fix: unit tests

.cursor/commands/build.md

@@ -1,3 +0,0 @@
-Build the full app and if you run into any errors, fix them and build again until the app builds.
-
-Complete when: This is complete only when the app build fully.

.cursor/commands/pr.md

@@ -1 +0,0 @@
-Open a draft PR with a concise description of what we’ve done in this PR and what remains to be done.

.cursor/commands/unit-tests.md

@@ -1,8 +0,0 @@
-Run the unit tests of all files we’ve changed so far:
-
-1. Check the diff to main
-2. Determine all files that we changed
-3. Run the corresponding unit tests
-4. If tests are failing, update the unit test following the guideline in the corresponding cursor rule.
-
-Complete when: This is complete when all unit tests pass.

.cursor/commands/wrap-up.md

@@ -1 +0,0 @@
-Run /unit-test and if complete /build and if complete /pr

.cursor/rules/cache-optimization.mdc

@@ -16,10 +16,9 @@ Formbricks uses a **hybrid caching approach** optimized for enterprise scale:
 ## Key Files
 
 ### Core Cache Infrastructure
-- [packages/cache/src/service.ts](mdc:packages/cache/src/service.ts) - Redis cache service
-- [packages/cache/src/client.ts](mdc:packages/cache/src/client.ts) - Cache client initialization and singleton management  
-- [apps/web/lib/cache/index.ts](mdc:apps/web/lib/cache/index.ts) - Cache service proxy for web app
-- [packages/cache/src/index.ts](mdc:packages/cache/src/index.ts) - Cache package exports and utilities
+- [apps/web/modules/cache/lib/service.ts](mdc:apps/web/modules/cache/lib/service.ts) - Redis cache service
+- [apps/web/modules/cache/lib/withCache.ts](mdc:apps/web/modules/cache/lib/withCache.ts) - Cache wrapper utilities
+- [apps/web/modules/cache/lib/cacheKeys.ts](mdc:apps/web/modules/cache/lib/cacheKeys.ts) - Enterprise cache key patterns and utilities
 
 ### Environment State Caching (Critical Endpoint)
 - [apps/web/app/api/v1/client/[environmentId]/environment/route.ts](mdc:apps/web/app/api/v1/client/[environmentId]/environment/route.ts) - Main endpoint serving hundreds of thousands of SDK clients
@@ -27,7 +26,7 @@ Formbricks uses a **hybrid caching approach** optimized for enterprise scale:
 
 ## Enterprise-Grade Cache Key Patterns
 
-**Always use** the `createCacheKey` utilities from the cache package:
+**Always use** the `createCacheKey` utilities from [cacheKeys.ts](mdc:apps/web/modules/cache/lib/cacheKeys.ts):
 
 ```typescript
 // ✅ Correct patterns
@@ -51,14 +50,14 @@ export const getEnterpriseLicense = reactCache(async () => {
 });
 ```
 
-### Use `cache.withCache()` for Simple Database Queries
+### Use `withCache()` for Simple Database Queries
 ```typescript
 // ✅ Simple caching with automatic fallback (TTL in milliseconds)
 export const getActionClasses = (environmentId: string) => {
-  return cache.withCache(() => fetchActionClassesFromDB(environmentId), 
-    createCacheKey.environment.actionClasses(environmentId),
-    60 * 30 * 1000 // 30 minutes in milliseconds
-  );
+  return withCache(() => fetchActionClassesFromDB(environmentId), {
+    key: createCacheKey.environment.actionClasses(environmentId),
+    ttl: 60 * 30 * 1000, // 30 minutes in milliseconds
+  })();
 };
 ```
 

.cursor/rules/database.mdc

@@ -1,110 +0,0 @@
----
-description: >
-  This rule provides comprehensive knowledge about the Formbricks database structure, relationships, 
-  and data patterns. It should be used **only when the agent explicitly requests database schema-level 
-  details** to support tasks such as: writing/debugging Prisma queries, designing/reviewing data models, 
-  investigating multi-tenancy behavior, creating API endpoints, or understanding data relationships.
-globs: []
-alwaysApply: agent-requested
----
-
-# Formbricks Database Schema Reference
-
-This rule provides a reference to the Formbricks database structure. For the most up-to-date and complete schema definitions, please refer to the schema.prisma file directly.
-
-## Database Overview
-
-Formbricks uses PostgreSQL with Prisma ORM. The schema is designed for multi-tenancy with strong data isolation between organizations.
-
-### Core Hierarchy
-
-```
-Organization
-└── Project
-    └── Environment (production/development)
-        ├── Survey
-        ├── Contact
-        ├── ActionClass
-        └── Integration
-```
-
-## Schema Reference
-
-For the complete and up-to-date database schema, please refer to:
-
-- Main schema: `packages/database/schema.prisma`
-- JSON type definitions: `packages/database/json-types.ts`
-
-The schema.prisma file contains all model definitions, relationships, enums, and field types. The json-types.ts file contains TypeScript type definitions for JSON fields.
-
-## Data Access Patterns
-
-### Multi-tenancy
-
-- All data is scoped by Organization
-- Environment-level isolation for surveys and contacts
-- Project-level grouping for related surveys
-
-### Soft Deletion
-
-Some models use soft deletion patterns:
-
-- Check `isActive` fields where present
-- Use proper filtering in queries
-
-### Cascading Deletes
-
-Configured cascade relationships:
-
-- Organization deletion cascades to all child entities
-- Survey deletion removes responses, displays, triggers
-- Contact deletion removes attributes and responses
-
-## Common Query Patterns
-
-### Survey with Responses
-
-```typescript
-// Include response count and latest responses
-const survey = await prisma.survey.findUnique({
-  where: { id: surveyId },
-  include: {
-    responses: {
-      take: 10,
-      orderBy: { createdAt: "desc" },
-    },
-    _count: {
-      select: { responses: true },
-    },
-  },
-});
-```
-
-### Environment Scoping
-
-```typescript
-// Always scope by environment
-const surveys = await prisma.survey.findMany({
-  where: {
-    environmentId: environmentId,
-    // Additional filters...
-  },
-});
-```
-
-### Contact with Attributes
-
-```typescript
-const contact = await prisma.contact.findUnique({
-  where: { id: contactId },
-  include: {
-    attributes: {
-      include: {
-        attributeKey: true,
-      },
-    },
-  },
-});
-```
-
-This schema supports Formbricks' core functionality: multi-tenant survey management, user targeting, response collection, and analysis, all while maintaining strict data isolation and security.

.cursor/rules/documentations.mdc

@@ -1,28 +0,0 @@
----
-description: Guideline for writing end-user facing documentation in the apps/docs folder
-globs:
-alwaysApply: false
----
-
-Follow these instructions and guidelines when asked to write documentation in the apps/docs folder
-
-Follow this structure to write the title, describtion and pick a matching icon and insert it at the top of the MDX file:
-
----
-
-title: "FEATURE NAME"
-description: "1 concise sentence to describe WHEN the feature is being used and FOR WHAT BENEFIT."
-icon: "link"
-
----
-
-- Description: 1 concise sentence to describe WHEN the feature is being used and FOR WHAT BENEFIT.
-- Make ample use of the Mintlify components you can find here https://mintlify.com/docs/llms.txt - e.g. if docs describe consecutive steps, always use Mintlify Step component.
-- In all Headlines, only capitalize the current feature and nothing else, to Camel Case.
-- The page should never start with H1 headline, because it's already part of the template.
-- Tonality: Keep it concise and to the point. Avoid Jargon where possible.
-- If a feature is part of the Enterprise Edition, use this note:
-
-<Note>
-  FEATURE NAME is part of the [Enterprise Edition](/self-hosting/advanced/license) 
-</Note>

.cursor/rules/eks-alb-optimization.mdc

@@ -0,0 +1,152 @@
+---
+description:
+globs:
+alwaysApply: false
+---
+# EKS & ALB Optimization Guide for Error Reduction
+
+## Infrastructure Overview
+
+This project uses AWS EKS with Application Load Balancer (ALB) for the Formbricks application. The infrastructure has been optimized to minimize ELB 502/504 errors through careful configuration of connection handling, health checks, and pod lifecycle management.
+
+## Key Infrastructure Files
+
+### Terraform Configuration
+- **Main Infrastructure**: [infra/terraform/main.tf](mdc:infra/terraform/main.tf) - EKS cluster, VPC, Karpenter, and core AWS resources
+- **Monitoring**: [infra/terraform/cloudwatch.tf](mdc:infra/terraform/cloudwatch.tf) - CloudWatch alarms for 502/504 error tracking and alerting
+- **Database**: [infra/terraform/rds.tf](mdc:infra/terraform/rds.tf) - Aurora PostgreSQL configuration
+
+### Helm Configuration
+- **Production**: [infra/formbricks-cloud-helm/values.yaml.gotmpl](mdc:infra/formbricks-cloud-helm/values.yaml.gotmpl) - Optimized ALB and pod configurations
+- **Staging**: [infra/formbricks-cloud-helm/values-staging.yaml.gotmpl](mdc:infra/formbricks-cloud-helm/values-staging.yaml.gotmpl) - Staging environment with spot instances
+- **Deployment**: [infra/formbricks-cloud-helm/helmfile.yaml.gotmpl](mdc:infra/formbricks-cloud-helm/helmfile.yaml.gotmpl) - Multi-environment Helm releases
+
+## ALB Optimization Patterns
+
+### Connection Handling Optimizations
+```yaml
+# Key ALB annotations for reducing 502/504 errors
+alb.ingress.kubernetes.io/load-balancer-attributes: |
+  idle_timeout.timeout_seconds=120,
+  connection_logs.s3.enabled=false,
+  access_logs.s3.enabled=false
+
+alb.ingress.kubernetes.io/target-group-attributes: |
+  deregistration_delay.timeout_seconds=30,
+  stickiness.enabled=false,
+  load_balancing.algorithm.type=least_outstanding_requests,
+  target_group_health.dns_failover.minimum_healthy_targets.count=1
+```
+
+### Health Check Configuration
+- **Interval**: 15 seconds for faster detection of unhealthy targets
+- **Timeout**: 5 seconds to prevent false positives
+- **Thresholds**: 2 healthy, 3 unhealthy for balanced responsiveness
+- **Path**: `/health` endpoint optimized for < 100ms response time
+
+## Pod Lifecycle Management
+
+### Graceful Shutdown Pattern
+```yaml
+# PreStop hook to allow connection draining
+lifecycle:
+  preStop:
+    exec:
+      command: ["/bin/sh", "-c", "sleep 15"]
+
+# Termination grace period for complete cleanup
+terminationGracePeriodSeconds: 45
+```
+
+### Health Probe Strategy
+- **Startup Probe**: 5s initial delay, 5s interval, max 60s startup time
+- **Readiness Probe**: 10s delay, 10s interval for traffic readiness
+- **Liveness Probe**: 30s delay, 30s interval for container health
+
+### Rolling Update Configuration
+```yaml
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: 25%  # Maintain capacity during updates
+    maxSurge: 50%        # Allow faster rollouts
+```
+
+## Karpenter Node Management
+
+### Node Lifecycle Optimization
+- **Startup Taints**: Prevent traffic during node initialization
+- **Graceful Shutdown**: 30s grace period for pod eviction
+- **Consolidation Delay**: 60s to reduce unnecessary churn
+- **Eviction Policies**: Configured for smooth pod migrations
+
+### Instance Selection
+- **Families**: c8g, c7g, m8g, m7g, r8g, r7g (ARM64 Graviton)
+- **Sizes**: 2, 4, 8 vCPUs for cost optimization
+- **Bottlerocket AMI**: Enhanced security and performance
+
+## Monitoring & Alerting
+
+### Critical ALB Metrics
+1. **ELB 502 Errors**: Threshold 20 over 5 minutes
+2. **ELB 504 Errors**: Threshold 15 over 5 minutes  
+3. **Target Connection Errors**: Threshold 50 over 5 minutes
+4. **4XX Errors**: Threshold 100 over 10 minutes (client issues)
+
+### Expected Improvements
+- **60-80% reduction** in ELB 502 errors
+- **Faster recovery** during pod restarts
+- **Better connection reuse** efficiency
+- **Improved autoscaling** responsiveness
+
+## Deployment Patterns
+
+### Infrastructure Updates
+1. **Terraform First**: Apply infrastructure changes via [infra/deploy-improvements.sh](mdc:infra/deploy-improvements.sh)
+2. **Helm Second**: Deploy application configurations
+3. **Verification**: Check pod status, endpoints, and ALB health
+4. **Monitoring**: Watch CloudWatch metrics for 24-48 hours
+
+### Environment-Specific Configurations
+- **Production**: On-demand instances, stricter resource limits
+- **Staging**: Spot instances, rate limiting disabled, relaxed resources
+
+## Troubleshooting Patterns
+
+### 502 Error Investigation
+1. Check pod readiness and health probe status
+2. Verify ALB target group health
+3. Review deregistration timing during deployments
+4. Monitor connection pool utilization
+
+### 504 Error Analysis  
+1. Check application response times
+2. Verify timeout configurations (ALB: 120s, App: aligned)
+3. Review database query performance
+4. Monitor resource utilization during traffic spikes
+
+### Connection Error Patterns
+1. Verify Karpenter node lifecycle timing
+2. Check pod termination grace periods
+3. Review ALB connection draining settings
+4. Monitor cluster autoscaling events
+
+## Best Practices
+
+### When Making Changes
+- **Test in staging first** with same configurations
+- **Monitor metrics** for 24-48 hours after changes
+- **Use gradual rollouts** with proper health checks
+- **Maintain ALB timeout alignment** across all layers
+
+### Performance Optimization
+- **Health endpoint** should respond < 100ms consistently  
+- **Connection pooling** aligned with ALB idle timeouts
+- **Resource requests/limits** tuned for consistent performance
+- **Graceful shutdown** implemented in application code
+
+### Monitoring Strategy
+- **Real-time alerts** for error rate spikes
+- **Trend analysis** for connection patterns
+- **Capacity planning** based on LCU usage
+- **4XX pattern analysis** for client behavior insights

.cursor/rules/formbricks-architecture.mdc

@@ -18,6 +18,7 @@ apps/web/
 │   ├── (app)/             # Main application routes
 │   ├── (auth)/            # Authentication routes
 │   ├── api/               # API routes
+│   └── share/             # Public sharing routes
 ├── components/            # Shared components
 ├── lib/                   # Utility functions and services
 └── modules/               # Feature-specific modules
@@ -42,6 +43,7 @@ The application uses Next.js 13+ app router with route groups:
 ### Dynamic Routes
 - `[environmentId]` - Environment-specific routes
 - `[surveyId]` - Survey-specific routes
+- `[sharingKey]` - Public sharing routes
 
 ## Service Layer Pattern
 

.cursor/rules/github-actions-security.mdc

@@ -1,232 +0,0 @@
----
-description: Security best practices and guidelines for writing GitHub Actions and workflows
-globs: .github/workflows/*.yml,.github/workflows/*.yaml,.github/actions/*/action.yml,.github/actions/*/action.yaml
----
-
-# GitHub Actions Security Best Practices
-
-## Required Security Measures
-
-### 1. Set Minimum GITHUB_TOKEN Permissions
-
-Always explicitly set the minimum required permissions for GITHUB_TOKEN:
-
-```yaml
-permissions:
-  contents: read
-  # Only add additional permissions if absolutely necessary:
-  # pull-requests: write  # for commenting on PRs
-  # issues: write         # for creating/updating issues
-  # checks: write         # for publishing check results
-```
-
-### 2. Add Harden-Runner as First Step
-
-For **every job** on `ubuntu-latest`, add Harden-Runner as the first step:
-
-```yaml
-- name: Harden the runner
-  uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-  with:
-    egress-policy: audit # or 'block' for stricter security
-```
-
-### 3. Pin Actions to Full Commit SHA
-
-**Always** pin third-party actions to their full commit SHA, not tags:
-
-```yaml
-# ❌ BAD - uses mutable tag
-- uses: actions/checkout@v4
-
-# ✅ GOOD - pinned to immutable commit SHA
-- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-```
-
-### 4. Secure Variable Handling
-
-Prevent command injection by properly quoting variables:
-
-```yaml
-# ❌ BAD - potential command injection
-run: echo "Processing ${{ inputs.user_input }}"
-
-# ✅ GOOD - properly quoted
-env:
-  USER_INPUT: ${{ inputs.user_input }}
-run: echo "Processing ${USER_INPUT}"
-```
-
-Use `${VARIABLE}` syntax in shell scripts instead of `$VARIABLE`.
-
-### 5. Environment Variables for Secrets
-
-Store sensitive data in environment variables, not inline:
-
-```yaml
-# ❌ BAD
-run: curl -H "Authorization: Bearer ${{ secrets.TOKEN }}" api.example.com
-
-# ✅ GOOD
-env:
-  API_TOKEN: ${{ secrets.TOKEN }}
-run: curl -H "Authorization: Bearer ${API_TOKEN}" api.example.com
-```
-
-## Workflow Structure Best Practices
-
-### Required Workflow Elements
-
-```yaml
-name: "Descriptive Workflow Name"
-
-on:
-  # Define specific triggers
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-# Always set explicit permissions
-permissions:
-  contents: read
-
-jobs:
-  job-name:
-    name: "Descriptive Job Name"
-    runs-on: ubuntu-latest
-    timeout-minutes: 30 # tune per job; standardize repo-wide
-
-    # Set job-level permissions if different from workflow level
-    permissions:
-      contents: read
-
-    steps:
-      # Always start with Harden-Runner on ubuntu-latest
-      - name: Harden the runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
-      # Pin all actions to commit SHA
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-```
-
-### Input Validation for Actions
-
-For composite actions, always validate inputs:
-
-```yaml
-inputs:
-  user_input:
-    description: "User provided input"
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Validate input
-      shell: bash
-      run: |
-        # Harden shell and validate input format/content before use
-        set -euo pipefail
-
-        USER_INPUT="${{ inputs.user_input }}"
-
-        if [[ ! "${USER_INPUT}" =~ ^[A-Za-z0-9._-]+$ ]]; then
-          echo "❌ Invalid input format"
-          exit 1
-        fi
-```
-
-## Docker Security in Actions
-
-### Pin Docker Images to Digests
-
-```yaml
-# ❌ BAD - mutable tag
-container: node:18
-
-# ✅ GOOD - pinned to digest
-container: node:18@sha256:a1ba21bf0c92931d02a8416f0a54daad66cb36a85d6a37b82dfe1604c4c09cad
-```
-
-## Common Patterns
-
-### Secure File Operations
-
-```yaml
-- name: Process files securely
-  shell: bash
-  env:
-    FILE_PATH: ${{ inputs.file_path }}
-  run: |
-    set -euo pipefail  # Fail on errors, undefined vars, pipe failures
-
-    # Use absolute paths and validate
-    SAFE_PATH=$(realpath "${FILE_PATH}")
-    if [[ "$SAFE_PATH" != "${GITHUB_WORKSPACE}"/* ]]; then
-      echo "❌ Path outside workspace"
-      exit 1
-    fi
-```
-
-### Artifact Handling
-
-```yaml
-- name: Upload artifacts securely
-  uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
-  with:
-    name: build-artifacts
-    path: |
-      dist/
-      !dist/**/*.log  # Exclude sensitive files
-    retention-days: 30
-```
-
-### GHCR authentication for pulls/scans
-
-```yaml
-# Minimal permissions required for GHCR pulls/scans
-permissions:
-  contents: read
-  packages: read
-
-steps:
-  - name: Log in to GitHub Container Registry
-    uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-    with:
-      registry: ghcr.io
-      username: ${{ github.actor }}
-      password: ${{ secrets.GITHUB_TOKEN }}
-```
-
-## Security Checklist
-
-- [ ] Minimum GITHUB_TOKEN permissions set
-- [ ] Harden-Runner added to all ubuntu-latest jobs
-- [ ] All third-party actions pinned to commit SHA
-- [ ] Input validation implemented for custom actions
-- [ ] Variables properly quoted in shell scripts
-- [ ] Secrets stored in environment variables
-- [ ] Docker images pinned to digests (if used)
-- [ ] Error handling with `set -euo pipefail`
-- [ ] File paths validated and sanitized
-- [ ] No sensitive data in logs or outputs
-- [ ] GHCR login performed before pulls/scans (packages: read)
-- [ ] Job timeouts configured (`timeout-minutes`)
-
-## Recommended Additional Workflows
-
-Consider adding these security-focused workflows to your repository:
-
-1. **CodeQL Analysis** - Static Application Security Testing (SAST)
-2. **Dependency Review** - Scan for vulnerable dependencies in PRs
-3. **Dependabot Configuration** - Automated dependency updates
-
-## Resources
-
-- [GitHub Security Hardening Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
-- [Step Security Harden-Runner](https://github.com/step-security/harden-runner)
-- [Secure-Repo Best Practices](https://github.com/step-security/secure-repo)

.cursor/rules/review-and-refine.mdc

@@ -1,179 +0,0 @@
----
-description: Apply these quality standards before finalizing code changes to ensure DRY principles, React best practices, TypeScript conventions, and maintainable code.
-globs:
-alwaysApply: false
----
-
-# Review & Refine
-
-Before finalizing any code changes, review your implementation against these quality standards:
-
-## Core Principles
-
-### DRY (Don't Repeat Yourself)
-
-- Extract duplicated logic into reusable functions or hooks
-- If the same code appears in multiple places, consolidate it
-- Create helper functions at appropriate scope (component-level, module-level, or utility files)
-- Avoid copy-pasting code blocks
-
-### Code Reduction
-
-- Remove unnecessary code, comments, and abstractions
-- Prefer built-in solutions over custom implementations
-- Consolidate similar logic
-- Remove dead code and unused imports
-- Question if every line of code is truly needed
-
-## React Best Practices
-
-### Component Design
-
-- Keep components focused on a single responsibility
-- Extract complex logic into custom hooks
-- Prefer composition over prop drilling
-- Use children props and render props when appropriate
-- Keep component files under 300 lines when possible
-
-### Hooks Usage
-
-- Follow Rules of Hooks (only call at top level, only in React functions)
-- Extract complex `useEffect` logic into custom hooks
-- Use `useMemo` and `useCallback` only when you have a measured performance issue
-- Declare dependencies arrays correctly - don't ignore exhaustive-deps warnings
-- Keep `useEffect` focused on a single concern
-
-### State Management
-
-- Colocate state as close as possible to where it's used
-- Lift state only when necessary
-- Use `useReducer` for complex state logic with multiple sub-values
-- Avoid derived state - compute values during render instead
-- Don't store values in state that can be computed from props
-
-### Event Handlers
-
-- Name event handlers with `handle` prefix (e.g., `handleClick`, `handleSubmit`)
-- Extract complex event handler logic into separate functions
-- Avoid inline arrow functions in JSX when they contain complex logic
-
-## TypeScript Best Practices
-
-### Type Safety
-
-- Prefer type inference over explicit types when possible
-- Use `const` assertions for literal types
-- Avoid `any` - use `unknown` if type is truly unknown
-- Use discriminated unions for complex conditional logic
-- Leverage type guards and narrowing
-
-### Interface & Type Usage
-
-- Use existing types from `@formbricks/types` - don't recreate them
-- Prefer `interface` for object shapes that might be extended
-- Prefer `type` for unions, intersections, and mapped types
-- Define types close to where they're used unless they're shared
-- Export types from index files for shared types
-
-### Type Assertions
-
-- Avoid type assertions (`as`) when possible
-- Use type guards instead of assertions
-- Only assert when you have more information than TypeScript
-
-## Code Organization
-
-### Separation of Concerns
-
-- Separate business logic from UI rendering
-- Extract API calls into separate functions or modules
-- Keep data transformation separate from component logic
-- Use custom hooks for stateful logic that doesn't render UI
-
-### Function Clarity
-
-- Functions should do one thing well
-- Name functions clearly and descriptively
-- Keep functions small (aim for under 20 lines)
-- Extract complex conditionals into named boolean variables or functions
-- Avoid deep nesting (max 3 levels)
-
-### File Structure
-
-- Group related functions together
-- Order declarations logically (types → hooks → helpers → component)
-- Keep imports organized (external → internal → relative)
-- Consider splitting large files by concern
-
-## Additional Quality Checks
-
-### Performance
-
-- Don't optimize prematurely - measure first
-- Avoid creating new objects/arrays/functions in render unnecessarily
-- Use keys properly in lists (stable, unique identifiers)
-- Lazy load heavy components when appropriate
-
-### Accessibility
-
-- Use semantic HTML elements
-- Include ARIA labels where needed
-- Ensure keyboard navigation works
-- Check color contrast and focus states
-
-### Error Handling
-
-- Handle error states in components
-- Provide user feedback for failed operations
-- Use error boundaries for component errors
-- Log errors appropriately (avoid swallowing errors silently)
-
-### Naming Conventions
-
-- Use descriptive names (avoid abbreviations unless very common)
-- Boolean variables/props should sound like yes/no questions (`isLoading`, `hasError`, `canEdit`)
-- Arrays should be plural (`users`, `choices`, `items`)
-- Event handlers: `handleX` in components, `onX` for props
-- Constants in UPPER_SNAKE_CASE only for true constants
-
-### Code Readability
-
-- Prefer early returns to reduce nesting
-- Use destructuring to make code clearer
-- Break complex expressions into named variables
-- Add comments only when code can't be made self-explanatory
-- Use whitespace to group related code
-
-### Testing Considerations
-
-- Write code that's easy to test (pure functions, clear inputs/outputs)
-- Avoid hard-to-mock dependencies when possible
-- Keep side effects at the edges of your code
-
-## Review Checklist
-
-Before submitting your changes, ask yourself:
-
-1. **DRY**: Is there any duplicated logic I can extract?
-2. **Clarity**: Would another developer understand this code easily?
-3. **Simplicity**: Is this the simplest solution that works?
-4. **Types**: Am I using TypeScript effectively?
-5. **React**: Am I following React idioms and best practices?
-6. **Performance**: Are there obvious performance issues?
-7. **Separation**: Are concerns properly separated?
-8. **Testing**: Is this code testable?
-9. **Maintenance**: Will this be easy to change in 6 months?
-10. **Deletion**: Can I remove any code and still accomplish the goal?
-
-## When to Apply This Rule
-
-Apply this rule:
-
-- After implementing a feature but before marking it complete
-- When you notice your code feels "messy" or complex
-- Before requesting code review
-- When you see yourself copy-pasting code
-- After receiving feedback about code quality
-
-Don't let perfect be the enemy of good, but always strive for:
-**Simple, readable, maintainable code that does one thing well.**

.cursor/rules/storybook-component-migration.mdc

@@ -1,216 +0,0 @@
----
-description: Migrate deprecated UI components to a unified component
-globs: 
-alwaysApply: false
----
-# Component Migration Automation Rule
-
-## Overview
-This rule automates the migration of deprecated components to new component systems in React/TypeScript codebases.
-
-## Trigger
-When the user requests component migration (e.g., "migrate [DeprecatedComponent] to [NewComponent]" or "component migration").
-
-## Process
-
-### Step 1: Discovery and Planning
-1. **Identify migration parameters:**
-   - Ask user for deprecated component name (e.g., "Modal")
-   - Ask user for new component name(s) (e.g., "Dialog")
-   - Ask for any components to exclude (e.g., "ModalWithTabs")
-   - Ask for specific import paths if needed
-
-2. **Scan codebase** for deprecated components:
-   - Search for `import.*[DeprecatedComponent]` patterns
-   - Exclude specified components that should not be migrated
-   - List all found components with file paths
-   - Present numbered list to user for confirmation
-
-### Step 2: Component-by-Component Migration
-For each component, follow this exact sequence:
-
-#### 2.1 Component Migration
-- **Import changes:**
-  - Ask user to provide the new import structure
-  - Example transformation pattern:
-  ```typescript
-  // FROM:
-  import { [DeprecatedComponent] } from "@/components/ui/[DeprecatedComponent]"
-  
-  // TO:
-  import {
-    [NewComponent],
-    [NewComponentPart1],
-    [NewComponentPart2],
-    // ... other parts
-  } from "@/components/ui/[NewComponent]"
-  ```
-
-- **Props transformation:**
-  - Ask user for prop mapping rules (e.g., `open` → `open`, `setOpen` → `onOpenChange`)
-  - Ask for props to remove (e.g., `noPadding`, `closeOnOutsideClick`, `size`)
-  - Apply transformations based on user specifications
-
-- **Structure transformation:**
-  - Ask user for the new component structure pattern
-  - Apply the transformation maintaining all functionality
-  - Preserve all existing logic, state management, and event handlers
-
-#### 2.2 Wait for User Approval
-- Present the migration changes
-- Wait for explicit user approval before proceeding
-- If rejected, ask for specific feedback and iterate
-#### 2.3 Re-read and Apply Additional Changes
-- Re-read the component file to capture any user modifications
-- Apply any additional improvements the user made
-- Ensure all changes are incorporated
-
-#### 2.4 Test File Updates
-- **Find corresponding test file** (same name with `.test.tsx` or `.test.ts`)
-- **Update test mocks:**
-  - Ask user for new component mock structure
-  - Replace old component mocks with new ones
-  - Example pattern:
-  ```typescript
-  // Add to test setup:
-  jest.mock("@/components/ui/[NewComponent]", () => ({
-    [NewComponent]: ({ children, [props] }: any) => ([mock implementation]),
-    [NewComponentPart1]: ({ children }: any) => <div data-testid="[new-component-part1]">{children}</div>,
-    [NewComponentPart2]: ({ children }: any) => <div data-testid="[new-component-part2]">{children}</div>,
-    // ... other parts
-  }));
-  ```
-- **Update test expectations:**
-  - Change test IDs from old component to new component
-  - Update any component-specific assertions
-  - Ensure all new component parts used in the component are mocked
-
-#### 2.5 Run Tests and Optimize
-- Execute `Node package manager test -- ComponentName.test.tsx`
-- Fix any failing tests
-- Optimize code quality (imports, formatting, etc.)
-- Re-run tests until all pass
-- **Maximum 3 iterations** - if still failing, ask user for guidance
-
-#### 2.6 Wait for Final Approval
-- Present test results and any optimizations made
-- Wait for user approval of the complete migration
-- If rejected, iterate based on feedback
-
-#### 2.7 Git Commit
-- Run: `git add .`
-- Run: `git commit -m "migrate [ComponentName] from [DeprecatedComponent] to [NewComponent]"`
-- Confirm commit was successful
-
-### Step 3: Final Report Generation
-After all components are migrated, generate a comprehensive GitHub PR report:
-
-#### PR Title
-```
-feat: migrate [DeprecatedComponent] components to [NewComponent] system
-```
-
-#### PR Description Template
-```markdown
-## 🔄 [DeprecatedComponent] to [NewComponent] Migration
-
-### Overview
-Migrated [X] [DeprecatedComponent] components to the new [NewComponent] component system to modernize the UI architecture and improve consistency.
-
-### Components Migrated
-[List each component with file path]
-
-### Technical Changes
-- **Imports:** Replaced `[DeprecatedComponent]` with `[NewComponent], [NewComponentParts...]`
-- **Props:** [List prop transformations]
-- **Structure:** Implemented proper [NewComponent] component hierarchy
-- **Styling:** [Describe styling changes]
-- **Tests:** Updated all test mocks and expectations
-
-### Migration Pattern
-```typescript
-// Before
-<[DeprecatedComponent] [oldProps]>
-  [oldStructure]
-</[DeprecatedComponent]>
-
-// After
-<[NewComponent] [newProps]>
-  [newStructure]
-</[NewComponent]>
-```
-
-### Testing
-- ✅ All existing tests updated and passing
-- ✅ Component functionality preserved
-- ✅ UI/UX behavior maintained
-
-### How to Test This PR
-1. **Functional Testing:**
-   - Navigate to each migrated component's usage
-   - Verify [component] opens and closes correctly
-   - Test all interactive elements within [components]
-   - Confirm styling and layout are preserved
-
-2. **Automated Testing:**
-   ```bash
-   Node package manager test
-   ```
-
-3. **Visual Testing:**
-   - Check that all [components] maintain proper styling
-   - Verify responsive behavior
-   - Test keyboard navigation and accessibility
-
-### Breaking Changes
-[List any breaking changes or state "None - this is a drop-in replacement maintaining all existing functionality."]
-
-### Notes
-- [Any excluded components] were preserved as they already use [NewComponent] internally
-- All form validation and complex state management preserved
-- Enhanced code quality with better imports and formatting
-```
-
-## Special Considerations
-
-### Excluded Components
-- **DO NOT MIGRATE** components specified by user as exclusions
-- They may already use the new component internally or have other reasons
-- Inform user these are skipped and why
-
-### Complex Components
-- Preserve all existing functionality (forms, validation, state management)
-- Maintain prop interfaces
-- Keep all event handlers and callbacks
-- Preserve accessibility features
-
-### Test Coverage
-- Ensure all new component parts are mocked when used
-- Mock all new component parts that appear in the component
-- Update test IDs from old component to new component
-- Maintain all existing test scenarios
-
-### Error Handling
-- If tests fail after 3 iterations, stop and ask user for guidance
-- If component is too complex, ask user for specific guidance
-- If unsure about functionality preservation, ask for clarification
-
-### Migration Patterns
-- Always ask user for specific migration patterns before starting
-- Confirm import structures, prop mappings, and component hierarchies
-- Adapt to different component architectures (simple replacements, complex restructuring, etc.)
-
-## Success Criteria
-- All deprecated components successfully migrated to new components
-- All tests passing
-- No functionality lost
-- Code quality maintained or improved
-- User approval on each component
-- Successful git commits for each migration
-- Comprehensive PR report generated
-
-## Usage Examples
-- "migrate Modal to Dialog"
-- "migrate Button to NewButton" 
-- "migrate Card to ModernCard"
-- "component migration" (will prompt for details) 

