made minor changes to structure. Included inclusion criteria in setup flow

Co-authored-by: pandeymangg <anshuman.pandey9999@gmail.com>
Co-authored-by: Victor Santos <victor@formbricks.com>

.cursor/rules/database.mdc

@@ -0,0 +1,101 @@
+---
+description: >
+  This rule provides comprehensive knowledge about the Formbricks database structure, relationships, 
+  and data patterns. It should be used **only when the agent explicitly requests database schema-level 
+  details** to support tasks such as: writing/debugging Prisma queries, designing/reviewing data models, 
+  investigating multi-tenancy behavior, creating API endpoints, or understanding data relationships.
+globs: []
+alwaysApply: agent-requested
+---
+# Formbricks Database Schema Reference
+
+This rule provides a reference to the Formbricks database structure. For the most up-to-date and complete schema definitions, please refer to the schema.prisma file directly.
+
+## Database Overview
+
+Formbricks uses PostgreSQL with Prisma ORM. The schema is designed for multi-tenancy with strong data isolation between organizations.
+
+### Core Hierarchy
+```
+Organization
+└── Project
+    └── Environment (production/development)
+        ├── Survey
+        ├── Contact
+        ├── ActionClass
+        └── Integration
+```
+
+## Schema Reference
+
+For the complete and up-to-date database schema, please refer to:
+- Main schema: `packages/database/schema.prisma`
+- JSON type definitions: `packages/database/json-types.ts`
+
+The schema.prisma file contains all model definitions, relationships, enums, and field types. The json-types.ts file contains TypeScript type definitions for JSON fields.
+
+## Data Access Patterns
+
+### Multi-tenancy
+- All data is scoped by Organization
+- Environment-level isolation for surveys and contacts
+- Project-level grouping for related surveys
+
+### Soft Deletion
+Some models use soft deletion patterns:
+- Check `isActive` fields where present
+- Use proper filtering in queries
+
+### Cascading Deletes
+Configured cascade relationships:
+- Organization deletion cascades to all child entities
+- Survey deletion removes responses, displays, triggers
+- Contact deletion removes attributes and responses
+
+## Common Query Patterns
+
+### Survey with Responses
+```typescript
+// Include response count and latest responses
+const survey = await prisma.survey.findUnique({
+  where: { id: surveyId },
+  include: {
+    responses: {
+      take: 10,
+      orderBy: { createdAt: 'desc' }
+    },
+    _count: {
+      select: { responses: true }
+    }
+  }
+});
+```
+
+### Environment Scoping
+```typescript
+// Always scope by environment
+const surveys = await prisma.survey.findMany({
+  where: {
+    environmentId: environmentId,
+    // Additional filters...
+  }
+});
+```
+
+### Contact with Attributes
+```typescript
+const contact = await prisma.contact.findUnique({
+  where: { id: contactId },
+  include: {
+    attributes: {
+      include: {
+        attributeKey: true
+      }
+    }
+  }
+});
+```
+
+This schema supports Formbricks' core functionality: multi-tenant survey management, user targeting, response collection, and analysis, all while maintaining strict data isolation and security.
+
+

.cursor/rules/documentations.mdc

@@ -0,0 +1,24 @@
+---
+description: Guideline for writing end-user facing documentation in the apps/docs folder
+globs: 
+alwaysApply: false
+---
+Follow these instructions and guidelines when asked to write documentation in the apps/docs folder
+
+Follow this structure to write the title, describtion and pick a matching icon and insert it at the top of the MDX file:
+
+---
+title: "FEATURE NAME"
+description: "1 concise sentence to describe WHEN the feature is being used and FOR WHAT BENEFIT."
+icon: "link"
+---
+
+- Description: 1 concise sentence to describe WHEN the feature is being used and FOR WHAT BENEFIT.
+- Make ample use of the Mintlify components you can find here https://mintlify.com/docs/llms.txt
+- In all headlines, only capitalize the current feature and nothing else, NO Camel Case
+- Update the mint.json file and add the nav item at the correct position corresponding to where the MDX file is located
+- If a feature is part of the Enterprise Edition, use this note:
+
+<Note>
+  FEATURE NAME is part of the [Enterprise Edition](/self-hosting/advanced/license).
+</Note>

.cursor/rules/testing.mdc

@@ -3,4 +3,5 @@ description: Whenever the user asks to write or update a test file for .tsx or .
 globs: 
 alwaysApply: false
 ---
-Use the rules in this file when writing tests [copilot-instructions.md](mdc:.github/copilot-instructions.md)
+Use the rules in this file when writing tests [copilot-instructions.md](mdc:.github/copilot-instructions.md).
+After writing the tests, run them and check if there's any issue with the tests and if all of them are passing. Fix the issues and rerun the tests until all pass.

