simstudioai · waleedlatif1 · May 23, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
@@ -39,4 +39,4 @@ jobs:
         working-directory: ./packages/db
         env:
           DATABASE_URL: ${{ github.ref == 'refs/heads/main' && secrets.DATABASE_URL || github.ref == 'refs/heads/dev' && secrets.DEV_DATABASE_URL || secrets.STAGING_DATABASE_URL }}
-        run: bunx drizzle-kit migrate --config=./drizzle.config.ts
+        run: bun run ./scripts/migrate.ts
diff --git a/apps/sim/app/(landing)/components/collaboration/collaboration.tsx b/apps/sim/app/(landing)/components/collaboration/collaboration.tsx
@@ -1,6 +1,6 @@
 'use client'
 
-import { useCallback, useEffect, useRef, useState } from 'react'
+import { useCallback, useId, useRef, useState } from 'react'
 import dynamic from 'next/dynamic'
 import Image from 'next/image'
 import Link from 'next/link'
@@ -171,8 +171,8 @@ function YouCursor({ x, y, visible }: YouCursorProps) {
  * Collaboration section — team workflows and real-time collaboration.
  *
  * SEO:
- * - `<section id="collaboration" aria-labelledby="collaboration-heading">`.
- * - `<h2 id="collaboration-heading">` for the section title.
+ * - `<section id="collaboration">` is the stable anchor for in-page navigation.
+ * - The section title `<h2>` is linked via `aria-labelledby` using a `useId()`-generated id.
  * - Product visuals use `<figure>` with `<figcaption>` and descriptive `alt` text.
  *
  * GEO:
@@ -181,41 +181,17 @@ function YouCursor({ x, y, visible }: YouCursorProps) {
  * - Reference "Sim" by name per capability ("Sim's real-time collaboration").
  */
 
-const CURSOR_LERP_FACTOR = 0.3
-
 export default function Collaboration() {
+  const headingId = useId()
   const [cursorPos, setCursorPos] = useState({ x: 0, y: 0 })
   const [isHovering, setIsHovering] = useState(false)
   const sectionRef = useRef<HTMLElement>(null)
-  const targetPos = useRef({ x: 0, y: 0 })
-  const animationRef = useRef<number>(0)
-
-  useEffect(() => {
-    const animate = () => {
-      setCursorPos((prev) => ({
-        x: prev.x + (targetPos.current.x - prev.x) * CURSOR_LERP_FACTOR,
-        y: prev.y + (targetPos.current.y - prev.y) * CURSOR_LERP_FACTOR,
-      }))
-      animationRef.current = requestAnimationFrame(animate)
-    }
-
-    if (isHovering) {
-      animationRef.current = requestAnimationFrame(animate)
-    }
-
-    return () => {
-      if (animationRef.current) {
-        cancelAnimationFrame(animationRef.current)
-      }
-    }
-  }, [isHovering])
 
   const handleMouseMove = useCallback((e: React.MouseEvent) => {
-    targetPos.current = { x: e.clientX, y: e.clientY }
+    setCursorPos({ x: e.clientX, y: e.clientY })
   }, [])
 
   const handleMouseEnter = useCallback((e: React.MouseEvent) => {
-    targetPos.current = { x: e.clientX, y: e.clientY }
     setCursorPos({ x: e.clientX, y: e.clientY })
     setIsHovering(true)
   }, [])
@@ -228,7 +204,7 @@ export default function Collaboration() {
     <section
       ref={sectionRef}
       id='collaboration'
-      aria-labelledby='collaboration-heading'
+      aria-labelledby={headingId}
       className='bg-[var(--landing-bg)]'
       style={{ cursor: isHovering ? 'none' : 'auto' }}
       onMouseMove={handleMouseMove}
@@ -258,7 +234,7 @@ export default function Collaboration() {
             </Badge>
 
