simstudioai · icecrasher321 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/apps/docs/components/docs-layout/sidebar-components.tsx b/apps/docs/components/docs-layout/sidebar-components.tsx
@@ -97,7 +97,7 @@ export function SidebarFolder({
       <div
         className={cn(
           'overflow-hidden transition-all duration-200 ease-in-out',
-          open ? 'max-h-[2000px] opacity-100' : 'max-h-0 opacity-0'
+          open ? 'max-h-[10000px] opacity-100' : 'max-h-0 opacity-0'
         )}
       >
         <ul className='mt-0.5 ml-2 space-y-[0.0625rem] border-gray-200/60 border-l pl-2.5 dark:border-gray-700/60'>

diff --git a/apps/docs/components/navbar/navbar.tsx b/apps/docs/components/navbar/navbar.tsx
@@ -39,7 +39,7 @@ export function Navbar() {
           </div>
 
           {/* Center cluster: search */}
-          <div className='flex flex-1 items-center justify-center'>
+          <div className='flex flex-1 items-center justify-center pl-32'>
             <SearchTrigger />
           </div>
 

diff --git a/apps/docs/components/ui/search-trigger.tsx b/apps/docs/components/ui/search-trigger.tsx
@@ -15,7 +15,7 @@ export function SearchTrigger() {
   return (
     <button
       type='button'
-      className='flex h-10 w-[500px] items-center gap-2 rounded-xl border border-border/50 px-3 py-2 text-sm backdrop-blur-xl transition-colors hover:border-border'
+      className='flex h-10 w-[460px] items-center gap-2 rounded-xl border border-border/50 px-3 py-2 text-sm backdrop-blur-xl transition-colors hover:border-border'
       style={{
         backgroundColor: 'hsla(0, 0%, 5%, 0.85)',
         backdropFilter: 'blur(33px) saturate(180%)',

diff --git a/apps/sim/lib/knowledge/documents/document-processor.ts b/apps/sim/lib/knowledge/documents/document-processor.ts
@@ -407,11 +407,16 @@ async function parseWithMistralOCR(fileUrl: string, filename: string, mimeType:
   try {
     const response = await retryWithExponentialBackoff(
       async () => {
-        const url =
+        let url =
           typeof mistralParserTool.request!.url === 'function'
             ? mistralParserTool.request!.url(params)
             : mistralParserTool.request!.url
 
+        if (url.startsWith('/')) {
+          const { getBaseUrl } = await import('@/lib/urls/utils')
+          url = `${getBaseUrl()}${url}`
+        }
+
         const headers =
           typeof mistralParserTool.request!.headers === 'function'
             ? mistralParserTool.request!.headers(params)

diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
@@ -227,7 +227,7 @@ export async function executeTool(
     const isInternalRoute = endpointUrl.startsWith('/api/')
 
     if (isInternalRoute || skipProxy) {
-      const result = await handleInternalRequest(toolId, tool, contextParams)
+      const result = await handleInternalRequest(toolId, tool, contextParams, executionContext)
 
       // Apply post-processing if available and not skipped
       let finalResult = result
@@ -414,7 +414,8 @@ function isErrorResponse(
 async function handleInternalRequest(
   toolId: string,
   tool: ToolConfig,
-  params: Record<string, any>
+  params: Record<string, any>,
+  executionContext?: ExecutionContext
 ): Promise<ToolResponse> {
   const requestId = generateRequestId()
 
@@ -427,7 +428,11 @@ async function handleInternalRequest(
     const endpointUrl =
       typeof tool.request.url === 'function' ? tool.request.url(params) : tool.request.url
 
-    const fullUrl = new URL(endpointUrl, baseUrl).toString()
+    const fullUrlObj = new URL(endpointUrl, baseUrl)
+    if (executionContext?.workflowId && typeof window === 'undefined') {
+      fullUrlObj.searchParams.set('workflowId', executionContext.workflowId)
+    }
+    const fullUrl = fullUrlObj.toString()
 
     // For custom tools, validate parameters on the client side before sending
     if (toolId.startsWith('custom_') && tool.request.body) {
@@ -445,10 +450,21 @@ async function handleInternalRequest(
       }
     }
 
+    const headers = new Headers(requestParams.headers)
+    if (typeof window === 'undefined') {
+      try {
+        const internalToken = await generateInternalToken()
+        headers.set('Authorization', `Bearer ${internalToken}`)
+        logger.info(`[${requestId}] Added internal auth token for ${toolId}`)
+      } catch (error) {
+        logger.error(`[${requestId}] Failed to generate internal token for ${toolId}:`, error)
+      }
+    }
+
     // Prepare request options
     const requestOptions = {
       method: requestParams.method,
-      headers: new Headers(requestParams.headers),
+      headers: headers,
       body: requestParams.body,
     }
 

diff --git a/helm/sim/README.md b/helm/sim/README.md
@@ -629,18 +629,30 @@ helm uninstall sim
 
 For production deployments, make sure to:
 
-1. **Change default secrets**: Update `BETTER_AUTH_SECRET` and `ENCRYPTION_KEY` with secure, randomly generated values
+1. **Change default secrets**: Update `BETTER_AUTH_SECRET`, `ENCRYPTION_KEY`, and `INTERNAL_API_SECRET` with secure, randomly generated values using `openssl rand -hex 32`
 2. **Use strong database passwords**: Set `postgresql.auth.password` to a strong password
 3. **Enable TLS**: Configure `postgresql.tls.enabled=true` and provide proper certificates
 4. **Configure ingress TLS**: Enable HTTPS with proper SSL certificates
 
