Merge remote-tracking branch 'origin/main' into feat/atlassian-service-account

# Conflicts:
#	scripts/check-api-validation-contracts.ts

Author: TheodoreSpeaks

.github/workflows/test-build.yml

@@ -90,15 +90,15 @@ jobs:
 
           echo "✅ All feature flags are properly configured"
 
-      - name: Check subblock ID stability
+      - name: Check block registry invariants
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             BASE_REF="origin/${{ github.base_ref }}"
             git fetch --depth=1 origin "${{ github.base_ref }}" 2>/dev/null || true
           else
             BASE_REF="HEAD~1"
           fi
-          bun run apps/sim/scripts/check-subblock-id-stability.ts "$BASE_REF"
+          bun run apps/sim/scripts/check-block-registry.ts "$BASE_REF"
 
       - name: Lint code
         run: bun run lint:check

apps/docs/content/docs/en/tools/stt.mdx

@@ -120,7 +120,7 @@ Transcribe audio and video files to text using leading AI providers. Supports mu
 | --------- | ---- | -------- | ----------- |
 | `provider` | string | Yes | STT provider \(elevenlabs\) |
 | `apiKey` | string | Yes | ElevenLabs API key |
-| `model` | string | No | ElevenLabs model to use \(scribe_v1, scribe_v1_experimental\) |
+| `model` | string | No | ElevenLabs model to use \(scribe_v2\) |
 | `audioFile` | file | No | Audio or video file to transcribe \(e.g., MP3, WAV, M4A, WEBM\) |
 | `audioFileReference` | file | No | Reference to audio/video file from previous blocks |
 | `audioUrl` | string | No | URL to audio or video file |

apps/realtime/src/handlers/index.ts

@@ -2,6 +2,7 @@ import { setupConnectionHandlers } from '@/handlers/connection'
 import { setupOperationsHandlers } from '@/handlers/operations'
 import { setupPresenceHandlers } from '@/handlers/presence'
 import { setupSubblocksHandlers } from '@/handlers/subblocks'
+import { setupTableHandlers } from '@/handlers/tables'
 import { setupVariablesHandlers } from '@/handlers/variables'
 import { setupWorkflowHandlers } from '@/handlers/workflow'
 import type { AuthenticatedSocket } from '@/middleware/auth'
@@ -13,5 +14,6 @@ export function setupAllHandlers(socket: AuthenticatedSocket, roomManager: IRoom
   setupSubblocksHandlers(socket, roomManager)
   setupVariablesHandlers(socket, roomManager)
   setupPresenceHandlers(socket, roomManager)
+  setupTableHandlers(socket, roomManager)
   setupConnectionHandlers(socket, roomManager)
 }

apps/realtime/src/handlers/operations.ts

@@ -10,6 +10,7 @@ import {
 } from '@sim/realtime-protocol/constants'
 import { WorkflowOperationSchema } from '@sim/realtime-protocol/schemas'
 import { generateId } from '@sim/utils/id'
+import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { ZodError } from 'zod'
 import { persistWorkflowOperation } from '@/database/operations'
 import type { AuthenticatedSocket } from '@/middleware/auth'
@@ -139,6 +140,24 @@ export function setupOperationsHandlers(socket: AuthenticatedSocket, roomManager
         }
       }
 
+      try {
+        await assertWorkflowMutable(workflowId)
+      } catch (error) {
+        if (error instanceof WorkflowLockedError) {
+          emitOperationError(
+            {
+              type: 'WORKFLOW_LOCKED',
+              message: error.message,
+              operation,
+              target,
+            },
+            { error: error.message, retryable: false }
+          )
+          return
+        }
+        throw error
+      }
+
       // Broadcast first for position updates to minimize latency, then persist
       // For other operations, persist first for consistency
       if (isPositionUpdate) {

apps/realtime/src/handlers/subblocks.ts

@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { workflow, workflowBlocks } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { SUBBLOCK_OPERATIONS } from '@sim/realtime-protocol/constants'
+import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { and, eq } from 'drizzle-orm'
 import type { AuthenticatedSocket } from '@/middleware/auth'
 import { checkRolePermission } from '@/middleware/permissions'
@@ -151,6 +152,28 @@ export function setupSubblocksHandlers(socket: AuthenticatedSocket, roomManager:
         return
       }
 