.cursor/rules/storybook-create-new-story.mdc

@@ -1,177 +0,0 @@
----
-description: Create a story in Storybook for a given component
-globs:
-alwaysApply: false
----
-
-# Formbricks Storybook Stories
-
-## When generating Storybook stories for Formbricks components:
-
-### 1. **File Structure**
-- Create `stories.tsx` (not `.stories.tsx`) in component directory
-- Use exact import: `import { Meta, StoryObj } from "@storybook/react-vite";`
-- Import component from `"./index"`
-
-### 2. **Story Structure Template**
-```tsx
-import { Meta, StoryObj } from "@storybook/react-vite";
-import { ComponentName } from "./index";
-
-// For complex components with configurable options
-// consider this as an example the options need to reflect the props types
-interface StoryOptions {
-  showIcon: boolean;
-  numberOfElements: number;
-  customLabels: string[];
-}
-
-type StoryProps = React.ComponentProps<typeof ComponentName> & StoryOptions;
-
-const meta: Meta<StoryProps> = {
-  title: "UI/ComponentName",
-  component: ComponentName,
-  tags: ["autodocs"],
-  parameters: {
-    layout: "centered",
-    controls: { sort: "alpha", exclude: [] },
-    docs: {
-      description: {
-        component: "The **ComponentName** component provides [description].",
-      },
-    },
-  },
-  argTypes: {
-    // Organize in exactly these categories: Behavior, Appearance, Content
-  },
-};
-
-export default meta;
-type Story = StoryObj<typeof ComponentName> & { args: StoryOptions };
-```
-
-### 3. **ArgTypes Organization**
-Organize ALL argTypes into exactly three categories:
-- **Behavior**: disabled, variant, onChange, etc.
-- **Appearance**: size, color, layout, styling, etc.  
-- **Content**: text, icons, numberOfElements, etc.
-
-Format:
-```tsx
-argTypes: {
-  propName: {
-    control: "select" | "boolean" | "text" | "number",
-    options: ["option1", "option2"], // for select
-    description: "Clear description",
-    table: {
-      category: "Behavior" | "Appearance" | "Content",
-      type: { summary: "string" },
-      defaultValue: { summary: "default" },
-    },
-    order: 1,
-  },
-}
-```
-
-### 4. **Required Stories**
-Every component must include:
-- `Default`: Most common use case
-- `Disabled`: If component supports disabled state
-- `WithIcon`: If component supports icons
-- Variant stories for each variant (Primary, Secondary, Error, etc.)
-- Edge case stories (ManyElements, LongText, CustomStyling)
-
-### 5. **Story Format**
-```tsx
-export const Default: Story = {
-  args: {
-    // Props with realistic values
-  },
-};
-
-export const EdgeCase: Story = {
-  args: { /* ... */ },
-  parameters: {
-    docs: {
-      description: {
-        story: "Use this when [specific scenario].",
-      },
-    },
-  },
-};
-```
-
-### 6. **Dynamic Content Pattern**
-For components with dynamic content, create render function:
-```tsx
-const renderComponent = (args: StoryProps) => {
-  const { numberOfElements, showIcon, customLabels } = args;
-  
-  // Generate dynamic content
-  const elements = Array.from({ length: numberOfElements }, (_, i) => ({
-    id: `element-${i}`,
-    label: customLabels[i] || `Element ${i + 1}`,
-    icon: showIcon ? <IconComponent /> : undefined,
-  }));
-  
-  return <ComponentName {...args} elements={elements} />;
-};
-
-export const Dynamic: Story = {
-  render: renderComponent,
-  args: {
-    numberOfElements: 3,
-    showIcon: true,
-    customLabels: ["First", "Second", "Third"],
-  },
-};
-```
-
-### 7. **State Management**
-For interactive components:
-```tsx
-import { useState } from "react";
-
-const ComponentWithState = (args: any) => {
-  const [value, setValue] = useState(args.defaultValue);
-  
-  return (
-    <ComponentName
-      {...args}
-      value={value}
-      onChange={(newValue) => {
-        setValue(newValue);
-        args.onChange?.(newValue);
-      }}
-    />
-  );
-};
-
-export const Interactive: Story = {
-  render: ComponentWithState,
-  args: { defaultValue: "initial" },
-};
-```
-
-### 8. **Quality Requirements**
-- Include component description in parameters.docs
-- Add story documentation for non-obvious use cases
-- Test edge cases (overflow, empty states, many elements)
-- Ensure no TypeScript errors
-- Use realistic prop values
-- Include at least 3-5 story variants
-- Example values need to be in the context of survey application
-
-### 9. **Naming Conventions**
-- **Story titles**: "UI/ComponentName"
-- **Story exports**: PascalCase (Default, WithIcon, ManyElements)
-- **Categories**: "Behavior", "Appearance", "Content" (exact spelling)
-- **Props**: camelCase matching component props
-
-### 10. **Special Cases**
-- **Generic components**: Remove `component` from meta if type conflicts
-- **Form components**: Include Invalid, WithValue stories
-- **Navigation**: Include ManyItems stories
-- **Modals, Dropdowns and Popups **: Include trigger and content structure
-
-## Generate stories that are comprehensive, well-documented, and reflect all component states and edge cases. 

.cursor/rules/testing-patterns.mdc

@@ -90,7 +90,7 @@ When testing hooks that use React Context:
 vi.mocked(useResponseFilter).mockReturnValue({
   selectedFilter: {
     filter: [],
-    responseStatus: "all",
+    onlyComplete: false,
   },
   setSelectedFilter: vi.fn(),
   selectedOptions: {
@@ -291,6 +291,11 @@ test("handles different modes", async () => {
     expect(vi.mocked(regularApi)).toHaveBeenCalled();
   });
   
+  // Test sharing mode
+  vi.mocked(useParams).mockReturnValue({ 
+    surveyId: "123", 
+    sharingKey: "share-123" 
+  });
   rerender();
   
   await waitFor(() => {

.env.example

@@ -62,6 +62,9 @@ SMTP_PASSWORD=smtpPassword
 
 # Uncomment the variables you would like to use and customize the values.
 
+# Custom local storage path for file uploads
+#UPLOADS_DIR=
+
 ##############
 # S3 STORAGE #
 ##############
@@ -77,8 +80,8 @@ S3_ENDPOINT_URL=
 # Force path style for S3 compatible storage (0 for disabled, 1 for enabled)
 S3_FORCE_PATH_STYLE=0
 
-# Set this URL to add a public domain for all your client facing routes(default is WEBAPP_URL)
-# PUBLIC_URL=https://survey.example.com
+# Set this URL to add a custom domain to your survey links(default is WEBAPP_URL)
+# SURVEY_URL=https://survey.example.com
 
 #####################
 # Disable Features  #
@@ -96,6 +99,8 @@ PASSWORD_RESET_DISABLED=1
 # Organization Invite. Disable the ability for invited users to create an account.
 # INVITE_DISABLED=1
 
+# Docker cron jobs. Disable the supercronic cron jobs in the Docker image (useful for cluster setups).
+# DOCKER_CRON_ENABLED=1
 
 ##########
 # Other  #
@@ -184,11 +189,15 @@ ENTERPRISE_LICENSE_KEY=
 UNSPLASH_ACCESS_KEY=
 
 # The below is used for Next Caching (uses In-Memory from Next Cache if not provided)
+# You can also add more configuration to Redis using the redis.conf file in the root directory
 REDIS_URL=redis://localhost:6379
 
 # The below is used for Rate Limiting (uses In-Memory LRU Cache if not provided) (You can use a service like Webdis for this)
 # REDIS_HTTP_URL:
 
+# The below is used for Rate Limiting for management API
+UNKEY_ROOT_KEY=
+
 # INTERCOM_APP_ID=
 # INTERCOM_SECRET_KEY=
 
@@ -201,8 +210,6 @@ REDIS_URL=redis://localhost:6379
 # The SENTRY_AUTH_TOKEN variable is picked up by the Sentry Build Plugin.
 # It's used automatically by Sentry during the build for authentication when uploading source maps.
 # SENTRY_AUTH_TOKEN=
-# The SENTRY_ENVIRONMENT is the environment which the error will belong to in the Sentry dashboard
-# SENTRY_ENVIRONMENT=
 
 # Configure the minimum role for user management from UI(owner, manager, disabled)
 # USER_MANAGEMENT_MINIMUM_ROLE="manager"
@@ -210,7 +217,7 @@ REDIS_URL=redis://localhost:6379
 # Configure the maximum age for the session in seconds. Default is 86400 (24 hours)
 # SESSION_MAX_AGE=86400
 
-# Audit logs options. Default 0.
+# Audit logs options. Requires REDIS_URL env varibale. Default 0.
 # AUDIT_LOG_ENABLED=0
 # If the ip should be added in the log or not. Default 0
 # AUDIT_LOG_GET_USER_IP=0

.eslintrc.cjs

@@ -1,13 +0,0 @@
-module.exports = {
-  root: true,
-  ignorePatterns: ["node_modules/", "dist/", "coverage/"],
-  overrides: [
-    {
-      files: ["packages/cache/**/*.{ts,js}"],
-      extends: ["@formbricks/eslint-config/library.js"],
-      parserOptions: {
-        project: "./packages/cache/tsconfig.json",
-      },
-    },
-  ],
-};

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,7 +1,6 @@
 name: Bug report
 description: "Found a bug? Please fill out the sections below. \U0001F44D"
 type: bug
-projects: "formbricks/8"
 labels: ["bug"]
 body:
   - type: textarea

.github/ISSUE_TEMPLATE/config.yml

@@ -1,4 +1,4 @@
-blank_issues_enabled: true
+blank_issues_enabled: false
 contact_links:
   - name: Questions
     url: https://github.com/formbricks/formbricks/discussions

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,7 +1,6 @@
 name: Feature request
 description: "Suggest an idea for this project \U0001F680"
 type: feature
-projects: "formbricks/21"
 body:
   - type: textarea
     id: problem-description

.github/ISSUE_TEMPLATE/task.yml

@@ -0,0 +1,11 @@
+name: Task (internal)
+description: "Template for creating a task. Used by the Formbricks Team only \U0001f4e5"
+type: task
+body:
+  - type: textarea
+    id: task-summary
+    attributes:
+      label: Task description
+      description: A clear detailed-rich description of the task.
+    validations:
+      required: true

.github/actions/build-and-push-docker/action.yml

@@ -1,319 +0,0 @@
-name: Build and Push Docker Image
-description: |
-  Unified Docker build and push action for both ECR and GHCR registries.
-
-  Supports:
-  - ECR builds for Formbricks Cloud deployment
-  - GHCR builds for community self-hosting
-  - Automatic version resolution and tagging
-  - Conditional signing and deployment tags
-
-inputs:
-  registry_type:
-    description: "Registry type: 'ecr' or 'ghcr'"
-    required: true
-
-  # Version input
-  version:
-    description: "Explicit version (SemVer only, e.g., 1.2.3). If provided, this version is used directly. If empty, version is auto-generated from branch name."
-    required: false
-  experimental_mode:
-    description: "Enable experimental timestamped versions"
-    required: false
-    default: "false"
-
-  # ECR specific inputs
-  ecr_registry:
-    description: "ECR registry URL (required for ECR builds)"
-    required: false
-  ecr_repository:
-    description: "ECR repository name (required for ECR builds)"
-    required: false
-  ecr_region:
-    description: "ECR AWS region (required for ECR builds)"
-    required: false
-  aws_role_arn:
-    description: "AWS role ARN for ECR authentication (required for ECR builds)"
-    required: false
-
-  # GHCR specific inputs
-  ghcr_image_name:
-    description: "GHCR image name (required for GHCR builds)"
-    required: false
-
-  # Deployment options
-  deploy_production:
-    description: "Tag image for production deployment"
-    required: false
-    default: "false"
-  deploy_staging:
-    description: "Tag image for staging deployment"
-    required: false
-    default: "false"
-  is_prerelease:
-    description: "Whether this is a prerelease (auto-tags for staging/production)"
-    required: false
-    default: "false"
-  make_latest:
-    description: "Whether to tag as latest/production (from GitHub release 'Set as the latest release' option)"
-    required: false
-    default: "false"
-
-  # Build options
-  dockerfile:
-    description: "Path to Dockerfile"
-    required: false
-    default: "apps/web/Dockerfile"
-  context:
-    description: "Build context"
-    required: false
-    default: "."
-
-outputs:
-  image_tag:
-    description: "Resolved image tag used for the build"
-    value: ${{ steps.version.outputs.version }}
-  registry_tags:
-    description: "Complete registry tags that were pushed"
-    value: ${{ steps.build.outputs.tags }}
-  image_digest:
-    description: "Image digest from the build"
-    value: ${{ steps.build.outputs.digest }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Validate inputs
-      shell: bash
-      env:
-        REGISTRY_TYPE: ${{ inputs.registry_type }}
-        ECR_REGISTRY: ${{ inputs.ecr_registry }}
-        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
-        ECR_REGION: ${{ inputs.ecr_region }}
-        AWS_ROLE_ARN: ${{ inputs.aws_role_arn }}
-        GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
-      run: |
-        set -euo pipefail
-
-        if [[ "$REGISTRY_TYPE" != "ecr" && "$REGISTRY_TYPE" != "ghcr" ]]; then
-          echo "ERROR: registry_type must be 'ecr' or 'ghcr', got: $REGISTRY_TYPE"
-          exit 1
-        fi
-
-        if [[ "$REGISTRY_TYPE" == "ecr" ]]; then
-          if [[ -z "$ECR_REGISTRY" || -z "$ECR_REPOSITORY" || -z "$ECR_REGION" || -z "$AWS_ROLE_ARN" ]]; then
-            echo "ERROR: ECR builds require ecr_registry, ecr_repository, ecr_region, and aws_role_arn"
-            exit 1
-          fi
-        fi
-
-        if [[ "$REGISTRY_TYPE" == "ghcr" ]]; then
-          if [[ -z "$GHCR_IMAGE_NAME" ]]; then
-            echo "ERROR: GHCR builds require ghcr_image_name"
-            exit 1
-          fi
-        fi
-
-        echo "SUCCESS: Input validation passed for $REGISTRY_TYPE build"
-
-    - name: Resolve Docker version
-      id: version
-      uses: ./.github/actions/resolve-docker-version
-      with:
-        version: ${{ inputs.version }}
-        current_branch: ${{ github.ref_name }}
-        experimental_mode: ${{ inputs.experimental_mode }}
-
-    - name: Update package.json version
-      uses: ./.github/actions/update-package-version
-      with:
-        version: ${{ steps.version.outputs.version }}
-
-    - name: Configure AWS credentials (ECR only)
-      if: ${{ inputs.registry_type == 'ecr' }}
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.2.0
-      with:
-        role-to-assume: ${{ inputs.aws_role_arn }}
-        aws-region: ${{ inputs.ecr_region }}
-
-    - name: Log in to Amazon ECR (ECR only)
-      if: ${{ inputs.registry_type == 'ecr' }}
-      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-
-    - name: Set up Docker build tools
-      uses: ./.github/actions/docker-build-setup
-      with:
-        registry: ${{ inputs.registry_type == 'ghcr' && 'ghcr.io' || '' }}
-        setup_cosign: ${{ inputs.registry_type == 'ghcr' && 'true' || 'false' }}
-        skip_login_on_pr: ${{ inputs.registry_type == 'ghcr' && 'true' || 'false' }}
-
-    - name: Build ECR tag list
-      if: ${{ inputs.registry_type == 'ecr' }}
-      id: ecr-tags
-      shell: bash
-      env:
-        IMAGE_TAG: ${{ steps.version.outputs.version }}
-        ECR_REGISTRY: ${{ inputs.ecr_registry }}
-        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
-        DEPLOY_PRODUCTION: ${{ inputs.deploy_production }}
-        DEPLOY_STAGING: ${{ inputs.deploy_staging }}
-        IS_PRERELEASE: ${{ inputs.is_prerelease }}
-        MAKE_LATEST: ${{ inputs.make_latest }}
-      run: |
-        set -euo pipefail
-
-        # Start with the base image tag
-        TAGS="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
-
-        # Handle automatic tagging based on release type
-        if [[ "${IS_PRERELEASE}" == "true" ]]; then
-          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:staging"
-          echo "Adding staging tag for prerelease"
-        elif [[ "${IS_PRERELEASE}" == "false" && "${MAKE_LATEST}" == "true" ]]; then
-          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:production"
-          echo "Adding production tag for stable release marked as latest"
-        fi
-
-        # Handle manual deployment overrides
-        if [[ "${DEPLOY_PRODUCTION}" == "true" ]]; then
-          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:production"
-          echo "Adding production tag (manual override)"
-        fi
-        if [[ "${DEPLOY_STAGING}" == "true" ]]; then
-          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:staging"
-          echo "Adding staging tag (manual override)"
-        fi
-
-        echo "ECR tags generated:"
-        echo -e "${TAGS}"
-
-        {
-          echo "tags<<EOF"
-          echo -e "${TAGS}"
-          echo "EOF"
-        } >> "${GITHUB_OUTPUT}"
-
-    - name: Generate additional GHCR tags for releases
-      if: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'false' && (github.event_name == 'workflow_call' || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }}
-      id: ghcr-extra-tags
-      shell: bash
-      env:
-        VERSION: ${{ steps.version.outputs.version }}
-        IMAGE_NAME: ${{ inputs.ghcr_image_name }}
-        IS_PRERELEASE: ${{ inputs.is_prerelease }}
-        MAKE_LATEST: ${{ inputs.make_latest }}
-      run: |
-        set -euo pipefail
-
-        # Start with base version tag
-        TAGS="ghcr.io/${IMAGE_NAME}:${VERSION}"
-
-        # For proper SemVer releases, add major.minor and major tags
-        if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-          # Extract major and minor versions
-          MAJOR=$(echo "${VERSION}" | cut -d. -f1)
-          MINOR=$(echo "${VERSION}" | cut -d. -f2)
-          
-          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:${MAJOR}.${MINOR}"
-          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:${MAJOR}"
-          
-          echo "Added SemVer tags: ${MAJOR}.${MINOR}, ${MAJOR}"
-        fi
-
-        # Add latest tag for stable releases marked as latest
-        if [[ "${IS_PRERELEASE}" == "false" && "${MAKE_LATEST}" == "true" ]]; then
-          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:latest"
-          echo "Added latest tag for stable release marked as latest"
-        fi
-
-        echo "Generated GHCR tags:"
-        echo -e "${TAGS}"
-
-        # Debug: Show what will be passed to Docker build
-        echo "DEBUG: Tags for Docker build step:"
-        echo -e "${TAGS}"
-
-        {
-          echo "tags<<EOF"
-          echo -e "${TAGS}"
-          echo "EOF"
-        } >> "${GITHUB_OUTPUT}"
-
-    - name: Build GHCR metadata (experimental)
-      if: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' }}
-      id: ghcr-meta-experimental
-      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-      with:
-        images: ghcr.io/${{ inputs.ghcr_image_name }}
-        tags: |
-          type=ref,event=branch
-          type=raw,value=${{ steps.version.outputs.version }}
-
-    - name: Debug Docker build tags
-      shell: bash
-      run: |
-        echo "=== DEBUG: Docker Build Configuration ==="
-        echo "Registry Type: ${{ inputs.registry_type }}"
-        echo "Experimental Mode: ${{ inputs.experimental_mode }}"
-        echo "Event Name: ${{ github.event_name }}"
-        echo "Is Prerelease: ${{ inputs.is_prerelease }}"
-        echo "Make Latest: ${{ inputs.make_latest }}"
-        echo "Version: ${{ steps.version.outputs.version }}"
-
-        if [[ "${{ inputs.registry_type }}" == "ecr" ]]; then
-          echo "ECR Tags: ${{ steps.ecr-tags.outputs.tags }}"
-        elif [[ "${{ inputs.experimental_mode }}" == "true" ]]; then
-          echo "GHCR Experimental Tags: ${{ steps.ghcr-meta-experimental.outputs.tags }}"
-        else
-          echo "GHCR Extra Tags: ${{ steps.ghcr-extra-tags.outputs.tags }}"
-        fi
-
-    - name: Build and push Docker image
-      id: build
-      uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
-      with:
-        project: tw0fqmsx3c
-        token: ${{ env.DEPOT_PROJECT_TOKEN }}
-        context: ${{ inputs.context }}
-        file: ${{ inputs.dockerfile }}
-        platforms: linux/amd64,linux/arm64
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ inputs.registry_type == 'ecr' && steps.ecr-tags.outputs.tags || (inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.tags) || (inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'false' && steps.ghcr-extra-tags.outputs.tags) || (inputs.registry_type == 'ghcr' && format('ghcr.io/{0}:{1}', inputs.ghcr_image_name, steps.version.outputs.version)) || (inputs.registry_type == 'ecr' && format('{0}/{1}:{2}', inputs.ecr_registry, inputs.ecr_repository, steps.version.outputs.version)) }}
-        labels: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.labels || '' }}
-        secrets: |
-          database_url=${{ env.DUMMY_DATABASE_URL }}
-          encryption_key=${{ env.DUMMY_ENCRYPTION_KEY }}
-          redis_url=${{ env.DUMMY_REDIS_URL }}
-          sentry_auth_token=${{ env.SENTRY_AUTH_TOKEN }}
-      env:
-        DEPOT_PROJECT_TOKEN: ${{ env.DEPOT_PROJECT_TOKEN }}
-        DUMMY_DATABASE_URL: ${{ env.DUMMY_DATABASE_URL }}
-        DUMMY_ENCRYPTION_KEY: ${{ env.DUMMY_ENCRYPTION_KEY }}
-        DUMMY_REDIS_URL: ${{ env.DUMMY_REDIS_URL }}
-        SENTRY_AUTH_TOKEN: ${{ env.SENTRY_AUTH_TOKEN }}
-
-    - name: Sign GHCR image (GHCR only)
-      if: ${{ inputs.registry_type == 'ghcr' && (github.event_name == 'workflow_call' || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }}
-      shell: bash
-      env:
-        TAGS: ${{ inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.tags || steps.ghcr-extra-tags.outputs.tags }}
-        DIGEST: ${{ steps.build.outputs.digest }}
-      run: |
-        set -euo pipefail
-        echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
-
-    - name: Output build summary
-      shell: bash
-      env:
-        REGISTRY_TYPE: ${{ inputs.registry_type }}
-        IMAGE_TAG: ${{ steps.version.outputs.version }}
-        VERSION_SOURCE: ${{ steps.version.outputs.source }}
-      run: |
-        echo "SUCCESS: Built and pushed Docker image to $REGISTRY_TYPE"
-        echo "Image Tag: $IMAGE_TAG (source: $VERSION_SOURCE)"
-        if [[ "$REGISTRY_TYPE" == "ecr" ]]; then
-          echo "ECR Registry: ${{ inputs.ecr_registry }}"
-          echo "ECR Repository: ${{ inputs.ecr_repository }}"
-        else
-          echo "GHCR Image: ghcr.io/${{ inputs.ghcr_image_name }}"
-        fi

.github/actions/cache-build-web/action.yml

@@ -62,12 +62,10 @@ runs:
       shell: bash
 
     - name: Fill ENCRYPTION_KEY, ENTERPRISE_LICENSE_KEY and E2E_TESTING in .env
-      env:
-        E2E_TESTING_MODE: ${{ inputs.e2e_testing_mode }}
       run: |
         RANDOM_KEY=$(openssl rand -hex 32)
         sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
-        echo "E2E_TESTING=$E2E_TESTING_MODE" >> .env
+        echo "E2E_TESTING=${{ inputs.e2e_testing_mode }}" >> .env
       shell: bash
 
     - run: |

.github/actions/docker-build-setup/action.yml

@@ -1,106 +0,0 @@
-name: Docker Build Setup
-description: |
-  Sets up common Docker build tools and authentication with security validation.
-
-  Security Features:
-  - Registry URL validation
-  - Input sanitization
-  - Conditional setup based on event type
-  - Post-setup verification
-
-  Supports Depot CLI, Cosign signing, and Docker registry authentication.
-
-inputs:
-  registry:
-    description: "Docker registry hostname to login to (e.g., ghcr.io, registry.example.com:5000). No paths allowed."
-    required: false
-    default: "ghcr.io"
-  setup_cosign:
-    description: "Whether to install cosign for image signing"
-    required: false
-    default: "true"
-  skip_login_on_pr:
-    description: "Whether to skip registry login on pull requests"
-    required: false
-    default: "true"
-
-runs:
-  using: "composite"
-  steps:
-    - name: Validate inputs
-      shell: bash
-      env:
-        REGISTRY: ${{ inputs.registry }}
-        SETUP_COSIGN: ${{ inputs.setup_cosign }}
-        SKIP_LOGIN_ON_PR: ${{ inputs.skip_login_on_pr }}
-      run: |
-        set -euo pipefail
-
-        # Security: Validate registry input - must be hostname[:port] only, no paths
-        # Allow empty registry for cases where login is handled externally (e.g., ECR)
-        if [[ -n "$REGISTRY" ]]; then
-          if [[ "$REGISTRY" =~ / ]]; then
-            echo "ERROR: Invalid registry format: $REGISTRY"
-            echo "Registry must be host[:port] with no path (e.g., 'ghcr.io' or 'registry.example.com:5000')"
-            echo "Path components like 'ghcr.io/org' are not allowed as they break docker login"
-            exit 1
-          fi
-
-          # Validate hostname with optional port format
-          if [[ ! "$REGISTRY" =~ ^[a-zA-Z0-9.-]+(\:[0-9]+)?$ ]]; then
-            echo "ERROR: Invalid registry hostname format: $REGISTRY"
-            echo "Registry must be a valid hostname optionally with port (e.g., 'ghcr.io' or 'registry.example.com:5000')"
-            exit 1
-          fi
-        fi
-
-        # Validate boolean inputs
-        if [[ "$SETUP_COSIGN" != "true" && "$SETUP_COSIGN" != "false" ]]; then
-          echo "ERROR: setup_cosign must be 'true' or 'false', got: $SETUP_COSIGN"
-          exit 1
-        fi
-
-        if [[ "$SKIP_LOGIN_ON_PR" != "true" && "$SKIP_LOGIN_ON_PR" != "false" ]]; then
-          echo "ERROR: skip_login_on_pr must be 'true' or 'false', got: $SKIP_LOGIN_ON_PR"
-          exit 1
-        fi
-
-        echo "SUCCESS: Input validation passed"
-
-    - name: Set up Depot CLI
-      uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-
-    - name: Install cosign
-      # Install cosign when requested AND when we might actually sign images
-      # (i.e., non-PR contexts or when we login on PRs)
-      if: ${{ inputs.setup_cosign == 'true' && (inputs.skip_login_on_pr == 'false' || github.event_name != 'pull_request') }}
-      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-
-    - name: Log into registry
-      if: ${{ inputs.registry != '' && (inputs.skip_login_on_pr == 'false' || github.event_name != 'pull_request') }}
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-      with:
-        registry: ${{ inputs.registry }}
-        username: ${{ github.actor }}
-        password: ${{ github.token }}
-
-    - name: Verify setup completion
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        # Verify Depot CLI is available
-        if ! command -v depot >/dev/null 2>&1; then
-          echo "ERROR: Depot CLI not found in PATH"
-          exit 1
-        fi
-
-        # Verify cosign if it should be installed (same conditions as install step)
-        if [[ "${{ inputs.setup_cosign }}" == "true" ]] && [[ "${{ inputs.skip_login_on_pr }}" == "false" || "${{ github.event_name }}" != "pull_request" ]]; then
-          if ! command -v cosign >/dev/null 2>&1; then
-            echo "ERROR: Cosign not found in PATH despite being requested"
-            exit 1
-          fi
-        fi
-
-        echo "SUCCESS: Docker build setup completed successfully"

