Fix build

Author: Sg312

apps/sim/app/api/mothership/execute/route.ts

@@ -97,7 +97,7 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
       messages,
       responseFormat,
       workspaceId,
-      userId,
+      userId: bodyUserId,
       chatId,
       messageId: providedMessageId,
       requestId: providedRequestId,
@@ -107,6 +107,23 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
       userMetadata,
     } = validation.data.body
 
+    // Bind the billing actor to the authenticated identity. The executor mints
+    // the internal JWT with the workflow owner's userId, so a token issued for
+    // one user must never be used to attribute mothership-block cost to another
+    // user via a forged body.userId. When the token carries a userId we require
+    // the body to match it; the JWT userId is authoritative.
+    if (auth.userId && auth.userId !== bodyUserId) {
+      logger.warn('Mothership execute userId does not match authenticated identity', {
+        tokenUserId: auth.userId,
+        bodyUserId,
+      })
+      return NextResponse.json(
+        { error: 'userId does not match authenticated identity' },
+        { status: 403 }
+      )
+    }
+    const userId = auth.userId ?? bodyUserId
+
     await assertActiveWorkspaceAccess(workspaceId, userId)
 
     const effectiveChatId = chatId || generateId()

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -827,7 +827,10 @@ async function handleExecutePost(
     }
 
     const effectiveWorkflowStateOverride =
-      sanitizedWorkflowStateOverride || cachedWorkflowData || undefined
+      // double-cast-allowed: workflowStateSchema is structurally a supertype of the executor's reactflow-typed override (edges[].style is Record<string, unknown> vs CSSProperties); validated bodies carry store-shaped values so the runtime shape matches
+      (sanitizedWorkflowStateOverride as unknown as ExecutionMetadata['workflowStateOverride']) ||
+      cachedWorkflowData ||
+      undefined
     const largeValueExecutionIds = [executionId]
     const largeValueKeys: string[] = []
     const fileKeys: string[] = []

apps/sim/app/workspace/[workspaceId]/settings/components/byok/byok-key-manager.tsx

@@ -7,6 +7,7 @@ import { Eye, EyeOff, Search } from 'lucide-react'
 import {
   Button,
   Chip,
+  ChipConfirmModal,
   ChipModal,
   ChipModalBody,
   ChipModalError,
@@ -293,47 +294,42 @@ export function BYOKKeyManager({
           </ChipModalField>
           <ChipModalError>{error}</ChipModalError>
         </ChipModalBody>
-        <ChipModalFooter>
-          <Chip variant='filled' flush onClick={closeEditModal} disabled={isSaving}>
-            Cancel
-          </Chip>
-          <Chip
-            variant='primary'
-            flush
-            onClick={handleSave}
-            disabled={!apiKeyInput.trim() || isSaving}
-          >
-            {isSaving ? 'Saving...' : 'Save'}
-          </Chip>
-        </ChipModalFooter>
+        <ChipModalFooter
+          onCancel={closeEditModal}
+          cancelDisabled={isSaving}
+          primaryAction={{
+            label: isSaving ? 'Saving...' : 'Save',
+            onClick: handleSave,
+            disabled: !apiKeyInput.trim() || isSaving,
+          }}
+        />
       </ChipModal>
 
-      <ChipModal
+      <ChipConfirmModal
         open={!!deleteConfirmProvider}
-        onOpenChange={() => setDeleteConfirmProvider(null)}
+        onOpenChange={(open) => {
+          if (!open) setDeleteConfirmProvider(null)
+        }}
         srTitle='Delete API Key'
-      >
-        <ChipModalHeader showDivider={false}>Delete API Key</ChipModalHeader>
-        <ChipModalBody>
-          <p className='px-2 text-[var(--text-secondary)] text-sm'>
+        title='Delete API Key'
+        description={
+          <>
             Are you sure you want to delete the{' '}
             <span className='font-medium text-[var(--text-primary)]'>{deleteMeta?.name}</span> API
             key?{' '}
             <span className='text-[var(--text-error)]'>
               This workspace will revert to using platform hosted keys.
             </span>{' '}
             This action cannot be undone.
-          </p>
-        </ChipModalBody>
-        <ChipModalFooter>
-          <Chip variant='filled' flush onClick={() => setDeleteConfirmProvider(null)}>
-            Cancel
-          </Chip>
-          <Chip variant='destructive' flush onClick={handleDelete} disabled={isDeleting}>
-            {isDeleting ? 'Deleting...' : 'Delete'}
-          </Chip>
-        </ChipModalFooter>
-      </ChipModal>
+          </>
+        }
+        confirm={{
+          label: 'Delete',
+          onClick: handleDelete,
+          pending: isDeleting,
+          pendingLabel: 'Deleting...',
+        }}
+      />
     </>
   )
 }

