simstudioai
diff --git a/‎apps/sim/app/api/workflows/[id]/route.ts‎
Lines changed: 1 addition & 1 deletion b/‎apps/sim/app/api/workflows/[id]/route.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apps/sim/app/api/workflows/[id]/state/route.ts‎
Lines changed: 3 additions & 4 deletions b/‎apps/sim/app/api/workflows/[id]/state/route.ts‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎apps/sim/app/api/workflows/[id]/variables/route.test.ts‎
Lines changed: 3 additions & 0 deletions b/‎apps/sim/app/api/workflows/[id]/variables/route.test.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎apps/sim/app/api/workflows/[id]/variables/route.ts‎
Lines changed: 2 additions & 3 deletions b/‎apps/sim/app/api/workflows/[id]/variables/route.ts‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/notifications.tsx‎
Lines changed: 5 additions & 7 deletions b/‎apps/sim/app/workspace/[workspaceId]/logs/components/logs-toolbar/components/notifications/notifications.tsx‎
Lines changed: 5 additions & 7 deletions
diff --git a/‎apps/sim/ee/access-control/hooks/permission-groups.ts‎
Lines changed: 4 additions & 7 deletions b/‎apps/sim/ee/access-control/hooks/permission-groups.ts‎
Lines changed: 4 additions & 7 deletions
diff --git a/‎apps/sim/ee/data-retention/hooks/data-retention.ts‎
Lines changed: 4 additions & 12 deletions b/‎apps/sim/ee/data-retention/hooks/data-retention.ts‎
Lines changed: 4 additions & 12 deletions
diff --git a/‎apps/sim/lib/api/contracts/audit-logs.ts‎
Lines changed: 11 additions & 0 deletions b/‎apps/sim/lib/api/contracts/audit-logs.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎apps/sim/lib/api/contracts/organization.ts‎
Lines changed: 12 additions & 6 deletions b/‎apps/sim/lib/api/contracts/organization.ts‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎apps/sim/lib/api/contracts/permission-groups.ts‎
Lines changed: 4 additions & 0 deletions b/‎apps/sim/lib/api/contracts/permission-groups.ts‎
Lines changed: 4 additions & 0 deletions
@@ -83,7 +83,7 @@ export const GET = withRouteHandler(
 
       // Stamp `workflowId` from the path param on each variable so the
       // global client-side variables store can filter by workflow without
-      // requiring the wire contract to carry a redundant `workflowId`.
+      // requiring persisted variables to carry a redundant `workflowId`.
       // The persisted blob may or may not include `workflowId` depending on
       // when the variable was last written; the path param is authoritative.
       const persistedVariables =
 
@@ -55,9 +55,8 @@ export const GET = withRouteHandler(
 
       // Stamp `workflowId` from the path param on each variable so the
       // global client-side variables store can filter by workflow without
-      // requiring clients to thread the path param through. The wire
-      // contract (`workflowVariableSchema`) intentionally omits
-      // `workflowId`; the server is the single source of truth.
+      // requiring clients to thread the path param through. The read
+      // contract requires this server-stamped field.
       const persistedVariables =
         (authorization.workflow?.variables as Record<string, Record<string, unknown>>) || {}
       const variables: Record<string, Record<string, unknown>> = {}
@@ -131,7 +130,7 @@ export const PUT = withRouteHandler(
       }
 
       // Note: prior versions cross-checked that each variable's `workflowId`
-      // equalled the path param. The contract no longer carries `workflowId`
+      // equalled the path param. The write contract does not carry `workflowId`
       // per variable (the path param is the source of truth), so the check
       // is unreachable and was removed.
 