.github/actions/resolve-docker-version/action.yml

@@ -1,192 +0,0 @@
-name: Resolve Docker Version
-description: |
-  Resolves and validates Docker-compatible SemVer versions for container builds with comprehensive security.
-
-  Security Features:
-  - Command injection protection
-  - Input sanitization and validation
-  - Docker tag character restrictions
-  - Length limits and boundary checks
-  - Safe branch name handling
-
-  Supports multiple modes: release, manual override, branch auto-detection, and experimental timestamped versions.
-
-inputs:
-  version:
-    description: "Explicit version (SemVer only, e.g., 1.2.3-beta). If provided, this version is used directly. If empty, version is auto-generated from branch name."
-    required: false
-  current_branch:
-    description: "Current branch name for auto-detection"
-    required: true
-  experimental_mode:
-    description: "Enable experimental mode with timestamp-based versions"
-    required: false
-    default: "false"
-
-outputs:
-  version:
-    description: "Resolved Docker-compatible SemVer version"
-    value: ${{ steps.resolve.outputs.version }}
-  source:
-    description: "Source of version (release|override|branch)"
-    value: ${{ steps.resolve.outputs.source }}
-  normalized:
-    description: "Whether the version was normalized (true/false)"
-    value: ${{ steps.resolve.outputs.normalized }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Resolve and validate Docker version
-      id: resolve
-      shell: bash
-      env:
-        EXPLICIT_VERSION: ${{ inputs.version }}
-        CURRENT_BRANCH: ${{ inputs.current_branch }}
-        EXPERIMENTAL_MODE: ${{ inputs.experimental_mode }}
-      run: |
-        set -euo pipefail
-
-        # Function to validate SemVer format (Docker-compatible, no '+' build metadata)
-        validate_semver() {
-          local version="$1"
-          local context="$2"
-          
-          if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "ERROR: Invalid $context format. Must be semver without build metadata (e.g., 1.2.3, 1.2.3-alpha)"
-            echo "Provided: $version"
-            echo "Note: Docker tags cannot contain '+' characters. Use prerelease identifiers instead."
-            exit 1
-          fi
-        }
-
-        # Function to generate branch-based version
-        generate_branch_version() {
-          local branch="$1"
-          local use_timestamp="${2:-true}"
-          local timestamp
-          
-          if [[ "$use_timestamp" == "true" ]]; then
-            timestamp=$(date +%s)
-          else
-            timestamp=""
-          fi
-          
-          # Sanitize branch name for Docker compatibility
-          local sanitized_branch=$(echo "$branch" | sed 's/[^a-zA-Z0-9.-]/-/g' | sed 's/--*/-/g' | sed 's/^-\|-$//g')
-          
-          # Additional safety: truncate if too long (reserve space for prefix and timestamp)
-          if (( ${#sanitized_branch} > 80 )); then
-            sanitized_branch="${sanitized_branch:0:80}"
-            echo "INFO: Branch name truncated for Docker compatibility" >&2
-          fi
-          local version
-          
-          # Generate version based on branch name (unified approach)
-          # All branches get alpha versions with sanitized branch name
-          if [[ -n "$timestamp" ]]; then
-            version="0.0.0-alpha-$sanitized_branch-$timestamp"
-            echo "INFO: Branch '$branch' detected - alpha version: $version" >&2
-          else
-            version="0.0.0-alpha-$sanitized_branch"
-            echo "INFO: Branch '$branch' detected - alpha version: $version" >&2
-          fi
-          
-          echo "$version"
-        }
-
-
-        # Input validation and sanitization
-        if [[ -z "$CURRENT_BRANCH" ]]; then
-          echo "ERROR: current_branch input is required"
-          exit 1
-        fi
-
-        # Security: Validate inputs to prevent command injection
-        # Use grep to check for dangerous characters (more reliable than bash regex)
-        validate_input() {
-          local input="$1"
-          local name="$2"
-          
-          # Check for dangerous characters using grep
-          if echo "$input" | grep -q '[;|&`$(){}\\[:space:]]'; then
-            echo "ERROR: $name contains potentially dangerous characters: $input"
-            echo "Input should only contain letters, numbers, hyphens, underscores, dots, and forward slashes"
-            return 1
-          fi
-          
-          return 0
-        }
-
-        # Validate current branch
-        if ! validate_input "$CURRENT_BRANCH" "Branch name"; then
-          exit 1
-        fi
-
-        # Validate explicit version if provided
-        if [[ -n "$EXPLICIT_VERSION" ]] && ! validate_input "$EXPLICIT_VERSION" "Explicit version"; then
-          exit 1
-        fi
-
-        # Main resolution logic (ultra-simplified)
-        NORMALIZED="false"
-
-        if [[ -n "$EXPLICIT_VERSION" ]]; then
-          # Use provided explicit version (from either workflow_call or manual input)
-          validate_semver "$EXPLICIT_VERSION" "explicit version"
-          
-          # Normalize to lowercase for Docker/ECR compatibility
-          RESOLVED_VERSION="${EXPLICIT_VERSION,,}"
-          if [[ "$EXPLICIT_VERSION" != "$RESOLVED_VERSION" ]]; then
-            NORMALIZED="true"
-            echo "INFO: Original version contained uppercase characters, normalized: $EXPLICIT_VERSION -> $RESOLVED_VERSION"
-          fi
-          
-          SOURCE="explicit"
-          echo "INFO: Using explicit version: $RESOLVED_VERSION"
-          
-        else
-          # Auto-generate version from branch name
-          if [[ "$EXPERIMENTAL_MODE" == "true" ]]; then
-            # Use timestamped version generation
-            echo "INFO: Experimental mode: generating timestamped version from branch: $CURRENT_BRANCH"
-            RESOLVED_VERSION=$(generate_branch_version "$CURRENT_BRANCH" "true")
-            SOURCE="experimental"
-          else
-            # Standard branch version (no timestamp)
-            echo "INFO: Auto-detecting version from branch: $CURRENT_BRANCH"
-            RESOLVED_VERSION=$(generate_branch_version "$CURRENT_BRANCH" "false")
-            SOURCE="branch"
-          fi
-          echo "Generated version: $RESOLVED_VERSION"
-        fi
-
-        # Final validation - ensure result is valid Docker tag
-        if [[ -z "$RESOLVED_VERSION" ]]; then
-          echo "ERROR: Failed to resolve version"
-          exit 1
-        fi
-
-        if (( ${#RESOLVED_VERSION} > 128 )); then
-          echo "ERROR: Version must be at most 128 characters (Docker limitation)"
-          echo "Generated version: $RESOLVED_VERSION (${#RESOLVED_VERSION} chars)"
-          exit 1
-        fi
-
-        if [[ ! "$RESOLVED_VERSION" =~ ^[a-z0-9._-]+$ ]]; then
-          echo "ERROR: Version contains invalid characters for Docker tags"
-          echo "Version: $RESOLVED_VERSION"
-          exit 1
-        fi
-
-        if [[ "$RESOLVED_VERSION" =~ ^[.-] || "$RESOLVED_VERSION" =~ [.-]$ ]]; then
-          echo "ERROR: Version must not start or end with '.' or '-'"
-          echo "Version: $RESOLVED_VERSION"
-          exit 1
-        fi
-
-        # Output results
-        echo "SUCCESS: Resolved Docker version: $RESOLVED_VERSION (source: $SOURCE)"
-        echo "version=$RESOLVED_VERSION" >> $GITHUB_OUTPUT
-        echo "source=$SOURCE" >> $GITHUB_OUTPUT
-        echo "normalized=$NORMALIZED" >> $GITHUB_OUTPUT

.github/actions/update-package-version/action.yml

@@ -1,160 +0,0 @@
-name: Update Package Version
-description: |
-  Safely updates package.json version with comprehensive validation and atomic operations.
-
-  Security Features:
-  - Path traversal protection
-  - SemVer validation with length limits
-  - Atomic file operations with backup/recovery
-  - JSON validation before applying changes
-
-  This action is designed to be secure by default and prevent common attack vectors.
-
-inputs:
-  version:
-    description: "Version to set in package.json (must be valid SemVer)"
-    required: true
-  package_path:
-    description: "Path to package.json file"
-    required: false
-    default: "./apps/web/package.json"
-
-outputs:
-  updated_version:
-    description: "The version that was actually set in package.json"
-    value: ${{ steps.update.outputs.updated_version }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Update and verify package.json version
-      id: update
-      shell: bash
-      env:
-        VERSION: ${{ inputs.version }}
-        PACKAGE_PATH: ${{ inputs.package_path }}
-      run: |
-        set -euo pipefail
-
-        # Validate inputs
-        if [[ -z "$VERSION" ]]; then
-          echo "ERROR: version input is required"
-          exit 1
-        fi
-
-        # Security: Validate package_path to prevent path traversal attacks
-        # Only allow paths within the workspace and must end with package.json
-        if [[ "$PACKAGE_PATH" =~ \.\./|^/|^~ ]]; then
-          echo "ERROR: Invalid package path - path traversal detected: $PACKAGE_PATH"
-          echo "Package path must be relative to workspace root and cannot contain '../', start with '/', or '~'"
-          exit 1
-        fi
-
-        if [[ ! "$PACKAGE_PATH" =~ package\.json$ ]]; then
-          echo "ERROR: Package path must end with 'package.json': $PACKAGE_PATH"
-          exit 1
-        fi
-
-        # Resolve to absolute path within workspace for additional security
-        WORKSPACE_ROOT="${GITHUB_WORKSPACE:-$(pwd)}"
-
-        # Use realpath to resolve both paths and handle symlinks properly
-        WORKSPACE_ROOT=$(realpath "$WORKSPACE_ROOT")
-        RESOLVED_PATH=$(realpath "${WORKSPACE_ROOT}/${PACKAGE_PATH}")
-
-        # Ensure WORKSPACE_ROOT has a trailing slash for proper prefix matching
-        WORKSPACE_ROOT="${WORKSPACE_ROOT}/"
-
-        # Use shell string matching to ensure RESOLVED_PATH is within workspace
-        # This is more secure than regex and handles edge cases properly
-        if [[ "$RESOLVED_PATH" != "$WORKSPACE_ROOT"* ]]; then
-          echo "ERROR: Resolved path is outside workspace: $RESOLVED_PATH"
-          echo "Workspace root: $WORKSPACE_ROOT"
-          exit 1
-        fi
-
-        if [[ ! -f "$RESOLVED_PATH" ]]; then
-          echo "ERROR: package.json not found at: $RESOLVED_PATH"
-          exit 1
-        fi
-
-        # Use resolved path for operations
-        PACKAGE_PATH="$RESOLVED_PATH"
-
-        # Validate SemVer format with additional security checks
-        if [[ ${#VERSION} -gt 128 ]]; then
-          echo "ERROR: Version string too long (${#VERSION} chars, max 128): $VERSION"
-          exit 1
-        fi
-
-        if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
-          echo "ERROR: Invalid SemVer format: $VERSION"
-          echo "Expected format: MAJOR.MINOR.PATCH[-PRERELEASE]"
-          echo "Only alphanumeric characters, dots, and hyphens allowed in prerelease"
-          exit 1
-        fi
-
-        # Additional validation: Check for reasonable version component sizes
-        # Extract base version (MAJOR.MINOR.PATCH) without prerelease/build metadata
-        if [[ "$VERSION" =~ ^([0-9]+\.[0-9]+\.[0-9]+) ]]; then
-          BASE_VERSION="${BASH_REMATCH[1]}"
-        else
-          echo "ERROR: Could not extract base version from: $VERSION"
-          exit 1
-        fi
-
-        # Split version components safely
-        IFS='.' read -ra VERSION_PARTS <<< "$BASE_VERSION"
-
-        # Validate component sizes (should have exactly 3 parts due to regex above)
-        if (( ${VERSION_PARTS[0]} > 999 || ${VERSION_PARTS[1]} > 999 || ${VERSION_PARTS[2]} > 999 )); then
-          echo "ERROR: Version components too large (max 999 each): $VERSION"
-          echo "Components: ${VERSION_PARTS[0]}.${VERSION_PARTS[1]}.${VERSION_PARTS[2]}"
-          exit 1
-        fi
-
-        echo "Updating package.json version to: $VERSION"
-
-        # Create backup for atomic operations
-        BACKUP_PATH="${PACKAGE_PATH}.backup.$$"
-        cp "$PACKAGE_PATH" "$BACKUP_PATH"
-
-        # Use jq to safely update the version field with error handling
-        if ! jq --arg version "$VERSION" '.version = $version' "$PACKAGE_PATH" > "${PACKAGE_PATH}.tmp"; then
-          echo "ERROR: jq failed to process package.json"
-          rm -f "${PACKAGE_PATH}.tmp" "$BACKUP_PATH"
-          exit 1
-        fi
-
-        # Validate the generated JSON before applying changes
-        if ! jq empty "${PACKAGE_PATH}.tmp" 2>/dev/null; then
-          echo "ERROR: Generated invalid JSON"
-          rm -f "${PACKAGE_PATH}.tmp" "$BACKUP_PATH"
-          exit 1
-        fi
-
-        # Atomic move operation
-        if ! mv "${PACKAGE_PATH}.tmp" "$PACKAGE_PATH"; then
-          echo "ERROR: Failed to update package.json"
-          # Restore backup
-          mv "$BACKUP_PATH" "$PACKAGE_PATH"
-          exit 1
-        fi
-
-        # Verify the update was successful
-        UPDATED_VERSION=$(jq -r '.version' "$PACKAGE_PATH" 2>/dev/null)
-
-        if [[ "$UPDATED_VERSION" != "$VERSION" ]]; then
-          echo "ERROR: Version update failed!"
-          echo "Expected: $VERSION"
-          echo "Actual: $UPDATED_VERSION"
-          # Restore backup
-          mv "$BACKUP_PATH" "$PACKAGE_PATH"
-          exit 1
-        fi
-
-        # Clean up backup on success
-        rm -f "$BACKUP_PATH"
-
-        echo "SUCCESS: Updated package.json version to: $UPDATED_VERSION"
-        echo "updated_version=$UPDATED_VERSION" >> $GITHUB_OUTPUT

.github/workflows/apply-issue-labels-to-pr.yml

@@ -0,0 +1,82 @@
+name: "Apply issue labels to PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+
+permissions:
+  contents: read
+
+jobs:
+  label_on_pr:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+      issues: read
+      pull-requests: write
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Apply labels from linked issue to PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            async function getLinkedIssues(owner, repo, prNumber) {
+              const query = `query GetLinkedIssues($owner: String!, $repo: String!, $prNumber: Int!) {
+                repository(owner: $owner, name: $repo) {
+                  pullRequest(number: $prNumber) {
+                    closingIssuesReferences(first: 10) {
+                      nodes {
+                        number
+                        labels(first: 10) {
+                          nodes {
+                            name
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }`;
+
+              const variables = {
+                owner: owner,
+                repo: repo,
+                prNumber: prNumber,
+              };
+
+              const result = await github.graphql(query, variables);
+              return result.repository.pullRequest.closingIssuesReferences.nodes;
+            }
+
+            const pr = context.payload.pull_request;
+            const linkedIssues = await getLinkedIssues(
+              context.repo.owner,
+              context.repo.repo,
+              pr.number
+            );
+
+            const labelsToAdd = new Set();
+            for (const issue of linkedIssues) {
+              if (issue.labels && issue.labels.nodes) {
+                for (const label of issue.labels.nodes) {
+                  labelsToAdd.add(label.name);
+                }
+              }
+            }
+
+            if (labelsToAdd.size) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                labels: Array.from(labelsToAdd),
+              });
+            }

.github/workflows/build-and-push-ecr.yml

@@ -1,94 +0,0 @@
-name: Build Cloud Deployment Images
-
-# This workflow builds Formbricks Docker images for ECR deployment:
-# - workflow_call: Used by releases with explicit SemVer versions
-# - workflow_dispatch: Auto-detects version from current branch or uses override
-
-on:
-  workflow_dispatch:
-    inputs:
-      version_override:
-        description: "Override version (SemVer only, e.g., 1.2.3). Leave empty to auto-detect from branch."
-        required: false
-        type: string
-      deploy_production:
-        description: "Tag image for production deployment"
-        required: false
-        default: false
-        type: boolean
-      deploy_staging:
-        description: "Tag image for staging deployment"
-        required: false
-        default: false
-        type: boolean
-  workflow_call:
-    inputs:
-      image_tag:
-        description: "Image tag to push (required for workflow_call)"
-        required: true
-        type: string
-      IS_PRERELEASE:
-        description: "Whether this is a prerelease (auto-tags for staging/production)"
-        required: false
-        type: boolean
-        default: false
-      MAKE_LATEST:
-        description: "Whether to tag for production (from GitHub release 'Set as the latest release' option)"
-        required: false
-        type: boolean
-        default: false
-    outputs:
-      IMAGE_TAG:
-        description: "Normalized image tag used for the build"
-        value: ${{ jobs.build-and-push.outputs.IMAGE_TAG }}
-      TAGS:
-        description: "Newline-separated list of ECR tags pushed"
-        value: ${{ jobs.build-and-push.outputs.TAGS }}
-
-permissions:
-  contents: read
-  id-token: write
-
-env:
-  ECR_REGION: ${{ vars.ECR_REGION }}
-  # ECR settings are sourced from repository/environment variables for portability across envs/forks
-  ECR_REGISTRY: ${{ vars.ECR_REGISTRY }}
-  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}
-
-jobs:
-  build-and-push:
-    name: Build and Push
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    outputs:
-      IMAGE_TAG: ${{ steps.build.outputs.image_tag }}
-      TAGS: ${{ steps.build.outputs.registry_tags }}
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Build and push cloud deployment image
-        id: build
-        uses: ./.github/actions/build-and-push-docker
-        with:
-          registry_type: "ecr"
-          ecr_registry: ${{ env.ECR_REGISTRY }}
-          ecr_repository: ${{ env.ECR_REPOSITORY }}
-          ecr_region: ${{ env.ECR_REGION }}
-          aws_role_arn: ${{ secrets.AWS_ECR_PUSH_ROLE_ARN }}
-          version: ${{ inputs.version_override || inputs.image_tag }}
-          deploy_production: ${{ inputs.deploy_production }}
-          deploy_staging: ${{ inputs.deploy_staging }}
-          is_prerelease: ${{ inputs.IS_PRERELEASE }}
-          make_latest: ${{ inputs.MAKE_LATEST }}
-        env:
-          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
-          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
-          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/chromatic.yml

@@ -6,14 +6,12 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   chromatic:
     name: Run Chromatic
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       packages: write
       id-token: write
       actions: read

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@38ecb5b593bf0eb19e335c03f97670f792489a8b # v4.7.0

.github/workflows/deploy-formbricks-cloud.yml

@@ -4,60 +4,54 @@ on:
   workflow_dispatch:
     inputs:
       VERSION:
-        description: "The version of the Docker image to release (clean SemVer, e.g., 1.2.3)"
+        description: 'The version of the Docker image to release, full image tag if image tag is v0.0.0 enter v0.0.0.'
         required: true
         type: string
       REPOSITORY:
-        description: "The repository to use for the Docker image"
+        description: 'The repository to use for the Docker image'
         required: false
         type: string
-        default: "ghcr.io/formbricks/formbricks"
+        default: 'ghcr.io/formbricks/formbricks'
       ENVIRONMENT:
-        description: "The environment to deploy to"
+        description: 'The environment to deploy to'
         required: true
         type: choice
         options:
-          - staging
-          - production
+          - stage
+          - prod
   workflow_call:
     inputs:
       VERSION:
-        description: "The version of the Docker image to release"
+        description: 'The version of the Docker image to release'
         required: true
         type: string
       REPOSITORY:
-        description: "The repository to use for the Docker image"
+        description: 'The repository to use for the Docker image'
         required: false
         type: string
-        default: "ghcr.io/formbricks/formbricks"
+        default: 'ghcr.io/formbricks/formbricks'
       ENVIRONMENT:
-        description: "The environment to deploy to"
+        description: 'The environment to deploy to'
         required: true
         type: string
 
 permissions:
   id-token: write
-  contents: read
+  contents: write
 
 jobs:
   helmfile-deploy:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4.2.2
 
       - name: Tailscale
-        uses: tailscale/github-action@84a3f23bb4d843bcf4da6cf824ec1be473daf4de # v3.2.3
+        uses: tailscale/github-action@v3
         with:
           oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
           oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
           tags: tag:github
-          args: --accept-routes
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@f24d7193d98baebaeacc7e2227925dd47cc267f5 # v4.2.0
@@ -71,9 +65,9 @@ jobs:
         env:
           AWS_REGION: eu-central-1
 
-      - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
-        name: Deploy Formbricks Cloud Production
-        if: inputs.ENVIRONMENT == 'production'
+      - uses: helmfile/helmfile-action@v2
+        name: Deploy Formbricks Cloud Prod
+        if: inputs.ENVIRONMENT == 'prod'
         env:
           VERSION: ${{ inputs.VERSION }}
           REPOSITORY: ${{ inputs.REPOSITORY }}
@@ -81,7 +75,7 @@ jobs:
           FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.FORMBRICKS_INGRESS_CERT_ARN }}
           FORMBRICKS_ROLE_ARN: ${{ secrets.FORMBRICKS_ROLE_ARN }}
         with:
-          helmfile-version: "v1.0.0"
+          helmfile-version: 'v1.0.0'
           helm-plugins: >
             https://github.com/databus23/helm-diff,
             https://github.com/jkroepke/helm-secrets
@@ -89,16 +83,16 @@ jobs:
           helmfile-auto-init: "false"
           helmfile-workdirectory: infra/formbricks-cloud-helm
 
-      - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
-        name: Deploy Formbricks Cloud Staging
-        if: inputs.ENVIRONMENT == 'staging'
+      - uses: helmfile/helmfile-action@v2
+        name: Deploy Formbricks Cloud Stage
+        if: inputs.ENVIRONMENT == 'stage'
         env:
           VERSION: ${{ inputs.VERSION }}
           REPOSITORY: ${{ inputs.REPOSITORY }}
           FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.STAGE_FORMBRICKS_INGRESS_CERT_ARN }}
           FORMBRICKS_ROLE_ARN: ${{ secrets.STAGE_FORMBRICKS_ROLE_ARN }}
         with:
-          helmfile-version: "v1.0.0"
+          helmfile-version: 'v1.0.0'
           helm-plugins: >
             https://github.com/databus23/helm-diff,
             https://github.com/jkroepke/helm-secrets
@@ -106,44 +100,3 @@ jobs:
           helmfile-auto-init: "false"
           helmfile-workdirectory: infra/formbricks-cloud-helm
 
-      - name: Purge Cloudflare Cache
-        if: ${{ inputs.ENVIRONMENT == 'production' || inputs.ENVIRONMENT == 'staging' }}
-        env:
-          CF_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
-          CF_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
-        run: |
-          # Set hostname based on environment
-          if [[ "$ENVIRONMENT" == "production" ]]; then
-            PURGE_HOST="app.formbricks.com"
-          else
-            PURGE_HOST="stage.app.formbricks.com"
-          fi
-
-          echo "Purging Cloudflare cache for host: $PURGE_HOST (environment: $ENVIRONMENT, zone: $CF_ZONE_ID)"
-
-          # Prepare JSON payload for selective cache purge
-          json_payload=$(cat << EOF
-          {
-            "hosts": ["$PURGE_HOST"]
-          }
-          EOF
-          )
-
-          # Make API call to Cloudflare
-          response=$(curl -s -X POST \
-            "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/purge_cache" \
-            -H "Authorization: Bearer $CF_API_TOKEN" \
-            -H "Content-Type: application/json" \
-            --data "$json_payload")
-
-          echo "Cloudflare API response: $response"
-
-          # Verify the operation was successful
-          if [[ "$(echo "$response" | jq -r .success)" == "true" ]]; then
-            echo "✅ Successfully purged cache for $PURGE_HOST"
-          else
-            echo "❌ Cloudflare cache purge failed"
-            echo "Error details: $(echo "$response" | jq -r .errors)"
-            exit 1
-          fi

.github/workflows/docker-build-validation.yml

@@ -21,10 +21,10 @@ jobs:
     name: Validate Docker Build
     runs-on: ubuntu-latest
 
-    # Add PostgreSQL and Redis service containers
+    # Add PostgreSQL service container
     services:
       postgres:
-        image: pgvector/pgvector@sha256:9ae02a756ba16a2d69dd78058e25915e36e189bb36ddf01ceae86390d7ed786a
+        image: pgvector/pgvector:pg17
         env:
           POSTGRES_USER: test
           POSTGRES_PASSWORD: test
@@ -38,98 +38,43 @@ jobs:
           --health-timeout 5s
           --health-retries 5
 
-      redis:
-        image: valkey/valkey@sha256:12ba4f45a7c3e1d0f076acd616cb230834e75a77e8516dde382720af32832d6d
-        ports:
-          - 6379:6379
-
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v4.2.2
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@v3
 
       - name: Build Docker Image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        env:
-          GITHUB_SHA: ${{ github.sha }}
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./apps/web/Dockerfile
           push: false
           load: true
-          tags: formbricks-test:${{ env.GITHUB_SHA }}
+          tags: formbricks-test:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           secrets: |
             database_url=${{ secrets.DUMMY_DATABASE_URL }}
             encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
-            redis_url=redis://localhost:6379
 
-      - name: Verify and Initialize PostgreSQL
+      - name: Verify PostgreSQL Connection
         run: |
           echo "Verifying PostgreSQL connection..."
           # Install PostgreSQL client to test connection
           sudo apt-get update && sudo apt-get install -y postgresql-client
 
-          # Test connection using psql with timeout and proper error handling
-          echo "Testing PostgreSQL connection with 30 second timeout..."
-          if timeout 30 bash -c 'until PGPASSWORD=test psql -h localhost -U test -d formbricks -c "\dt" >/dev/null 2>&1; do
-            echo "Waiting for PostgreSQL to be ready..."
-            sleep 2
-          done'; then
-            echo "✅ PostgreSQL connection successful"
-            PGPASSWORD=test psql -h localhost -U test -d formbricks -c "SELECT version();"
-
-            # Enable necessary extensions that might be required by migrations
-            echo "Enabling required PostgreSQL extensions..."
-            PGPASSWORD=test psql -h localhost -U test -d formbricks -c "CREATE EXTENSION IF NOT EXISTS vector;" || echo "Vector extension already exists or not available"
-
-          else
-            echo "❌ PostgreSQL connection failed after 30 seconds"
-            exit 1
-          fi
+          # Test connection using psql
+          PGPASSWORD=test psql -h localhost -U test -d formbricks -c "\dt" || echo "Failed to connect to PostgreSQL"
 
           # Show network configuration
           echo "Network configuration:"
+          ip addr show
           netstat -tulpn | grep 5432 || echo "No process listening on port 5432"
 
-      - name: Verify Redis/Valkey Connection
-        run: |
-          echo "Verifying Redis/Valkey connection..."
-          # Install Redis client to test connection
-          sudo apt-get update && sudo apt-get install -y redis-tools
-
-          # Test connection using redis-cli with timeout and proper error handling
-          echo "Testing Redis connection with 30 second timeout..."
-          if timeout 30 bash -c 'until redis-cli -h localhost -p 6379 ping >/dev/null 2>&1; do
-            echo "Waiting for Redis to be ready..."
-            sleep 2
-          done'; then
-            echo "✅ Redis connection successful"
-            redis-cli -h localhost -p 6379 info server | head -5
-          else
-            echo "❌ Redis connection failed after 30 seconds"
-            exit 1
-          fi
-
-          # Show network configuration for Redis
-          echo "Redis network configuration:"
-          netstat -tulpn | grep 6379 || echo "No process listening on port 6379"
-
       - name: Test Docker Image with Health Check
         shell: bash
-        env:
-          GITHUB_SHA: ${{ github.sha }}
-          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
         run: |
           echo "🧪 Testing if the Docker image starts correctly..."
 