.env.example

@@ -80,8 +80,8 @@ S3_ENDPOINT_URL=
 # Force path style for S3 compatible storage (0 for disabled, 1 for enabled)
 S3_FORCE_PATH_STYLE=0
 
-# Set this URL to add a custom domain to your survey links(default is WEBAPP_URL)
-# SURVEY_URL=https://survey.example.com
+# Set this URL to add a public domain for all your client facing routes(default is WEBAPP_URL)
+# PUBLIC_URL=https://survey.example.com
 
 #####################
 # Disable Features  #
@@ -190,7 +190,7 @@ UNSPLASH_ACCESS_KEY=
 
 # The below is used for Next Caching (uses In-Memory from Next Cache if not provided)
 # You can also add more configuration to Redis using the redis.conf file in the root directory
-# REDIS_URL=redis://localhost:6379
+REDIS_URL=redis://localhost:6379
 
 # The below is used for Rate Limiting (uses In-Memory LRU Cache if not provided) (You can use a service like Webdis for this)
 # REDIS_HTTP_URL:
@@ -216,3 +216,8 @@ UNKEY_ROOT_KEY=
 
 # Configure the maximum age for the session in seconds. Default is 86400 (24 hours)
 # SESSION_MAX_AGE=86400
+
+# Audit logs options. Requires REDIS_URL env varibale. Default 0.
+# AUDIT_LOG_ENABLED=0
+# If the ip should be added in the log or not. Default 0
+# AUDIT_LOG_GET_USER_IP=0

.github/workflows/deploy-formbricks-cloud.yml

@@ -4,16 +4,16 @@ on:
   workflow_dispatch:
     inputs:
       VERSION:
-        description: 'The version of the Docker image to release, full image tag if image tag is v0.0.0 enter v0.0.0.'
+        description: "The version of the Docker image to release, full image tag if image tag is v0.0.0 enter v0.0.0."
         required: true
         type: string
       REPOSITORY:
-        description: 'The repository to use for the Docker image'
+        description: "The repository to use for the Docker image"
         required: false
         type: string
-        default: 'ghcr.io/formbricks/formbricks'
+        default: "ghcr.io/formbricks/formbricks"
       ENVIRONMENT:
-        description: 'The environment to deploy to'
+        description: "The environment to deploy to"
         required: true
         type: choice
         options:
@@ -22,16 +22,16 @@ on:
   workflow_call:
     inputs:
       VERSION:
-        description: 'The version of the Docker image to release'
+        description: "The version of the Docker image to release"
         required: true
         type: string
       REPOSITORY:
-        description: 'The repository to use for the Docker image'
+        description: "The repository to use for the Docker image"
         required: false
         type: string
-        default: 'ghcr.io/formbricks/formbricks'
+        default: "ghcr.io/formbricks/formbricks"
       ENVIRONMENT:
-        description: 'The environment to deploy to'
+        description: "The environment to deploy to"
         required: true
         type: string
 
@@ -75,7 +75,7 @@ jobs:
           FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.FORMBRICKS_INGRESS_CERT_ARN }}
           FORMBRICKS_ROLE_ARN: ${{ secrets.FORMBRICKS_ROLE_ARN }}
         with:
-          helmfile-version: 'v1.0.0'
+          helmfile-version: "v1.0.0"
           helm-plugins: >
             https://github.com/databus23/helm-diff,
             https://github.com/jkroepke/helm-secrets
@@ -92,7 +92,7 @@ jobs:
           FORMBRICKS_INGRESS_CERT_ARN: ${{ secrets.STAGE_FORMBRICKS_INGRESS_CERT_ARN }}
           FORMBRICKS_ROLE_ARN: ${{ secrets.STAGE_FORMBRICKS_ROLE_ARN }}
         with:
-          helmfile-version: 'v1.0.0'
+          helmfile-version: "v1.0.0"
           helm-plugins: >
             https://github.com/databus23/helm-diff,
             https://github.com/jkroepke/helm-secrets
@@ -100,3 +100,43 @@ jobs:
           helmfile-auto-init: "false"
           helmfile-workdirectory: infra/formbricks-cloud-helm
 