 
@@ -12,6 +12,7 @@ import {
 } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { getWorkflowVariablesContract } from '@/lib/api/contracts/workflows'
 
 vi.mock('@sim/audit', () => auditMock)
 
@@ -103,6 +104,8 @@ describe('Workflow Variables API Route', () => {
           workflowId: 'workflow-123',
         },
       })
+      const parsed = getWorkflowVariablesContract.response.schema.parse(data)
+      expect(parsed.data['var-1'].workflowId).toBe('workflow-123')
     })
 
     it('should allow access when user has workspace permissions', async () => {
 
@@ -54,7 +54,7 @@ export const POST = withRouteHandler(
       if (!parsed.success) return parsed.response
       const { variables } = parsed.data.body
       // Note: prior versions cross-checked that each variable's `workflowId`
-      // equalled the path param. The contract no longer carries `workflowId`
+      // equalled the path param. The write contract does not carry `workflowId`
       // per variable (the path param is the source of truth), so the check
       // is unreachable and was removed.
 
@@ -132,8 +132,7 @@ export const GET = withRouteHandler(
 
       // Return variables if they exist. Stamp `workflowId` from the path
       // param on each entry so the global client-side variables store can
-      // filter by workflow without requiring the wire contract to carry a
-      // redundant `workflowId` field.
+      // filter by workflow; the read contract requires this stamped field.
       const persistedVariables =
         (workflowData.variables as Record<string, Record<string, unknown>>) || {}
       const variables: Record<string, Variable> = {}
 
@@ -3,7 +3,6 @@
 import { memo, useCallback, useEffect, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Plus, X } from 'lucide-react'
-import type { z } from 'zod'
 import {
   Badge,
   Button,
@@ -25,9 +24,9 @@ import {
 } from '@/components/emcn'
 import { SlackIcon } from '@/components/icons'
 import type {
-  alertRuleSchema,
-  notificationLevelSchema,
-  notificationTypeSchema,
+  NotificationAlertRule,
+  NotificationLogLevel,
+  NotificationType,
 } from '@/lib/api/contracts/notifications'
 import { dollarsToCredits } from '@/lib/billing/credits/conversion'
 import { getTriggerOptions } from '@/lib/logs/get-trigger-options'
@@ -53,10 +52,9 @@ const logger = createLogger('NotificationSettings')
 const TRIGGER_OPTIONS = getTriggerOptions()
 const ALL_TRIGGER_VALUES = TRIGGER_OPTIONS.map((t) => t.value)
 
-type NotificationType = z.output<typeof notificationTypeSchema>
-type LogLevel = z.output<typeof notificationLevelSchema>
+type LogLevel = NotificationLogLevel
 /** Contract alert rule plus a UI-only `'none'` sentinel meaning "no alert config". */
-type AlertRule = z.output<typeof alertRuleSchema> | 'none'
+type AlertRule = NotificationAlertRule | 'none'
 
 const ALERT_RULES: { value: AlertRule; label: string; description: string }[] = [
   { value: 'none', label: 'None', description: 'Notify on every matching execution' },
 
@@ -1,7 +1,6 @@
 'use client'
 
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
-import type { z } from 'zod'
 import { requestJson } from '@/lib/api/client/request'
 import {
   bulkAddPermissionGroupMembersContract,
@@ -10,17 +9,15 @@ import {
   getUserPermissionConfigContract,
   listPermissionGroupMembersContract,
   listPermissionGroupsContract,
-  type permissionGroupMemberSchema,
-  type permissionGroupSchema,
+  type PermissionGroup,
+  type PermissionGroupMember,
   removePermissionGroupMemberContract,
+  type UserPermissionConfig,
   updatePermissionGroupContract,
-  type userPermissionConfigSchema,
 } from '@/lib/api/contracts'
 import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
 
-export type PermissionGroup = z.output<typeof permissionGroupSchema>
-export type PermissionGroupMember = z.output<typeof permissionGroupMemberSchema>
-export type UserPermissionConfig = z.output<typeof userPermissionConfigSchema>
+export type { PermissionGroup, PermissionGroupMember, UserPermissionConfig }
 
 export const permissionGroupKeys = {
   all: ['permissionGroups'] as const,
 
@@ -4,21 +4,13 @@ import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { requestJson } from '@/lib/api/client/request'
 import {
   getOrganizationDataRetentionContract,
+  type OrganizationDataRetention,
+  type OrganizationRetentionValues,
   updateOrganizationDataRetentionContract,
 } from '@/lib/api/contracts/organization'
 