@@ -141,13 +86,29 @@ jobs:
             $DOCKER_RUN_ARGS \
             -p 3000:3000 \
             -e DATABASE_URL="postgresql://test:test@host.docker.internal:5432/formbricks" \
-            -e ENCRYPTION_KEY="$DUMMY_ENCRYPTION_KEY" \
-            -e REDIS_URL="redis://host.docker.internal:6379" \
-            -d "formbricks-test:$GITHUB_SHA"
+            -e ENCRYPTION_KEY="${{ secrets.DUMMY_ENCRYPTION_KEY }}" \
+            -d formbricks-test:${{ github.sha }}
 
-          # Start health check polling immediately (every 5 seconds for up to 5 minutes)
-          echo "🏥 Polling /health endpoint every 5 seconds for up to 5 minutes..."
-          MAX_RETRIES=60  # 60 attempts × 5 seconds = 5 minutes
+          # Give it more time to start up
+          echo "Waiting 45 seconds for application to start..."
+          sleep 45
+
+          # Check if the container is running
+          if [ "$(docker inspect -f '{{.State.Running}}' formbricks-test)" != "true" ]; then
+            echo "❌ Container failed to start properly!"
+            docker logs formbricks-test
+            exit 1
+          else
+            echo "✅ Container started successfully!"
+          fi
+
+          # Try connecting to PostgreSQL from inside the container
+          echo "Testing PostgreSQL connection from inside container..."
+          docker exec formbricks-test sh -c 'apt-get update && apt-get install -y postgresql-client && PGPASSWORD=test psql -h host.docker.internal -U test -d formbricks -c "\dt" || echo "Failed to connect to PostgreSQL from container"'
+
+          # Try to access the health endpoint
+          echo "🏥 Testing /health endpoint..."
+          MAX_RETRIES=10
           RETRY_COUNT=0
           HEALTH_CHECK_SUCCESS=false
 
@@ -155,32 +116,38 @@ jobs:
 
           while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
             RETRY_COUNT=$((RETRY_COUNT + 1))
-
-            # Check if container is still running
-            if [ "$(docker inspect -f '{{.State.Running}}' formbricks-test 2>/dev/null)" != "true" ]; then
-              echo "❌ Container stopped running after $((RETRY_COUNT * 5)) seconds!"
-              echo "📋 Container logs:"
-              docker logs formbricks-test
-              exit 1
+            echo "Attempt $RETRY_COUNT of $MAX_RETRIES..."
+            
+            # Show container logs before each attempt to help debugging
+            if [ $RETRY_COUNT -gt 1 ]; then
+              echo "📋 Current container logs:"
+              docker logs --tail 20 formbricks-test
             fi
-
-            # Show progress and diagnostic info every 12 attempts (1 minute intervals)
-            if [ $((RETRY_COUNT % 12)) -eq 0 ] || [ $RETRY_COUNT -eq 1 ]; then
-              echo "Health check attempt $RETRY_COUNT of $MAX_RETRIES ($(($RETRY_COUNT * 5)) seconds elapsed)..."
-              echo "📋 Recent container logs:"
-              docker logs --tail 10 formbricks-test
+            
+            # Get detailed curl output for debugging
+            HTTP_OUTPUT=$(curl -v -s -m 30 http://localhost:3000/health 2>&1)
+            CURL_EXIT_CODE=$?
+            
+            echo "Curl exit code: $CURL_EXIT_CODE"
+            echo "Curl output: $HTTP_OUTPUT"
+            
+            if [ $CURL_EXIT_CODE -eq 0 ]; then
+              STATUS_CODE=$(echo "$HTTP_OUTPUT" | grep -oP "HTTP/\d(\.\d)? \K\d+")
+              echo "Status code detected: $STATUS_CODE"
+              
+              if [ "$STATUS_CODE" = "200" ]; then
+                echo "✅ Health check successful!"
+                HEALTH_CHECK_SUCCESS=true
+                break
+              else
+                echo "❌ Health check returned non-200 status code: $STATUS_CODE"
+              fi
+            else
+              echo "❌ Curl command failed with exit code: $CURL_EXIT_CODE"
             fi
-
-            # Try health endpoint with shorter timeout for faster polling
-            # Use -f flag to make curl fail on HTTP error status codes (4xx, 5xx)
-            if curl -f -s -m 10 http://localhost:3000/health >/dev/null 2>&1; then
-              echo "✅ Health check successful after $((RETRY_COUNT * 5)) seconds!"
-              HEALTH_CHECK_SUCCESS=true
-              break
-            fi
-
-            # Wait 5 seconds before next attempt
-            sleep 5
+            
+            echo "Waiting 15 seconds before next attempt..."
+            sleep 15
           done
 
           # Show full container logs for debugging
@@ -193,7 +160,7 @@ jobs:
 
           # Exit with failure if health check did not succeed
           if [ "$HEALTH_CHECK_SUCCESS" != "true" ]; then
-            echo "❌ Health check failed after $((MAX_RETRIES * 5)) seconds (5 minutes)"
+            echo "❌ Health check failed after $MAX_RETRIES attempts"
             exit 1
           fi
 

.github/workflows/docker-security-scan.yml

@@ -1,70 +0,0 @@
-name: Docker Security Scan
-
-on:
-  schedule:
-    - cron: "0 2 * * *" # Daily at 2 AM UTC
-  workflow_dispatch:
-  workflow_run:
-    workflows: ["Docker Release to Github"]
-    types: [completed]
-
-permissions:
-  contents: read
-  packages: read
-  security-events: write
-
-jobs:
-  scan:
-    name: Vulnerability Scan
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout (for SARIF fingerprinting only)
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 1
-
-      - name: Determine ref and commit for upload
-        id: gitref
-        shell: bash
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
-          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
-        run: |
-          set -euo pipefail
-          if [[ "${EVENT_NAME}" == "workflow_run" ]]; then
-            echo "ref=refs/heads/${HEAD_BRANCH}" >> "$GITHUB_OUTPUT"
-            echo "sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"
-          else
-            echo "ref=${GITHUB_REF}" >> "$GITHUB_OUTPUT"
-            echo "sha=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
-          fi
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
-        with:
-          image-ref: "ghcr.io/${{ github.repository }}:latest"
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH,MEDIUM,LOW"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
-        if: ${{ always() }}
-        with:
-          sarif_file: "trivy-results.sarif"
-          ref: ${{ steps.gitref.outputs.ref }}
-          sha: ${{ steps.gitref.outputs.sha }}
-          category: "trivy-container-scan"

.github/workflows/e2e.yml

@@ -33,7 +33,7 @@ jobs:
     timeout-minutes: 60
     services:
       postgres:
-        image: pgvector/pgvector@sha256:9ae02a756ba16a2d69dd78058e25915e36e189bb36ddf01ceae86390d7ed786a
+        image: pgvector/pgvector:pg17
         env:
           POSTGRES_DB: postgres
           POSTGRES_USER: postgres
@@ -41,23 +41,27 @@ jobs:
         ports:
           - 5432:5432
         options: >-
-          --health-cmd="pg_isready -U postgres"
+          --health-cmd="pg_isready -U testuser"
           --health-interval=10s
           --health-timeout=5s
           --health-retries=5
       valkey:
-        image: valkey/valkey@sha256:12ba4f45a7c3e1d0f076acd616cb230834e75a77e8516dde382720af32832d6d
+        image: valkey/valkey:8.1.1
         ports:
           - 6379:6379
+        options: >-
+          --entrypoint "valkey-server"
+          --health-cmd="valkey-cli ping"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
-          egress-policy: audit
+          egress-policy: allow
           allowed-endpoints: |
             ee.formbricks.com:443
-            registry-1.docker.io:443
-            docker.io:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: ./.github/actions/dangerous-git-checkout
@@ -85,72 +89,10 @@ jobs:
           sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
           sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
           sed -i "s/ENTERPRISE_LICENSE_KEY=.*/ENTERPRISE_LICENSE_KEY=${{ secrets.ENTERPRISE_LICENSE_KEY }}/" .env
-          sed -i "s|REDIS_URL=.*|REDIS_URL=redis://localhost:6379|" .env
           echo "" >> .env
           echo "E2E_TESTING=1" >> .env
-          echo "S3_REGION=us-east-1" >> .env
-          echo "S3_BUCKET_NAME=formbricks-e2e" >> .env
-          echo "S3_ENDPOINT_URL=http://localhost:9000" >> .env
-          echo "S3_ACCESS_KEY=devminio" >> .env
-          echo "S3_SECRET_KEY=devminio123" >> .env
-          echo "S3_FORCE_PATH_STYLE=1" >> .env
         shell: bash
 
-      - name: Install MinIO client (mc)
-        run: |
-          set -euo pipefail
-          MC_VERSION="RELEASE.2025-08-13T08-35-41Z"
-          MC_BASE="https://dl.min.io/client/mc/release/linux-amd64/archive"
-          MC_BIN="mc.${MC_VERSION}"
-          MC_SUM="${MC_BIN}.sha256sum"
-
-          curl -fsSL "${MC_BASE}/${MC_BIN}" -o "${MC_BIN}"
-          curl -fsSL "${MC_BASE}/${MC_SUM}" -o "${MC_SUM}"
-
-          sha256sum -c "${MC_SUM}"
-
-          chmod +x "${MC_BIN}"
-          sudo mv "${MC_BIN}" /usr/local/bin/mc
-
-      - name: Start MinIO Server
-        run: |
-          set -euo pipefail
-          
-          # Start MinIO server in background
-          docker run -d \
-            --name minio-server \
-            -p 9000:9000 \
-            -p 9001:9001 \
-            -e MINIO_ROOT_USER=devminio \
-            -e MINIO_ROOT_PASSWORD=devminio123 \
-            minio/minio:RELEASE.2025-09-07T16-13-09Z \
-            server /data --console-address :9001
-          
-          echo "MinIO server started"
-
-      - name: Wait for MinIO and create S3 bucket
-        run: |
-          set -euo pipefail
-
-          echo "Waiting for MinIO to be ready..."
-          ready=0
-          for i in {1..60}; do
-            if curl -fsS http://localhost:9000/minio/health/live >/dev/null; then
-              echo "MinIO is up after ${i} seconds"
-              ready=1
-              break
-            fi
-            sleep 1
-          done
-
-          if [ "$ready" -ne 1 ]; then
-            echo "::error::MinIO did not become ready within 60 seconds"
-            exit 1
-          fi
-
-          mc alias set local http://localhost:9000 devminio devminio123
-          mc mb --ignore-existing local/formbricks-e2e
-
       - name: Build App
         run: |
           pnpm build --filter=@formbricks/web...
@@ -160,18 +102,6 @@ jobs:
           # pnpm prisma migrate deploy
           pnpm db:migrate:dev
 
-      - name: Run Rate Limiter Load Tests
-        run: |
-          echo "Running rate limiter load tests with Redis/Valkey..."
-          cd apps/web && pnpm vitest run modules/core/rate-limit/rate-limit-load.test.ts
-        shell: bash
-
-      - name: Run Cache Integration Tests
-        run: |
-          echo "Running cache integration tests with Redis/Valkey..."
-          cd packages/cache && pnpm vitest run src/cache-integration.test.ts
-        shell: bash
-
       - name: Check for Enterprise License
         run: |
           LICENSE_KEY=$(grep '^ENTERPRISE_LICENSE_KEY=' .env | cut -d'=' -f2-)
@@ -181,12 +111,6 @@ jobs:
           fi
           echo "License key length: ${#LICENSE_KEY}"
 
-      - name: Disable rate limiting for E2E tests
-        run: |
-          echo "RATE_LIMITING_DISABLED=1" >> .env
-          echo "Rate limiting disabled for E2E tests"
-        shell: bash
-
       - name: Run App
         run: |
           echo "Starting app with enterprise license..."
@@ -228,14 +152,11 @@ jobs:
         if: env.AZURE_ENABLED == 'true'
         env:
           PLAYWRIGHT_SERVICE_URL: ${{ secrets.PLAYWRIGHT_SERVICE_URL }}
-          CI: true
         run: |
           pnpm test-e2e:azure
 
       - name: Run E2E Tests (Local)
         if: env.AZURE_ENABLED == 'false'
-        env:
-          CI: true
         run: |
           pnpm test:e2e
 

.github/workflows/formbricks-release.yml

@@ -1,157 +1,34 @@
 name: Build, release & deploy Formbricks images
 
 on:
-  release:
-    types: [published]
-
-permissions:
-  contents: read
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*"
 
 jobs:
-  check-latest-release:
-    name: Check if this is the latest release
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    permissions:
-      contents: read
-    outputs:
-      is_latest: ${{ steps.compare_tags.outputs.is_latest }}
-    # This job determines if the current release was marked as "Set as the latest release"
-    # by comparing it with the latest release from GitHub API
-    steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Get latest release tag from API
-        id: get_latest_release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-          
-          # Get the latest release tag from GitHub API with error handling
-          echo "Fetching latest release from GitHub API..."
-          
-          # Use curl with error handling - API returns 404 if no releases exist
-          http_code=$(curl -s -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" \
-            "https://api.github.com/repos/${REPO}/releases/latest" -o /tmp/latest_release.json)
-          
-          if [[ "$http_code" == "404" ]]; then
-            echo "⚠️  No previous releases found (404). This appears to be the first release."
-            echo "latest_release=" >> $GITHUB_OUTPUT
-          elif [[ "$http_code" == "200" ]]; then
-            latest_release=$(jq -r .tag_name /tmp/latest_release.json)
-            if [[ "$latest_release" == "null" || -z "$latest_release" ]]; then
-              echo "⚠️  API returned null/empty tag_name. Treating as first release."
-              echo "latest_release=" >> $GITHUB_OUTPUT
-            else
-              echo "Latest release from API: ${latest_release}"
-              echo "latest_release=${latest_release}" >> $GITHUB_OUTPUT
-            fi
-          else
-            echo "❌ GitHub API error (HTTP ${http_code}). Treating as first release."
-            echo "latest_release=" >> $GITHUB_OUTPUT
-          fi
-          
-          echo "Current release tag: ${{ github.event.release.tag_name }}"
-
-      - name: Compare release tags
-        id: compare_tags
-        env:
-          CURRENT_TAG: ${{ github.event.release.tag_name }}
-          LATEST_TAG: ${{ steps.get_latest_release.outputs.latest_release }}
-        run: |
-          set -euo pipefail
-          
-          # Handle first release case (no previous releases)
-          if [[ -z "${LATEST_TAG}" ]]; then
-            echo "🎉 This is the first release (${CURRENT_TAG}) - treating as latest"
-            echo "is_latest=true" >> $GITHUB_OUTPUT
-          elif [[ "${CURRENT_TAG}" == "${LATEST_TAG}" ]]; then
-            echo "✅ This release (${CURRENT_TAG}) is marked as the latest release"
-            echo "is_latest=true" >> $GITHUB_OUTPUT
-          else
-            echo "ℹ️  This release (${CURRENT_TAG}) is not the latest release (latest: ${LATEST_TAG})"
-            echo "is_latest=false" >> $GITHUB_OUTPUT
-          fi
-  docker-build-community:
-    name: Build & release community docker image
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
+  docker-build:
+    name: Build & release stable docker image
+    if: startsWith(github.ref, 'refs/tags/v')
     uses: ./.github/workflows/release-docker-github.yml
     secrets: inherit
-    needs:
-      - check-latest-release
-    with:
-      IS_PRERELEASE: ${{ github.event.release.prerelease }}
-      MAKE_LATEST: ${{ needs.check-latest-release.outputs.is_latest }}
-
-  docker-build-cloud:
-    name: Build & push Formbricks Cloud to ECR
-    permissions:
-      contents: read
-      id-token: write
-    uses: ./.github/workflows/build-and-push-ecr.yml
-    secrets: inherit
-    with:
-      image_tag: ${{ needs.docker-build-community.outputs.VERSION }}
-      IS_PRERELEASE: ${{ github.event.release.prerelease }}
-      MAKE_LATEST: ${{ needs.check-latest-release.outputs.is_latest }}
-    needs:
-      - check-latest-release
-      - docker-build-community
 
   helm-chart-release:
     name: Release Helm Chart
-    permissions:
-      contents: read
-      packages: write
     uses: ./.github/workflows/release-helm-chart.yml
     secrets: inherit
     needs:
-      - docker-build-community
+      - docker-build
     with:
-      VERSION: ${{ needs.docker-build-community.outputs.VERSION }}
+      VERSION: ${{ needs.docker-build.outputs.VERSION }}
 
-  verify-cloud-build:
-    name: Verify Cloud Build Outputs
-    runs-on: ubuntu-latest
-    timeout-minutes: 5 # Simple verification should be quick
+  deploy-formbricks-cloud:
+    name: Deploy Helm Chart to Formbricks Cloud
+    secrets: inherit
+    uses: ./.github/workflows/deploy-formbricks-cloud.yml
     needs:
-      - docker-build-cloud
-    steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Display ECR build outputs
-        env:
-          IMAGE_TAG: ${{ needs.docker-build-cloud.outputs.IMAGE_TAG }}
-          TAGS: ${{ needs.docker-build-cloud.outputs.TAGS }}
-        run: |
-          set -euo pipefail
-
-          echo "✅ ECR Build Completed Successfully"
-          echo "Image Tag: ${IMAGE_TAG}"
-          echo "ECR Tags:"
-          printf '%s\n' "${TAGS}"
-
-  move-stable-tag:
-    name: Move stable tag to release
-    permissions:
-      contents: write # Required for tag push operations in called workflow
-    uses: ./.github/workflows/move-stable-tag.yml
-    needs:
-      - check-latest-release
-      - docker-build-community # Ensure release is successful first
+      - docker-build
+      - helm-chart-release
     with:
-      release_tag: ${{ github.event.release.tag_name }}
-      commit_sha: ${{ github.sha }}
-      is_prerelease: ${{ github.event.release.prerelease }}
-      make_latest: ${{ needs.check-latest-release.outputs.is_latest }}
+      VERSION: v${{ needs.docker-build.outputs.VERSION }}
+      ENVIRONMENT: "prod"

.github/workflows/move-stable-tag.yml

@@ -1,101 +0,0 @@
-name: Move Stable Tag
-
-on:
-  workflow_call:
-    inputs:
-      release_tag:
-        description: "The release tag name (e.g., 1.2.3)"
-        required: true
-        type: string
-      commit_sha:
-        description: "The commit SHA to point the stable tag to"
-        required: true
-        type: string
-      is_prerelease:
-        description: "Whether this is a prerelease (stable tag won't be moved for prereleases)"
-        required: false
-        type: boolean
-        default: false
-      make_latest:
-        description: "Whether to move stable tag (from GitHub release 'Set as the latest release' option)"
-        required: false
-        type: boolean
-        default: false
-
-permissions:
-  contents: read
-
-# Prevent concurrent stable tag operations to avoid race conditions
-concurrency:
-  group: move-stable-tag-${{ github.repository }}
-  cancel-in-progress: true
-
-jobs:
-  move-stable-tag:
-    name: Move stable tag to release
-    runs-on: ubuntu-latest
-    timeout-minutes: 10 # Prevent hung git operations
-    permissions:
-      contents: write # Required to push tags
-    # Only move stable tag for non-prerelease versions AND when make_latest is true
-    if: ${{ !inputs.is_prerelease && inputs.make_latest }}
-    steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0 # Full history needed for tag operations
-
-      - name: Validate inputs
-        env:
-          RELEASE_TAG: ${{ inputs.release_tag }}
-          COMMIT_SHA: ${{ inputs.commit_sha }}
-        run: |
-          set -euo pipefail
-
-          # Validate release tag format
-          if [[ ! "$RELEASE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "❌ Error: Invalid release tag format. Expected format: 1.2.3, 1.2.3-alpha"
-            echo "Provided: $RELEASE_TAG"
-            exit 1
-          fi
-
-          # Validate commit SHA format (40 character hex)
-          if [[ ! "$COMMIT_SHA" =~ ^[a-f0-9]{40}$ ]]; then
-            echo "❌ Error: Invalid commit SHA format. Expected 40 character hex string"
-            echo "Provided: $COMMIT_SHA"
-            exit 1
-          fi
-
-          echo "✅ Input validation passed"
-          echo "Release tag: $RELEASE_TAG"
-          echo "Commit SHA: $COMMIT_SHA"
-
-      - name: Move stable tag
-        env:
-          RELEASE_TAG: ${{ inputs.release_tag }}
-          COMMIT_SHA: ${{ inputs.commit_sha }}
-        run: |
-          set -euo pipefail
-
-          # Configure git
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-          # Verify the commit exists
-          if ! git cat-file -e "$COMMIT_SHA"; then
-            echo "❌ Error: Commit $COMMIT_SHA does not exist in this repository"
-            exit 1
-          fi
-
-          # Move stable tag to the release commit
-          echo "📌 Moving stable tag to commit: $COMMIT_SHA (release: $RELEASE_TAG)"
-          git tag -f stable "$COMMIT_SHA"
-          git push origin stable --force
-
-          echo "✅ Successfully moved stable tag to release $RELEASE_TAG"
-          echo "🔗 Stable tag now points to: https://github.com/${{ github.repository }}/commit/$COMMIT_SHA"

.github/workflows/pr-size-check.yml

@@ -1,165 +0,0 @@
-name: PR Size Check
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  check-pr-size:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    
-    steps:
-      - name: Harden the runner
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-      
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-      
-      - name: Check PR size
-        id: check-size
-        run: |
-          set -euo pipefail
-          
-          # Fetch the base branch
-          git fetch origin "${{ github.base_ref }}"
-          
-          # Get diff stats
-          diff_output=$(git diff --numstat "origin/${{ github.base_ref }}"...HEAD)
-          
-          # Count lines, excluding:
-          # - Test files (*.test.ts, *.spec.tsx, etc.)
-          # - Locale files (locales/*.json, i18n/*.json)
-          # - Lock files (pnpm-lock.yaml, package-lock.json, yarn.lock)
-          # - Generated files (dist/, coverage/, build/, .next/)
-          # - Storybook stories (*.stories.tsx)
-          
-          total_additions=0
-          total_deletions=0
-          counted_files=0
-          excluded_files=0
-          
-          while IFS=$'\t' read -r additions deletions file; do
-            # Skip if additions or deletions are "-" (binary files)
-            if [ "$additions" = "-" ] || [ "$deletions" = "-" ]; then
-              continue
-            fi
-            
-            # Check if file should be excluded
-            case "$file" in
-              *.test.ts|*.test.tsx|*.spec.ts|*.spec.tsx|*.test.js|*.test.jsx|*.spec.js|*.spec.jsx)
-                excluded_files=$((excluded_files + 1))
-                continue
-                ;;
-              */locales/*.json|*/i18n/*.json)
-                excluded_files=$((excluded_files + 1))
-                continue
-                ;;
-              pnpm-lock.yaml|package-lock.json|yarn.lock)
-                excluded_files=$((excluded_files + 1))
-                continue
-                ;;
-              dist/*|coverage/*|build/*|node_modules/*|test-results/*|playwright-report/*|.next/*|*.tsbuildinfo)
-                excluded_files=$((excluded_files + 1))
-                continue
-                ;;
-              *.stories.ts|*.stories.tsx|*.stories.js|*.stories.jsx)
-                excluded_files=$((excluded_files + 1))
-                continue
-                ;;
-            esac
-            
-            total_additions=$((total_additions + additions))
-            total_deletions=$((total_deletions + deletions))
-            counted_files=$((counted_files + 1))
-          done <<EOF
-          ${diff_output}
-          EOF
-          
-          total_changes=$((total_additions + total_deletions))
-          
-          echo "counted_files=${counted_files}" >> "${GITHUB_OUTPUT}"
-          echo "excluded_files=${excluded_files}" >> "${GITHUB_OUTPUT}"
-          echo "total_additions=${total_additions}" >> "${GITHUB_OUTPUT}"
-          echo "total_deletions=${total_deletions}" >> "${GITHUB_OUTPUT}"
-          echo "total_changes=${total_changes}" >> "${GITHUB_OUTPUT}"
-          
-          # Set flag if PR is too large (> 800 lines)
-          if [ ${total_changes} -gt 800 ]; then
-            echo "is_too_large=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "is_too_large=false" >> "${GITHUB_OUTPUT}"
-          fi
-      
-      - name: Comment on PR if too large
-        if: steps.check-size.outputs.is_too_large == 'true'
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const totalChanges = ${{ steps.check-size.outputs.total_changes }};
-            const countedFiles = ${{ steps.check-size.outputs.counted_files }};
-            const excludedFiles = ${{ steps.check-size.outputs.excluded_files }};
-            const additions = ${{ steps.check-size.outputs.total_additions }};
-            const deletions = ${{ steps.check-size.outputs.total_deletions }};
-            
-            const body = `## 🚨 PR Size Warning
-            
-This PR has approximately **${totalChanges} lines** of changes (${additions} additions, ${deletions} deletions across ${countedFiles} files).
-
-Large PRs (>800 lines) are significantly harder to review and increase the chance of merge conflicts. Consider splitting this into smaller, self-contained PRs.
-
-### 💡 Suggestions:
-- **Split by feature or module** - Break down into logical, independent pieces
-- **Create a sequence of PRs** - Each building on the previous one
-- **Branch off PR branches** - Don't wait for reviews to continue dependent work
-
-### 📊 What was counted:
-- ✅ Source files, stylesheets, configuration files
-- ❌ Excluded ${excludedFiles} files (tests, locales, locks, generated files)
-
-### 📚 Guidelines:
-- **Ideal:** 300-500 lines per PR
-- **Warning:** 500-800 lines
-- **Critical:** 800+ lines ⚠️
-
-If this large PR is unavoidable (e.g., migration, dependency update, major refactor), please explain in the PR description why it couldn't be split.`;
-            
-            // Check if we already commented
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            });
-            
-            const botComment = comments.find(comment => 
-              comment.user.type === 'Bot' && 
-              comment.body.includes('🚨 PR Size Warning')
-            );
-            
-            if (botComment) {
-              // Update existing comment
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-                body: body
-              });
-            } else {
-              // Create new comment
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: context.issue.number,
-                body: body
-              });
-            }
-

.github/workflows/pr.yml

@@ -10,6 +10,8 @@ permissions:
 
 on:
   pull_request:
+    branches:
+      - main
   merge_group:
   workflow_dispatch:
 

.github/workflows/release-docker-github-experimental.yml

@@ -1,50 +1,99 @@
-name: Build Community Testing Images
+name: Docker Release to Github Experimental
 
-# This workflow builds experimental/testing versions of Formbricks for self-hosting customers
-# to test fixes and features before official releases. Images are pushed to GHCR with
-# timestamped experimental versions for easy identification and testing.
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
 
 on:
   workflow_dispatch:
-    inputs:
-      version_override:
-        description: "Override version (SemVer only, e.g., 1.2.3-beta). Leave empty for auto-generated experimental version."
-        required: false
-        type: string
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}-experimental
+  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
 permissions:
   contents: read
-  packages: write
-  id-token: write
 
 jobs:
-  build-community-testing:
-    name: Build Community Testing Image
+  build:
     runs-on: ubuntu-latest
-    timeout-minutes: 45
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
 
-      - name: Build and push community testing image
-        uses: ./.github/actions/build-and-push-docker
+      - name: Set up Depot CLI
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
-          registry_type: "ghcr"
-          ghcr_image_name: "${{ github.repository }}-experimental"
-          experimental_mode: "true"
-          version: ${{ inputs.version_override }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        with:
+          project: tw0fqmsx3c
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: .
+          file: ./apps/web/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            database_url=${{ secrets.DUMMY_DATABASE_URL }}
+            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
-          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
-          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/release-docker-github.yml

@@ -1,4 +1,4 @@
-name: Release Community Docker Images
+name: Docker Release to Github
 
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -7,17 +7,6 @@ name: Release Community Docker Images
 
 on:
   workflow_call:
-    inputs:
-      IS_PRERELEASE:
-        description: "Whether this is a prerelease (affects latest tag)"
-        required: false
-        type: boolean
-        default: false
-      MAKE_LATEST:
-        description: "Whether to tag as latest (from GitHub release 'Set as the latest release' option)"
-        required: false
-        type: boolean
-        default: false
     outputs:
       VERSION:
         description: release version
@@ -28,14 +17,12 @@ env:
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
-
-permissions:
-  contents: read
+  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    timeout-minutes: 45
     permissions:
       contents: read
       packages: write
@@ -48,61 +35,82 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Extract release version from tag
+      - name: Get Release Tag
         id: extract_release_tag
         run: |
-          set -euo pipefail
-
-          # Extract tag name with fallback logic for different trigger contexts
-          if [[ -n "${RELEASE_TAG:-}" ]]; then
-            TAG="$RELEASE_TAG"
-            echo "Using RELEASE_TAG override: $TAG"
-          elif [[ "$GITHUB_REF_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]] || [[ "$GITHUB_REF_NAME" =~ ^v[0-9] ]]; then
-            TAG="$GITHUB_REF_NAME"
-            echo "Using GITHUB_REF_NAME (looks like tag): $TAG"
-          else
-            # Fallback: extract from GITHUB_REF for direct tag triggers
-            TAG="${GITHUB_REF#refs/tags/}"
-            if [[ -z "$TAG" || "$TAG" == "$GITHUB_REF" ]]; then
-              TAG="$GITHUB_REF_NAME"
-              echo "Using GITHUB_REF_NAME as final fallback: $TAG"
-            else
-              echo "Extracted from GITHUB_REF: $TAG"
-            fi
-          fi
-
-          # Strip v-prefix if present (normalize to clean SemVer)
-          TAG=${TAG#[vV]}
-
-          # Validate SemVer format (supports prereleases like 4.0.0-rc.1)
-          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "ERROR: Invalid tag format '$TAG'. Expected SemVer (e.g., 1.2.3, 4.0.0-rc.1)"
-            exit 1
-          fi
-
+          TAG=${{ github.ref }}
+          TAG=${TAG#refs/tags/v}
+          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
           echo "VERSION=$TAG" >> $GITHUB_OUTPUT
-          echo "Using version: $TAG"
 
-      - name: Build and push community release image
-        id: build
-        uses: ./.github/actions/build-and-push-docker
+      - name: Update package.json version
+        run: |
+          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
+          cat ./apps/web/package.json | grep version
+
+      - name: Set up Depot CLI
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
-          registry_type: "ghcr"
-          ghcr_image_name: ${{ env.IMAGE_NAME }}
-          version: ${{ steps.extract_release_tag.outputs.VERSION }}
-          is_prerelease: ${{ inputs.IS_PRERELEASE }}
-          make_latest: ${{ inputs.MAKE_LATEST }}
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+        with:
+          project: tw0fqmsx3c
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          context: .
+          file: ./apps/web/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          secrets: |
+            database_url=${{ secrets.DUMMY_DATABASE_URL }}
+            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
-          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
-          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/release-helm-chart.yml

@@ -19,30 +19,15 @@ jobs:
       contents: read
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Validate input version
-        env:
-          INPUT_VERSION: ${{ inputs.VERSION }}
-        run: |
-          set -euo pipefail
-          # Validate input version format (expects clean semver without 'v' prefix)
-          if [[ ! "$INPUT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "❌ Error: Invalid version format. Must be clean semver (e.g., 1.2.3, 1.2.3-alpha)"
-            echo "Expected: clean version without 'v' prefix"
-            echo "Provided: $INPUT_VERSION"
-            exit 1
-          fi
-
-          # Store validated version in environment variable
-          echo "VERSION<<EOF" >> $GITHUB_ENV
-          echo "$INPUT_VERSION" >> $GITHUB_ENV
-          echo "EOF" >> $GITHUB_ENV
+      - name: Extract release version
+        run: echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
 
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -50,44 +35,20 @@ jobs:
           version: latest
 
       - name: Log in to GitHub Container Registry
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_ACTOR: ${{ github.actor }}
-        run: printf '%s' "$GITHUB_TOKEN" | helm registry login ghcr.io --username "$GITHUB_ACTOR" --password-stdin
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
 
       - name: Install YQ
         uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1
 
       - name: Update Chart.yaml with new version
-        env:
-          VERSION: ${{ env.VERSION }}
         run: |
-          set -euo pipefail
-
-          echo "Updating Chart.yaml with version: ${VERSION}"
-          yq -i ".version = \"${VERSION}\"" helm-chart/Chart.yaml
-          yq -i ".appVersion = \"${VERSION}\"" helm-chart/Chart.yaml
-
-          echo "✅ Successfully updated Chart.yaml"
+          yq -i ".version = \"${{ inputs.VERSION }}\"" helm-chart/Chart.yaml
+          yq -i ".appVersion = \"v${{ inputs.VERSION }}\"" helm-chart/Chart.yaml
 
       - name: Package Helm chart
-        env:
-          VERSION: ${{ env.VERSION }}
         run: |
-          set -euo pipefail
-
-          echo "Packaging Helm chart version: ${VERSION}"
           helm package ./helm-chart
 
