fix(settings): restore paste-to-destructure for workspace secrets, cleanup hooks and design tokens (#4231)

* fix(settings): restore paste-to-destructure for workspace secrets, cleanup hooks and design tokens

Restores the env-var paste feature (KEY=VALUE → split rows, multi-line
→ multi rows) for workspace secrets that was lost when the unified
Credentials tab was split into Secrets and Integrations. Adds
`parseEnvVarLine`, `parseValidEnvVars`, and `handleWorkspacePaste` with
full support for export prefix, quoted values, inline comments, and
base64 false-positive guards. Also adds consistent value masking
(show on focus / mask on blur) to new workspace input rows.

Cleans up ~20 unnecessary `useCallback` wrappers, fixes a direct state
mutation in `handleSingleValuePaste`, moves `e.preventDefault()` inside
the `parsedVars.length > 0` guard, replaces all hardcoded hex colors
with CSS variable tokens, converts template-literal classNames to `cn()`,
and replaces raw `<button>` with emcn `Button`.

* fix(settings): fix handlePaste silent swallow, quote-strip bug, and credential sync efficiency

- Move e.preventDefault() inside parsedVars guard in handlePaste so KEY= lines
  don't silently discard input (mirrors handleWorkspacePaste fix from same PR)
- Add value.length >= 2 guard before quote-stripping to prevent single-char
  values like KEY=\" from being stripped to empty and silently dropped
- Introduce createWorkspaceEnvCredentials and deleteWorkspaceEnvCredentials
  for delta-aware credential sync (O(k) instead of O(n*m) for env var mutations)
- Fix createWorkspaceEnvCredentials early-return bug that skipped credential
  record creation when workspace had zero members
- Update credentials/[id] DELETE to use deleteWorkspaceEnvCredentials instead
  of full syncWorkspaceEnvCredentials
- Optimize syncWorkspaceEnvCredentials to fetch workspace+member IDs in parallel
  once instead of once per credential

* fix(settings): normalize Windows line endings in paste handlers

* fix(settings): eliminate double-parse in handlePaste by inlining handleKeyValuePaste

Author: waleedlatif1

apps/sim/app/api/credentials/[id]/route.ts

@@ -10,8 +10,8 @@ import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getCredentialActorContext } from '@/lib/credentials/access'
 import {
+  deleteWorkspaceEnvCredentials,
   syncPersonalEnvCredentialsForUser,
-  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 import { captureServerEvent } from '@/lib/posthog/server'
 
@@ -317,10 +317,9 @@ export async function DELETE(
           set: { variables: current, updatedAt: new Date() },
         })
 
-      await syncWorkspaceEnvCredentials({
+      await deleteWorkspaceEnvCredentials({
         workspaceId: access.credential.workspaceId,
-        envKeys: Object.keys(current),
-        actingUserId: session.user.id,
+        removedKeys: [access.credential.envKey],
       })
 
       captureServerEvent(

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -9,7 +9,10 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import {
+  createWorkspaceEnvCredentials,
+  deleteWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
@@ -126,11 +129,8 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(merged),
-      actingUserId: userId,
-    })
+    const newKeys = Object.keys(variables).filter((k) => !(k in existingEncrypted))
+    await createWorkspaceEnvCredentials({ workspaceId, newKeys, actingUserId: userId })
 
     recordAudit({
       workspaceId,
@@ -215,11 +215,7 @@ export async function DELETE(
         set: { variables: current, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(current),
-      actingUserId: userId,
-    })
+    await deleteWorkspaceEnvCredentials({ workspaceId, removedKeys: keys })
 
     recordAudit({
       workspaceId,