apps/sim/app/workspace/[workspaceId]/settings/components/byok/byok.tsx

@@ -2,17 +2,6 @@
 
 import { useMemo } from 'react'
 import { useParams } from 'next/navigation'
-import {
-  Button,
-  ChipConfirmModal,
-  ChipInput,
-  ChipModal,
-  ChipModalBody,
-  ChipModalError,
-  ChipModalField,
-  ChipModalFooter,
-  ChipModalHeader,
-} from '@/components/emcn'
 import {
   AnthropicIcon,
   BasetenIcon,
@@ -321,128 +310,6 @@ export function BYOK() {
           />
         </div>
       </div>
-
-      <ChipModal
-        open={!!editingProvider}
-        onOpenChange={(open) => {
-          if (!open) {
-            setEditingProvider(null)
-            setApiKeyInput('')
-            setShowApiKey(false)
-            setError(null)
-          }
-        }}
-        srTitle='Add/Update API Key'
-      >
-        <ChipModalHeader
-          onClose={() => {
-            setEditingProvider(null)
-            setApiKeyInput('')
-            setShowApiKey(false)
-            setError(null)
-          }}
-        >
-          {editingProvider && (
-            <>
-              {getKeyForProvider(editingProvider) ? 'Update' : 'Add'}{' '}
-              {PROVIDERS.find((p) => p.id === editingProvider)?.name} API Key
-            </>
-          )}
-        </ChipModalHeader>
-        <ChipModalBody>
-          <p className='px-2 text-[var(--text-secondary)] text-sm'>
-            This key will be used for all {PROVIDERS.find((p) => p.id === editingProvider)?.name}{' '}
-            requests in this workspace. Your key is encrypted and stored securely.
-          </p>
-          <ChipModalField type='custom' title='API Key' required>
-            {/* Hidden decoy fields to prevent browser autofill */}
-            <input
-              type='text'
-              name='fakeusernameremembered'
-              autoComplete='username'
-              style={{
-                position: 'absolute',
-                left: '-9999px',
-                opacity: 0,
-                pointerEvents: 'none',
-              }}
-              tabIndex={-1}
-              readOnly
-            />
-            <ChipInput
-              type={showApiKey ? 'text' : 'password'}
-              value={apiKeyInput}
-              onChange={(e) => {
-                setApiKeyInput(e.target.value)
-                if (error) setError(null)
-              }}
-              placeholder={PROVIDERS.find((p) => p.id === editingProvider)?.placeholder}
-              name='byok_api_key'
-              autoComplete='off'
-              autoCorrect='off'
-              autoCapitalize='off'
-              data-lpignore='true'
-              data-form-type='other'
-              endAdornment={
-                <Button
-                  variant='ghost'
-                  className='size-[28px] p-0'
-                  onClick={() => setShowApiKey(!showApiKey)}
-                >
-                  {showApiKey ? (
-                    <EyeOff className='size-[14px]' />
-                  ) : (
-                    <Eye className='size-[14px]' />
-                  )}
-                </Button>
-              }
-            />
-          </ChipModalField>
-          <ChipModalError>{error}</ChipModalError>
-        </ChipModalBody>
-        <ChipModalFooter
-          onCancel={() => {
-            setEditingProvider(null)
-            setApiKeyInput('')
-            setShowApiKey(false)
-            setError(null)
-          }}
-          cancelDisabled={upsertKey.isPending}
-          primaryAction={{
-            label: upsertKey.isPending ? 'Saving...' : 'Save',
-            onClick: handleSave,
-            disabled: !apiKeyInput.trim() || upsertKey.isPending,
-          }}
-        />
-      </ChipModal>
-
-      <ChipConfirmModal
-        open={!!deleteConfirmProvider}
-        onOpenChange={(open) => {
-          if (!open) setDeleteConfirmProvider(null)
-        }}
-        srTitle='Delete API Key'
-        title='Delete API Key'
-        description={
-          <>
-            Are you sure you want to delete the{' '}
-            <span className='font-medium text-[var(--text-primary)]'>
-              {PROVIDERS.find((p) => p.id === deleteConfirmProvider)?.name}
-            </span>{' '}
-            API key?{' '}
-            <span className='text-[var(--text-error)]'>
-              This workspace will revert to using platform hosted keys.
-            </span>{' '}
-            This action cannot be undone.
-          </>
-        }
-        confirm={{
-          label: 'Delete',
-          onClick: handleDelete,
-          pending: deleteKey.isPending,
-          pendingLabel: 'Deleting...',
-        }}
-      />
     </div>
   )
 }