+      try {
+        await assertWorkflowMutable(workflowId)
+      } catch (error) {
+        if (error instanceof WorkflowLockedError) {
+          socket.emit('operation-forbidden', {
+            type: 'WORKFLOW_LOCKED',
+            message: error.message,
+            operation: SUBBLOCK_OPERATIONS.UPDATE,
+            target: 'subblock',
+          })
+          if (operationId) {
+            socket.emit('operation-failed', {
+              operationId,
+              error: error.message,
+              retryable: false,
+            })
+          }
+          return
+        }
+        throw error
+      }
+
       // Update user activity
       await roomManager.updateUserActivity(workflowId, socket.id, { lastActivity: Date.now() })
 
@@ -231,6 +254,22 @@ async function flushSubblockUpdate(
       return
     }
 
+    try {
+      await assertWorkflowMutable(workflowId)
+    } catch (error) {
+      if (error instanceof WorkflowLockedError) {
+        pending.opToSocket.forEach((socketId, opId) => {
+          io.to(socketId).emit('operation-failed', {
+            operationId: opId,
+            error: error.message,
+            retryable: false,
+          })
+        })
+        return
+      }
+      throw error
+    }
+
     let updateSuccessful = false
     let blockLocked = false
     await db.transaction(async (tx) => {

apps/realtime/src/handlers/tables.ts

@@ -0,0 +1,73 @@
+import { createLogger } from '@sim/logger'
+import type { AuthenticatedSocket } from '@/middleware/auth'
+import { verifyTableAccess } from '@/middleware/permissions'
+import { type IRoomManager, tableRoomName } from '@/rooms/types'
+
+const logger = createLogger('TableHandlers')
+
+/**
+ * Wires `join-table` / `leave-table` socket events. Tables don't track presence
+ * or last-modified state — joining is a thin wrapper around `socket.join` so the
+ * Sim API → Realtime HTTP bridge can broadcast row updates back to subscribed clients.
+ */
+export function setupTableHandlers(socket: AuthenticatedSocket, _roomManager: IRoomManager) {
+  socket.on('join-table', async ({ tableId }: { tableId?: string }) => {
+    try {
+      if (!tableId || typeof tableId !== 'string') {
+        socket.emit('join-table-error', {
+          tableId: tableId ?? null,
+          error: 'tableId required',
+          code: 'INVALID_TABLE_ID',
+          retryable: false,
+        })
+        return
+      }
+
+      const userId = socket.userId
+      if (!userId) {
+        socket.emit('join-table-error', {
+          tableId,
+          error: 'Authentication required',
+          code: 'AUTHENTICATION_REQUIRED',
+          retryable: false,
+        })
+        return
+      }
+
+      const { hasAccess } = await verifyTableAccess(userId, tableId)
+      if (!hasAccess) {
+        socket.emit('join-table-error', {
+          tableId,
+          error: 'Access denied to table',
+          code: 'ACCESS_DENIED',
+          retryable: false,
+        })
+        return
+      }
+
+      const room = tableRoomName(tableId)
+      socket.join(room)
+      socket.emit('join-table-success', { tableId, socketId: socket.id })
+      logger.debug(`Socket ${socket.id} (user ${userId}) joined ${room}`)
+    } catch (error) {
+      logger.error(`Error joining table room:`, error)
+      socket.emit('join-table-error', {
+        tableId: null,
+        error: 'Failed to join table',
+        code: 'JOIN_TABLE_FAILED',
+        retryable: true,
+      })
+    }
+  })
+
+  socket.on('leave-table', async ({ tableId }: { tableId?: string }) => {
+    try {
+      if (!tableId || typeof tableId !== 'string') return
+      const room = tableRoomName(tableId)
+      socket.leave(room)
+      logger.debug(`Socket ${socket.id} left ${room}`)
+    } catch (error) {
+      logger.error(`Error leaving table room:`, error)
+    }
+  })
+}