-          echo "✅ Successfully packaged formbricks-${VERSION}.tgz"
-
       - name: Push Helm chart to GitHub Container Registry
-        env:
-          VERSION: ${{ env.VERSION }}
         run: |
-          set -euo pipefail
-
-          echo "Pushing Helm chart to registry: formbricks-${VERSION}.tgz"
-          helm push "formbricks-${VERSION}.tgz" oci://ghcr.io/formbricks/helm-charts
-
-          echo "✅ Successfully pushed Helm chart to registry"
+          helm push formbricks-${{ inputs.VERSION }}.tgz oci://ghcr.io/formbricks/helm-charts

.github/workflows/scorecard.yml

@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: "17 17 * * 6"
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Add this permission
+      actions: write # Required for artifact upload
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: sarif
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        with:
+          sarif_file: results.sarif

.github/workflows/semantic-pull-requests.yml

@@ -56,3 +56,11 @@ jobs:
             ```
             ${{ steps.lint_pr_title.outputs.error_message }}
             ```
+
+      # Delete a previous comment when the issue has been resolved
+      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        with:
+          header: pr-title-lint-error
+          message: |
+            Thank you for following the naming conventions for pull request titles! 🙏

.github/workflows/sonarqube.yml

@@ -43,7 +43,6 @@ jobs:
           sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
           sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
           sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
-          sed -i "s|REDIS_URL=.*|REDIS_URL=|" .env
 
       - name: Run tests with coverage
         run: |

.github/workflows/terraform-plan-and-apply.yml

@@ -0,0 +1,84 @@
+name: "Terraform"
+
+on:
+  workflow_dispatch:
+  # TODO: enable it back when migration is completed.
+  push:
+    branches:
+      - main
+    paths:
+      - "infra/terraform/**"
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "infra/terraform/**"
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Tailscale
+        uses: tailscale/github-action@v3
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:github
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@f24d7193d98baebaeacc7e2227925dd47cc267f5 # v4.2.0
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          aws-region: "eu-central-1"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check -recursive
+        continue-on-error: true
+        working-directory: infra/terraform
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+        working-directory: infra/terraform
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate
+        working-directory: infra/terraform
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -out .planfile
+        working-directory: infra/terraform
+
+      - name: Post PR comment
+        uses: borchero/terraform-plan-comment@434458316f8f24dd073cd2561c436cce41dc8f34 # v2.4.1
+        if: always() && github.ref != 'refs/heads/main' && (steps.plan.outcome == 'success' || steps.plan.outcome == 'failure')
+        with:
+          token: ${{ github.token }}
+          planfile: .planfile
+          working-directory: "infra/terraform"
+
+      - name: Terraform Apply
+        id: apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply .planfile
+        working-directory: "infra/terraform"

.github/workflows/test.yml

@@ -41,7 +41,6 @@ jobs:
           sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
           sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
           sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
-          sed -i "s|REDIS_URL=.*|REDIS_URL=|" .env
 
       - name: Test
         run: pnpm test

.github/workflows/tolgee.yml

@@ -27,18 +27,10 @@ jobs:
 
       - name: Get source branch name
         id: branch-name
-        env:
-          RAW_BRANCH: ${{ github.head_ref }}
         run: |
-          # Validate and sanitize branch name - only allow alphanumeric, dots, underscores, hyphens, and forward slashes
+          RAW_BRANCH="${{ github.head_ref }}"
           SOURCE_BRANCH=$(echo "$RAW_BRANCH" | sed 's/[^a-zA-Z0-9._\/-]//g')
 
-          # Additional validation - ensure branch name is not empty after sanitization
-          if [[ -z "$SOURCE_BRANCH" ]]; then
-            echo "❌ Error: Branch name is empty after sanitization"
-            echo "Original branch: $RAW_BRANCH"
-            exit 1
-          fi
 
           # Safely add to environment variables using GitHub's recommended method
           # This prevents environment variable injection attacks

.github/workflows/welcome-new-contributors.yml

@@ -0,0 +1,32 @@
+name: "Welcome new contributors"
+
+on:
+  issues:
+    types: opened
+  pull_request_target:
+    types: opened
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  welcome-message:
+    name: Welcoming New Users
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    if: github.event.action == 'opened'
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/first-interaction@3c71ce730280171fd1cfb57c00c774f8998586f7 # v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          pr-message: |-
+            Thank you so much for making your first Pull Request and taking the time to improve Formbricks! 🚀🙏❤️
+            Feel free to join the conversation on [Github Discussions](https://github.com/formbricks/formbricks/discussions) if you need any help or have any questions. 😊
+          issue-message: |
+            Thank you for opening your first issue! 🙏❤️ One of our team members will review it and get back to you as soon as it possible. 😊

.gitignore

@@ -56,9 +56,20 @@ packages/database/migrations
 branch.json
 .vercel
 
+# Terraform
+infra/terraform/.terraform/
+**/.terraform.lock.hcl
+**/terraform.tfstate
+**/terraform.tfstate.*
+**/crash.log
+**/override.tf
+**/override.tf.json
+**/*.tfvars
+**/*.tfvars.json
+**/.terraformrc
+**/terraform.rc
+
 # IntelliJ IDEA
 /.idea/
 /*.iml
 packages/ios/FormbricksSDK/FormbricksSDK.xcodeproj/project.xcworkspace/xcuserdata
-.cursorrules
-i18n.cache

.tolgeerc.json

@@ -31,18 +31,6 @@
       {
         "language": "pt-PT",
         "path": "./apps/web/locales/pt-PT.json"
-      },
-      {
-        "language": "ro-RO",
-        "path": "./apps/web/locales/ro-RO.json"
-      },
-      {
-        "language": "ja-JP",
-        "path": "./apps/web/locales/ja-JP.json"
-      },
-      {
-        "language": "zh-Hans-CN",
-        "path": "./apps/web/locales/zh-Hans-CN.json"
       }
     ],
     "forceMode": "OVERRIDE"

.vscode/settings.json

@@ -1,6 +1,4 @@
 {
-  "eslint.validate": ["javascript", "javascriptreact", "typescript", "typescriptreact"],
-  "eslint.workingDirectories": [{ "mode": "auto" }],
   "javascript.updateImportsOnFileMove.enabled": "always",
   "sonarlint.connectedMode.project": {
     "connectionId": "formbricks",

CONTRIBUTING.md

@@ -14,7 +14,17 @@ Are you brimming with brilliant ideas? For new features that can elevate Formbri
 
 ## 🛠 Crafting Pull Requests
 
-For the time being, we don't have the capacity to properly facilitate community contributions. It's a lot of engineering attention often spent on issues which don't follow our prioritization, so we've decided to only facilitate community code contributions in rare exceptions in the coming months.
+Ready to dive into the code and make a real impact? Here's your path:
+
+1. **Read our Best Practices**: [It takes 5 minutes](https://formbricks.com/docs/developer-docs/contributing/get-started) but will help you save hours 🤓
+
+1. **Fork the Repository:** Fork our repository or use [Gitpod](https://gitpod.io) or use [Github Codespaces](https://github.com/features/codespaces) to get started instantly.
+
+1. **Tweak and Transform:** Work your coding magic and apply your changes.
+
+1. **Pull Request Act:** If you're ready to go, craft a new pull request closely following our PR template 🙏
+
+Would you prefer a chat before you dive into a lot of work? [Github Discussions](https://github.com/formbricks/formbricks/discussions) is your harbor. Share your thoughts, and we'll meet you there with open arms. We're responsive and friendly, promise!
 
 ## 🚀 Aspiring Features
 

README.md

@@ -21,7 +21,6 @@ The Open Source Qualtrics Alternative
 
 <p align="center">
 <a href="https://github.com/formbricks/formbricks/blob/main/LICENSE"><img src="https://img.shields.io/badge/License-AGPL-purple" alt="License"></a> <a href="https://github.com/formbricks/formbricks/stargazers"><img src="https://img.shields.io/github/stars/formbricks/formbricks?logo=github" alt="Github Stars"></a>
-<a href="https://insights.linuxfoundation.org/project/formbricks"><img src="https://insights.linuxfoundation.org/api/badge/health-score?project=formbricks"></a>
 <a href="https://news.ycombinator.com/item?id=32303986"><img src="https://img.shields.io/badge/Hacker%20News-122-%23FF6600" alt="Hacker News"></a>
 <a href="[https://www.producthunt.com/products/formbricks](https://www.producthunt.com/posts/formbricks)"><img src="https://img.shields.io/badge/Product%20Hunt-455-orange?logo=producthunt&logoColor=%23fff" alt="Product Hunt"></a>
 <a href="https://github.blog/2023-04-12-github-accelerator-our-first-cohort-and-whats-next/"><img src="https://img.shields.io/badge/2023-blue?logo=github&label=Github%20Accelerator" alt="Github Accelerator"></a>
@@ -193,7 +192,7 @@ Here are a few options:
 
 - Upvote issues with 👍 reaction so we know what the demand for a particular issue is to prioritize it within the roadmap.
 
-- Note: For the time being, we can only facilitate code contributions as an exception.
+Please check out [our contribution guide](https://formbricks.com/docs/developer-docs/contributing/get-started) and our [list of open issues](https://github.com/formbricks/formbricks/issues) for more information.
 
 ## All Thanks To Our Contributors
 

apps/storybook/.storybook/main.ts

@@ -1,25 +1,23 @@
 import type { StorybookConfig } from "@storybook/react-vite";
-import { createRequire } from "module";
 import { dirname, join } from "path";
 
-const require = createRequire(import.meta.url);
-
 /**
  * This function is used to resolve the absolute path of a package.
  * It is needed in projects that use Yarn PnP or are set up within a monorepo.
  */
-function getAbsolutePath(value: string): any {
+const getAbsolutePath = (value: string) => {
   return dirname(require.resolve(join(value, "package.json")));
-}
+};
 
 const config: StorybookConfig = {
   stories: ["../src/**/*.mdx", "../../web/modules/ui/**/stories.@(js|jsx|mjs|ts|tsx)"],
   addons: [
     getAbsolutePath("@storybook/addon-onboarding"),
     getAbsolutePath("@storybook/addon-links"),
+    getAbsolutePath("@storybook/addon-essentials"),
     getAbsolutePath("@chromatic-com/storybook"),
+    getAbsolutePath("@storybook/addon-interactions"),
     getAbsolutePath("@storybook/addon-a11y"),
-    getAbsolutePath("@storybook/addon-docs"),
   ],
   framework: {
     name: getAbsolutePath("@storybook/react-vite"),

apps/storybook/.storybook/preview.ts

@@ -1,32 +1,5 @@
-import type { Preview } from "@storybook/react-vite";
-import { TolgeeProvider } from "@tolgee/react";
-import React from "react";
-// Import translation data for Storybook
-import enUSTranslations from "../../web/locales/en-US.json";
+import type { Preview } from "@storybook/react";
 import "../../web/modules/ui/globals.css";
-import { TolgeeBase } from "../../web/tolgee/shared";
-
-// Create a Storybook-specific Tolgee decorator
-const withTolgee = (Story: any) => {
-  const tolgee = TolgeeBase().init({
-    tagNewKeys: [], // No branch tagging in Storybook
-  });
-
-  return React.createElement(
-    TolgeeProvider,
-    {
-      tolgee,
-      fallback: "Loading",
-      ssr: {
-        language: "en-US",
-        staticData: {
-          "en-US": enUSTranslations,
-        },
-      },
-    },
-    React.createElement(Story)
-  );
-};
 
 const preview: Preview = {
   parameters: {
@@ -37,7 +10,6 @@ const preview: Preview = {
       },
     },
   },
-  decorators: [withTolgee],
 };
 
 export default preview;

apps/storybook/package.json

@@ -14,19 +14,23 @@
     "eslint-plugin-react-refresh": "0.4.20"
   },
   "devDependencies": {
-    "@chromatic-com/storybook": "^4.0.1",
-    "@storybook/addon-a11y": "9.0.15",
-    "@storybook/addon-links": "9.0.15",
-    "@storybook/addon-onboarding": "9.0.15",
-    "@storybook/react-vite": "9.0.15",
+    "@chromatic-com/storybook": "3.2.6",
+    "@storybook/addon-a11y": "8.6.12",
+    "@storybook/addon-essentials": "8.6.12",
+    "@storybook/addon-interactions": "8.6.12",
+    "@storybook/addon-links": "8.6.12",
+    "@storybook/addon-onboarding": "8.6.12",
+    "@storybook/blocks": "8.6.12",
+    "@storybook/react": "8.6.12",
+    "@storybook/react-vite": "8.6.12",
+    "@storybook/test": "8.6.12",
     "@typescript-eslint/eslint-plugin": "8.32.0",
     "@typescript-eslint/parser": "8.32.0",
     "@vitejs/plugin-react": "4.4.1",
     "esbuild": "0.25.4",
-    "eslint-plugin-storybook": "9.0.15",
+    "eslint-plugin-storybook": "0.12.0",
     "prop-types": "15.8.1",
-    "storybook": "9.0.15",
-    "vite": "6.3.6",
-    "@storybook/addon-docs": "9.0.15"
+    "storybook": "8.6.12",
+    "vite": "6.3.5"
   }
 }

apps/storybook/src/stories/Configure.mdx

@@ -1,4 +1,4 @@
-import { Meta } from "@storybook/addon-docs/blocks";
+import { Meta } from "@storybook/blocks";
 
 import Accessibility from "./assets/accessibility.png";
 import AddonLibrary from "./assets/addon-library.png";

apps/web/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22-alpine3.22 AS base
+FROM node:22-alpine3.21 AS base
 
 #
 ## step 1: Prune monorepo
@@ -25,18 +25,26 @@ RUN corepack prepare pnpm@9.15.9 --activate
 # Install necessary build tools and compilers
 RUN apk update && apk add --no-cache cmake g++ gcc jq make openssl-dev python3
 
-# Copy the secrets handling script
-COPY apps/web/scripts/docker/read-secrets.sh /tmp/read-secrets.sh
-RUN chmod +x /tmp/read-secrets.sh
+# BuildKit secret handling without hardcoded fallback values
+# This approach relies entirely on secrets passed from GitHub Actions
+RUN echo '#!/bin/sh' > /tmp/read-secrets.sh && \
+    echo 'if [ -f "/run/secrets/database_url" ]; then' >> /tmp/read-secrets.sh && \
+    echo '  export DATABASE_URL=$(cat /run/secrets/database_url)' >> /tmp/read-secrets.sh && \
+    echo 'else' >> /tmp/read-secrets.sh && \
+    echo '  echo "DATABASE_URL secret not found. Build may fail if this is required."' >> /tmp/read-secrets.sh && \
+    echo 'fi' >> /tmp/read-secrets.sh && \
+    echo 'if [ -f "/run/secrets/encryption_key" ]; then' >> /tmp/read-secrets.sh && \
+    echo '  export ENCRYPTION_KEY=$(cat /run/secrets/encryption_key)' >> /tmp/read-secrets.sh && \
+    echo 'else' >> /tmp/read-secrets.sh && \
+    echo '  echo "ENCRYPTION_KEY secret not found. Build may fail if this is required."' >> /tmp/read-secrets.sh && \
+    echo 'fi' >> /tmp/read-secrets.sh && \
+    echo 'exec "$@"' >> /tmp/read-secrets.sh && \
+    chmod +x /tmp/read-secrets.sh
 
 # Increase Node.js memory limit as a regular build argument
-ARG NODE_OPTIONS="--max_old_space_size=8192"
+ARG NODE_OPTIONS="--max_old_space_size=4096"
 ENV NODE_OPTIONS=${NODE_OPTIONS}
 
-# Target architecture - automatically provided by Docker in multi-platform builds
-# but needs explicit declaration for some build systems (like Depot)
-ARG TARGETARCH
-
 # Set the working directory
 WORKDIR /app
 
@@ -54,15 +62,10 @@ RUN touch apps/web/.env
 # Install the dependencies
 RUN pnpm install --ignore-scripts
 
-# Build the database package first
-RUN pnpm build --filter=@formbricks/database
-
 # Build the project using our secret reader script
 # This mounts the secrets only during this build step without storing them in layers
 RUN --mount=type=secret,id=database_url \
     --mount=type=secret,id=encryption_key \
-    --mount=type=secret,id=redis_url \
-    --mount=type=secret,id=sentry_auth_token \
     /tmp/read-secrets.sh pnpm build --filter=@formbricks/web...
 
 # Extract Prisma version
@@ -103,8 +106,20 @@ RUN chown -R nextjs:nextjs ./apps/web/public && chmod -R 755 ./apps/web/public
 COPY --from=installer /app/packages/database/schema.prisma ./packages/database/schema.prisma
 RUN chown nextjs:nextjs ./packages/database/schema.prisma && chmod 644 ./packages/database/schema.prisma
 
-COPY --from=installer /app/packages/database/dist ./packages/database/dist
-RUN chown -R nextjs:nextjs ./packages/database/dist && chmod -R 755 ./packages/database/dist
+COPY --from=installer /app/packages/database/package.json ./packages/database/package.json
+RUN chown nextjs:nextjs ./packages/database/package.json && chmod 644 ./packages/database/package.json
+
+COPY --from=installer /app/packages/database/migration ./packages/database/migration
+RUN chown -R nextjs:nextjs ./packages/database/migration && chmod -R 755 ./packages/database/migration
+
+COPY --from=installer /app/packages/database/src ./packages/database/src
+RUN chown -R nextjs:nextjs ./packages/database/src && chmod -R 755 ./packages/database/src
+
+COPY --from=installer /app/packages/database/node_modules ./packages/database/node_modules
+RUN chown -R nextjs:nextjs ./packages/database/node_modules && chmod -R 755 ./packages/database/node_modules
+
+COPY --from=installer /app/packages/logger/dist ./packages/database/node_modules/@formbricks/logger/dist
+RUN chown -R nextjs:nextjs ./packages/database/node_modules/@formbricks/logger/dist && chmod -R 755 ./packages/database/node_modules/@formbricks/logger/dist
 
 COPY --from=installer /app/node_modules/@prisma/client ./node_modules/@prisma/client
 RUN chown -R nextjs:nextjs ./node_modules/@prisma/client && chmod -R 755 ./node_modules/@prisma/client
@@ -115,6 +130,9 @@ RUN chown -R nextjs:nextjs ./node_modules/.prisma && chmod -R 755 ./node_modules
 COPY --from=installer /prisma_version.txt .
 RUN chown nextjs:nextjs ./prisma_version.txt && chmod 644 ./prisma_version.txt
 
+COPY /docker/cronjobs /app/docker/cronjobs
+RUN chmod -R 755 /app/docker/cronjobs
+
 COPY --from=installer /app/node_modules/@paralleldrive/cuid2 ./node_modules/@paralleldrive/cuid2
 RUN chmod -R 755 ./node_modules/@paralleldrive/cuid2
 
@@ -124,14 +142,12 @@ RUN chmod -R 755 ./node_modules/@noble/hashes
 COPY --from=installer /app/node_modules/zod ./node_modules/zod
 RUN chmod -R 755 ./node_modules/zod
 
+RUN npm install --ignore-scripts -g tsx typescript pino-pretty 
 RUN npm install -g prisma
 
-# Create a startup script to handle the conditional logic
-COPY --from=installer /app/apps/web/scripts/docker/next-start.sh /home/nextjs/start.sh
-RUN chown nextjs:nextjs /home/nextjs/start.sh && chmod +x /home/nextjs/start.sh
-
 EXPOSE 3000
-ENV HOSTNAME="0.0.0.0"
+ENV HOSTNAME "0.0.0.0"
+ENV NODE_ENV="production"
 USER nextjs
 
 # Prepare volume for uploads
@@ -142,4 +158,12 @@ VOLUME /home/nextjs/apps/web/uploads/
 RUN mkdir -p /home/nextjs/apps/web/saml-connection
 VOLUME /home/nextjs/apps/web/saml-connection
 
-CMD ["/home/nextjs/start.sh"]
+CMD if [ "${DOCKER_CRON_ENABLED:-1}" = "1" ]; then \
+      echo "Starting cron jobs..."; \
+      supercronic -quiet /app/docker/cronjobs & \
+    else \
+      echo "Docker cron jobs are disabled via DOCKER_CRON_ENABLED=0"; \
+    fi; \
+    (cd packages/database && npm run db:migrate:deploy) && \
+    (cd packages/database && npm run db:create-saml-database:deploy) && \
+    exec node apps/web/server.js

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks.test.tsx

@@ -23,12 +23,12 @@ describe("ConnectWithFormbricks", () => {
   const webAppUrl = "http://app";
   const channel = {} as any;
 
-  test("renders waiting state when appSetupCompleted is false", () => {
+  test("renders waiting state when widgetSetupCompleted is false", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        publicDomain={webAppUrl}
-        appSetupCompleted={false}
+        webAppUrl={webAppUrl}
+        widgetSetupCompleted={false}
         channel={channel}
       />
     );
@@ -36,12 +36,12 @@ describe("ConnectWithFormbricks", () => {
     expect(screen.getByText("environments.connect.waiting_for_your_signal")).toBeInTheDocument();
   });
 
-  test("renders success state when appSetupCompleted is true", () => {
+  test("renders success state when widgetSetupCompleted is true", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        publicDomain={webAppUrl}
-        appSetupCompleted={true}
+        webAppUrl={webAppUrl}
+        widgetSetupCompleted={true}
         channel={channel}
       />
     );
@@ -53,8 +53,8 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        publicDomain={webAppUrl}
-        appSetupCompleted={true}
+        webAppUrl={webAppUrl}
+        widgetSetupCompleted={true}
         channel={channel}
       />
     );
@@ -67,8 +67,8 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        publicDomain={webAppUrl}
-        appSetupCompleted={false}
+        webAppUrl={webAppUrl}
+        widgetSetupCompleted={false}
         channel={channel}
       />
     );

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks.tsx

@@ -12,15 +12,15 @@ import { OnboardingSetupInstructions } from "./OnboardingSetupInstructions";
 
 interface ConnectWithFormbricksProps {
   environment: TEnvironment;
-  publicDomain: string;
-  appSetupCompleted: boolean;
+  webAppUrl: string;
+  widgetSetupCompleted: boolean;
   channel: TProjectConfigChannel;
 }
 
 export const ConnectWithFormbricks = ({
   environment,
-  publicDomain,
-  appSetupCompleted,
+  webAppUrl,
+  widgetSetupCompleted,
   channel,
 }: ConnectWithFormbricksProps) => {
   const { t } = useTranslate();
@@ -49,17 +49,17 @@ export const ConnectWithFormbricks = ({
         <div className="flex w-1/2 flex-col space-y-4">
           <OnboardingSetupInstructions
             environmentId={environment.id}
-            publicDomain={publicDomain}
+            webAppUrl={webAppUrl}
             channel={channel}
-            appSetupCompleted={appSetupCompleted}
+            widgetSetupCompleted={widgetSetupCompleted}
           />
         </div>
         <div
           className={cn(
             "flex h-[30rem] w-1/2 flex-col items-center justify-center rounded-lg border text-center",
-            appSetupCompleted ? "border-green-500 bg-green-100" : "border-slate-300 bg-slate-200"
+            widgetSetupCompleted ? "border-green-500 bg-green-100" : "border-slate-300 bg-slate-200"
           )}>
-          {appSetupCompleted ? (
+          {widgetSetupCompleted ? (
             <div>
               <p className="text-3xl">{t("environments.connect.congrats")}</p>
               <p className="pt-4 text-sm font-medium text-slate-600">
@@ -81,9 +81,9 @@ export const ConnectWithFormbricks = ({
       </div>
       <Button
         id="finishOnboarding"
-        variant={appSetupCompleted ? "default" : "ghost"}
+        variant={widgetSetupCompleted ? "default" : "ghost"}
         onClick={handleFinishOnboarding}>
-        {appSetupCompleted
+        {widgetSetupCompleted
           ? t("environments.connect.finish_onboarding")
           : t("environments.connect.do_it_later")}
         <ArrowRight />

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/OnboardingSetupInstructions.test.tsx

@@ -33,9 +33,9 @@ describe("OnboardingSetupInstructions", () => {
   // Provide some default props for testing
   const defaultProps = {
     environmentId: "env-123",
-    publicDomain: "https://example.com",
+    webAppUrl: "https://example.com",
     channel: "app" as const, // Assuming channel is either "app" or "website"
-    appSetupCompleted: false,
+    widgetSetupCompleted: false,
   };
 
   test("renders HTML tab content by default", () => {

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/OnboardingSetupInstructions.tsx

@@ -18,23 +18,23 @@ const tabs = [
 
 interface OnboardingSetupInstructionsProps {
   environmentId: string;
-  publicDomain: string;
+  webAppUrl: string;
   channel: TProjectConfigChannel;
-  appSetupCompleted: boolean;
+  widgetSetupCompleted: boolean;
 }
 
 export const OnboardingSetupInstructions = ({
   environmentId,
-  publicDomain,
+  webAppUrl,
   channel,
-  appSetupCompleted,
+  widgetSetupCompleted,
 }: OnboardingSetupInstructionsProps) => {
   const { t } = useTranslate();
   const [activeTab, setActiveTab] = useState(tabs[0].id);
   const htmlSnippetForAppSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-      var appUrl = "${publicDomain}";
+      var appUrl = "${webAppUrl}";
       var environmentId = "${environmentId}";
       var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs",t.onload=function(){window.formbricks?window.formbricks.setup({environmentId:environmentId,appUrl:appUrl}):console.error("Formbricks library failed to load properly. The formbricks object is not available.");};var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}();
   </script>
@@ -44,7 +44,7 @@ export const OnboardingSetupInstructions = ({
   const htmlSnippetForWebsiteSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-    var appUrl = "${publicDomain}";
+    var appUrl = "${webAppUrl}";
     var environmentId = "${environmentId}";
     var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs",t.onload=function(){window.formbricks?window.formbricks.setup({environmentId:environmentId,appUrl:appUrl}):console.error("Formbricks library failed to load properly. The formbricks object is not available.");};var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}();
   </script>
@@ -57,7 +57,7 @@ export const OnboardingSetupInstructions = ({
   if (typeof window !== "undefined") {
     formbricks.setup({
       environmentId: "${environmentId}",
-      appUrl: "${publicDomain}",
+      appUrl: "${webAppUrl}",
     });
   }
   
@@ -75,7 +75,7 @@ export const OnboardingSetupInstructions = ({
   if (typeof window !== "undefined") {
     formbricks.setup({
       environmentId: "${environmentId}",
-      appUrl: "${publicDomain}",
+      appUrl: "${webAppUrl}",
     });
   }
   
@@ -137,7 +137,7 @@ export const OnboardingSetupInstructions = ({
             <div className="mt-4 flex justify-between space-x-2">
               <Button
                 id="onboarding-inapp-connect-copy-code"
-                variant={appSetupCompleted ? "secondary" : "default"}
+                variant={widgetSetupCompleted ? "secondary" : "default"}
                 onClick={() => {
                   navigator.clipboard.writeText(
                     channel === "app" ? htmlSnippetForAppSurveys : htmlSnippetForWebsiteSurveys

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/page.tsx

@@ -1,6 +1,6 @@
 import { ConnectWithFormbricks } from "@/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks";
+import { WEBAPP_URL } from "@/lib/constants";
 import { getEnvironment } from "@/lib/environment/service";
-import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { Button } from "@/modules/ui/components/button";
 import { Header } from "@/modules/ui/components/header";
@@ -30,8 +30,6 @@ const Page = async (props: ConnectPageProps) => {
 
   const channel = project.config.channel || null;
 
-  const publicDomain = getPublicDomain();
-
   return (
     <div className="flex min-h-full flex-col items-center justify-center py-10">
       <Header title={t("environments.connect.headline")} subtitle={t("environments.connect.subtitle")} />
@@ -41,8 +39,8 @@ const Page = async (props: ConnectPageProps) => {
       </div>
       <ConnectWithFormbricks
         environment={environment}
-        publicDomain={publicDomain}
-        appSetupCompleted={environment.appSetupCompleted}
+        webAppUrl={WEBAPP_URL}
+        widgetSetupCompleted={environment.appSetupCompleted}
         channel={channel}
       />
       <Button

apps/web/app/(app)/(onboarding)/environments/[environmentId]/layout.test.tsx

@@ -11,7 +11,7 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
-  PUBLIC_URL: "http://localhost:3000/survey",
+  SURVEY_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -86,7 +86,7 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
-  REDIS_URL: undefined,
+  REDIS_URL: "test-redis-url",
   AUDIT_LOG_ENABLED: true,
 }));
 

apps/web/app/(app)/(onboarding)/environments/[environmentId]/xm-templates/lib/xm-templates.ts

@@ -1,7 +1,3 @@
-import { createId } from "@paralleldrive/cuid2";
-import { TFnType } from "@tolgee/react";
-import { logger } from "@formbricks/logger";
-import { TXMTemplate } from "@formbricks/types/templates";
 import {
   buildCTAQuestion,
   buildNPSQuestion,
@@ -9,6 +5,10 @@ import {
   buildRatingQuestion,
   getDefaultEndingCard,
 } from "@/app/lib/survey-builder";
+import { createId } from "@paralleldrive/cuid2";
+import { TFnType } from "@tolgee/react";
+import { logger } from "@formbricks/logger";
+import { TXMTemplate } from "@formbricks/types/templates";
 
 export const getXMSurveyDefault = (t: TFnType): TXMTemplate => {
   try {
@@ -105,7 +105,7 @@ const starRatingSurvey = (t: TFnType): TXMTemplate => {
       }),
       buildCTAQuestion({
         id: reusableQuestionIds[1],
-        subheader: t("templates.star_rating_survey_question_2_html"),
+        html: t("templates.star_rating_survey_question_2_html"),
         logic: [
           {
             id: createId(),
@@ -322,7 +322,7 @@ const smileysRatingSurvey = (t: TFnType): TXMTemplate => {
       }),
       buildCTAQuestion({
         id: reusableQuestionIds[1],
-        subheader: t("templates.smileys_survey_question_2_html"),
+        html: t("templates.smileys_survey_question_2_html"),
         logic: [
           {
             id: createId(),

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar.test.tsx

@@ -45,11 +45,22 @@ afterEach(() => {
 });
 
 describe("LandingSidebar component", () => {
-  const user = { id: "u1", name: "Alice", email: "alice@example.com" } as any;
+  const user = { id: "u1", name: "Alice", email: "alice@example.com", imageUrl: "" } as any;
   const organization = { id: "o1", name: "orgOne" } as any;
+  const organizations = [
+    { id: "o2", name: "betaOrg" },
+    { id: "o1", name: "alphaOrg" },
+  ] as any;
 
   test("renders logo, avatar, and initial modal closed", () => {
-    render(<LandingSidebar user={user} organization={organization} />);
+    render(
+      <LandingSidebar
+        isMultiOrgEnabled={false}
+        user={user}
+        organization={organization}
+        organizations={organizations}
+      />
+    );
 
