fix(settings): fix handlePaste silent swallow, quote-strip bug, and credential sync efficiency

- Move e.preventDefault() inside parsedVars guard in handlePaste so KEY= lines
  don't silently discard input (mirrors handleWorkspacePaste fix from same PR)
- Add value.length >= 2 guard before quote-stripping to prevent single-char
  values like KEY=\" from being stripped to empty and silently dropped
- Introduce createWorkspaceEnvCredentials and deleteWorkspaceEnvCredentials
  for delta-aware credential sync (O(k) instead of O(n*m) for env var mutations)
- Fix createWorkspaceEnvCredentials early-return bug that skipped credential
  record creation when workspace had zero members
- Update credentials/[id] DELETE to use deleteWorkspaceEnvCredentials instead
  of full syncWorkspaceEnvCredentials
- Optimize syncWorkspaceEnvCredentials to fetch workspace+member IDs in parallel
  once instead of once per credential

Author: waleedlatif1

apps/sim/app/api/credentials/[id]/route.ts

@@ -10,8 +10,8 @@ import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getCredentialActorContext } from '@/lib/credentials/access'
 import {
+  deleteWorkspaceEnvCredentials,
   syncPersonalEnvCredentialsForUser,
-  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 import { captureServerEvent } from '@/lib/posthog/server'
 
@@ -317,10 +317,9 @@ export async function DELETE(
           set: { variables: current, updatedAt: new Date() },
         })
 
-      await syncWorkspaceEnvCredentials({
+      await deleteWorkspaceEnvCredentials({
         workspaceId: access.credential.workspaceId,
-        envKeys: Object.keys(current),
-        actingUserId: session.user.id,
+        removedKeys: [access.credential.envKey],
       })
 
       captureServerEvent(

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -9,7 +9,10 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import {
+  createWorkspaceEnvCredentials,
+  deleteWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
@@ -126,11 +129,8 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(merged),
-      actingUserId: userId,
-    })
+    const newKeys = Object.keys(variables).filter((k) => !(k in existingEncrypted))
+    await createWorkspaceEnvCredentials({ workspaceId, newKeys, actingUserId: userId })
 
     recordAudit({
       workspaceId,
@@ -215,11 +215,7 @@ export async function DELETE(
         set: { variables: current, updatedAt: new Date() },
       })
 
-    await syncWorkspaceEnvCredentials({
-      workspaceId,
-      envKeys: Object.keys(current),
-      actingUserId: userId,
-    })
+    await deleteWorkspaceEnvCredentials({ workspaceId, removedKeys: keys })
 
     recordAudit({
       workspaceId,

apps/sim/app/workspace/[workspaceId]/settings/components/credentials/credentials-manager.tsx

@@ -157,9 +157,10 @@ function parseEnvVarLine(line: string): UIEnvironmentVariable | null {
   value = value.trim()
 
   if (
-    (value.startsWith('"') && value.endsWith('"')) ||
-    (value.startsWith("'") && value.endsWith("'")) ||
-    (value.startsWith('`') && value.endsWith('`'))
+    value.length >= 2 &&
+    ((value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'")) ||
+      (value.startsWith('`') && value.endsWith('`')))
   ) {
     value = value.slice(1, -1)
   }
@@ -904,7 +905,9 @@ export function CredentialsManager() {
 
   /**
    * Paste handler for personal env var rows.
-   * Always prevents default: KV patterns destructure into new rows; plain values overwrite the field.
+   * Only prevents default when it actually handles the paste: KV patterns destructure into new rows,
+   * plain values overwrite the field. Falls through to native paste if pattern is detected but all
+   * values are empty (e.g. KEY=), avoiding silently swallowed input.
    */
   const handlePaste = (e: React.ClipboardEvent<HTMLInputElement>, index: number) => {
     const text = e.clipboardData.getData('text').trim()
@@ -913,21 +916,24 @@ export function CredentialsManager() {
     const lines = text.split('\n').filter((line) => line.trim())
     if (lines.length === 0) return
 
-    e.preventDefault()
-
     const inputType = (e.target as HTMLInputElement).getAttribute('data-input-type') as
       | 'key'
       | 'value'
 
     if (inputType) {
       const hasValidEnvVarPattern = lines.some((line) => parseEnvVarLine(line) !== null)
       if (!hasValidEnvVarPattern) {
+        e.preventDefault()
         handleSingleValuePaste(text, index, inputType)
         return
       }
     }
 
-    handleKeyValuePaste(lines)
+    const parsedVars = parseValidEnvVars(lines)
+    if (parsedVars.length > 0) {
+      e.preventDefault()
+      handleKeyValuePaste(lines)
+    }
   }
 
   /**

apps/sim/lib/credentials/environment.ts

@@ -100,11 +100,10 @@ async function upsertCredentialAdminMember(credentialId: string, adminUserId: st
 
 async function ensureWorkspaceCredentialMemberships(
   credentialId: string,
-  workspaceId: string,
+  memberUserIds: string[],
   ownerUserId: string
 ) {
-  const workspaceMemberUserIds = await getWorkspaceMemberUserIds(workspaceId)
-  if (!workspaceMemberUserIds.length) return
+  if (!memberUserIds.length) return
 
   const existingMemberships = await db
     .select({
@@ -117,14 +116,14 @@ async function ensureWorkspaceCredentialMemberships(
     .where(
       and(
         eq(credentialMember.credentialId, credentialId),
-        inArray(credentialMember.userId, workspaceMemberUserIds)
+        inArray(credentialMember.userId, memberUserIds)
       )
     )
 
   const byUserId = new Map(existingMemberships.map((row) => [row.userId, row]))
   const now = new Date()
 