apps/realtime/src/handlers/variables.ts

@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { VARIABLE_OPERATIONS } from '@sim/realtime-protocol/constants'
+import { assertWorkflowMutable, WorkflowLockedError } from '@sim/workflow-authz'
 import { eq } from 'drizzle-orm'
 import type { AuthenticatedSocket } from '@/middleware/auth'
 import { checkRolePermission } from '@/middleware/permissions'
@@ -140,6 +141,28 @@ export function setupVariablesHandlers(socket: AuthenticatedSocket, roomManager:
         return
       }
 
+      try {
+        await assertWorkflowMutable(workflowId)
+      } catch (error) {
+        if (error instanceof WorkflowLockedError) {
+          socket.emit('operation-forbidden', {
+            type: 'WORKFLOW_LOCKED',
+            message: error.message,
+            operation: VARIABLE_OPERATIONS.UPDATE,
+            target: 'variable',
+          })
+          if (operationId) {
+            socket.emit('operation-failed', {
+              operationId,
+              error: error.message,
+              retryable: false,
+            })
+          }
+          return
+        }
+        throw error
+      }
+
       // Update user activity
       await roomManager.updateUserActivity(workflowId, socket.id, { lastActivity: Date.now() })
 
@@ -218,6 +241,22 @@ async function flushVariableUpdate(
       return
     }
 
+    try {
+      await assertWorkflowMutable(workflowId)
+    } catch (error) {
+      if (error instanceof WorkflowLockedError) {
+        pending.opToSocket.forEach((socketId, opId) => {
+          io.to(socketId).emit('operation-failed', {
+            operationId: opId,
+            error: error.message,
+            retryable: false,
+          })
+        })
+        return
+      }
+      throw error
+    }
+
     let updateSuccessful = false
     await db.transaction(async (tx) => {
       const [workflowRecord] = await tx

apps/realtime/src/middleware/permissions.ts

@@ -131,3 +131,51 @@ export async function verifyWorkflowAccess(
     return { hasAccess: false }
   }
 }
+
+/**
+ * Verify a user has read access to a table by virtue of workspace permission.
+ * Mirrors `verifyWorkflowAccess` for the table-room socket join check.
+ */
+export async function verifyTableAccess(
+  userId: string,
+  tableId: string
+): Promise<{ hasAccess: boolean; workspaceId?: string }> {
+  try {
+    const { userTableDefinitions, permissions } = await import('@sim/db')
+    const tableData = await db
+      .select({ workspaceId: userTableDefinitions.workspaceId })
+      .from(userTableDefinitions)
+      .where(and(eq(userTableDefinitions.id, tableId), isNull(userTableDefinitions.archivedAt)))
+      .limit(1)
+
+    if (!tableData.length) {
+      logger.warn(`Table ${tableId} not found`)
+      return { hasAccess: false }
+    }
+    const { workspaceId } = tableData[0]
+    if (!workspaceId) return { hasAccess: false }
+
+    const [permissionRow] = await db
+      .select({ permissionType: permissions.permissionType })
+      .from(permissions)
+      .where(
+        and(
+          eq(permissions.userId, userId),
+          eq(permissions.entityType, 'workspace'),
+          eq(permissions.entityId, workspaceId)
+        )
+      )
+      .limit(1)
+
+    if (!permissionRow?.permissionType) {
+      logger.warn(
+        `User ${userId} has no permission for workspace ${workspaceId} (table ${tableId})`
+      )
+      return { hasAccess: false }
+    }
+    return { hasAccess: true, workspaceId }
+  } catch (error) {
+    logger.error(`Error verifying table access for user ${userId}, table ${tableId}:`, error)
+    return { hasAccess: false }
+  }
+}