+**Required Secrets:**
+- `BETTER_AUTH_SECRET`: Authentication JWT signing (minimum 32 characters)
+- `ENCRYPTION_KEY`: Encrypts sensitive data like environment variables (minimum 32 characters)
+- `INTERNAL_API_SECRET`: Internal service-to-service authentication (minimum 32 characters)
+
+**Optional Security (Recommended for Production):**
+- `CRON_SECRET`: Authenticates scheduled job requests to API endpoints (required only if `cronjobs.enabled=true`)
+- `API_ENCRYPTION_KEY`: Encrypts API keys at rest in database (must be exactly 64 hex characters). If not set, API keys are stored in plain text. Generate using: `openssl rand -hex 32` (outputs 64 hex chars representing 32 bytes)
+
 ### Example secure values:
 
 ```yaml
 app:
   env:
     BETTER_AUTH_SECRET: "your-secure-random-string-here"
     ENCRYPTION_KEY: "your-secure-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-internal-api-secret-here"
+    CRON_SECRET: "your-secure-cron-secret-here"
+    API_ENCRYPTION_KEY: "your-64-char-hex-string-for-api-key-encryption"  # Optional but recommended
 
 postgresql:
   auth:

diff --git a/helm/sim/examples/values-aws.yaml b/helm/sim/examples/values-aws.yaml
@@ -32,8 +32,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

diff --git a/helm/sim/examples/values-azure.yaml b/helm/sim/examples/values-azure.yaml
@@ -30,8 +30,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

diff --git a/helm/sim/examples/values-development.yaml b/helm/sim/examples/values-development.yaml
@@ -26,8 +26,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
 
     # Example secrets for development (replace with secure values for production)
+    # For production, generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
     ENCRYPTION_KEY: "dev-32-char-encryption-key-not-secure"
+    INTERNAL_API_SECRET: "dev-32-char-internal-secret-not-secure"
+    CRON_SECRET: "dev-32-char-cron-secret-not-for-prod"
+
+    # Optional: API Key Encryption (leave empty for dev, encrypts API keys at rest)
+    # For production, generate 64-char hex using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: ""  # Optional - if not set, API keys stored in plain text
 
 # Realtime service
 realtime:

diff --git a/helm/sim/examples/values-external-db.yaml b/helm/sim/examples/values-external-db.yaml
@@ -26,8 +26,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: ""  # Set via --set flag or external secret manager
     ENCRYPTION_KEY: ""      # Set via --set flag or external secret manager
+    INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager
+    CRON_SECRET: ""         # Set via --set flag or external secret manager
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: ""  # Optional but recommended - encrypts API keys at rest
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"
@@ -150,4 +157,7 @@ networkPolicy:
 #   --set externalDatabase.database="your-db-name" \
 #   --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
 #   --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \
+#   --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
+#   --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \
+#   --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
 #   --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"
diff --git a/helm/sim/examples/values-gcp.yaml b/helm/sim/examples/values-gcp.yaml
@@ -32,8 +32,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
     ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
+    CRON_SECRET: "your-secure-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     NODE_ENV: "production"
     NEXT_TELEMETRY_DISABLED: "1"

diff --git a/helm/sim/examples/values-production.yaml b/helm/sim/examples/values-production.yaml
@@ -27,8 +27,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
 
     # Security settings (REQUIRED - replace with your own secure secrets)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-production-auth-secret-here"
     ENCRYPTION_KEY: "your-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
+    CRON_SECRET: "your-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     # Email verification (set to true if you want to require email verification)
     EMAIL_VERIFICATION_ENABLED: "false"

diff --git a/helm/sim/examples/values-whitelabeled.yaml b/helm/sim/examples/values-whitelabeled.yaml
@@ -20,8 +20,15 @@ app:
     NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
 
     # Security settings (REQUIRED)
+    # Generate using: openssl rand -hex 32
     BETTER_AUTH_SECRET: "your-production-auth-secret-here"
     ENCRYPTION_KEY: "your-production-encryption-key-here"
+    INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
+    CRON_SECRET: "your-production-cron-secret-here"
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32
+    API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here"  # Optional but recommended
 
     # UI Branding & Whitelabeling Configuration
     NEXT_PUBLIC_BRAND_NAME: "Acme AI Studio"

diff --git a/helm/sim/values.yaml b/helm/sim/values.yaml
@@ -63,6 +63,15 @@ app:
     # Generate secure 32-character secrets using: openssl rand -hex 32
     BETTER_AUTH_SECRET: ""  # REQUIRED - set via --set flag or external secret manager
     ENCRYPTION_KEY: ""      # REQUIRED - set via --set flag or external secret manager
+    INTERNAL_API_SECRET: "" # REQUIRED - set via --set flag or external secret manager, used for internal service-to-service authentication
+
+    # Optional: Scheduled Jobs Authentication
+    # Generate using: openssl rand -hex 32
+    CRON_SECRET: ""         # OPTIONAL - required only if cronjobs.enabled=true, authenticates scheduled job requests
+
+    # Optional: API Key Encryption (RECOMMENDED for production)
+    # Generate 64-character hex string using: openssl rand -hex 32 (outputs 64 hex chars = 32 bytes)
+    API_ENCRYPTION_KEY: ""  # OPTIONAL - encrypts API keys at rest, must be exactly 64 hex characters, if not set keys stored in plain text
 
     # Email & Communication
     EMAIL_VERIFICATION_ENABLED: "false"                   # Enable email verification for user registration and login (defaults to false)