             <h2
-              id='collaboration-heading'
+              id={headingId}
               className='text-balance font-[430] font-season text-[32px] text-white leading-[100%] tracking-[-0.02em] sm:text-[36px] md:text-[40px]'
             >
               Realtime

diff --git a/apps/sim/app/(landing)/components/footer/footer.tsx b/apps/sim/app/(landing)/components/footer/footer.tsx
@@ -14,7 +14,7 @@ interface FooterItem {
 }
 
 const PRODUCT_LINKS: FooterItem[] = [
-  { label: 'Mothership', href: 'https://docs.sim.ai', external: true },
+  { label: 'Mothership', href: 'https://docs.sim.ai/mothership', external: true },
   { label: 'Workflows', href: 'https://docs.sim.ai', external: true },
   { label: 'Knowledge Base', href: 'https://docs.sim.ai/knowledgebase', external: true },
   { label: 'Tables', href: 'https://docs.sim.ai/tables', external: true },

diff --git a/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts b/apps/sim/app/api/mcp/serve/[serverId]/route.test.ts
@@ -197,4 +197,51 @@ describe('MCP Serve Route', () => {
     expect(headers['X-API-Key']).toBeUndefined()
     expect(mockGenerateInternalToken).toHaveBeenCalledWith('user-1')
   })
+
+  describe('initialize protocol version negotiation', () => {
+    async function callInitialize(protocolVersion?: string) {
+      dbChainMockFns.limit.mockResolvedValueOnce([
+        {
+          id: 'server-1',
+          name: 'Public Server',
+          workspaceId: 'ws-1',
+          isPublic: true,
+          createdBy: 'owner-1',
+        },
+      ])
+      const params: Record<string, unknown> = {
+        capabilities: {},
+        clientInfo: { name: 'test', version: '1.0.0' },
+      }
+      if (protocolVersion !== undefined) params.protocolVersion = protocolVersion
+      const req = new NextRequest('http://localhost:3000/api/mcp/serve/server-1', {
+        method: 'POST',
+        body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'initialize', params }),
+      })
+      const res = await POST(req, { params: Promise.resolve({ serverId: 'server-1' }) })
+      return res.json() as Promise<{ result: { protocolVersion: string } }>
+    }
+
+    it('echoes a supported client protocolVersion (2025-06-18)', async () => {
+      const body = await callInitialize('2025-06-18')
+      expect(body.result.protocolVersion).toBe('2025-06-18')
+    })
+
+    it('echoes a supported client protocolVersion (2024-11-05)', async () => {
+      const body = await callInitialize('2024-11-05')
+      expect(body.result.protocolVersion).toBe('2024-11-05')
+    })
+
+    it('falls back to SDK latest when client requests unknown version', async () => {
+      const { LATEST_PROTOCOL_VERSION } = await import('@modelcontextprotocol/sdk/types.js')
+      const body = await callInitialize('2099-01-01')
+      expect(body.result.protocolVersion).toBe(LATEST_PROTOCOL_VERSION)
+    })
+
+    it('falls back to SDK latest when client omits protocolVersion', async () => {
+      const { LATEST_PROTOCOL_VERSION } = await import('@modelcontextprotocol/sdk/types.js')
+      const body = await callInitialize(undefined)
+      expect(body.result.protocolVersion).toBe(LATEST_PROTOCOL_VERSION)
+    })
+  })
 })
diff --git a/apps/sim/app/api/mcp/serve/[serverId]/route.ts b/apps/sim/app/api/mcp/serve/[serverId]/route.ts
@@ -11,8 +11,10 @@ import {
   type JSONRPCError,
   type JSONRPCMessage,
   type JSONRPCResultResponse,
+  LATEST_PROTOCOL_VERSION,
   type ListToolsResult,
   type RequestId,
+  SUPPORTED_PROTOCOL_VERSIONS,
   type Tool,
 } from '@modelcontextprotocol/sdk/types.js'
 import { db } from '@sim/db'
@@ -36,6 +38,17 @@ import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkflowMcpServeAPI')
 
