Fix

Author: Sg312

apps/sim/lib/copilot/tools/handlers/vfs.test.ts

@@ -52,7 +52,8 @@ describe('vfs handlers oversize policy', () => {
     )
 
     expect(result.success).toBe(false)
-    expect(result.error).toContain('smaller grep')
+    expect(result.error).toContain('more specific pattern')
+    expect(result.error).toContain('context window')
   })
 
   it('fails oversized read results with grep guidance', async () => {
@@ -67,6 +68,8 @@ describe('vfs handlers oversize policy', () => {
 
     expect(result.success).toBe(false)
     expect(result.error).toContain('Use grep')
+    expect(result.error).toContain('offset/limit')
+    expect(result.error).toContain('context window')
   })
 
   it('fails file-backed oversized read placeholders with grep guidance', async () => {
@@ -85,5 +88,7 @@ describe('vfs handlers oversize policy', () => {
 
     expect(result.success).toBe(false)
     expect(result.error).toContain('Use grep')
+    expect(result.error).toContain('offset/limit')
+    expect(result.error).toContain('context window')
   })
 })

apps/sim/lib/copilot/tools/handlers/vfs.ts

@@ -37,6 +37,7 @@ export async function executeVfsGrep(
   if (!pattern) {
     return { success: false, error: "Missing required parameter 'pattern'" }
   }
+  const outputMode = (params.output_mode as string) ?? 'content'
 
   const workspaceId = context.workspaceId
   if (!workspaceId) {
@@ -47,12 +48,11 @@ export async function executeVfsGrep(
     const vfs = await getOrMaterializeVFS(workspaceId, context.userId)
     const result = vfs.grep(pattern, params.path as string | undefined, {
       maxResults: (params.maxResults as number) ?? 50,
-      outputMode: (params.output_mode as 'content' | 'files_with_matches' | 'count') ?? 'content',
+      outputMode: outputMode as 'content' | 'files_with_matches' | 'count',
       ignoreCase: (params.ignoreCase as boolean) ?? false,
       lineNumbers: (params.lineNumbers as boolean) ?? true,
       context: (params.context as number) ?? 0,
     })
-    const outputMode = (params.output_mode as string) ?? 'content'
     const key =
       outputMode === 'files_with_matches' ? 'files' : outputMode === 'count' ? 'counts' : 'matches'
     const matchCount = Array.isArray(result)
@@ -65,7 +65,7 @@ export async function executeVfsGrep(
       return {
         success: false,
         error:
-          'Grep result too large to return inline. Use a smaller grep by narrowing the pattern/path, reducing context, or lowering maxResults.',
+          'Grep result too large to return inline. Retry grep with a more specific pattern or narrower path, and reduce context or maxResults. Avoid catch-all greps because smaller searches save context window and make follow-up reads cheaper.',
       }
     }
     logger.debug('vfs_grep result', { pattern, path: params.path, outputMode, matchCount })
@@ -168,7 +168,7 @@ export async function executeVfsRead(
           return {
             success: false,
             error:
-              'Read result too large to return inline. Use grep on this path instead of reading it directly.',
+              'Read result too large to return inline. Use grep with a more specific pattern or narrower path to locate the relevant section, then retry read with offset/limit. Avoid catch-all greps or full-file reads because they waste context window.',
           }
         }
         const windowedUpload = applyWindow(uploadResult)
@@ -199,7 +199,7 @@ export async function executeVfsRead(
           return {
             success: false,
             error:
-              'Read result too large to return inline. Use grep on this path instead of reading it directly.',
+              'Read result too large to return inline. Use grep with a more specific pattern or narrower path to locate the relevant section, then retry read with offset/limit. Avoid catch-all greps or full-file reads because they waste context window.',
           }
         }
         const windowedFileContent = applyWindow(fileContent)
@@ -231,7 +231,7 @@ export async function executeVfsRead(
       return {
         success: false,
         error:
-          'Read result too large to return inline. Use grep on this path instead of reading it directly.',
+          'Read result too large to return inline. Use grep with a more specific pattern or narrower path to locate the relevant section, then retry read with offset/limit. Avoid catch-all greps or full-file reads because they waste context window.',
       }
     }
     logger.debug('vfs_read result', { path, totalLines: result.totalLines, offset, limit })

apps/sim/lib/copilot/tools/server/workflow/edit-workflow/index.ts

@@ -92,6 +92,9 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown>
       throw new Error(authorization.message || 'Unauthorized workflow access')
     }
 
