Merge remote-tracking branch 'origin/staging' into fix/billing-lock-hold

Author: TheodoreSpeaks

.claude/rules/sim-testing.md

@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |

.cursor/rules/sim-testing.mdc

@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |

.devcontainer/post-create.sh

@@ -71,14 +71,26 @@ fi
 
 # Set up environment variables if .env doesn't exist for the sim app
 if [ ! -f "apps/sim/.env" ]; then
-  echo "📄 Creating .env file from template..."
+  echo "📄 Creating apps/sim/.env from template..."
   if [ -f "apps/sim/.env.example" ]; then
     cp apps/sim/.env.example apps/sim/.env
   else
     echo "DATABASE_URL=postgresql://postgres:postgres@db:5432/simstudio" > apps/sim/.env
   fi
 fi
 
+# Set up env for the realtime server (must match the shared values in apps/sim/.env)
+if [ ! -f "apps/realtime/.env" ] && [ -f "apps/realtime/.env.example" ]; then
+  echo "📄 Creating apps/realtime/.env from template..."
+  cp apps/realtime/.env.example apps/realtime/.env
+fi
+
+# Set up packages/db/.env for drizzle-kit and migration scripts
+if [ ! -f "packages/db/.env" ] && [ -f "packages/db/.env.example" ]; then
+  echo "📄 Creating packages/db/.env from template..."
+  cp packages/db/.env.example packages/db/.env
+fi
+
 # Generate schema and run database migrations
 echo "🗃️ Running database schema generation and migrations..."
 echo "Generating schema..."

.github/workflows/test-build.yml

@@ -103,6 +103,15 @@ jobs:
       - name: Lint code
         run: bun run lint:check
 
+      - name: Enforce monorepo boundaries
+        run: bun run check:boundaries
+
+      - name: Verify realtime prune graph
+        run: bun run check:realtime-prune
+
+      - name: Type-check realtime server
+        run: bunx turbo run type-check --filter=@sim/realtime
+
       - name: Run tests with coverage
         env:
           NODE_OPTIONS: '--no-warnings --max-old-space-size=8192'

AGENTS.md

@@ -20,19 +20,42 @@ You are a professional software engineer. All code must follow best practices: a
 
 ### Root Structure
 ```
-apps/sim/
-├── app/           # Next.js app router (pages, API routes)
-├── blocks/        # Block definitions and registry
-├── components/    # Shared UI (emcn/, ui/)
-├── executor/      # Workflow execution engine
-├── hooks/         # Shared hooks (queries/, selectors/)
-├── lib/           # App-wide utilities
-├── providers/     # LLM provider integrations
-├── stores/        # Zustand stores
-├── tools/         # Tool definitions
-└── triggers/      # Trigger definitions
+apps/
+├── sim/                    # Next.js app (UI + API routes + workflow editor)
+│   ├── app/                # Next.js app router (pages, API routes)
+│   ├── blocks/             # Block definitions and registry
+│   ├── components/         # Shared UI (emcn/, ui/)
+│   ├── executor/           # Workflow execution engine
+│   ├── hooks/              # Shared hooks (queries/, selectors/)
+│   ├── lib/                # App-wide utilities
+│   ├── providers/          # LLM provider integrations
+│   ├── stores/             # Zustand stores
+│   ├── tools/              # Tool definitions
+│   └── triggers/           # Trigger definitions
+└── realtime/               # Bun Socket.IO server (collaborative canvas)
+    └── src/                # auth, config, database, handlers, middleware,
+                            # rooms, routes, internal/webhook-cleanup.ts
+
+packages/
+├── audit/                  # @sim/audit — recordAudit + AuditAction + AuditResourceType
+├── auth/                   # @sim/auth — @sim/auth/verify (shared Better Auth verifier)
+├── db/                     # @sim/db — drizzle schema + client
+├── logger/                 # @sim/logger
+├── realtime-protocol/      # @sim/realtime-protocol — socket operation constants + zod schemas
+├── security/               # @sim/security — safeCompare
+├── tsconfig/               # shared tsconfig presets
+├── utils/                  # @sim/utils
+├── workflow-authz/         # @sim/workflow-authz — authorizeWorkflowByWorkspacePermission
+├── workflow-persistence/   # @sim/workflow-persistence — raw load/save + subflow helpers
+└── workflow-types/         # @sim/workflow-types — pure BlockState/Loop/Parallel/... types
 ```
 
+### Package boundaries
+- `apps/* → packages/*` only. Packages never import from `apps/*`.
+- Each package has explicit subpath `exports` maps; no barrels that accidentally pull in heavy halves.
+- `apps/realtime` intentionally avoids Next.js, React, the block/tool registry, provider SDKs, and the executor. CI enforces this via `scripts/check-monorepo-boundaries.ts` and `scripts/check-realtime-prune-graph.ts`.
+- Auth is shared across services via the Better Auth "Shared Database Session" pattern: both apps read the same `BETTER_AUTH_SECRET` and point at the same DB via `@sim/db`.
+
 ### Naming Conventions
 - Components: PascalCase (`WorkflowList`)
 - Hooks: `use` prefix (`useWorkflowOperations`)

apps/docs/content/docs/en/enterprise/data-retention.mdx

@@ -6,7 +6,7 @@ description: Control how long execution logs, deleted resources, and copilot dat
 import { FAQ } from '@/components/ui/faq'
 import { Image } from '@/components/ui/image'
 
-Data Retention lets workspace admins on Enterprise plans configure how long three categories of data are kept before they are permanently deleted. Each workspace in your organization can have its own independent configuration.
+Data Retention lets organization owners and admins on Enterprise plans configure how long three categories of data are kept before they are permanently deleted. The configuration applies to every workspace in the organization.
 