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/manage-credits-modal/manage-credits-modal.tsx

@@ -3,7 +3,6 @@
 import { useEffect, useRef, useState } from 'react'
 import { getErrorMessage } from '@sim/utils/errors'
 import {
-  Chip,
   ChipModal,
   ChipModalBody,
   ChipModalError,
@@ -128,19 +127,15 @@ export function ManageCreditsModal({
         />
         <ChipModalError>{error}</ChipModalError>
       </ChipModalBody>
-      <ChipModalFooter>
-        <Chip variant='filled' flush onClick={() => onOpenChange(false)} disabled={isSaving}>
-          Cancel
-        </Chip>
-        <Chip
-          variant='primary'
-          flush
-          onClick={handleSave}
-          disabled={!isValid || !isDirty || isSaving || isLoading}
-        >
-          {isSaving ? 'Saving…' : 'Save'}
-        </Chip>
-      </ChipModalFooter>
+      <ChipModalFooter
+        onCancel={() => onOpenChange(false)}
+        cancelDisabled={isSaving}
+        primaryAction={{
+          label: isSaving ? 'Saving…' : 'Save',
+          onClick: handleSave,
+          disabled: !isValid || !isDirty || isSaving || isLoading,
+        }}
+      />
     </ChipModal>
   )
 }

apps/sim/lib/auth/internal.ts

@@ -8,7 +8,12 @@ import { getClientIp } from '@/lib/core/utils/request'
 const logger = createLogger('CronAuth')
 
 const getJwtSecret = () => {
-  const secret = new TextEncoder().encode(env.INTERNAL_API_SECRET)
+  // Prefer a dedicated JWT signing key so the internal-JWT trust domain is
+  // separable from the raw INTERNAL_API_SECRET shared-bearer secret: leaking one
+  // shouldn't grant the other (raw secret => call internal endpoints; JWT key =>
+  // mint tokens for arbitrary userIds). Falls back to INTERNAL_API_SECRET when
+  // unset so existing deployments keep working until the key is rotated in.
+  const secret = new TextEncoder().encode(env.INTERNAL_JWT_SECRET || env.INTERNAL_API_SECRET)
   return secret
 }
 

apps/sim/lib/core/config/env.ts

@@ -35,6 +35,7 @@ export const env = createEnv({
     ENCRYPTION_KEY:                        z.string().min(32),                     // Key for encrypting sensitive data
     API_ENCRYPTION_KEY:                    z.string().min(32).optional(),          // Dedicated key for encrypting API keys (optional for OSS)
     INTERNAL_API_SECRET:                   z.string().min(32),                     // Secret for internal API authentication
+    INTERNAL_JWT_SECRET:                   z.string().min(32).optional(),          // Dedicated signing key for internal JWTs (falls back to INTERNAL_API_SECRET); separating limits blast radius if one leaks
 
     // Copilot
     COPILOT_API_KEY:                       z.string().min(1).optional(),           // Secret for internal sim agent API authentication