+      - name: Purge Cloudflare Cache
+        if: ${{ inputs.ENVIRONMENT == 'prod' || inputs.ENVIRONMENT == 'stage' }}
+        env:
+          CF_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
+          CF_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: |
+          # Set hostname based on environment
+          if [[ "${{ inputs.ENVIRONMENT }}" == "prod" ]]; then
+            PURGE_HOST="app.formbricks.com"
+          else
+            PURGE_HOST="stage.app.formbricks.com"
+          fi
+
+          echo "Purging Cloudflare cache for host: $PURGE_HOST (environment: ${{ inputs.ENVIRONMENT }}, zone: $CF_ZONE_ID)"
+
+          # Prepare JSON payload for selective cache purge
+          json_payload=$(cat << EOF
+          {
+            "hosts": ["$PURGE_HOST"]
+          }
+          EOF
+          )
+
+          # Make API call to Cloudflare
+          response=$(curl -s -X POST \
+            "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/purge_cache" \
+            -H "Authorization: Bearer $CF_API_TOKEN" \
+            -H "Content-Type: application/json" \
+            --data "$json_payload")
+
+          echo "Cloudflare API response: $response"
+
+          # Verify the operation was successful
+          if [[ "$(echo "$response" | jq -r .success)" == "true" ]]; then
+            echo "✅ Successfully purged cache for $PURGE_HOST"
+          else
+            echo "❌ Cloudflare cache purge failed"
+            echo "Error details: $(echo "$response" | jq -r .errors)"
+            exit 1
+          fi

.github/workflows/e2e.yml

@@ -45,6 +45,16 @@ jobs:
           --health-interval=10s
           --health-timeout=5s
           --health-retries=5
+      valkey:
+        image: valkey/valkey:8.1.1
+        ports:
+          - 6379:6379
+        options: >-
+          --entrypoint "valkey-server"
+          --health-cmd="valkey-cli ping"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=5
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0

.gitignore

@@ -73,3 +73,4 @@ infra/terraform/.terraform/
 /.idea/
 /*.iml
 packages/ios/FormbricksSDK/FormbricksSDK.xcodeproj/project.xcworkspace/xcuserdata
+.cursorrules

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks.test.tsx

@@ -27,7 +27,7 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        webAppUrl={webAppUrl}
+        publicDomain={webAppUrl}
         widgetSetupCompleted={false}
         channel={channel}
       />
@@ -40,7 +40,7 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        webAppUrl={webAppUrl}
+        publicDomain={webAppUrl}
         widgetSetupCompleted={true}
         channel={channel}
       />
@@ -53,7 +53,7 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        webAppUrl={webAppUrl}
+        publicDomain={webAppUrl}
         widgetSetupCompleted={true}
         channel={channel}
       />
@@ -67,7 +67,7 @@ describe("ConnectWithFormbricks", () => {
     render(
       <ConnectWithFormbricks
         environment={environment}
-        webAppUrl={webAppUrl}
+        publicDomain={webAppUrl}
         widgetSetupCompleted={false}
         channel={channel}
       />

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks.tsx

@@ -12,14 +12,14 @@ import { OnboardingSetupInstructions } from "./OnboardingSetupInstructions";
 
 interface ConnectWithFormbricksProps {
   environment: TEnvironment;
-  webAppUrl: string;
+  publicDomain: string;
   widgetSetupCompleted: boolean;
   channel: TProjectConfigChannel;
 }
 
 export const ConnectWithFormbricks = ({
   environment,
-  webAppUrl,
+  publicDomain,
   widgetSetupCompleted,
   channel,
 }: ConnectWithFormbricksProps) => {
@@ -49,7 +49,7 @@ export const ConnectWithFormbricks = ({
         <div className="flex w-1/2 flex-col space-y-4">
           <OnboardingSetupInstructions
             environmentId={environment.id}
-            webAppUrl={webAppUrl}
+            publicDomain={publicDomain}
             channel={channel}
             widgetSetupCompleted={widgetSetupCompleted}
           />