-export interface RetentionValues {
-  logRetentionHours: number | null
-  softDeleteRetentionHours: number | null
-  taskCleanupHours: number | null
-}
-
-export interface DataRetentionResponse {
-  isEnterprise: boolean
-  defaults: RetentionValues
-  configured: RetentionValues
-  effective: RetentionValues
-}
+export type RetentionValues = OrganizationRetentionValues
+export type DataRetentionResponse = OrganizationDataRetention
 
 export const dataRetentionKeys = {
   all: ['dataRetention'] as const,
 
@@ -77,6 +77,17 @@ export const v1AdminAuditLogsQuerySchema = z.object({
   endDate: z.preprocess((value) => (value === '' ? undefined : value), isoDateString.optional()),
 })
 
+/**
+ * Generic wrapper used by v1 admin audit-log responses. The `data` and
+ * `limits` halves are intentionally `z.unknown()` because this proxy returns
+ * provider-shaped payloads that vary per route family; tightening here would
+ * require a discriminated union per route, which is tracked as a follow-up.
+ *
+ * boundary-policy: this is the "validates nothing" alias form that the audit
+ * script's `untyped-response` regex doesn't currently catch. Treat any new
+ * wrapper of this shape the same way and either annotate at the contract use
+ * site with `// untyped-response: <reason>` or replace with a concrete schema.
+ */
 const apiResponseWithLimitsSchema = z
   .object({
     data: z.unknown(),
 
@@ -113,14 +113,20 @@ const organizationRetentionValuesSchema = z.object({
   taskCleanupHours: z.number().int().nullable(),
 })
 
+export type OrganizationRetentionValues = z.output<typeof organizationRetentionValuesSchema>
+
+const organizationDataRetentionDataSchema = z.object({
+  isEnterprise: z.boolean(),
+  defaults: organizationRetentionValuesSchema,
+  configured: organizationRetentionValuesSchema,
+  effective: organizationRetentionValuesSchema,
+})
+
+export type OrganizationDataRetention = z.output<typeof organizationDataRetentionDataSchema>
+
 export const organizationDataRetentionResponseSchema = z.object({
   success: z.boolean(),
-  data: z.object({
-    isEnterprise: z.boolean(),
-    defaults: organizationRetentionValuesSchema,
-    configured: organizationRetentionValuesSchema,
-    effective: organizationRetentionValuesSchema,
-  }),
+  data: organizationDataRetentionDataSchema,
 })
 
 export const updateOrganizationWhitelabelBodySchema = z.object({
 
@@ -52,6 +52,7 @@ export const permissionGroupSchema = z.object({
   memberCount: z.number(),
   autoAddNewMembers: z.boolean(),
 })
+export type PermissionGroup = z.output<typeof permissionGroupSchema>
 
 export const permissionGroupWriteSchema = z.object({
   id: z.string(),
@@ -64,6 +65,7 @@ export const permissionGroupWriteSchema = z.object({
   updatedAt: z.string(),
   autoAddNewMembers: z.boolean(),
 })
+export type PermissionGroupWrite = z.output<typeof permissionGroupWriteSchema>
 
 export const permissionGroupMemberSchema = z.object({
   id: z.string(),
@@ -73,6 +75,7 @@ export const permissionGroupMemberSchema = z.object({
   userEmail: z.string().nullable(),
   userImage: z.string().nullable(),
 })
+export type PermissionGroupMember = z.output<typeof permissionGroupMemberSchema>
 
 export const userPermissionConfigQuerySchema = z.object({
   workspaceId: z.string().min(1),
@@ -84,6 +87,7 @@ export const userPermissionConfigSchema = z.object({
   config: permissionGroupFullConfigSchema.nullable(),
   entitled: z.boolean(),
 })
+export type UserPermissionConfig = z.output<typeof userPermissionConfigSchema>
 
 export const createPermissionGroupBodySchema = z.object({
   name: z.string().trim().min(1).max(100),