+    const workspaceId = authorization.workflow?.workspaceId ?? undefined
+    const workflowName = authorization.workflow?.name ?? undefined
+
     logger.info('Executing edit_workflow', {
       operationCount: operations.length,
       workflowId,
@@ -124,7 +127,7 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown>
     if (context?.userId) {
       const { filteredOperations, errors: credErrors } = await preValidateCredentialInputs(
         operations,
-        { userId: context.userId },
+        { userId: context.userId, workspaceId },
         workflowState
       )
       operationsToApply = filteredOperations
@@ -141,20 +144,6 @@ export const editWorkflowServerTool: BaseServerTool<EditWorkflowParams, unknown>
     // Add credential validation errors
     validationErrors.push(...credentialErrors)
 
-    let workspaceId: string | undefined
-    let workflowName: string | undefined
-    try {
-      const [workflowRecord] = await db
-        .select({ workspaceId: workflowTable.workspaceId, name: workflowTable.name })
-        .from(workflowTable)
-        .where(eq(workflowTable.id, workflowId))
-        .limit(1)
-      workspaceId = workflowRecord?.workspaceId ?? undefined
-      workflowName = workflowRecord?.name ?? undefined
-    } catch (error) {
-      logger.warn('Failed to get workflow metadata for validation', { error, workflowId })
-    }
-
     // Validate selector IDs exist in the database
     if (context?.userId) {
       try {

apps/sim/lib/copilot/tools/server/workflow/edit-workflow/validation.test.ts

@@ -1,9 +1,12 @@
 /**
  * @vitest-environment node
  */
-import { describe, expect, it, vi } from 'vitest'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
 import { normalizeConditionRouterIds } from './builders'
-import { validateInputsForBlock } from './validation'
+
+const { mockValidateSelectorIds } = vi.hoisted(() => ({
+  mockValidateSelectorIds: vi.fn(),
+}))
 
 const conditionBlockConfig = {
   type: 'condition',
@@ -12,6 +15,13 @@ const conditionBlockConfig = {
   subBlocks: [{ id: 'conditions', type: 'condition-input' }],
 }
 
+const oauthBlockConfig = {
+  type: 'slack',
+  name: 'Slack',
+  outputs: {},
+  subBlocks: [{ id: 'credential', type: 'oauth-input' }],
+}
+
 const routerBlockConfig = {
   type: 'router_v2',
   name: 'Router',
@@ -23,12 +33,33 @@ vi.mock('@/blocks/registry', () => ({
   getBlock: (type: string) =>
     type === 'condition'
       ? conditionBlockConfig
-      : type === 'router_v2'
-        ? routerBlockConfig
-        : undefined,
+      : type === 'slack'
+        ? oauthBlockConfig
+        : type === 'router_v2'
+          ? routerBlockConfig
+          : undefined,
+}))
+
+vi.mock('@/lib/copilot/validation/selector-validator', () => ({
+  validateSelectorIds: mockValidateSelectorIds,
 }))
 
+vi.mock('@/lib/core/config/feature-flags', () => ({
+  isHosted: false,
+}))
+
+vi.mock('@/providers/utils', () => ({
+  getHostedModels: () => [],
+}))
+
+import { preValidateCredentialInputs, validateInputsForBlock } from './validation'
+
 describe('validateInputsForBlock', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockValidateSelectorIds.mockResolvedValue({ valid: [], invalid: [] })
+  })
+
   it('accepts condition-input arrays with arbitrary item ids', () => {
     const result = validateInputsForBlock(
       'condition',
@@ -88,3 +119,37 @@ describe('normalizeConditionRouterIds', () => {
     expect(normalizeConditionRouterIds('block-1', 'code', input)).toBe(input)
   })
 })
+
+describe('preValidateCredentialInputs', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockValidateSelectorIds.mockResolvedValue({ valid: ['shared-cred-1'], invalid: [] })
+  })
+
+  it('passes workspace context when validating shared oauth credentials', async () => {
+    const operations = [
+      {
+        operation_type: 'edit' as const,
+        block_id: 'block-1',
+        params: {
+          type: 'slack',
+          inputs: {
+            credential: 'shared-cred-1',
+          },
+        },
+      },
+    ]
+
+    const result = await preValidateCredentialInputs(operations, {
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+    })
+
+    expect(mockValidateSelectorIds).toHaveBeenCalledWith('oauth-input', ['shared-cred-1'], {
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+    })
+    expect(result.filteredOperations[0]?.params?.inputs?.credential).toBe('shared-cred-1')
+    expect(result.errors).toHaveLength(0)
+  })
+})

apps/sim/lib/copilot/tools/server/workflow/edit-workflow/validation.ts

@@ -792,14 +792,14 @@ export async function validateWorkflowSelectorIds(
 
 /**
  * Pre-validates credential and apiKey inputs in operations before they are applied.
- * - Validates oauth-input (credential) IDs belong to the user
+ * - Validates oauth-input (credential) IDs are accessible to the user in the workflow workspace
  * - Filters out apiKey inputs for hosted models when isHosted is true
  * - Also validates credentials and apiKeys in nestedNodes (blocks inside loop/parallel)
  * Returns validation errors for any removed inputs.
  */
 export async function preValidateCredentialInputs(
   operations: EditWorkflowOperation[],
-  context: { userId: string },
+  context: { userId: string; workspaceId?: string },
   workflowState?: Record<string, unknown>
 ): Promise<{ filteredOperations: EditWorkflowOperation[]; errors: ValidationError[] }> {
   const { isHosted } = await import('@/lib/core/config/feature-flags')