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/OnboardingSetupInstructions.test.tsx

@@ -33,7 +33,7 @@ describe("OnboardingSetupInstructions", () => {
   // Provide some default props for testing
   const defaultProps = {
     environmentId: "env-123",
-    webAppUrl: "https://example.com",
+    publicDomain: "https://example.com",
     channel: "app" as const, // Assuming channel is either "app" or "website"
     widgetSetupCompleted: false,
   };

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/OnboardingSetupInstructions.tsx

@@ -18,14 +18,14 @@ const tabs = [
 
 interface OnboardingSetupInstructionsProps {
   environmentId: string;
-  webAppUrl: string;
+  publicDomain: string;
   channel: TProjectConfigChannel;
   widgetSetupCompleted: boolean;
 }
 
 export const OnboardingSetupInstructions = ({
   environmentId,
-  webAppUrl,
+  publicDomain,
   channel,
   widgetSetupCompleted,
 }: OnboardingSetupInstructionsProps) => {
@@ -34,7 +34,7 @@ export const OnboardingSetupInstructions = ({
   const htmlSnippetForAppSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-      var appUrl = "${webAppUrl}";
+      var appUrl = "${publicDomain}";
       var environmentId = "${environmentId}";
       var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs",t.onload=function(){window.formbricks?window.formbricks.setup({environmentId:environmentId,appUrl:appUrl}):console.error("Formbricks library failed to load properly. The formbricks object is not available.");};var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}();
   </script>
@@ -44,7 +44,7 @@ export const OnboardingSetupInstructions = ({
   const htmlSnippetForWebsiteSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-    var appUrl = "${webAppUrl}";
+    var appUrl = "${publicDomain}";
     var environmentId = "${environmentId}";
     var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs",t.onload=function(){window.formbricks?window.formbricks.setup({environmentId:environmentId,appUrl:appUrl}):console.error("Formbricks library failed to load properly. The formbricks object is not available.");};var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}();
   </script>
@@ -57,7 +57,7 @@ export const OnboardingSetupInstructions = ({
   if (typeof window !== "undefined") {
     formbricks.setup({
       environmentId: "${environmentId}",
-      appUrl: "${webAppUrl}",
+      appUrl: "${publicDomain}",
     });
   }
   
@@ -75,7 +75,7 @@ export const OnboardingSetupInstructions = ({
   if (typeof window !== "undefined") {
     formbricks.setup({
       environmentId: "${environmentId}",
-      appUrl: "${webAppUrl}",
+      appUrl: "${publicDomain}",
     });
   }
   

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/page.tsx

@@ -1,6 +1,6 @@
 import { ConnectWithFormbricks } from "@/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks";
-import { WEBAPP_URL } from "@/lib/constants";
 import { getEnvironment } from "@/lib/environment/service";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { Button } from "@/modules/ui/components/button";
 import { Header } from "@/modules/ui/components/header";
@@ -30,6 +30,8 @@ const Page = async (props: ConnectPageProps) => {
 
   const channel = project.config.channel || null;
 
+  const publicDomain = getPublicDomain();
+
   return (
     <div className="flex min-h-full flex-col items-center justify-center py-10">
       <Header title={t("environments.connect.headline")} subtitle={t("environments.connect.subtitle")} />
@@ -39,7 +41,7 @@ const Page = async (props: ConnectPageProps) => {
       </div>
       <ConnectWithFormbricks
         environment={environment}
-        webAppUrl={WEBAPP_URL}
+        publicDomain={publicDomain}
         widgetSetupCompleted={environment.appSetupCompleted}
         channel={channel}
       />

apps/web/app/(app)/(onboarding)/environments/[environmentId]/layout.test.tsx

@@ -11,7 +11,7 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
-  SURVEY_URL: "http://localhost:3000/survey",
+  PUBLIC_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -86,6 +86,8 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("next/navigation", () => ({