     // Formbricks logo
     expect(screen.getByAltText("environments.formbricks_logo")).toBeInTheDocument();
@@ -60,7 +71,14 @@ describe("LandingSidebar component", () => {
   });
 
   test("clicking logout triggers signOut", async () => {
-    render(<LandingSidebar user={user} organization={organization} />);
+    render(
+      <LandingSidebar
+        isMultiOrgEnabled={false}
+        user={user}
+        organization={organization}
+        organizations={organizations}
+      />
+    );
 
     // Open user dropdown by clicking on avatar trigger
     const trigger = screen.getByTestId("avatar").parentElement;
@@ -76,7 +94,6 @@ describe("LandingSidebar component", () => {
       organizationId: "o1",
       redirect: true,
       callbackUrl: "/auth/login",
-      clearEnvironmentId: true,
     });
   });
 });

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar.tsx

@@ -1,14 +1,8 @@
 "use client";
 
-import { useTranslate } from "@tolgee/react";
-import { ArrowUpRightIcon, ChevronRightIcon, LogOutIcon } from "lucide-react";
-import Image from "next/image";
-import Link from "next/link";
-import { useState } from "react";
-import { TOrganization } from "@formbricks/types/organizations";
-import { TUser } from "@formbricks/types/user";
 import FBLogo from "@/images/formbricks-wordmark.svg";
 import { cn } from "@/lib/cn";
+import { capitalizeFirstLetter } from "@/lib/utils/strings";
 import { useSignOut } from "@/modules/auth/hooks/use-sign-out";
 import { CreateOrganizationModal } from "@/modules/organization/components/CreateOrganizationModal";
 import { ProfileAvatar } from "@/modules/ui/components/avatars";
@@ -16,20 +10,48 @@ import {
   DropdownMenu,
   DropdownMenuContent,
   DropdownMenuItem,
+  DropdownMenuPortal,
+  DropdownMenuRadioGroup,
+  DropdownMenuRadioItem,
+  DropdownMenuSeparator,
+  DropdownMenuSub,
+  DropdownMenuSubContent,
+  DropdownMenuSubTrigger,
   DropdownMenuTrigger,
 } from "@/modules/ui/components/dropdown-menu";
+import { useTranslate } from "@tolgee/react";
+import { ArrowUpRightIcon, ChevronRightIcon, LogOutIcon, PlusIcon } from "lucide-react";
+import Image from "next/image";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { useMemo, useState } from "react";
+import { TOrganization } from "@formbricks/types/organizations";
+import { TUser } from "@formbricks/types/user";
 
 interface LandingSidebarProps {
+  isMultiOrgEnabled: boolean;
   user: TUser;
   organization: TOrganization;
+  organizations: TOrganization[];
 }
 
-export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
+export const LandingSidebar = ({
+  isMultiOrgEnabled,
+  user,
+  organization,
+  organizations,
+}: LandingSidebarProps) => {
   const [openCreateOrganizationModal, setOpenCreateOrganizationModal] = useState<boolean>(false);
 
   const { t } = useTranslate();
   const { signOut: signOutWithAudit } = useSignOut({ id: user.id, email: user.email });
 
+  const router = useRouter();
+
+  const handleEnvironmentChangeByOrganization = (organizationId: string) => {
+    router.push(`/organizations/${organizationId}/`);
+  };
+
   const dropdownNavigation = [
     {
       label: t("common.documentation"),
@@ -39,6 +61,13 @@ export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
     },
   ];
 
+  const currentOrganizationId = organization?.id;
+  const currentOrganizationName = capitalizeFirstLetter(organization?.name);
+
+  const sortedOrganizations = useMemo(() => {
+    return [...organizations].sort((a, b) => a.name.localeCompare(b.name));
+  }, [organizations]);
+
   return (
     <aside
       className={cn(
@@ -51,26 +80,27 @@ export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
           <DropdownMenuTrigger
             asChild
             id="userDropdownTrigger"
-            className="w-full rounded-br-xl border-t p-4 transition-colors duration-200 hover:bg-slate-50 focus:outline-none">
-            <button
-              type="button"
-              className={cn("flex w-full cursor-pointer flex-row items-center gap-3 text-left")}
-              aria-haspopup="menu">
-              <ProfileAvatar userId={user.id} />
-              <div className="grow overflow-hidden">
-                <p
-                  title={user?.email}
-                  className={cn(
-                    "ph-no-capture ph-no-capture -mb-0.5 truncate text-sm font-bold text-slate-700"
-                  )}>
-                  {user?.name ? <span>{user?.name}</span> : <span>{user?.email}</span>}
-                </p>
-                <p title={organization?.name} className="truncate text-sm text-slate-500">
-                  {organization?.name}
-                </p>
-              </div>
-              <ChevronRightIcon className={cn("h-5 w-5 shrink-0 text-slate-700 hover:text-slate-500")} />
-            </button>
+            className="w-full rounded-br-xl border-t py-4 pl-4 transition-colors duration-200 hover:bg-slate-50 focus:outline-none">
+            <div tabIndex={0} className={cn("flex cursor-pointer flex-row items-center space-x-3")}>
+              <ProfileAvatar userId={user.id} imageUrl={user.imageUrl} />
+              <>
+                <div>
+                  <p
+                    title={user?.email}
+                    className={cn(
+                      "ph-no-capture ph-no-capture -mb-0.5 max-w-28 truncate text-sm font-bold text-slate-700"
+                    )}>
+                    {user?.name ? <span>{user?.name}</span> : <span>{user?.email}</span>}
+                  </p>
+                  <p
+                    title={capitalizeFirstLetter(organization?.name)}
+                    className="max-w-28 truncate text-sm text-slate-500">
+                    {capitalizeFirstLetter(organization?.name)}
+                  </p>
+                </div>
+                <ChevronRightIcon className={cn("h-5 w-5 text-slate-700 hover:text-slate-500")} />
+              </>
+            </div>
           </DropdownMenuTrigger>
 
           <DropdownMenuContent
@@ -82,13 +112,7 @@ export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
             {/* Dropdown Items */}
 
             {dropdownNavigation.map((link) => (
-              <Link
-                key={link.href}
-                id={link.href}
-                href={link.href}
-                target={link.target}
-                rel={link.target === "_blank" ? "noopener noreferrer" : undefined}
-                className="flex w-full items-center">
+              <Link id={link.href} href={link.href} target={link.target} className="flex w-full items-center">
                 <DropdownMenuItem>
                   <link.icon className="mr-2 h-4 w-4" strokeWidth={1.5} />
                   {link.label}
@@ -97,6 +121,7 @@ export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
             ))}
 
             {/* Logout */}
+
             <DropdownMenuItem
               onClick={async () => {
                 await signOutWithAudit({
@@ -105,12 +130,50 @@ export const LandingSidebar = ({ user, organization }: LandingSidebarProps) => {
                   organizationId: organization.id,
                   redirect: true,
                   callbackUrl: "/auth/login",
-                  clearEnvironmentId: true,
                 });
               }}
               icon={<LogOutIcon className="mr-2 h-4 w-4" strokeWidth={1.5} />}>
               {t("common.logout")}
             </DropdownMenuItem>
+
+            {/* Organization Switch */}
+
+            {(isMultiOrgEnabled || organizations.length > 1) && (
+              <DropdownMenuSub>
+                <DropdownMenuSubTrigger className="rounded-lg">
+                  <div>
+                    <p>{currentOrganizationName}</p>
+                    <p className="block text-xs text-slate-500">{t("common.switch_organization")}</p>
+                  </div>
+                </DropdownMenuSubTrigger>
+                <DropdownMenuPortal>
+                  <DropdownMenuSubContent sideOffset={10} alignOffset={5}>
+                    <DropdownMenuRadioGroup
+                      value={currentOrganizationId}
+                      onValueChange={(organizationId) =>
+                        handleEnvironmentChangeByOrganization(organizationId)
+                      }>
+                      {sortedOrganizations.map((organization) => (
+                        <DropdownMenuRadioItem
+                          value={organization.id}
+                          className="cursor-pointer rounded-lg"
+                          key={organization.id}>
+                          {organization.name}
+                        </DropdownMenuRadioItem>
+                      ))}
+                    </DropdownMenuRadioGroup>
+                    <DropdownMenuSeparator />
+                    {isMultiOrgEnabled && (
+                      <DropdownMenuItem
+                        onClick={() => setOpenCreateOrganizationModal(true)}
+                        icon={<PlusIcon className="mr-2 h-4 w-4" />}>
+                        <span>{t("common.create_new_organization")}</span>
+                      </DropdownMenuItem>
+                    )}
+                  </DropdownMenuSubContent>
+                </DropdownMenuPortal>
+              </DropdownMenuSub>
+            )}
           </DropdownMenuContent>
         </DropdownMenu>
       </div>

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/layout.test.tsx

@@ -14,7 +14,7 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
-  PUBLIC_URL: "http://localhost:3000/survey",
+  SURVEY_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -89,7 +89,7 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
-  REDIS_URL: undefined,
+  REDIS_URL: "test-redis-url",
   AUDIT_LOG_ENABLED: true,
 }));
 

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/page.test.tsx

@@ -1,4 +1,3 @@
-import { getMembershipByUserIdOrganizationId } from "@/lib/membership/service";
 import { getOrganizationsByUserId } from "@/lib/organization/service";
 import { getUser } from "@/lib/user/service";
 import { getOrganizationAuth } from "@/modules/organization/lib/utils";
@@ -16,7 +15,6 @@ vi.mock("@/modules/ee/license-check/lib/license", () => ({
     isPendingDowngrade: false,
     fallbackLevel: "live",
   }),
-  getLicenseFeatures: vi.fn().mockResolvedValue({ isMultiOrgEnabled: true }),
 }));
 
 vi.mock("@/lib/constants", () => ({
@@ -25,6 +23,7 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
+  SURVEY_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -99,36 +98,20 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
-  REDIS_URL: undefined,
+  REDIS_URL: "test-redis-url",
   AUDIT_LOG_ENABLED: true,
 }));
 
-vi.mock("@/lib/getPublicUrl", () => ({
-  getPublicDomain: vi.fn().mockReturnValue("http://localhost:3000"),
-}));
-
 vi.mock("@/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar", () => ({
   LandingSidebar: () => <div data-testid="landing-sidebar" />,
 }));
-vi.mock("@/app/(app)/environments/[environmentId]/components/project-and-org-switch", () => ({
-  ProjectAndOrgSwitch: () => <div data-testid="project-and-org-switch" />,
-}));
 vi.mock("@/modules/organization/lib/utils");
 vi.mock("@/lib/user/service");
 vi.mock("@/lib/organization/service");
-vi.mock("@/lib/membership/service");
 vi.mock("@/tolgee/server");
 vi.mock("next/navigation", () => ({
   redirect: vi.fn(() => "REDIRECT_STUB"),
   notFound: vi.fn(() => "NOT_FOUND_STUB"),
-  usePathname: vi.fn(() => "/organizations/org1"),
-  useRouter: vi.fn(() => ({
-    push: vi.fn(),
-    replace: vi.fn(),
-    back: vi.fn(),
-    forward: vi.fn(),
-    refresh: vi.fn(),
-  })),
 }));
 
 // Mock the React cache function
@@ -160,7 +143,6 @@ describe("Page component", () => {
         isPendingDowngrade: false,
         fallbackLevel: "live",
       }),
-      getLicenseFeatures: vi.fn().mockResolvedValue({ isMultiOrgEnabled: true }),
     }));
     const { default: Page } = await import("./page");
     const result = await Page({ params: { organizationId: "org1" } });
@@ -182,7 +164,6 @@ describe("Page component", () => {
         isPendingDowngrade: false,
         fallbackLevel: "live",
       }),
-      getLicenseFeatures: vi.fn().mockResolvedValue({ isMultiOrgEnabled: true }),
     }));
     const { default: Page } = await import("./page");
     const result = await Page({ params: { organizationId: "org1" } });
@@ -193,16 +174,10 @@ describe("Page component", () => {
   test("renders header and sidebar for authenticated user", async () => {
     vi.mocked(getOrganizationAuth).mockResolvedValue({
       session: { user: { id: "user1" } },
-      organization: { id: "org1", billing: { plan: "free" } },
+      organization: { id: "org1" },
     } as any);
     vi.mocked(getUser).mockResolvedValue({ id: "user1", name: "Test User" } as any);
     vi.mocked(getOrganizationsByUserId).mockResolvedValue([{ id: "org1", name: "Org One" } as any]);
-    vi.mocked(getMembershipByUserIdOrganizationId).mockResolvedValue({
-      organizationId: "org1",
-      userId: "user1",
-      accepted: true,
-      role: "member",
-    } as any);
     vi.mocked(getTranslate).mockResolvedValue((props: any) =>
       typeof props === "string" ? props : props.key || ""
     );
@@ -214,13 +189,11 @@ describe("Page component", () => {
         isPendingDowngrade: false,
         fallbackLevel: "live",
       }),
-      getLicenseFeatures: vi.fn().mockResolvedValue({ isMultiOrgEnabled: true }),
     }));
     const { default: Page } = await import("./page");
     const element = await Page({ params: { organizationId: "org1" } });
     render(element as React.ReactElement);
     expect(screen.getByTestId("landing-sidebar")).toBeInTheDocument();
-    expect(screen.getByTestId("project-and-org-switch")).toBeInTheDocument();
     expect(screen.getByText("organizations.landing.no_projects_warning_title")).toBeInTheDocument();
     expect(screen.getByText("organizations.landing.no_projects_warning_subtitle")).toBeInTheDocument();
   });

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/page.tsx

@@ -1,11 +1,7 @@
 import { LandingSidebar } from "@/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar";
-import { ProjectAndOrgSwitch } from "@/app/(app)/environments/[environmentId]/components/project-and-org-switch";
-import { IS_FORMBRICKS_CLOUD } from "@/lib/constants";
-import { getMembershipByUserIdOrganizationId } from "@/lib/membership/service";
-import { getAccessFlags } from "@/lib/membership/utils";
 import { getOrganizationsByUserId } from "@/lib/organization/service";
 import { getUser } from "@/lib/user/service";
-import { getIsMultiOrgEnabled } from "@/modules/ee/license-check/lib/utils";
+import { getEnterpriseLicense } from "@/modules/ee/license-check/lib/license";
 import { getOrganizationAuth } from "@/modules/organization/lib/utils";
 import { Header } from "@/modules/ui/components/header";
 import { getTranslate } from "@/tolgee/server";
@@ -26,38 +22,24 @@ const Page = async (props) => {
 
   const organizations = await getOrganizationsByUserId(session.user.id);
 
-  const isMultiOrgEnabled = await getIsMultiOrgEnabled();
+  const { features } = await getEnterpriseLicense();
 
-  const membership = await getMembershipByUserIdOrganizationId(session.user.id, organization.id);
-  const { isMember } = getAccessFlags(membership?.role);
+  const isMultiOrgEnabled = features?.isMultiOrgEnabled ?? false;
 
   return (
     <div className="flex min-h-full min-w-full flex-row">
-      <LandingSidebar user={user} organization={organization} />
+      <LandingSidebar
+        user={user}
+        organization={organization}
+        isMultiOrgEnabled={isMultiOrgEnabled}
+        organizations={organizations}
+      />
       <div className="flex-1">
-        <div className="flex h-full flex-col">
-          <div className="p-6">
-            {/* we only need to render organization breadcrumb on this page, so we pass some default value without actually calculating them to ProjectAndOrgSwitch component  */}
-            <ProjectAndOrgSwitch
-              currentOrganizationId={organization.id}
-              organizations={organizations}
-              projects={[]}
-              isMultiOrgEnabled={isMultiOrgEnabled}
-              organizationProjectsLimit={0}
-              isFormbricksCloud={IS_FORMBRICKS_CLOUD}
-              isLicenseActive={false}
-              isOwnerOrManager={false}
-              isAccessControlAllowed={false}
-              isMember={isMember}
-              environments={[]}
-            />
-          </div>
-          <div className="flex h-full flex-col items-center justify-center space-y-12">
-            <Header
-              title={t("organizations.landing.no_projects_warning_title")}
-              subtitle={t("organizations.landing.no_projects_warning_subtitle")}
-            />
-          </div>
+        <div className="flex h-full flex-col items-center justify-center space-y-12">
+          <Header
+            title={t("organizations.landing.no_projects_warning_title")}
+            subtitle={t("organizations.landing.no_projects_warning_subtitle")}
+          />
         </div>
       </div>
     </div>

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/layout.test.tsx

@@ -35,7 +35,7 @@ vi.mock("@/lib/constants", () => ({
   WEBAPP_URL: "test-webapp-url",
   IS_PRODUCTION: false,
   SESSION_MAX_AGE: 1000,
-  REDIS_URL: undefined,
+  REDIS_URL: "test-redis-url",
   AUDIT_LOG_ENABLED: true,
 }));
 

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/layout.test.tsx

@@ -34,7 +34,7 @@ vi.mock("@/lib/constants", () => ({
   WEBAPP_URL: "test-webapp-url",
   IS_PRODUCTION: false,
   SESSION_MAX_AGE: 1000,
-  REDIS_URL: undefined,
+  REDIS_URL: "test-redis-url",
   AUDIT_LOG_ENABLED: true,
 }));
 

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/components/ProjectSettings.test.tsx

@@ -62,7 +62,7 @@ describe("ProjectSettings component", () => {
     industry: "ind",
     defaultBrandColor: "#fff",
     organizationTeams: [],
-    isAccessControlAllowed: false,
+    canDoRoleManagement: false,
     userProjectsCount: 0,
   } as any;
 

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/components/ProjectSettings.tsx

@@ -42,7 +42,7 @@ interface ProjectSettingsProps {
   industry: TProjectConfigIndustry;
   defaultBrandColor: string;
   organizationTeams: TOrganizationTeam[];
-  isAccessControlAllowed: boolean;
+  canDoRoleManagement: boolean;
   userProjectsCount: number;
 }
 
@@ -53,7 +53,7 @@ export const ProjectSettings = ({
   industry,
   defaultBrandColor,
   organizationTeams,
-  isAccessControlAllowed = false,
+  canDoRoleManagement = false,
   userProjectsCount,
 }: ProjectSettingsProps) => {
   const [createTeamModalOpen, setCreateTeamModalOpen] = useState(false);
@@ -174,7 +174,7 @@ export const ProjectSettings = ({
               )}
             />
 
-            {isAccessControlAllowed && userProjectsCount > 0 && (
+            {canDoRoleManagement && userProjectsCount > 0 && (
               <FormField
                 control={form.control}
                 name="teamIds"

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/page.test.tsx

@@ -1,6 +1,6 @@
 import { getTeamsByOrganizationId } from "@/app/(app)/(onboarding)/lib/onboarding";
 import { getUserProjects } from "@/lib/project/service";
-import { getAccessControlPermission } from "@/modules/ee/license-check/lib/utils";
+import { getRoleManagementPermission } from "@/modules/ee/license-check/lib/utils";
 import { getOrganizationAuth } from "@/modules/organization/lib/utils";
 import "@testing-library/jest-dom/vitest";
 import { cleanup, render, screen } from "@testing-library/react";
@@ -12,7 +12,7 @@ vi.mock("@/lib/constants", () => ({ DEFAULT_BRAND_COLOR: "#fff" }));
 // Mocks before component import
 vi.mock("@/app/(app)/(onboarding)/lib/onboarding", () => ({ getTeamsByOrganizationId: vi.fn() }));
 vi.mock("@/lib/project/service", () => ({ getUserProjects: vi.fn() }));
-vi.mock("@/modules/ee/license-check/lib/utils", () => ({ getAccessControlPermission: vi.fn() }));
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({ getRoleManagementPermission: vi.fn() }));
 vi.mock("@/modules/organization/lib/utils", () => ({ getOrganizationAuth: vi.fn() }));
 vi.mock("@/tolgee/server", () => ({ getTranslate: () => Promise.resolve((key: string) => key) }));
 vi.mock("next/navigation", () => ({ redirect: vi.fn() }));
@@ -61,7 +61,7 @@ describe("ProjectSettingsPage", () => {
     } as any);
     vi.mocked(getUserProjects).mockResolvedValueOnce([] as any);
     vi.mocked(getTeamsByOrganizationId).mockResolvedValueOnce(null as any);
-    vi.mocked(getAccessControlPermission).mockResolvedValueOnce(false as any);
+    vi.mocked(getRoleManagementPermission).mockResolvedValueOnce(false as any);
 
     await expect(Page({ params, searchParams })).rejects.toThrow("common.organization_teams_not_found");
   });
@@ -73,7 +73,7 @@ describe("ProjectSettingsPage", () => {
     } as any);
     vi.mocked(getUserProjects).mockResolvedValueOnce([{ id: "p1" }] as any);
     vi.mocked(getTeamsByOrganizationId).mockResolvedValueOnce([{ id: "t1", name: "Team1" }] as any);
-    vi.mocked(getAccessControlPermission).mockResolvedValueOnce(true as any);
+    vi.mocked(getRoleManagementPermission).mockResolvedValueOnce(true as any);
 
     const element = await Page({ params, searchParams });
     render(element as React.ReactElement);
@@ -96,7 +96,7 @@ describe("ProjectSettingsPage", () => {
     } as any);
     vi.mocked(getUserProjects).mockResolvedValueOnce([] as any);
     vi.mocked(getTeamsByOrganizationId).mockResolvedValueOnce([{ id: "t1", name: "Team1" }] as any);
-    vi.mocked(getAccessControlPermission).mockResolvedValueOnce(true as any);
+    vi.mocked(getRoleManagementPermission).mockResolvedValueOnce(true as any);
 
     const element = await Page({ params, searchParams });
     render(element as React.ReactElement);

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/page.tsx

@@ -2,7 +2,7 @@ import { getTeamsByOrganizationId } from "@/app/(app)/(onboarding)/lib/onboardin
 import { ProjectSettings } from "@/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/components/ProjectSettings";
 import { DEFAULT_BRAND_COLOR } from "@/lib/constants";
 import { getUserProjects } from "@/lib/project/service";
-import { getAccessControlPermission } from "@/modules/ee/license-check/lib/utils";
+import { getRoleManagementPermission } from "@/modules/ee/license-check/lib/utils";
 import { getOrganizationAuth } from "@/modules/organization/lib/utils";
 import { Button } from "@/modules/ui/components/button";
 import { Header } from "@/modules/ui/components/header";
@@ -41,7 +41,7 @@ const Page = async (props: ProjectSettingsPageProps) => {
 
   const organizationTeams = await getTeamsByOrganizationId(params.organizationId);
 
-  const isAccessControlAllowed = await getAccessControlPermission(organization.billing.plan);
+  const canDoRoleManagement = await getRoleManagementPermission(organization.billing.plan);
 
   if (!organizationTeams) {
     throw new Error(t("common.organization_teams_not_found"));
@@ -60,7 +60,7 @@ const Page = async (props: ProjectSettingsPageProps) => {
         industry={industry}
         defaultBrandColor={DEFAULT_BRAND_COLOR}
         organizationTeams={organizationTeams}
-        isAccessControlAllowed={isAccessControlAllowed}
+        canDoRoleManagement={canDoRoleManagement}
         userProjectsCount={projects.length}
       />
       {projects.length >= 1 && (

apps/web/app/(app)/(survey-editor)/environments/[environmentId]/layout.test.tsx

@@ -18,6 +18,11 @@ vi.mock("@/modules/ui/components/environmentId-base-layout", () => ({
     </div>
   ),
 }));
+vi.mock("@/modules/ui/components/dev-environment-banner", () => ({
+  DevEnvironmentBanner: ({ environment }: any) => (
+    <div data-testid="DevEnvironmentBanner">{environment.id}</div>
+  ),
+}));
 
 // Mocks for dependencies
 vi.mock("@/modules/environments/lib/utils", () => ({
@@ -53,6 +58,7 @@ describe("SurveyEditorEnvironmentLayout", () => {
     render(result);
 
     expect(screen.getByTestId("EnvironmentIdBaseLayout")).toHaveTextContent("env1");
+    expect(screen.getByTestId("DevEnvironmentBanner")).toHaveTextContent("env1");
     expect(screen.getByTestId("child")).toHaveTextContent("Survey Editor Content");
   });
 

apps/web/app/(app)/(survey-editor)/environments/[environmentId]/layout.tsx

@@ -1,5 +1,6 @@
 import { getEnvironment } from "@/lib/environment/service";
 import { environmentIdLayoutChecks } from "@/modules/environments/lib/utils";
+import { DevEnvironmentBanner } from "@/modules/ui/components/dev-environment-banner";
 import { EnvironmentIdBaseLayout } from "@/modules/ui/components/environmentId-base-layout";
 import { redirect } from "next/navigation";
 
@@ -31,6 +32,7 @@ const SurveyEditorEnvironmentLayout = async (props) => {
       user={user}
       organization={organization}>
       <div className="flex h-screen flex-col">
+        <DevEnvironmentBanner environment={environment} />
         <div className="h-full overflow-y-auto bg-slate-50">{children}</div>
       </div>
     </EnvironmentIdBaseLayout>

apps/web/app/(app)/environments/[environmentId]/(contacts)/contacts/[contactId]/page.test.tsx

@@ -27,13 +27,7 @@ vi.mock("@/lib/constants", () => ({
   IS_POSTHOG_CONFIGURED: true,
   SESSION_MAX_AGE: 1000,
   AUDIT_LOG_ENABLED: 1,
-  REDIS_URL: undefined,
-}));
-
-vi.mock("@/lib/env", () => ({
-  env: {
-    PUBLIC_URL: "https://public-domain.com",
-  },
+  REDIS_URL: "redis://localhost:6379",
 }));
 
 describe("Contact Page Re-export", () => {

apps/web/app/(app)/environments/[environmentId]/actions.ts

@@ -8,8 +8,8 @@ import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-clie
 import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import {
-  getAccessControlPermission,
   getOrganizationProjectsLimit,
+  getRoleManagementPermission,
 } from "@/modules/ee/license-check/lib/utils";
 import { createProject } from "@/modules/projects/settings/lib/project";
 import { z } from "zod";
@@ -58,9 +58,9 @@ export const createProjectAction = authenticatedActionClient.schema(ZCreateProje
       }
 
       if (parsedInput.data.teamIds && parsedInput.data.teamIds.length > 0) {
-        const isAccessControlAllowed = await getAccessControlPermission(organization.billing.plan);
+        const canDoRoleManagement = await getRoleManagementPermission(organization.billing.plan);
 
-        if (!isAccessControlAllowed) {
+        if (!canDoRoleManagement) {
           throw new OperationNotAllowedError("You do not have permission to manage roles");
         }
       }
@@ -71,6 +71,10 @@ export const createProjectAction = authenticatedActionClient.schema(ZCreateProje
         alert: {
           ...user.notificationSettings?.alert,
         },
+        weeklySummary: {
+          ...user.notificationSettings?.weeklySummary,
+          [project.id]: true,
+        },
       };
 
       await updateUser(user.id, {

apps/web/app/(app)/environments/[environmentId]/actions/actions.ts

@@ -1,9 +1,5 @@
 "use server";
 
-import { z } from "zod";
-import { ZActionClassInput } from "@formbricks/types/action-classes";
-import { ZId } from "@formbricks/types/common";
-import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { deleteActionClass, getActionClass, updateActionClass } from "@/lib/actionClass/service";
 import { getSurveysByActionClassId } from "@/lib/survey/service";
 import { actionClient, authenticatedActionClient } from "@/lib/utils/action-client";
@@ -11,6 +7,10 @@ import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-clie
 import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { getOrganizationIdFromActionClassId, getProjectIdFromActionClassId } from "@/lib/utils/helper";
 import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
+import { z } from "zod";
+import { ZActionClassInput } from "@formbricks/types/action-classes";
+import { ZId } from "@formbricks/types/common";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 
 const ZDeleteActionClassAction = z.object({
   actionClassId: ZId,
@@ -124,16 +124,20 @@ export const getActiveInactiveSurveysAction = authenticatedActionClient
 
 const getLatestStableFbRelease = async (): Promise<string | null> => {
   try {
-    const res = await fetch("https://api.github.com/repos/formbricks/formbricks/releases/latest");
-    const release = await res.json();
+    const res = await fetch("https://api.github.com/repos/formbricks/formbricks/releases");
+    const releases = await res.json();
 
-    if (release && release.tag_name) {
-      return release.tag_name;
+    if (Array.isArray(releases)) {
+      const latestStableReleaseTag = releases.filter((release) => !release.prerelease)?.[0]
+        ?.tag_name as string;
+      if (latestStableReleaseTag) {
+        return latestStableReleaseTag;
+      }
     }
 
     return null;
-  } catch (error) {
-    throw new Error("Failed to get latest stable Formbricks release", { cause: error });
+  } catch (err) {
+    return null;
   }
 };
 

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionActivityTab.test.tsx

@@ -1,48 +1,22 @@
+import { createActionClassAction } from "@/modules/survey/editor/actions";
 import { cleanup, render, screen } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
 import toast from "react-hot-toast";
 import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
 import { TActionClass } from "@formbricks/types/action-classes";
 import { TEnvironment } from "@formbricks/types/environment";
-import { getActiveInactiveSurveysAction } from "@/modules/projects/settings/(setup)/app-connection/actions";
-import { createActionClassAction } from "@/modules/survey/editor/actions";
+import { getActiveInactiveSurveysAction } from "../actions";
 import { ActionActivityTab } from "./ActionActivityTab";
 
 // Mock dependencies
-vi.mock("@/modules/projects/settings/(setup)/app-connection/utils", () => ({
+vi.mock("@/app/(app)/environments/[environmentId]/actions/utils", () => ({
   ACTION_TYPE_ICON_LOOKUP: {
     noCode: <div>NoCodeIcon</div>,
+    automatic: <div>AutomaticIcon</div>,
     code: <div>CodeIcon</div>,
   },
 }));
 