apps/sim/lib/copilot/validation/selector-validator.test.ts

@@ -0,0 +1,131 @@
+/**
+ * @vitest-environment node
+ */
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockDbSelect } = vi.hoisted(() => ({
+  mockDbSelect: vi.fn(),
+}))
+
+vi.mock('@sim/db', () => ({
+  db: {
+    select: (...args: unknown[]) => mockDbSelect(...args),
+  },
+}))
+
+vi.mock('@sim/db/schema', () => ({
+  account: {
+    id: 'account.id',
+    userId: 'account.userId',
+    providerId: 'account.providerId',
+  },
+  credential: {
+    id: 'credential.id',
+    accountId: 'credential.accountId',
+    displayName: 'credential.displayName',
+    providerId: 'credential.providerId',
+    workspaceId: 'credential.workspaceId',
+    type: 'credential.type',
+  },
+  credentialMember: {
+    credentialId: 'credentialMember.credentialId',
+    userId: 'credentialMember.userId',
+    status: 'credentialMember.status',
+  },
+  document: {
+    id: 'document.id',
+    userExcluded: 'document.userExcluded',
+    archivedAt: 'document.archivedAt',
+    deletedAt: 'document.deletedAt',
+  },
+  knowledgeBase: {
+    id: 'knowledgeBase.id',
+    deletedAt: 'knowledgeBase.deletedAt',
+    workspaceId: 'knowledgeBase.workspaceId',
+  },
+  mcpServers: {
+    id: 'mcpServers.id',
+    enabled: 'mcpServers.enabled',
+    deletedAt: 'mcpServers.deletedAt',
+    workspaceId: 'mcpServers.workspaceId',
+  },
+  workflow: {
+    id: 'workflow.id',
+    archivedAt: 'workflow.archivedAt',
+  },
+}))
+
+vi.mock('@sim/logger', () => ({
+  createLogger: () => ({
+    warn: vi.fn(),
+    error: vi.fn(),
+  }),
+}))
+
+vi.mock('drizzle-orm', () => ({
+  and: vi.fn((...args: unknown[]) => ({ type: 'and', args })),
+  eq: vi.fn((...args: unknown[]) => ({ type: 'eq', args })),
+  inArray: vi.fn((...args: unknown[]) => ({ type: 'inArray', args })),
+  isNull: vi.fn((field: unknown) => ({ type: 'isNull', field })),
+  or: vi.fn((...args: unknown[]) => ({ type: 'or', args })),
+}))
+
+import { validateSelectorIds } from './selector-validator'
+
+function createSelectChain(result: unknown) {
+  const chain: Record<string, unknown> = {}
+  Object.assign(chain, {
+    from: vi.fn().mockReturnValue(chain),
+    innerJoin: vi.fn().mockReturnValue(chain),
+    leftJoin: vi.fn().mockReturnValue(chain),
+    where: vi.fn().mockResolvedValue(result),
+  })
+  return chain
+}
+
+describe('validateSelectorIds', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('accepts shared workspace credential ids and legacy account ids for oauth-input', async () => {
+    mockDbSelect.mockReturnValueOnce(
+      createSelectChain([{ credentialId: 'cred-1', accountId: 'acct-1' }])
+    )
+
+    const result = await validateSelectorIds('oauth-input', ['cred-1', 'acct-1'], {
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+    })
+
+    expect(result).toEqual({
+      valid: ['cred-1', 'acct-1'],
+      invalid: [],
+    })
+    expect(mockDbSelect).toHaveBeenCalledTimes(1)
+  })
+
+  it('reports accessible workspace credentials in warnings for invalid oauth-input ids', async () => {
+    mockDbSelect.mockReturnValueOnce(createSelectChain([])).mockReturnValueOnce(
+      createSelectChain([
+        {
+          id: 'cred-2',
+          displayName: 'Shared Gmail',
+          accountId: 'acct-2',
+          credentialProviderId: null,
+          accountProviderId: 'google-email',
+        },
+      ])
+    )
+
+    const result = await validateSelectorIds('oauth-input', 'missing-cred', {
+      userId: 'user-1',
+      workspaceId: 'workspace-1',
+    })
+
+    expect(result.valid).toEqual([])
+    expect(result.invalid).toEqual(['missing-cred'])
+    expect(result.warning).toContain('Accessible workspace credentials:')
+    expect(result.warning).toContain('Shared Gmail [cred-2]')
+  })
+})