 ---
 
@@ -58,9 +58,9 @@ Each setting is independent. You can configure a short log retention period alon
 
 ---
 
-## Per-workspace configuration
+## Organization-wide configuration
 
-Retention is configured at the **workspace level**, not organization-wide. Each workspace in your organization can have a different configuration. Changes to one workspace's settings do not affect other workspaces.
+Retention is configured at the **organization level**. A single configuration applies to every workspace in the organization — there are no per-workspace overrides.
 
 ---
 
@@ -73,7 +73,7 @@ By default, all three settings are unconfigured — no data is automatically del
 <FAQ items={[
   {
     question: "Who can configure data retention settings?",
-    answer: "Only workspace admins can configure data retention settings. On Sim Cloud, the workspace must be on an Enterprise plan."
+    answer: "Only organization owners and admins can configure data retention settings. On Sim Cloud, the organization must be on an Enterprise plan."
   },
   {
     question: "Is deletion immediate once the retention period expires?",
@@ -85,7 +85,7 @@ By default, all three settings are unconfigured — no data is automatically del
   },
   {
     question: "Does the retention period apply to all workspaces in my organization?",
-    answer: "No. Retention is configured per workspace. Each workspace in your organization can have a different configuration."
+    answer: "Yes. Retention is configured once per organization and applies to every workspace in the organization."
   },
   {
     question: "What happens if I shorten the retention period?",

apps/realtime/.env.example

@@ -0,0 +1,30 @@
+# Environment variables required by the @sim/realtime (Socket.IO) server.
+# These MUST match the corresponding values in apps/sim/.env for auth to work.
+# See apps/realtime/src/env.ts for the full zod schema.
+
+# Core
+NODE_ENV=development
+PORT=3002
+
+# Database — must point at the same Postgres as the main app
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/simstudio
+
+# Auth — shared with apps/sim (Better Auth "Shared Database Session" pattern)
+BETTER_AUTH_URL=http://localhost:3000
+BETTER_AUTH_SECRET=your_better_auth_secret_min_32_chars
+
+# Internal RPC — shared with apps/sim
+INTERNAL_API_SECRET=your_internal_api_secret_min_32_chars
+
+# Public app URL — used for CORS allow-list and base URL resolution
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# Optional: Redis for cross-pod room management
+# Leave unset for single-pod / in-memory rooms
+# REDIS_URL=redis://localhost:6379
+
+# Optional: extra Socket.IO CORS allow-list (comma-separated)
+# ALLOWED_ORIGINS=https://embed.example.com,https://admin.example.com
+
+# Optional: disable auth entirely for trusted private networks
+# DISABLE_AUTH=true

apps/realtime/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@sim/realtime",
+  "version": "0.1.0",
+  "private": true,
+  "license": "Apache-2.0",
+  "type": "module",
+  "engines": {
+    "bun": ">=1.2.13",
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "dev": "bun --watch src/index.ts",
+    "start": "bun src/index.ts",
+    "type-check": "tsc --noEmit",
+    "lint": "biome check --write --unsafe .",
+    "lint:check": "biome check .",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@sim/audit": "workspace:*",
+    "@sim/auth": "workspace:*",
+    "@sim/db": "workspace:*",
+    "@sim/logger": "workspace:*",
+    "@sim/realtime-protocol": "workspace:*",
+    "@sim/security": "workspace:*",
+    "@sim/utils": "workspace:*",
+    "@sim/workflow-authz": "workspace:*",
+    "@sim/workflow-persistence": "workspace:*",
+    "@sim/workflow-types": "workspace:*",
+    "@socket.io/redis-adapter": "8.3.0",
+    "drizzle-orm": "^0.45.2",
+    "postgres": "^3.4.5",
+    "redis": "5.10.0",
+    "socket.io": "^4.8.1",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@sim/testing": "workspace:*",
+    "@sim/tsconfig": "workspace:*",
+    "@types/node": "24.2.1",
+    "socket.io-client": "4.8.1",
+    "typescript": "^5.7.3",
+    "vitest": "^3.0.8"
+  }
+}

apps/realtime/src/auth.ts

@@ -0,0 +1,17 @@
+import { createVerifyAuth } from '@sim/auth/verify'
+import { env } from '@/env'
+
+export const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+export const ANONYMOUS_USER = {
+  id: ANONYMOUS_USER_ID,
+  name: 'Anonymous',
+  email: 'anonymous@localhost',
+  emailVerified: true,
+  image: null,
+} as const
+
+export const auth = createVerifyAuth({
+  secret: env.BETTER_AUTH_SECRET,
+  baseURL: env.BETTER_AUTH_URL,
+})

apps/sim/socket/config/socket.ts apps/realtime/src/config/socket.tsapps/sim/socket/config/socket.ts renamed to apps/realtime/src/config/socket.ts

@@ -3,9 +3,7 @@ import { createLogger } from '@sim/logger'
 import { createAdapter } from '@socket.io/redis-adapter'
 import { createClient, type RedisClientType } from 'redis'
 import { Server } from 'socket.io'
-import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/feature-flags'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { env, getBaseUrl, isProd } from '@/env'
 
 const logger = createLogger('SocketIOConfig')