+function negotiateProtocolVersion(rpcParams: unknown): string {
+  const requested =
+    rpcParams && typeof rpcParams === 'object' && 'protocolVersion' in rpcParams
+      ? (rpcParams as { protocolVersion?: unknown }).protocolVersion
+      : undefined
+  if (typeof requested === 'string' && SUPPORTED_PROTOCOL_VERSIONS.includes(requested)) {
+    return requested
+  }
+  return LATEST_PROTOCOL_VERSION
+}
+
 export const dynamic = 'force-dynamic'
 
 interface RouteParams {
@@ -214,7 +227,7 @@ export const POST = withRouteHandler(
       switch (method) {
         case 'initialize': {
           const result: InitializeResult = {
-            protocolVersion: '2024-11-05',
+            protocolVersion: negotiateProtocolVersion(rpcParams),
             capabilities: { tools: {} },
             serverInfo: { name: server.name, version: '1.0.0' },
           }

diff --git a/apps/sim/app/api/tools/hubspot/lists/route.ts b/apps/sim/app/api/tools/hubspot/lists/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { hubspotListsSelectorContract } from '@/lib/api/contracts/selectors/hubspot'
 import { parseRequest } from '@/lib/api/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -27,6 +28,12 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
     const { credentialId, objectTypeId, query } = parsed.data.query
 
+    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID: ${credentialIdValidation.error}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,

diff --git a/apps/sim/app/api/tools/hubspot/owners/route.ts b/apps/sim/app/api/tools/hubspot/owners/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { hubspotOwnersSelectorContract } from '@/lib/api/contracts/selectors/hubspot'
 import { parseRequest } from '@/lib/api/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -27,6 +28,12 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
     const { credentialId, query } = parsed.data.query
 
+    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID: ${credentialIdValidation.error}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,

diff --git a/apps/sim/app/api/tools/hubspot/pipelines/route.ts b/apps/sim/app/api/tools/hubspot/pipelines/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { hubspotPipelinesSelectorContract } from '@/lib/api/contracts/selectors/hubspot'
 import { parseRequest } from '@/lib/api/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -33,6 +34,12 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
     const { credentialId, objectType } = parsed.data.query
 
+    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID: ${credentialIdValidation.error}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,

diff --git a/apps/sim/app/api/tools/hubspot/properties/route.ts b/apps/sim/app/api/tools/hubspot/properties/route.ts
@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { hubspotPropertiesSelectorContract } from '@/lib/api/contracts/selectors/hubspot'
 import { parseRequest } from '@/lib/api/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -36,6 +37,12 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
     const { credentialId, objectType, query } = parsed.data.query
 
+    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID: ${credentialIdValidation.error}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,

diff --git a/apps/sim/app/api/tools/mongodb/utils.ts b/apps/sim/app/api/tools/mongodb/utils.ts
@@ -1,5 +1,8 @@
 import { MongoClient } from 'mongodb'
-import { validateDatabaseHost } from '@/lib/core/security/input-validation.server'
+import {
+  createPinnedLookup,
+  validateDatabaseHost,
+} from '@/lib/core/security/input-validation.server'
 import type { MongoDBCollectionInfo, MongoDBConnectionConfig } from '@/tools/mongodb/types'
 
 export async function createMongoDBConnection(config: MongoDBConnectionConfig) {
@@ -30,6 +33,7 @@ export async function createMongoDBConnection(config: MongoDBConnectionConfig) {
     connectTimeoutMS: 10000,
     socketTimeoutMS: 10000,
     maxPoolSize: 1,
+    lookup: createPinnedLookup(hostValidation.resolvedIP ?? config.host),
   })
 
   await client.connect()

diff --git a/apps/sim/app/api/tools/mysql/utils.ts b/apps/sim/app/api/tools/mysql/utils.ts
@@ -1,3 +1,4 @@
+import net from 'node:net'
 import mysql from 'mysql2/promise'
 import { validateDatabaseHost } from '@/lib/core/security/input-validation.server'
 
@@ -16,12 +17,19 @@ export async function createMySQLConnection(config: MySQLConnectionConfig) {
     throw new Error(hostValidation.error)
   }
 