apps/realtime/src/rooms/memory-manager.ts

@@ -1,6 +1,13 @@
 import { createLogger } from '@sim/logger'
 import type { Server } from 'socket.io'
-import type { IRoomManager, UserPresence, UserSession, WorkflowRoom } from '@/rooms/types'
+import {
+  type IRoomManager,
+  type TableRowUpdatedPayload,
+  tableRoomName,
+  type UserPresence,
+  type UserSession,
+  type WorkflowRoom,
+} from '@/rooms/types'
 
 const logger = createLogger('MemoryRoomManager')
 
@@ -255,4 +262,23 @@ export class MemoryRoomManager implements IRoomManager {
 
     logger.info(`Notified ${room.users.size} users about workflow deployment change: ${workflowId}`)
   }
+
+  emitToTable<T = unknown>(tableId: string, event: string, payload: T): void {
+    this._io.to(tableRoomName(tableId)).emit(event, payload)
+  }
+
+  async handleTableRowUpdated(tableId: string, payload: TableRowUpdatedPayload): Promise<void> {
+    this.emitToTable(tableId, 'table-row-updated', { tableId, ...payload })
+  }
+
+  async handleTableRowDeleted(tableId: string, rowId: string): Promise<void> {
+    this.emitToTable(tableId, 'table-row-deleted', { tableId, rowId })
+  }
+
+  async handleTableDeleted(tableId: string): Promise<void> {
+    logger.info(`Handling table deletion notification for ${tableId}`)
+    this.emitToTable(tableId, 'table-deleted', { tableId, timestamp: Date.now() })
+    // Eject sockets so they don't hold a stale room. Cross-pod safe via socket.io.
+    await this._io.in(tableRoomName(tableId)).socketsLeave(tableRoomName(tableId))
+  }
 }

apps/realtime/src/rooms/redis-manager.ts

@@ -1,7 +1,13 @@
 import { createLogger } from '@sim/logger'
 import { createClient, type RedisClientType } from 'redis'
 import type { Server } from 'socket.io'
-import type { IRoomManager, UserPresence, UserSession } from '@/rooms/types'
+import {
+  type IRoomManager,
+  type TableRowUpdatedPayload,
+  tableRoomName,
+  type UserPresence,
+  type UserSession,
+} from '@/rooms/types'
 
 const logger = createLogger('RedisRoomManager')
 
@@ -457,4 +463,23 @@ export class RedisRoomManager implements IRoomManager {
     const userCount = await this.getUniqueUserCount(workflowId)
     logger.info(`Notified ${userCount} users about workflow deployment change: ${workflowId}`)
   }
+
+  emitToTable<T = unknown>(tableId: string, event: string, payload: T): void {
+    this._io.to(tableRoomName(tableId)).emit(event, payload)
+  }
+
+  async handleTableRowUpdated(tableId: string, payload: TableRowUpdatedPayload): Promise<void> {
+    this.emitToTable(tableId, 'table-row-updated', { tableId, ...payload })
+  }
+
+  async handleTableRowDeleted(tableId: string, rowId: string): Promise<void> {
+    this.emitToTable(tableId, 'table-row-deleted', { tableId, rowId })
+  }
+
+  async handleTableDeleted(tableId: string): Promise<void> {
+    logger.info(`Handling table deletion notification for ${tableId}`)
+    this.emitToTable(tableId, 'table-deleted', { tableId, timestamp: Date.now() })
+    // Eject sockets across all pods via socket.io's Redis adapter.
+    await this._io.in(tableRoomName(tableId)).socketsLeave(tableRoomName(tableId))
+  }
 }