-vi.mock("@/lib/constants", () => ({
-  IS_FORMBRICKS_CLOUD: false,
-  POSTHOG_API_KEY: "mock-posthog-api-key",
-  POSTHOG_HOST: "mock-posthog-host",
-  IS_POSTHOG_CONFIGURED: true,
-  ENCRYPTION_KEY: "mock-encryption-key",
-  ENTERPRISE_LICENSE_KEY: "mock-enterprise-license-key",
-  GITHUB_ID: "mock-github-id",
-  GITHUB_SECRET: "test-githubID",
-  GOOGLE_CLIENT_ID: "test-google-client-id",
-  GOOGLE_CLIENT_SECRET: "test-google-client-secret",
-  AZUREAD_CLIENT_ID: "test-azuread-client-id",
-  AZUREAD_CLIENT_SECRET: "test-azure",
-  AZUREAD_TENANT_ID: "test-azuread-tenant-id",
-  OIDC_DISPLAY_NAME: "test-oidc-display-name",
-  OIDC_CLIENT_ID: "test-oidc-client-id",
-  OIDC_ISSUER: "test-oidc-issuer",
-  OIDC_CLIENT_SECRET: "test-oidc-client-secret",
-  OIDC_SIGNING_ALGORITHM: "test-oidc-signing-algorithm",
-  WEBAPP_URL: "test-webapp-url",
-  IS_PRODUCTION: false,
-  SENTRY_DSN: "mock-sentry-dsn",
-  SENTRY_RELEASE: "mock-sentry-release",
-  SENTRY_ENVIRONMENT: "mock-sentry-environment",
-  SESSION_MAX_AGE: 1000,
-}));
-
 vi.mock("@/lib/time", () => ({
   convertDateTimeStringShort: (dateString: string) => `formatted-${dateString}`,
 }));
@@ -51,6 +25,10 @@ vi.mock("@/lib/utils/helper", () => ({
   getFormattedErrorMessage: (error: any) => `Formatted error: ${error?.message || "Unknown error"}`,
 }));
 
+vi.mock("@/lib/utils/strings", () => ({
+  capitalizeFirstLetter: (str: string) => str.charAt(0).toUpperCase() + str.slice(1),
+}));
+
 vi.mock("@/modules/survey/editor/actions", () => ({
   createActionClassAction: vi.fn(),
 }));
@@ -75,14 +53,10 @@ vi.mock("@/modules/ui/components/loading-spinner", () => ({
   LoadingSpinner: () => <div>LoadingSpinner</div>,
 }));
 
-vi.mock("@/modules/projects/settings/(setup)/app-connection/actions", () => ({
+vi.mock("../actions", () => ({
   getActiveInactiveSurveysAction: vi.fn(),
 }));
 
-vi.mock("react-hot-toast", () => ({
-  default: { success: vi.fn(), error: vi.fn() },
-}));
-
 const mockActionClass = {
   id: "action1",
   createdAt: new Date("2023-01-01T10:00:00Z"),
@@ -205,7 +179,7 @@ describe("ActionActivityTab", () => {
     expect(screen.getByText(`formatted-${mockActionClass.createdAt.toString()}`)).toBeInTheDocument(); // Created on
     expect(screen.getByText(`formatted-${mockActionClass.updatedAt.toString()}`)).toBeInTheDocument(); // Last updated
     expect(screen.getByText("NoCodeIcon")).toBeInTheDocument(); // Type icon
-    expect(screen.getByText("noCode")).toBeInTheDocument(); // Type text (now lowercase, capitalized via CSS)
+    expect(screen.getByText("NoCode")).toBeInTheDocument(); // Type text
     expect(screen.getByText("Development")).toBeInTheDocument(); // Environment
     expect(screen.getByText("Copy to Production")).toBeInTheDocument(); // Copy button text
   });

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionActivityTab.tsx

@@ -1,19 +1,20 @@
 "use client";
 
-import { useTranslate } from "@tolgee/react";
-import { useEffect, useMemo, useState } from "react";
-import toast from "react-hot-toast";
-import { TActionClass, TActionClassInput, TActionClassInputCode } from "@formbricks/types/action-classes";
-import { TEnvironment } from "@formbricks/types/environment";
+import { ACTION_TYPE_ICON_LOOKUP } from "@/app/(app)/environments/[environmentId]/actions/utils";
 import { convertDateTimeStringShort } from "@/lib/time";
 import { getFormattedErrorMessage } from "@/lib/utils/helper";
-import { getActiveInactiveSurveysAction } from "@/modules/projects/settings/(setup)/app-connection/actions";
-import { ACTION_TYPE_ICON_LOOKUP } from "@/modules/projects/settings/(setup)/app-connection/utils";
+import { capitalizeFirstLetter } from "@/lib/utils/strings";
 import { createActionClassAction } from "@/modules/survey/editor/actions";
 import { Button } from "@/modules/ui/components/button";
 import { ErrorComponent } from "@/modules/ui/components/error-component";
 import { Label } from "@/modules/ui/components/label";
 import { LoadingSpinner } from "@/modules/ui/components/loading-spinner";
+import { useTranslate } from "@tolgee/react";
+import { useEffect, useMemo, useState } from "react";
+import toast from "react-hot-toast";
+import { TActionClass, TActionClassInput, TActionClassInputCode } from "@formbricks/types/action-classes";
+import { TEnvironment } from "@formbricks/types/environment";
+import { getActiveInactiveSurveysAction } from "../actions";
 
 interface ActivityTabProps {
   actionClass: TActionClass;
@@ -151,7 +152,7 @@ export const ActionActivityTab = ({
           <Label className="block text-xs font-normal text-slate-500">Type</Label>
           <div className="mt-1 flex items-center">
             <div className="mr-1.5 h-4 w-4 text-slate-600">{ACTION_TYPE_ICON_LOOKUP[actionClass.type]}</div>
-            <p className="text-sm capitalize text-slate-700">{actionClass.type}</p>
+            <p className="text-sm text-slate-700">{capitalizeFirstLetter(actionClass.type)}</p>
           </div>
         </div>
         <div className="">

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionClassesTable.tsx

@@ -24,17 +24,14 @@ export const ActionClassesTable = ({
   otherEnvActionClasses,
   otherEnvironment,
 }: ActionClassesTableProps) => {
-  const [isActionDetailModalOpen, setIsActionDetailModalOpen] = useState(false);
+  const [isActionDetailModalOpen, setActionDetailModalOpen] = useState(false);
 
   const [activeActionClass, setActiveActionClass] = useState<TActionClass>();
 
-  const handleOpenActionDetailModalClick = (
-    e: React.MouseEvent<HTMLButtonElement>,
-    actionClass: TActionClass
-  ) => {
+  const handleOpenActionDetailModalClick = (e, actionClass: TActionClass) => {
     e.preventDefault();
     setActiveActionClass(actionClass);
-    setIsActionDetailModalOpen(true);
+    setActionDetailModalOpen(true);
   };
 
   return (
@@ -45,7 +42,7 @@ export const ActionClassesTable = ({
           {actionClasses.length > 0 ? (
             actionClasses.map((actionClass, index) => (
               <button
-                onClick={(e: React.MouseEvent<HTMLButtonElement>) => {
+                onClick={(e) => {
                   handleOpenActionDetailModalClick(e, actionClass);
                 }}
                 className="w-full"
@@ -66,7 +63,7 @@ export const ActionClassesTable = ({
           environmentId={environmentId}
           environment={environment}
           open={isActionDetailModalOpen}
-          setOpen={setIsActionDetailModalOpen}
+          setOpen={setActionDetailModalOpen}
           actionClasses={actionClasses}
           actionClass={activeActionClass}
           isReadOnly={isReadOnly}

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionDetailModal.test.tsx

@@ -0,0 +1,180 @@
+import { ModalWithTabs } from "@/modules/ui/components/modal-with-tabs";
+import { cleanup, render } from "@testing-library/react";
+import { afterEach, describe, expect, test, vi } from "vitest";
+import { TActionClass } from "@formbricks/types/action-classes";
+import { TEnvironment } from "@formbricks/types/environment";
+import { ActionActivityTab } from "./ActionActivityTab";
+import { ActionDetailModal } from "./ActionDetailModal";
+// Import mocked components
+import { ActionSettingsTab } from "./ActionSettingsTab";
+
+// Mock child components
+vi.mock("@/modules/ui/components/modal-with-tabs", () => ({
+  ModalWithTabs: vi.fn(({ tabs, icon, label, description, open, setOpen }) => (
+    <div data-testid="modal-with-tabs">
+      <span data-testid="modal-label">{label}</span>
+      <span data-testid="modal-description">{description}</span>
+      <span data-testid="modal-open">{open.toString()}</span>
+      <button onClick={() => setOpen(false)}>Close</button>
+      {icon}
+      {tabs.map((tab) => (
+        <div key={tab.title}>
+          <h2>{tab.title}</h2>
+          {tab.children}
+        </div>
+      ))}
+    </div>
+  )),
+}));
+
+vi.mock("./ActionActivityTab", () => ({
+  ActionActivityTab: vi.fn(() => <div data-testid="action-activity-tab">ActionActivityTab</div>),
+}));
+
+vi.mock("./ActionSettingsTab", () => ({
+  ActionSettingsTab: vi.fn(() => <div data-testid="action-settings-tab">ActionSettingsTab</div>),
+}));
+
+// Mock the utils file to control ACTION_TYPE_ICON_LOOKUP
+vi.mock("@/app/(app)/environments/[environmentId]/actions/utils", () => ({
+  ACTION_TYPE_ICON_LOOKUP: {
+    code: <div data-testid="code-icon">Code Icon Mock</div>,
+    noCode: <div data-testid="nocode-icon">No Code Icon Mock</div>,
+    // Add other types if needed by other tests or default props
+  },
+}));
+
+const mockEnvironmentId = "test-env-id";
+const mockSetOpen = vi.fn();
+
+const mockEnvironment = {
+  id: mockEnvironmentId,
+  createdAt: new Date(),
+  updatedAt: new Date(),
+  type: "production", // Use string literal as TEnvironmentType is not exported
+  appSetupCompleted: false,
+} as unknown as TEnvironment;
+
+const mockActionClass: TActionClass = {
+  id: "action-class-1",
+  createdAt: new Date(),
+  updatedAt: new Date(),
+  name: "Test Action",
+  description: "This is a test action",
+  type: "code", // Ensure this matches a key in the mocked ACTION_TYPE_ICON_LOOKUP
+  environmentId: mockEnvironmentId,
+  noCodeConfig: null,
+  key: "test-action-key",
+};
+
+const mockActionClasses: TActionClass[] = [mockActionClass];
+const mockOtherEnvActionClasses: TActionClass[] = [];
+const mockOtherEnvironment = { ...mockEnvironment, id: "other-env-id", name: "Other Environment" };
+
+const defaultProps = {
+  environmentId: mockEnvironmentId,
+  environment: mockEnvironment,
+  open: true,
+  setOpen: mockSetOpen,
+  actionClass: mockActionClass,
+  actionClasses: mockActionClasses,
+  isReadOnly: false,
+  otherEnvironment: mockOtherEnvironment,
+  otherEnvActionClasses: mockOtherEnvActionClasses,
+};
+
+describe("ActionDetailModal", () => {
+  afterEach(() => {
+    cleanup();
+    vi.clearAllMocks(); // Clear mocks after each test
+  });
+
+  test("renders ModalWithTabs with correct props", () => {
+    render(<ActionDetailModal {...defaultProps} />);
+
+    const mockedModalWithTabs = vi.mocked(ModalWithTabs);
+
+    expect(mockedModalWithTabs).toHaveBeenCalled();
+    const props = mockedModalWithTabs.mock.calls[0][0];
+
+    // Check basic props
+    expect(props.open).toBe(true);
+    expect(props.setOpen).toBe(mockSetOpen);
+    expect(props.label).toBe(mockActionClass.name);
+    expect(props.description).toBe(mockActionClass.description);
+
+    // Check icon data-testid based on the mock for the default 'code' type
+    expect(props.icon).toBeDefined();
+    if (!props.icon) {
+      throw new Error("Icon prop is not defined");
+    }
+    expect((props.icon as any).props["data-testid"]).toBe("code-icon");
+
+    // Check tabs structure
+    expect(props.tabs).toHaveLength(2);
+    expect(props.tabs[0].title).toBe("common.activity");
+    expect(props.tabs[1].title).toBe("common.settings");
+
+    // Check if the correct mocked components are used as children
+    // Access the mocked functions directly
+    const mockedActionActivityTab = vi.mocked(ActionActivityTab);
+    const mockedActionSettingsTab = vi.mocked(ActionSettingsTab);
+
+    if (!props.tabs[0].children || !props.tabs[1].children) {
+      throw new Error("Tabs children are not defined");
+    }
+
+    expect((props.tabs[0].children as any).type).toBe(mockedActionActivityTab);
+    expect((props.tabs[1].children as any).type).toBe(mockedActionSettingsTab);
+
+    // Check props passed to child components
+    const activityTabProps = (props.tabs[0].children as any).props;
+    expect(activityTabProps.otherEnvActionClasses).toBe(mockOtherEnvActionClasses);
+    expect(activityTabProps.otherEnvironment).toBe(mockOtherEnvironment);
+    expect(activityTabProps.isReadOnly).toBe(false);
+    expect(activityTabProps.environment).toBe(mockEnvironment);
+    expect(activityTabProps.actionClass).toBe(mockActionClass);
+    expect(activityTabProps.environmentId).toBe(mockEnvironmentId);
+
+    const settingsTabProps = (props.tabs[1].children as any).props;
+    expect(settingsTabProps.actionClass).toBe(mockActionClass);
+    expect(settingsTabProps.actionClasses).toBe(mockActionClasses);
+    expect(settingsTabProps.setOpen).toBe(mockSetOpen);
+    expect(settingsTabProps.isReadOnly).toBe(false);
+  });
+
+  test("renders correct icon based on action type", () => {
+    // Test with 'noCode' type
+    const noCodeAction: TActionClass = { ...mockActionClass, type: "noCode" } as TActionClass;
+    render(<ActionDetailModal {...defaultProps} actionClass={noCodeAction} />);
+
+    const mockedModalWithTabs = vi.mocked(ModalWithTabs);
+    const props = mockedModalWithTabs.mock.calls[0][0];
+
+    // Expect the 'nocode-icon' based on the updated mock and action type
+    expect(props.icon).toBeDefined();
+
+    if (!props.icon) {
+      throw new Error("Icon prop is not defined");
+    }
+
+    expect((props.icon as any).props["data-testid"]).toBe("nocode-icon");
+  });
+
+  test("passes isReadOnly prop correctly", () => {
+    render(<ActionDetailModal {...defaultProps} isReadOnly={true} />);
+    // Access the mocked component directly
+    const mockedModalWithTabs = vi.mocked(ModalWithTabs);
+    const props = mockedModalWithTabs.mock.calls[0][0];
+
+    if (!props.tabs[0].children || !props.tabs[1].children) {
+      throw new Error("Tabs children are not defined");
+    }
+
+    const activityTabProps = (props.tabs[0].children as any).props;
+    expect(activityTabProps.isReadOnly).toBe(true);
+
+    const settingsTabProps = (props.tabs[1].children as any).props;
+    expect(settingsTabProps.isReadOnly).toBe(true);
+  });
+});

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionDetailModal.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import { ACTION_TYPE_ICON_LOOKUP } from "@/modules/projects/settings/(setup)/app-connection/utils";
+import { ACTION_TYPE_ICON_LOOKUP } from "@/app/(app)/environments/[environmentId]/actions/utils";
 import { ModalWithTabs } from "@/modules/ui/components/modal-with-tabs";
 import { useTranslate } from "@tolgee/react";
 import { TActionClass } from "@formbricks/types/action-classes";
@@ -59,24 +59,16 @@ export const ActionDetailModal = ({
     },
   ];
 
-  const typeDescription = () => {
-    if (actionClass.description) return actionClass.description;
-    else
-      return (
-        (actionClass.type && actionClass.type === "noCode" ? t("common.no_code") : t("common.code")) +
-        " " +
-        t("common.action").toLowerCase()
-      );
-  };
-
   return (
-    <ModalWithTabs
-      open={open}
-      setOpen={setOpen}
-      tabs={tabs}
-      icon={ACTION_TYPE_ICON_LOOKUP[actionClass.type]}
-      label={actionClass.name}
-      description={typeDescription()}
-    />
+    <>
+      <ModalWithTabs
+        open={open}
+        setOpen={setOpen}
+        tabs={tabs}
+        icon={ACTION_TYPE_ICON_LOOKUP[actionClass.type]}
+        label={actionClass.name}
+        description={actionClass.description || ""}
+      />
+    </>
   );
 };

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionRowData.tsx

@@ -0,0 +1,32 @@
+import { ACTION_TYPE_ICON_LOOKUP } from "@/app/(app)/environments/[environmentId]/actions/utils";
+import { timeSince } from "@/lib/time";
+import { TActionClass } from "@formbricks/types/action-classes";
+import { TUserLocale } from "@formbricks/types/user";
+
+export const ActionClassDataRow = ({
+  actionClass,
+  locale,
+}: {
+  actionClass: TActionClass;
+  locale: TUserLocale;
+}) => {
+  return (
+    <div className="m-2 grid h-16 grid-cols-6 content-center rounded-lg transition-colors ease-in-out hover:bg-slate-100">
+      <div className="col-span-4 flex items-center pl-6 text-sm">
+        <div className="flex items-center">
+          <div className="h-5 w-5 flex-shrink-0 text-slate-500">
+            {ACTION_TYPE_ICON_LOOKUP[actionClass.type]}
+          </div>
+          <div className="ml-4 text-left">
+            <div className="font-medium text-slate-900">{actionClass.name}</div>
+            <div className="text-xs text-slate-400">{actionClass.description}</div>
+          </div>
+        </div>
+      </div>
+      <div className="col-span-2 my-auto whitespace-nowrap text-center text-sm text-slate-500">
+        {timeSince(actionClass.createdAt.toString(), locale)}
+      </div>
+      <div className="text-center"></div>
+    </div>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionSettingsTab.test.tsx

@@ -6,28 +6,13 @@ import { TActionClass, TActionClassNoCodeConfig, TActionClassType } from "@formb
 import { ActionSettingsTab } from "./ActionSettingsTab";
 
 // Mock actions
-vi.mock("@/modules/projects/settings/(setup)/app-connection/actions", () => ({
+vi.mock("@/app/(app)/environments/[environmentId]/actions/actions", () => ({
   deleteActionClassAction: vi.fn(),
   updateActionClassAction: vi.fn(),
 }));
 
-// Mock action utils
-vi.mock("@/modules/survey/editor/lib/action-utils", () => ({
-  useActionClassKeys: vi.fn(() => ["existing-key"]),
-  createActionClassZodResolver: vi.fn(() => vi.fn()),
-  validatePermissions: vi.fn(),
-}));
-
-// Mock action builder
-vi.mock("@/modules/survey/editor/lib/action-builder", () => ({
-  buildActionObject: vi.fn((data, environmentId) => ({
-    ...data,
-    environmentId,
-  })),
-}));
-
 // Mock utils
-vi.mock("@/modules/projects/settings/(setup)/app-connection/utils", () => ({
+vi.mock("@/app/lib/actionClass/actionClass", () => ({
   isValidCssSelector: vi.fn((selector) => selector !== "invalid-selector"),
 }));
 
@@ -39,7 +24,6 @@ vi.mock("@/modules/ui/components/button", () => ({
     </button>
   ),
 }));
-
 vi.mock("@/modules/ui/components/code-action-form", () => ({
   CodeActionForm: ({ isReadOnly }: { isReadOnly: boolean }) => (
     <div data-testid="code-action-form" data-readonly={isReadOnly}>
@@ -47,7 +31,6 @@ vi.mock("@/modules/ui/components/code-action-form", () => ({
     </div>
   ),
 }));
-
 vi.mock("@/modules/ui/components/delete-dialog", () => ({
   DeleteDialog: ({ open, setOpen, isDeleting, onDelete }: any) =>
     open ? (
@@ -60,26 +43,6 @@ vi.mock("@/modules/ui/components/delete-dialog", () => ({
       </div>
     ) : null,
 }));
-
-vi.mock("@/modules/ui/components/action-name-description-fields", () => ({
-  ActionNameDescriptionFields: ({ isReadOnly, nameInputId, descriptionInputId }: any) => (
-    <div data-testid="action-name-description-fields">
-      <input
-        data-testid={`name-input-${nameInputId}`}
-        placeholder="environments.actions.eg_clicked_download"
-        disabled={isReadOnly}
-        defaultValue="Test Action"
-      />
-      <input
-        data-testid={`description-input-${descriptionInputId}`}
-        placeholder="environments.actions.user_clicked_download_button"
-        disabled={isReadOnly}
-        defaultValue="Test Description"
-      />
-    </div>
-  ),
-}));
-
 vi.mock("@/modules/ui/components/no-code-action-form", () => ({
   NoCodeActionForm: ({ isReadOnly }: { isReadOnly: boolean }) => (
     <div data-testid="no-code-action-form" data-readonly={isReadOnly}>
@@ -93,28 +56,6 @@ vi.mock("lucide-react", () => ({
   TrashIcon: () => <div data-testid="trash-icon">Trash</div>,
 }));
 
-// Mock react-hot-toast
-vi.mock("react-hot-toast", () => ({
-  toast: { success: vi.fn(), error: vi.fn() },
-}));
-
-// Mock react-hook-form
-const mockHandleSubmit = vi.fn();
-const mockForm = {
-  handleSubmit: mockHandleSubmit,
-  control: {},
-  formState: { errors: {} },
-};
-
-vi.mock("react-hook-form", async () => {
-  const actual = await vi.importActual("react-hook-form");
-  return {
-    ...actual,
-    useForm: vi.fn(() => mockForm),
-    FormProvider: ({ children }: any) => <div>{children}</div>,
-  };
-});
-
 const mockSetOpen = vi.fn();
 const mockActionClasses: TActionClass[] = [
   {
@@ -147,7 +88,6 @@ const createMockActionClass = (id: string, type: TActionClassType, name: string)
 describe("ActionSettingsTab", () => {
   beforeEach(() => {
     vi.clearAllMocks();
-    mockHandleSubmit.mockImplementation((fn) => fn);
   });
 
   afterEach(() => {
@@ -165,9 +105,13 @@ describe("ActionSettingsTab", () => {
       />
     );
 
-    expect(screen.getByTestId("action-name-description-fields")).toBeInTheDocument();
-    expect(screen.getByTestId("name-input-actionNameSettingsInput")).toBeInTheDocument();
-    expect(screen.getByTestId("description-input-actionDescriptionSettingsInput")).toBeInTheDocument();
+    // Use getByPlaceholderText or getByLabelText now that Input isn't mocked
+    expect(screen.getByPlaceholderText("environments.actions.eg_clicked_download")).toHaveValue(
+      actionClass.name
+    );
+    expect(screen.getByPlaceholderText("environments.actions.user_clicked_download_button")).toHaveValue(
+      actionClass.description
+    );
     expect(screen.getByTestId("code-action-form")).toBeInTheDocument();
     expect(
       screen.getByText("environments.actions.this_is_a_code_action_please_make_changes_in_your_code_base")
@@ -187,108 +131,22 @@ describe("ActionSettingsTab", () => {
       />
     );
 
-    expect(screen.getByTestId("action-name-description-fields")).toBeInTheDocument();
+    // Use getByPlaceholderText or getByLabelText now that Input isn't mocked
+    expect(screen.getByPlaceholderText("environments.actions.eg_clicked_download")).toHaveValue(
+      actionClass.name
+    );
+    expect(screen.getByPlaceholderText("environments.actions.user_clicked_download_button")).toHaveValue(
+      actionClass.description
+    );
     expect(screen.getByTestId("no-code-action-form")).toBeInTheDocument();
     expect(screen.getByRole("button", { name: "common.save_changes" })).toBeInTheDocument();
     expect(screen.getByRole("button", { name: /common.delete/ })).toBeInTheDocument();
   });
 
-  test("renders correctly for other action types (fallback)", () => {
-    const actionClass = {
-      ...createMockActionClass("auto1", "noCode", "Auto Action"),
-      type: "automatic" as any,
-    };
-    render(
-      <ActionSettingsTab
-        actionClass={actionClass}
-        actionClasses={mockActionClasses}
-        setOpen={mockSetOpen}
-        isReadOnly={false}
-      />
-    );
-
-    expect(screen.getByTestId("action-name-description-fields")).toBeInTheDocument();
-    expect(
-      screen.getByText(
-        "environments.actions.this_action_was_created_automatically_you_cannot_make_changes_to_it"
-      )
-    ).toBeInTheDocument();
-  });
-
-  test("calls utility functions on initialization", async () => {
-    const actionUtilsMock = await import("@/modules/survey/editor/lib/action-utils");
-
-    const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
-    render(
-      <ActionSettingsTab
-        actionClass={actionClass}
-        actionClasses={mockActionClasses}
-        setOpen={mockSetOpen}
-        isReadOnly={false}
-      />
-    );
-
-    expect(actionUtilsMock.useActionClassKeys).toHaveBeenCalledWith(mockActionClasses);
-    expect(actionUtilsMock.createActionClassZodResolver).toHaveBeenCalled();
-  });
-
-  test("handles successful form submission", async () => {
-    const { updateActionClassAction } = await import(
-      "@/modules/projects/settings/(setup)/app-connection/actions"
-    );
-    const actionUtilsMock = await import("@/modules/survey/editor/lib/action-utils");
-
-    vi.mocked(updateActionClassAction).mockResolvedValue({ data: {} } as any);
-
-    const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
-    render(
-      <ActionSettingsTab
-        actionClass={actionClass}
-        actionClasses={mockActionClasses}
-        setOpen={mockSetOpen}
-        isReadOnly={false}
-      />
-    );
-
-    // Check that utility functions were called during component initialization
-    expect(actionUtilsMock.useActionClassKeys).toHaveBeenCalledWith(mockActionClasses);
-    expect(actionUtilsMock.createActionClassZodResolver).toHaveBeenCalled();
-  });
-
-  test("handles permission validation error", async () => {
-    const actionUtilsMock = await import("@/modules/survey/editor/lib/action-utils");
-    vi.mocked(actionUtilsMock.validatePermissions).mockImplementation(() => {
-      throw new Error("Not authorized");
-    });
-
-    const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
-    render(
-      <ActionSettingsTab
-        actionClass={actionClass}
-        actionClasses={mockActionClasses}
-        setOpen={mockSetOpen}
-        isReadOnly={false}
-      />
-    );
-
-    const submitButton = screen.getByRole("button", { name: "common.save_changes" });
-
-    mockHandleSubmit.mockImplementation((fn) => (e) => {
-      e.preventDefault();
-      return fn({ name: "Test", type: "noCode" });
-    });
-
-    await userEvent.click(submitButton);
-
-    await waitFor(() => {
-      expect(toast.error).toHaveBeenCalledWith("Not authorized");
-    });
-  });
-
   test("handles successful deletion", async () => {
     const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
     const { deleteActionClassAction } = await import(
-      "@/modules/projects/settings/(setup)/app-connection/actions"
+      "@/app/(app)/environments/[environmentId]/actions/actions"
     );
     vi.mocked(deleteActionClassAction).mockResolvedValue({ data: actionClass } as any);
 
@@ -319,7 +177,7 @@ describe("ActionSettingsTab", () => {
   test("handles deletion failure", async () => {
     const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
     const { deleteActionClassAction } = await import(
-      "@/modules/projects/settings/(setup)/app-connection/actions"
+      "@/app/(app)/environments/[environmentId]/actions/actions"
     );
     vi.mocked(deleteActionClassAction).mockRejectedValue(new Error("Deletion failed"));
 
@@ -351,24 +209,26 @@ describe("ActionSettingsTab", () => {
         actionClass={actionClass}
         actionClasses={mockActionClasses}
         setOpen={mockSetOpen}
-        isReadOnly={true}
+        isReadOnly={true} // Set to read-only
       />
     );
 
-    expect(screen.getByTestId("name-input-actionNameSettingsInput")).toBeDisabled();
-    expect(screen.getByTestId("description-input-actionDescriptionSettingsInput")).toBeDisabled();
+    // Use getByPlaceholderText or getByLabelText now that Input isn't mocked
+    expect(screen.getByPlaceholderText("environments.actions.eg_clicked_download")).toBeDisabled();
+    expect(screen.getByPlaceholderText("environments.actions.user_clicked_download_button")).toBeDisabled();
     expect(screen.getByTestId("no-code-action-form")).toHaveAttribute("data-readonly", "true");
     expect(screen.queryByRole("button", { name: "common.save_changes" })).not.toBeInTheDocument();
     expect(screen.queryByRole("button", { name: /common.delete/ })).not.toBeInTheDocument();
-    expect(screen.getByRole("link", { name: "common.read_docs" })).toBeInTheDocument();
+    expect(screen.getByRole("link", { name: "common.read_docs" })).toBeInTheDocument(); // Docs link still visible
   });
 
   test("prevents delete when read-only", async () => {
     const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
     const { deleteActionClassAction } = await import(
-      "@/modules/projects/settings/(setup)/app-connection/actions"
+      "@/app/(app)/environments/[environmentId]/actions/actions"
     );
 
+    // Render with isReadOnly=true, but simulate a delete attempt
     render(
       <ActionSettingsTab
         actionClass={actionClass}
@@ -378,6 +238,12 @@ describe("ActionSettingsTab", () => {
       />
     );
 
+    // Try to open and confirm delete dialog (buttons won't exist, so we simulate the flow)
+    // This test primarily checks the logic within handleDeleteAction if it were called.
+    // A better approach might be to export handleDeleteAction for direct testing,
+    // but for now, we assume the UI prevents calling it.
+
+    // We can assert that the delete button isn't there to prevent the flow
     expect(screen.queryByRole("button", { name: /common.delete/ })).not.toBeInTheDocument();
     expect(deleteActionClassAction).not.toHaveBeenCalled();
   });
@@ -396,19 +262,4 @@ describe("ActionSettingsTab", () => {
     expect(docsLink).toHaveAttribute("href", "https://formbricks.com/docs/actions/no-code");
     expect(docsLink).toHaveAttribute("target", "_blank");
   });
-
-  test("uses correct input IDs for ActionNameDescriptionFields", () => {
-    const actionClass = createMockActionClass("noCode1", "noCode", "No Code Action");
-    render(
-      <ActionSettingsTab
-        actionClass={actionClass}
-        actionClasses={mockActionClasses}
-        setOpen={mockSetOpen}
-        isReadOnly={false}
-      />
-    );
-
-    expect(screen.getByTestId("name-input-actionNameSettingsInput")).toBeInTheDocument();
-    expect(screen.getByTestId("description-input-actionDescriptionSettingsInput")).toBeInTheDocument();
-  });
 });