+  const resolvedIP = hostValidation.resolvedIP ?? config.host
+
   const connectionConfig: mysql.ConnectionOptions = {
     host: config.host,
     port: config.port,
     database: config.database,
     user: config.username,
     password: config.password,
+    stream: () => {
+      const socket = net.connect({ host: resolvedIP, port: config.port, timeout: 10000 })
+      socket.setNoDelay(true)
+      return socket
+    },
   }
 
   if (config.ssl === 'disabled') {

diff --git a/apps/sim/app/api/tools/neo4j/utils.ts b/apps/sim/app/api/tools/neo4j/utils.ts
@@ -18,7 +18,14 @@ export async function createNeo4jDriver(config: Neo4jConnectionConfig) {
     protocol = config.encryption === 'enabled' ? 'bolt+s' : 'bolt'
   }
 
-  const uri = `${protocol}://${config.host}:${config.port}`
+  const useIPPinning = !protocol.endsWith('+s')
+  const resolvedIP = hostValidation.resolvedIP ?? config.host
+  const uriHost = useIPPinning
+    ? resolvedIP.includes(':')
+      ? `[${resolvedIP}]`
+      : resolvedIP
+    : config.host
+  const uri = `${protocol}://${uriHost}:${config.port}`
 
   const driverConfig: any = {
     maxConnectionPoolSize: 1,

diff --git a/apps/sim/app/api/tools/postgresql/utils.ts b/apps/sim/app/api/tools/postgresql/utils.ts
@@ -8,17 +8,18 @@ export async function createPostgresConnection(config: PostgresConnectionConfig)
     throw new Error(hostValidation.error)
   }
 
-  const sslConfig =
+  const resolvedHost = hostValidation.resolvedIP ?? config.host
+  const pinIP = config.ssl !== 'preferred'
+
+  const sslConfig: boolean | 'prefer' | { rejectUnauthorized: boolean; servername?: string } =
     config.ssl === 'disabled'
       ? false
-      : config.ssl === 'required'
-        ? 'require'
-        : config.ssl === 'preferred'
-          ? 'prefer'
-          : 'require'
+      : config.ssl === 'preferred'
+        ? 'prefer'
+        : { rejectUnauthorized: false, servername: config.host }
 
   const sql = postgres({
-    host: config.host,
+    host: pinIP ? resolvedHost : config.host,
     port: config.port,
     database: config.database,
     username: config.username,

diff --git a/apps/sim/app/api/tools/redis/execute/route.ts b/apps/sim/app/api/tools/redis/execute/route.ts
@@ -36,7 +36,33 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: hostValidation.error }, { status: 400 })
     }
 
-    client = new Redis(url, {
+    const resolvedIP = hostValidation.resolvedIP ?? hostname
+    const tlsEnabled = parsedUrl.protocol === 'rediss:'
+    const port = parsedUrl.port ? Number(parsedUrl.port) : 6379
+    const username = parsedUrl.username ? decodeURIComponent(parsedUrl.username) : undefined
+    const password = parsedUrl.password ? decodeURIComponent(parsedUrl.password) : undefined
+
+    let db = 0
+    if (parsedUrl.pathname && parsedUrl.pathname.length > 1) {
+      const dbSegment = parsedUrl.pathname.slice(1)
+      const parsedDb = Number.parseInt(dbSegment, 10)
+      if (!Number.isFinite(parsedDb) || String(parsedDb) !== dbSegment) {
+        return NextResponse.json(
+          { error: `Invalid Redis database index in URL path: '${dbSegment}'` },
+          { status: 400 }
+        )
+      }
+      db = parsedDb
+    }
+
+    client = new Redis({
+      host: resolvedIP,
+      port,
+      username,
+      password,
+      db,
+      family: resolvedIP.includes(':') ? 6 : 4,
+      tls: tlsEnabled ? { servername: hostname } : undefined,
       connectTimeout: 10000,
       commandTimeout: 10000,
       maxRetriesPerRequest: 1,