 1, // Only one retry for tests
         enabled: true,
       }
 
+      // Resolve env vars using shared utility (non-strict mode for testing)
+      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
+        initialConfig,
+        userId,
+        workspaceId,
+        { strict: false }
+      )
+
+      if (missingVars.length > 0) {
+        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
+      }
+
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/webhooks/[id]/route.ts

@@ -7,6 +7,7 @@ import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
 import {
   cleanupExternalWebhook,
   createExternalWebhookSubscription,
@@ -112,9 +113,12 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       }
     }
 
+    // Keep original config with {{ENV_VAR}} patterns for saving to DB
+    const originalProviderConfig = providerConfig
+
+    // Resolve for processing (subscription checks) but don't save resolved values
     let resolvedProviderConfig = providerConfig
     if (providerConfig) {
-      const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
       const webhookDataForResolve = await db
         .select({
           workspaceId: workflow.workspaceId,
@@ -230,18 +234,22 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
       hasFailedCountUpdate: failedCount !== undefined,
     })
 
-    // Merge providerConfig to preserve credential-related fields
+    // Merge providerConfig to preserve credential-related fields and system-managed fields
+    // Use original config (preserves {{ENV_VAR}} patterns) + system fields from existing/updated
     let finalProviderConfig = webhooks[0].webhook.providerConfig
-    if (providerConfig !== undefined) {
+    if (providerConfig !== undefined && originalProviderConfig) {
       const existingConfig = existingProviderConfig
       finalProviderConfig = {
-        ...nextProviderConfig,
+        // Start with original config (preserves {{ENV_VAR}} patterns)
+        ...originalProviderConfig,
+        // Preserve credential-related and system-managed fields from existing
         credentialId: existingConfig.credentialId,
         credentialSetId: existingConfig.credentialSetId,
         userId: existingConfig.userId,
         historyId: existingConfig.historyId,
         lastCheckedTimestamp: existingConfig.lastCheckedTimestamp,
         setupCompleted: existingConfig.setupCompleted,
+        // Use updated externalId from subscription recreation, or existing
         externalId: nextProviderConfig.externalId ?? existingConfig.externalId,
       }
     }

apps/sim/app/api/webhooks/route.ts

@@ -7,6 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
 import { createExternalWebhookSubscription } from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -300,12 +301,14 @@ export async function POST(request: NextRequest) {
 
     let savedWebhook: any = null // Variable to hold the result of save/update
 
-    // Use the original provider config - Gmail/Outlook configuration functions will inject userId automatically
-    const finalProviderConfig = providerConfig || {}
+    // Keep original config with {{ENV_VAR}} patterns - these should be saved to DB
+    // and resolved at runtime, so users can update env vars without recreating webhooks
+    const originalProviderConfig = providerConfig || {}
 
-    const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
+    // Resolve env vars for processing (credential detection, external subscriptions)
+    // but don't save resolved values - save original patterns instead
     let resolvedProviderConfig = await resolveEnvVarsInObject(
-      finalProviderConfig,
+      originalProviderConfig,
       userId,
       workflowRecord.workspaceId || undefined
     )
@@ -469,6 +472,9 @@ export async function POST(request: NextRequest) {
       providerConfig: providerConfigOverride,
     })
 
+    // Config to save to DB - starts with original (preserves {{ENV_VAR}} patterns)
+    const configToSave = { ...originalProviderConfig }
+
     try {
       const result = await createExternalWebhookSubscription(
         request,
@@ -477,7 +483,16 @@ export async function POST(request: NextRequest) {
         userId,
         requestId
       )
-      resolvedProviderConfig = result.updatedProviderConfig as Record<string, unknown>
+      // Merge any new fields (like externalId) from external subscription into original config
+      // This preserves {{ENV_VAR}} patterns while adding system-managed fields
+      const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
+      for (const [key, value] of Object.entries(updatedConfig)) {
+        if (!(key in originalProviderConfig)) {
+          // New field added by external subscription (e.g., externalId, subscriptionId)
+          configToSave[key] = value
+        }
+      }
+      resolvedProviderConfig = updatedConfig // Keep for logging/credential checks
       externalSubscriptionCreated = result.externalSubscriptionCreated
     } catch (err) {
       logger.error(`[${requestId}] Error creating external webhook subscription`, err)
@@ -491,24 +506,23 @@ export async function POST(request: NextRequest) {
     }
 
     // Now save to database (only if subscription succeeded or provider doesn't need external subscription)
+    // Save configToSave which preserves {{ENV_VAR}} patterns + system-managed fields
     try {
       if (targetWebhookId) {
         logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
           webhookId: targetWebhookId,
           provider,
-          hasCredentialId: !!(resolvedProviderConfig as any)?.credentialId,
-          credentialId: (resolvedProviderConfig as any)?.credentialId,
+          hasCredentialId: !!(configToSave as any)?.credentialId,
+          credentialId: (configToSave as any)?.credentialId,
         })
         const updatedResult = await db
           .update(webhook)
           .set({
             blockId,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             updatedAt: new Date(),
           })
@@ -531,11 +545,9 @@ export async function POST(request: NextRequest) {
             blockId,
             path: finalPath,
             provider,
-            providerConfig: resolvedProviderConfig,
+            providerConfig: configToSave,
             credentialSetId:
-              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
-                | string
-                | null) || null,
+              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
             isActive: true,
             createdAt: new Date(),
             updatedAt: new Date(),
@@ -549,7 +561,7 @@ export async function POST(request: NextRequest) {
         try {
           const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
           await cleanupExternalWebhook(
-            createTempWebhookData(resolvedProviderConfig),
+            createTempWebhookData(configToSave),
             workflowRecord,
             requestId
           )

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -116,7 +116,6 @@ type AsyncExecutionParams = {
   userId: string
   input: any
   triggerType: CoreTriggerType
-  preflighted?: boolean
 }
 
 /**
@@ -139,7 +138,6 @@ async function handleAsyncExecution(params: AsyncExecutionParams): Promise<NextR
     userId,
     input,
     triggerType,
-    preflighted: params.preflighted,
   }
 
   try {
@@ -276,7 +274,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId
     )
 
-    const shouldPreflightEnvVars = isAsyncMode && isTriggerDevEnabled
     const preprocessResult = await preprocessExecution({
       workflowId,
       userId,
@@ -285,9 +282,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       requestId,
       checkDeployment: !shouldUseDraftState,
       loggingSession,
-      preflightEnvVars: shouldPreflightEnvVars,
       useDraftState: shouldUseDraftState,
-      envUserId: isClientSession ? userId : undefined,
     })
 
     if (!preprocessResult.success) {
@@ -319,7 +314,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         userId: actorUserId,
         input,
         triggerType: loggingTriggerType,
-        preflighted: shouldPreflightEnvVars,
       })
     }
 

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx

@@ -7,7 +7,7 @@ import { useStoreWithEqualityFn } from 'zustand/traditional'
 import { Badge, Tooltip } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
-import { createMcpToolId } from '@/lib/mcp/utils'
+import { createMcpToolId } from '@/lib/mcp/shared'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { BLOCK_DIMENSIONS, HANDLE_POSITIONS } from '@/lib/workflows/blocks/block-dimensions'
 import {