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionSettingsTab.tsx

@@ -0,0 +1,255 @@
+"use client";
+
+import {
+  deleteActionClassAction,
+  updateActionClassAction,
+} from "@/app/(app)/environments/[environmentId]/actions/actions";
+import { isValidCssSelector } from "@/app/lib/actionClass/actionClass";
+import { Button } from "@/modules/ui/components/button";
+import { CodeActionForm } from "@/modules/ui/components/code-action-form";
+import { DeleteDialog } from "@/modules/ui/components/delete-dialog";
+import { FormControl, FormError, FormField, FormItem, FormLabel } from "@/modules/ui/components/form";
+import { Input } from "@/modules/ui/components/input";
+import { NoCodeActionForm } from "@/modules/ui/components/no-code-action-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useTranslate } from "@tolgee/react";
+import { TrashIcon } from "lucide-react";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import { useMemo, useState } from "react";
+import { FormProvider, useForm } from "react-hook-form";
+import { toast } from "react-hot-toast";
+import { z } from "zod";
+import { TActionClass, TActionClassInput, ZActionClassInput } from "@formbricks/types/action-classes";
+
+interface ActionSettingsTabProps {
+  actionClass: TActionClass;
+  actionClasses: TActionClass[];
+  setOpen: (v: boolean) => void;
+  isReadOnly: boolean;
+}
+
+export const ActionSettingsTab = ({
+  actionClass,
+  actionClasses,
+  setOpen,
+  isReadOnly,
+}: ActionSettingsTabProps) => {
+  const { createdAt, updatedAt, id, ...restActionClass } = actionClass;
+  const router = useRouter();
+  const [openDeleteDialog, setOpenDeleteDialog] = useState(false);
+  const { t } = useTranslate();
+  const [isUpdatingAction, setIsUpdatingAction] = useState(false);
+  const [isDeletingAction, setIsDeletingAction] = useState(false);
+
+  const actionClassNames = useMemo(
+    () =>
+      actionClasses.filter((action) => action.id !== actionClass.id).map((actionClass) => actionClass.name),
+    [actionClass.id, actionClasses]
+  );
+
+  const form = useForm<TActionClassInput>({
+    defaultValues: {
+      ...restActionClass,
+    },
+    resolver: zodResolver(
+      ZActionClassInput.superRefine((data, ctx) => {
+        if (data.name && actionClassNames.includes(data.name)) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            path: ["name"],
+            message: t("environments.actions.action_with_name_already_exists", { name: data.name }),
+          });
+        }
+      })
+    ),
+
+    mode: "onChange",
+  });
+
+  const { handleSubmit, control } = form;
+
+  const onSubmit = async (data: TActionClassInput) => {
+    try {
+      if (isReadOnly) {
+        throw new Error(t("common.you_are_not_authorised_to_perform_this_action"));
+      }
+      setIsUpdatingAction(true);
+
+      if (data.name && actionClassNames.includes(data.name)) {
+        throw new Error(t("environments.actions.action_with_name_already_exists", { name: data.name }));
+      }
+
+      if (
+        data.type === "noCode" &&
+        data.noCodeConfig?.type === "click" &&
+        data.noCodeConfig.elementSelector.cssSelector &&
+        !isValidCssSelector(data.noCodeConfig.elementSelector.cssSelector)
+      ) {
+        throw new Error(t("environments.actions.invalid_css_selector"));
+      }
+
+      const updatedData: TActionClassInput = {
+        ...data,
+        ...(data.type === "noCode" &&
+          data.noCodeConfig?.type === "click" && {
+            noCodeConfig: {
+              ...data.noCodeConfig,
+              elementSelector: {
+                cssSelector: data.noCodeConfig.elementSelector.cssSelector,
+                innerHtml: data.noCodeConfig.elementSelector.innerHtml,
+              },
+            },
+          }),
+      };
+      await updateActionClassAction({
+        actionClassId: actionClass.id,
+        updatedAction: updatedData,
+      });
+      setOpen(false);
+      router.refresh();
+      toast.success(t("environments.actions.action_updated_successfully"));
+    } catch (error) {
+      toast.error(error.message);
+    } finally {
+      setIsUpdatingAction(false);
+    }
+  };
+
+  const handleDeleteAction = async () => {
+    try {
+      setIsDeletingAction(true);
+      await deleteActionClassAction({ actionClassId: actionClass.id });
+      router.refresh();
+      toast.success(t("environments.actions.action_deleted_successfully"));
+      setOpen(false);
+    } catch (error) {
+      toast.error(t("common.something_went_wrong_please_try_again"));
+    } finally {
+      setIsDeletingAction(false);
+    }
+  };
+
+  return (
+    <div>
+      <FormProvider {...form}>
+        <form onSubmit={handleSubmit(onSubmit)}>
+          <div className="max-h-[400px] w-full space-y-4 overflow-y-auto">
+            <div className="grid w-full grid-cols-2 gap-x-4">
+              <div className="col-span-1">
+                <FormField
+                  control={control}
+                  name="name"
+                  disabled={isReadOnly}
+                  render={({ field, fieldState: { error } }) => (
+                    <FormItem>
+                      <FormLabel htmlFor="actionNameSettingsInput">
+                        {actionClass.type === "noCode"
+                          ? t("environments.actions.what_did_your_user_do")
+                          : t("environments.actions.display_name")}
+                      </FormLabel>
+
+                      <FormControl>
+                        <Input
+                          type="text"
+                          id="actionNameSettingsInput"
+                          {...field}
+                          placeholder={t("environments.actions.eg_clicked_download")}
+                          isInvalid={!!error?.message}
+                          disabled={isReadOnly}
+                        />
+                      </FormControl>
+
+                      <FormError />
+                    </FormItem>
+                  )}
+                />
+              </div>
+
+              <div className="col-span-1">
+                <FormField
+                  control={control}
+                  name="description"
+                  render={({ field }) => (
+                    <FormItem>
+                      <FormLabel htmlFor="actionDescriptionSettingsInput">
+                        {t("common.description")}
+                      </FormLabel>
+
+                      <FormControl>
+                        <Input
+                          type="text"
+                          id="actionDescriptionSettingsInput"
+                          {...field}
+                          placeholder={t("environments.actions.user_clicked_download_button")}
+                          value={field.value ?? ""}
+                          disabled={isReadOnly}
+                        />
+                      </FormControl>
+                    </FormItem>
+                  )}
+                />
+              </div>
+            </div>
+
+            {actionClass.type === "code" ? (
+              <>
+                <CodeActionForm form={form} isReadOnly={true} />
+                <p className="text-sm text-slate-600">
+                  {t("environments.actions.this_is_a_code_action_please_make_changes_in_your_code_base")}
+                </p>
+              </>
+            ) : actionClass.type === "noCode" ? (
+              <NoCodeActionForm form={form} isReadOnly={isReadOnly} />
+            ) : (
+              <p className="text-sm text-slate-600">
+                {t(
+                  "environments.actions.this_action_was_created_automatically_you_cannot_make_changes_to_it"
+                )}
+              </p>
+            )}
+          </div>
+
+          <div className="flex justify-between border-t border-slate-200 py-6">
+            <div>
+              {!isReadOnly ? (
+                <Button
+                  type="button"
+                  variant="destructive"
+                  onClick={() => setOpenDeleteDialog(true)}
+                  className="mr-3"
+                  id="deleteActionModalTrigger">
+                  <TrashIcon />
+                  {t("common.delete")}
+                </Button>
+              ) : null}
+
+              <Button variant="secondary" asChild>
+                <Link href="https://formbricks.com/docs/actions/no-code" target="_blank">
+                  {t("common.read_docs")}
+                </Link>
+              </Button>
+            </div>
+
+            {!isReadOnly ? (
+              <div className="flex space-x-2">
+                <Button type="submit" loading={isUpdatingAction}>
+                  {t("common.save_changes")}
+                </Button>
+              </div>
+            ) : null}
+          </div>
+        </form>
+      </FormProvider>
+
+      <DeleteDialog
+        open={openDeleteDialog}
+        setOpen={setOpenDeleteDialog}
+        isDeleting={isDeletingAction}
+        deleteWhat={t("common.action")}
+        text={t("environments.actions.delete_action_text")}
+        onDelete={handleDeleteAction}
+      />
+    </div>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/actions/components/ActionTableHeading.tsx

@@ -0,0 +1,14 @@
+import { getTranslate } from "@/tolgee/server";
+
+export const ActionTableHeading = async () => {
+  const t = await getTranslate();
+  return (
+    <>
+      <div className="grid h-12 grid-cols-6 content-center border-b border-slate-200 text-left text-sm font-semibold text-slate-900">
+        <span className="sr-only">{t("common.edit")}</span>
+        <div className="col-span-4 pl-6">{t("environments.actions.user_actions")}</div>
+        <div className="col-span-2 text-center">{t("common.created")}</div>
+      </div>
+    </>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/actions/components/AddActionModal.test.tsx

@@ -0,0 +1,142 @@
+import { cleanup, render, screen } from "@testing-library/react";
+import userEvent from "@testing-library/user-event";
+import { afterEach, describe, expect, test, vi } from "vitest";
+import { TActionClass, TActionClassNoCodeConfig } from "@formbricks/types/action-classes";
+import { AddActionModal } from "./AddActionModal";
+
+// Mock child components and hooks
+vi.mock("@/modules/survey/editor/components/create-new-action-tab", () => ({
+  CreateNewActionTab: vi.fn(({ setOpen }) => (
+    <div data-testid="create-new-action-tab">
+      <span>CreateNewActionTab Content</span>
+      <button onClick={() => setOpen(false)}>Close from Tab</button>
+    </div>
+  )),
+}));
+
+vi.mock("@/modules/ui/components/button", () => ({
+  Button: ({ children, onClick, ...props }: any) => (
+    <button onClick={onClick} {...props}>
+      {children}
+    </button>
+  ),
+}));
+
+vi.mock("@/modules/ui/components/modal", () => ({
+  Modal: ({ children, open, setOpen, ...props }: any) =>
+    open ? (
+      <div data-testid="modal" {...props}>
+        {children}
+        <button onClick={() => setOpen(false)}>Close Modal</button>
+      </div>
+    ) : null,
+}));
+
+vi.mock("@tolgee/react", () => ({
+  useTranslate: () => ({
+    t: (key: string) => key,
+  }),
+}));
+
+vi.mock("lucide-react", () => ({
+  MousePointerClickIcon: () => <div data-testid="mouse-pointer-icon" />,
+  PlusIcon: () => <div data-testid="plus-icon" />,
+}));
+
+const mockActionClasses: TActionClass[] = [
+  {
+    id: "action1",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    name: "Action 1",
+    description: "Description 1",
+    type: "noCode",
+    environmentId: "env1",
+    noCodeConfig: { type: "click" } as unknown as TActionClassNoCodeConfig,
+  } as unknown as TActionClass,
+];
+
+const environmentId = "env1";
+
+describe("AddActionModal", () => {
+  afterEach(() => {
+    cleanup();
+    vi.clearAllMocks();
+  });
+
+  test("renders the 'Add Action' button initially", () => {
+    render(
+      <AddActionModal environmentId={environmentId} actionClasses={mockActionClasses} isReadOnly={false} />
+    );
+    expect(screen.getByRole("button", { name: "common.add_action" })).toBeInTheDocument();
+    expect(screen.getByTestId("plus-icon")).toBeInTheDocument();
+    expect(screen.queryByTestId("modal")).not.toBeInTheDocument();
+  });
+
+  test("opens the modal when the 'Add Action' button is clicked", async () => {
+    render(
+      <AddActionModal environmentId={environmentId} actionClasses={mockActionClasses} isReadOnly={false} />
+    );
+    const addButton = screen.getByRole("button", { name: "common.add_action" });
+    await userEvent.click(addButton);
+
+    expect(screen.getByTestId("modal")).toBeInTheDocument();
+    expect(screen.getByTestId("mouse-pointer-icon")).toBeInTheDocument();
+    expect(screen.getByText("environments.actions.track_new_user_action")).toBeInTheDocument();
+    expect(
+      screen.getByText("environments.actions.track_user_action_to_display_surveys_or_create_user_segment")
+    ).toBeInTheDocument();
+    expect(screen.getByTestId("create-new-action-tab")).toBeInTheDocument();
+  });
+
+  test("passes correct props to CreateNewActionTab", async () => {
+    const { CreateNewActionTab } = await import("@/modules/survey/editor/components/create-new-action-tab");
+    const mockedCreateNewActionTab = vi.mocked(CreateNewActionTab);
+
+    render(
+      <AddActionModal environmentId={environmentId} actionClasses={mockActionClasses} isReadOnly={false} />
+    );
+    const addButton = screen.getByRole("button", { name: "common.add_action" });
+    await userEvent.click(addButton);
+
+    expect(mockedCreateNewActionTab).toHaveBeenCalled();
+    const props = mockedCreateNewActionTab.mock.calls[0][0];
+    expect(props.environmentId).toBe(environmentId);
+    expect(props.actionClasses).toEqual(mockActionClasses); // Initial state check
+    expect(props.isReadOnly).toBe(false);
+    expect(props.setOpen).toBeInstanceOf(Function);
+    expect(props.setActionClasses).toBeInstanceOf(Function);
+  });
+
+  test("closes the modal when the close button (simulated) is clicked", async () => {
+    render(
+      <AddActionModal environmentId={environmentId} actionClasses={mockActionClasses} isReadOnly={false} />
+    );
+    const addButton = screen.getByRole("button", { name: "common.add_action" });
+    await userEvent.click(addButton);
+
+    expect(screen.getByTestId("modal")).toBeInTheDocument();
+
+    // Simulate closing via the mocked Modal's close button
+    const closeModalButton = screen.getByText("Close Modal");
+    await userEvent.click(closeModalButton);
+
+    expect(screen.queryByTestId("modal")).not.toBeInTheDocument();
+  });
+
+  test("closes the modal when setOpen is called from CreateNewActionTab", async () => {
+    render(
+      <AddActionModal environmentId={environmentId} actionClasses={mockActionClasses} isReadOnly={false} />
+    );
+    const addButton = screen.getByRole("button", { name: "common.add_action" });
+    await userEvent.click(addButton);
+
+    expect(screen.getByTestId("modal")).toBeInTheDocument();
+
+    // Simulate closing via the mocked CreateNewActionTab's button
+    const closeFromTabButton = screen.getByText("Close from Tab");
+    await userEvent.click(closeFromTabButton);
+
+    expect(screen.queryByTestId("modal")).not.toBeInTheDocument();
+  });
+});

apps/web/app/(app)/environments/[environmentId]/actions/components/AddActionModal.tsx

@@ -0,0 +1,61 @@
+"use client";
+
+import { CreateNewActionTab } from "@/modules/survey/editor/components/create-new-action-tab";
+import { Button } from "@/modules/ui/components/button";
+import { Modal } from "@/modules/ui/components/modal";
+import { useTranslate } from "@tolgee/react";
+import { MousePointerClickIcon, PlusIcon } from "lucide-react";
+import { useState } from "react";
+import { TActionClass } from "@formbricks/types/action-classes";
+
+interface AddActionModalProps {
+  environmentId: string;
+  actionClasses: TActionClass[];
+  isReadOnly: boolean;
+}
+
+export const AddActionModal = ({ environmentId, actionClasses, isReadOnly }: AddActionModalProps) => {
+  const { t } = useTranslate();
+  const [open, setOpen] = useState(false);
+
+  const [newActionClasses, setNewActionClasses] = useState<TActionClass[]>(actionClasses);
+
+  return (
+    <>
+      <Button size="sm" onClick={() => setOpen(true)}>
+        {t("common.add_action")}
+        <PlusIcon />
+      </Button>
+      <Modal open={open} setOpen={setOpen} noPadding closeOnOutsideClick={false} restrictOverflow>
+        <div className="flex h-full flex-col rounded-lg">
+          <div className="rounded-t-lg bg-slate-100">
+            <div className="flex w-full items-center justify-between p-6">
+              <div className="flex items-center space-x-2">
+                <div className="mr-1.5 h-6 w-6 text-slate-500">
+                  <MousePointerClickIcon className="h-5 w-5" />
+                </div>
+                <div>
+                  <div className="text-xl font-medium text-slate-700">
+                    {t("environments.actions.track_new_user_action")}
+                  </div>
+                  <div className="text-sm text-slate-500">
+                    {t("environments.actions.track_user_action_to_display_surveys_or_create_user_segment")}
+                  </div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+        <div className="px-6 py-4">
+          <CreateNewActionTab
+            actionClasses={newActionClasses}
+            environmentId={environmentId}
+            isReadOnly={isReadOnly}
+            setActionClasses={setNewActionClasses}
+            setOpen={setOpen}
+          />
+        </div>
+      </Modal>
+    </>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/actions/loading.test.tsx

@@ -0,0 +1,44 @@
+import { cleanup, render, screen } from "@testing-library/react";
+import { afterEach, describe, expect, test, vi } from "vitest";
+import Loading from "./loading";
+
+// Mock child components
+vi.mock("@/modules/ui/components/page-content-wrapper", () => ({
+  PageContentWrapper: ({ children }: { children: React.ReactNode }) => (
+    <div data-testid="page-content-wrapper">{children}</div>
+  ),
+}));
+
+vi.mock("@/modules/ui/components/page-header", () => ({
+  PageHeader: ({ pageTitle }: { pageTitle: string }) => <div data-testid="page-header">{pageTitle}</div>,
+}));
+
+describe("Loading", () => {
+  afterEach(() => {
+    cleanup();
+  });
+
+  test("renders loading state correctly", () => {
+    render(<Loading />);
+
+    // Check if mocked components are rendered
+    expect(screen.getByTestId("page-content-wrapper")).toBeInTheDocument();
+    expect(screen.getByTestId("page-header")).toBeInTheDocument();
+    expect(screen.getByTestId("page-header")).toHaveTextContent("common.actions");
+
+    // Check for translated table headers
+    expect(screen.getByText("environments.actions.user_actions")).toBeInTheDocument();
+    expect(screen.getByText("common.created")).toBeInTheDocument();
+    expect(screen.getByText("common.edit")).toBeInTheDocument(); // Screen reader text
+
+    // Check for skeleton elements (presence of animate-pulse class)
+    const skeletonElements = document.querySelectorAll(".animate-pulse");
+    expect(skeletonElements.length).toBeGreaterThan(0); // Ensure some skeleton elements are rendered
+
+    // Check for the presence of multiple skeleton rows (3 rows * 4 pulse elements per row = 12)
+    const pulseDivs = screen.getAllByText((_, element) => {
+      return element?.tagName.toLowerCase() === "div" && element.classList.contains("animate-pulse");
+    });
+    expect(pulseDivs.length).toBe(3 * 4); // 3 rows, 4 pulsing divs per row (icon, name, desc, created)
+  });
+});

apps/web/app/(app)/environments/[environmentId]/actions/loading.tsx

@@ -0,0 +1,46 @@
+"use client";
+
+import { PageContentWrapper } from "@/modules/ui/components/page-content-wrapper";
+import { PageHeader } from "@/modules/ui/components/page-header";
+import { useTranslate } from "@tolgee/react";
+
+const Loading = () => {
+  const { t } = useTranslate();
+  return (
+    <>
+      <PageContentWrapper>
+        <PageHeader pageTitle={t("common.actions")} />
+        <div className="rounded-xl border border-slate-200 bg-white shadow-sm">
+          <div className="grid h-12 grid-cols-6 content-center border-b border-slate-200 text-left text-sm font-semibold text-slate-900">
+            <span className="sr-only">{t("common.edit")}</span>
+            <div className="col-span-4 pl-6">{t("environments.actions.user_actions")}</div>
+            <div className="col-span-2 text-center">{t("common.created")}</div>
+          </div>
+          {[...Array(3)].map((_, index) => (
+            <div
+              key={index}
+              className="m-2 grid h-16 grid-cols-6 content-center rounded-lg transition-colors ease-in-out hover:bg-slate-100">
+              <div className="col-span-4 flex items-center pl-6 text-sm">
+                <div className="flex items-center">
+                  <div className="h-6 w-6 flex-shrink-0 animate-pulse rounded-full bg-slate-200 text-slate-500" />
+                  <div className="ml-4 text-left">
+                    <div className="font-medium text-slate-900">
+                      <div className="mt-0 h-4 w-48 animate-pulse rounded-full bg-slate-200"></div>
+                    </div>
+                    <div className="mt-1 text-xs text-slate-400">
+                      <div className="h-2 w-24 animate-pulse rounded-full bg-slate-200"></div>
+                    </div>
+                  </div>
+                </div>
+              </div>
+              <div className="col-span-2 my-auto flex justify-center whitespace-nowrap text-center text-sm text-slate-500">
+                <div className="h-4 w-28 animate-pulse rounded-full bg-slate-200"></div>
+              </div>
+            </div>
+          ))}
+        </div>
+      </PageContentWrapper>
+    </>
+  );
+};
+export default Loading;

apps/web/app/(app)/environments/[environmentId]/actions/page.test.tsx

@@ -0,0 +1,161 @@
+import { getActionClasses } from "@/lib/actionClass/service";
+import { getEnvironments } from "@/lib/environment/service";
+import { findMatchingLocale } from "@/lib/utils/locale";
+import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
+import { TEnvironmentAuth } from "@/modules/environments/types/environment-auth";
+import { cleanup, render, screen } from "@testing-library/react";
+import { redirect } from "next/navigation";
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { TActionClass } from "@formbricks/types/action-classes";
+import { TEnvironment } from "@formbricks/types/environment";
+import { TProject } from "@formbricks/types/project";
+// Import the component after mocks
+import Page from "./page";
+
+// Mock dependencies
+vi.mock("@/lib/actionClass/service", () => ({
+  getActionClasses: vi.fn(),
+}));
+vi.mock("@/lib/environment/service", () => ({
+  getEnvironments: vi.fn(),
+}));
+vi.mock("@/lib/utils/locale", () => ({
+  findMatchingLocale: vi.fn(),
+}));
+vi.mock("@/modules/environments/lib/utils", () => ({
+  getEnvironmentAuth: vi.fn(),
+}));
+vi.mock("@/tolgee/server", () => ({
+  getTranslate: async () => (key: string) => key,
+}));
+vi.mock("next/navigation", () => ({
+  redirect: vi.fn(),
+}));
+vi.mock("@/app/(app)/environments/[environmentId]/actions/components/ActionClassesTable", () => ({
+  ActionClassesTable: ({ children }) => <div>ActionClassesTable Mock{children}</div>,
+}));
+vi.mock("@/app/(app)/environments/[environmentId]/actions/components/ActionRowData", () => ({
+  ActionClassDataRow: ({ actionClass }) => <div>ActionClassDataRow Mock: {actionClass.name}</div>,
+}));
+vi.mock("@/app/(app)/environments/[environmentId]/actions/components/ActionTableHeading", () => ({
+  ActionTableHeading: () => <div>ActionTableHeading Mock</div>,
+}));
+vi.mock("@/app/(app)/environments/[environmentId]/actions/components/AddActionModal", () => ({
+  AddActionModal: () => <div>AddActionModal Mock</div>,
+}));
+vi.mock("@/modules/ui/components/page-content-wrapper", () => ({
+  PageContentWrapper: ({ children }) => <div>PageContentWrapper Mock{children}</div>,
+}));
+vi.mock("@/modules/ui/components/page-header", () => ({
+  PageHeader: ({ pageTitle, cta }) => (
+    <div>
+      PageHeader Mock: {pageTitle} {cta && <div>CTA Mock</div>}
+    </div>
+  ),
+}));
+
+// Mock data
+const mockEnvironmentId = "test-env-id";
+const mockProjectId = "test-project-id";
+const mockEnvironment = {
+  id: mockEnvironmentId,
+  name: "Test Environment",
+  type: "development",
+} as unknown as TEnvironment;
+const mockOtherEnvironment = {
+  id: "other-env-id",
+  name: "Other Environment",
+  type: "production",
+} as unknown as TEnvironment;
+const mockProject = { id: mockProjectId, name: "Test Project" } as unknown as TProject;
+const mockActionClasses = [
+  { id: "action1", name: "Action 1", type: "code", environmentId: mockEnvironmentId } as TActionClass,
+  { id: "action2", name: "Action 2", type: "noCode", environmentId: mockEnvironmentId } as TActionClass,
+];
+const mockOtherEnvActionClasses = [
+  { id: "action3", name: "Action 3", type: "code", environmentId: mockOtherEnvironment.id } as TActionClass,
+];
+const mockLocale = "en-US";
+
+const mockParams = { environmentId: mockEnvironmentId };
+const mockProps = { params: mockParams };
+
+describe("Actions Page", () => {
+  beforeEach(() => {
+    vi.mocked(getActionClasses)
+      .mockResolvedValueOnce(mockActionClasses) // First call for current env
+      .mockResolvedValueOnce(mockOtherEnvActionClasses); // Second call for other env
+    vi.mocked(getEnvironments).mockResolvedValue([mockEnvironment, mockOtherEnvironment]);
+    vi.mocked(findMatchingLocale).mockResolvedValue(mockLocale);
+  });
+
+  afterEach(() => {
+    cleanup();
+    vi.resetAllMocks();
+  });
+
+  test("renders the page correctly with actions", async () => {
+    vi.mocked(getEnvironmentAuth).mockResolvedValue({
+      isReadOnly: false,
+      project: mockProject,
+      isBilling: false,
+      environment: mockEnvironment,
+    } as TEnvironmentAuth);
+
+    const PageComponent = await Page(mockProps);
+    render(PageComponent);
+
+    expect(screen.getByText("PageHeader Mock: common.actions")).toBeInTheDocument();
+    expect(screen.getByText("CTA Mock")).toBeInTheDocument(); // AddActionModal rendered via CTA
+    expect(screen.getByText("ActionClassesTable Mock")).toBeInTheDocument();
+    expect(screen.getByText("ActionTableHeading Mock")).toBeInTheDocument();
+    expect(screen.getByText("ActionClassDataRow Mock: Action 1")).toBeInTheDocument();
+    expect(screen.getByText("ActionClassDataRow Mock: Action 2")).toBeInTheDocument();
+    expect(vi.mocked(redirect)).not.toHaveBeenCalled();
+  });
+
+  test("redirects if isBilling is true", async () => {
+    vi.mocked(getEnvironmentAuth).mockResolvedValue({
+      isReadOnly: false,
+      project: mockProject,
+      isBilling: true,
+      environment: mockEnvironment,
+    } as TEnvironmentAuth);
+
+    await Page(mockProps);
+
+    expect(vi.mocked(redirect)).toHaveBeenCalledWith(`/environments/${mockEnvironmentId}/settings/billing`);
+  });
+
+  test("does not render AddActionModal CTA if isReadOnly is true", async () => {
+    vi.mocked(getEnvironmentAuth).mockResolvedValue({
+      isReadOnly: true,
+      project: mockProject,
+      isBilling: false,
+      environment: mockEnvironment,
+    } as TEnvironmentAuth);
+
+    const PageComponent = await Page(mockProps);
+    render(PageComponent);
+
+    expect(screen.getByText("PageHeader Mock: common.actions")).toBeInTheDocument();
+    expect(screen.queryByText("CTA Mock")).not.toBeInTheDocument(); // CTA should not be present
+    expect(screen.getByText("ActionClassesTable Mock")).toBeInTheDocument();
+  });
+
+  test("renders AddActionModal CTA if isReadOnly is false", async () => {
+    vi.mocked(getEnvironmentAuth).mockResolvedValue({
+      isReadOnly: false,
+      project: mockProject,
+      isBilling: false,
+      environment: mockEnvironment,
+    } as TEnvironmentAuth);
+
+    const PageComponent = await Page(mockProps);
+    render(PageComponent);
+
+    expect(screen.getByText("PageHeader Mock: common.actions")).toBeInTheDocument();
+    expect(screen.getByText("CTA Mock")).toBeInTheDocument(); // CTA should be present
+    expect(screen.getByText("ActionClassesTable Mock")).toBeInTheDocument();
+  });
+});

apps/web/app/(app)/environments/[environmentId]/actions/page.tsx

@@ -0,0 +1,66 @@
+import { ActionClassesTable } from "@/app/(app)/environments/[environmentId]/actions/components/ActionClassesTable";
+import { ActionClassDataRow } from "@/app/(app)/environments/[environmentId]/actions/components/ActionRowData";
+import { ActionTableHeading } from "@/app/(app)/environments/[environmentId]/actions/components/ActionTableHeading";
+import { AddActionModal } from "@/app/(app)/environments/[environmentId]/actions/components/AddActionModal";
+import { getActionClasses } from "@/lib/actionClass/service";
+import { getEnvironments } from "@/lib/environment/service";
+import { findMatchingLocale } from "@/lib/utils/locale";
+import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
+import { PageContentWrapper } from "@/modules/ui/components/page-content-wrapper";
+import { PageHeader } from "@/modules/ui/components/page-header";
+import { getTranslate } from "@/tolgee/server";
+import { Metadata } from "next";
+import { redirect } from "next/navigation";
+
+export const metadata: Metadata = {
+  title: "Actions",
+};
+
+const Page = async (props) => {
+  const params = await props.params;
+
+  const { isReadOnly, project, isBilling, environment } = await getEnvironmentAuth(params.environmentId);
+
+  const t = await getTranslate();
+
+  const [actionClasses] = await Promise.all([getActionClasses(params.environmentId)]);
+
+  const locale = await findMatchingLocale();
+  const environments = await getEnvironments(project.id);
+
+  const otherEnvironment = environments.filter((env) => env.id !== params.environmentId)[0];
+
+  const otherEnvActionClasses = await getActionClasses(otherEnvironment.id);
+
+  if (isBilling) {
+    return redirect(`/environments/${params.environmentId}/settings/billing`);
+  }
+
+  const renderAddActionButton = () => (
+    <AddActionModal
+      environmentId={params.environmentId}
+      actionClasses={actionClasses}
+      isReadOnly={isReadOnly}
+    />
+  );
+
+  return (
+    <PageContentWrapper>
+      <PageHeader pageTitle={t("common.actions")} cta={!isReadOnly ? renderAddActionButton() : undefined} />
+      <ActionClassesTable
+        environment={environment}
+        otherEnvironment={otherEnvironment}
+        otherEnvActionClasses={otherEnvActionClasses}
+        environmentId={params.environmentId}
+        actionClasses={actionClasses}
+        isReadOnly={isReadOnly}>
+        <ActionTableHeading />
+        {actionClasses.map((actionClass) => (
+          <ActionClassDataRow key={actionClass.id} actionClass={actionClass} locale={locale} />
+        ))}
+      </ActionClassesTable>
+    </PageContentWrapper>
+  );
+};
+
+export default Page;

apps/web/app/(app)/environments/[environmentId]/actions/utils.tsx

@@ -0,0 +1,6 @@
+import { Code2Icon, MousePointerClickIcon } from "lucide-react";
+
+export const ACTION_TYPE_ICON_LOOKUP = {
+  code: <Code2Icon className="h-4 w-4" />,
+  noCode: <MousePointerClickIcon className="h-4 w-4" />,
+};