-  for (const memberUserId of workspaceMemberUserIds) {
+  for (const memberUserId of memberUserIds) {
     const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
     const existing = byUserId.get(memberUserId)
     if (existing) {
@@ -164,11 +163,14 @@ export async function syncWorkspaceEnvCredentials(params: {
   actingUserId: string
 }) {
   const { workspaceId, envKeys, actingUserId } = params
-  const [workspaceRow] = await db
-    .select({ ownerId: workspace.ownerId })
-    .from(workspace)
-    .where(eq(workspace.id, workspaceId))
-    .limit(1)
+  const [[workspaceRow], memberUserIds] = await Promise.all([
+    db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1),
+    getWorkspaceMemberUserIds(workspaceId),
+  ])
 
   if (!workspaceRow) return
 
@@ -217,7 +219,7 @@ export async function syncWorkspaceEnvCredentials(params: {
   }
 
   for (const credentialId of credentialIdsToEnsureMembership) {
-    await ensureWorkspaceCredentialMemberships(credentialId, workspaceId, workspaceRow.ownerId)
+    await ensureWorkspaceCredentialMemberships(credentialId, memberUserIds, workspaceRow.ownerId)
   }
 
   if (normalizedKeys.length > 0) {
@@ -238,6 +240,97 @@ export async function syncWorkspaceEnvCredentials(params: {
     .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
 }
 
+/**
+ * Creates credential records and bulk-inserts memberships for newly added workspace env keys.
+ * Use this instead of `syncWorkspaceEnvCredentials` when the caller knows exactly which keys are new.
+ */
+export async function createWorkspaceEnvCredentials(params: {
+  workspaceId: string
+  newKeys: string[]
+  actingUserId: string
+}): Promise<void> {
+  const { workspaceId, newKeys, actingUserId } = params
+  const keys = Array.from(new Set(newKeys.filter(Boolean)))
+  if (keys.length === 0) return
+
+  const [[workspaceRow], memberUserIds] = await Promise.all([
+    db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1),
+    getWorkspaceMemberUserIds(workspaceId),
+  ])
+
+  if (!workspaceRow) return
+
+  const ownerUserId = workspaceRow.ownerId
+  const now = new Date()
+  const createdIds: string[] = []
+
+  for (const envKey of keys) {
+    const createdId = generateId()
+    try {
+      await db.insert(credential).values({
+        id: createdId,
+        workspaceId,
+        type: 'env_workspace',
+        displayName: envKey,
+        envKey,
+        createdBy: actingUserId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      createdIds.push(createdId)
+    } catch (error: unknown) {
+      const code = getPostgresErrorCode(error)
+      if (code !== '23505') throw error
+    }
+  }
+
+  if (createdIds.length === 0 || memberUserIds.length === 0) return
+
+  // Bulk-insert memberships for all new credentials × all workspace members in one query
+  const membershipValues = createdIds.flatMap((credentialId) =>
+    memberUserIds.map((memberUserId) => ({
+      id: generateId(),
+      credentialId,
+      userId: memberUserId,
+      role: (memberUserId === ownerUserId ? 'admin' : 'member') as 'admin' | 'member',
+      status: 'active' as const,
+      joinedAt: now,
+      invitedBy: ownerUserId,
+      createdAt: now,
+      updatedAt: now,
+    }))
+  )
+
+  await db.insert(credentialMember).values(membershipValues).onConflictDoNothing()
+}
+
+/**
+ * Deletes credential records (and their memberships via cascade) for removed workspace env keys.
+ * Use this instead of `syncWorkspaceEnvCredentials` when the caller knows exactly which keys were deleted.
+ */
+export async function deleteWorkspaceEnvCredentials(params: {
+  workspaceId: string
+  removedKeys: string[]
+}): Promise<void> {
+  const { workspaceId, removedKeys } = params
+  const keys = removedKeys.filter(Boolean)
+  if (keys.length === 0) return
+
+  await db
+    .delete(credential)
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        eq(credential.type, 'env_workspace'),
+        inArray(credential.envKey, keys)
+      )
+    )
+}
+
 export async function syncPersonalEnvCredentialsForUser(params: {
   userId: string
   envKeys: string[]

apps/sim/lib/environment/utils.ts

@@ -5,9 +5,9 @@ import { generateId } from '@sim/utils/id'
 import { eq, inArray } from 'drizzle-orm'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import {
+  createWorkspaceEnvCredentials,
   getAccessibleEnvCredentials,
   syncPersonalEnvCredentialsForUser,
-  syncWorkspaceEnvCredentials,
 } from '@/lib/credentials/environment'
 
 const logger = createLogger('EnvironmentUtils')
@@ -305,7 +305,8 @@ export async function upsertWorkspaceEnvVars(
       set: { variables: merged, updatedAt: new Date() },
     })
 
-  await syncWorkspaceEnvCredentials({ workspaceId, envKeys: Object.keys(merged), actingUserId })
+  const newKeys = Object.keys(newVars).filter((k) => !(k in existingWsEncrypted))
+  await createWorkspaceEnvCredentials({ workspaceId, newKeys, actingUserId })
 
   return updatedKeys
 }