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar.test.tsx

@@ -1,15 +1,33 @@
 import "@testing-library/jest-dom/vitest";
 import { cleanup, render, screen } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
-import { signOut } from "next-auth/react";
 import { afterEach, describe, expect, test, vi } from "vitest";
 import { LandingSidebar } from "./landing-sidebar";
 
+// Mock constants that this test needs
+vi.mock("@/lib/constants", () => ({
+  IS_FORMBRICKS_CLOUD: false,
+  WEBAPP_URL: "http://localhost:3000",
+}));
+
+// Mock server actions that this test needs
+vi.mock("@/modules/auth/actions/sign-out", () => ({
+  logSignOutAction: vi.fn().mockResolvedValue(undefined),
+}));
+
 // Module mocks must be declared before importing the component
 vi.mock("@tolgee/react", () => ({
   useTranslate: () => ({ t: (key: string) => key, isLoading: false }),
 }));
-vi.mock("next-auth/react", () => ({ signOut: vi.fn() }));
+
+// Mock our useSignOut hook
+const mockSignOut = vi.fn();
+vi.mock("@/modules/auth/hooks/use-sign-out", () => ({
+  useSignOut: () => ({
+    signOut: mockSignOut,
+  }),
+}));
+
 vi.mock("next/navigation", () => ({ useRouter: () => ({ push: vi.fn() }) }));
 vi.mock("@/modules/organization/components/CreateOrganizationModal", () => ({
   CreateOrganizationModal: ({ open }: { open: boolean }) => (
@@ -70,6 +88,12 @@ describe("LandingSidebar component", () => {
     const logoutItem = await screen.findByText("common.logout");
     await userEvent.click(logoutItem);
 
-    expect(signOut).toHaveBeenCalledWith({ callbackUrl: "/auth/login" });
+    expect(mockSignOut).toHaveBeenCalledWith({
+      reason: "user_initiated",
+      redirectUrl: "/auth/login",
+      organizationId: "o1",
+      redirect: true,
+      callbackUrl: "/auth/login",
+    });
   });
 });

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar.tsx

@@ -3,6 +3,7 @@
 import FBLogo from "@/images/formbricks-wordmark.svg";
 import { cn } from "@/lib/cn";
 import { capitalizeFirstLetter } from "@/lib/utils/strings";
+import { useSignOut } from "@/modules/auth/hooks/use-sign-out";
 import { CreateOrganizationModal } from "@/modules/organization/components/CreateOrganizationModal";
 import { ProfileAvatar } from "@/modules/ui/components/avatars";
 import {
@@ -20,7 +21,6 @@ import {
 } from "@/modules/ui/components/dropdown-menu";
 import { useTranslate } from "@tolgee/react";
 import { ArrowUpRightIcon, ChevronRightIcon, LogOutIcon, PlusIcon } from "lucide-react";
-import { signOut } from "next-auth/react";
 import Image from "next/image";
 import Link from "next/link";
 import { useRouter } from "next/navigation";
@@ -44,6 +44,7 @@ export const LandingSidebar = ({
   const [openCreateOrganizationModal, setOpenCreateOrganizationModal] = useState<boolean>(false);
 
   const { t } = useTranslate();
+  const { signOut: signOutWithAudit } = useSignOut({ id: user.id, email: user.email });
 
   const router = useRouter();
 
@@ -123,7 +124,13 @@ export const LandingSidebar = ({
 
             <DropdownMenuItem
               onClick={async () => {
-                await signOut({ callbackUrl: "/auth/login" });
+                await signOutWithAudit({
+                  reason: "user_initiated",
+                  redirectUrl: "/auth/login",
+                  organizationId: organization.id,
+                  redirect: true,
+                  callbackUrl: "/auth/login",
+                });
               }}
               icon={<LogOutIcon className="mr-2 h-4 w-4" strokeWidth={1.5} />}>
               {t("common.logout")}

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/layout.test.tsx

@@ -14,7 +14,7 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
-  SURVEY_URL: "http://localhost:3000/survey",
+  PUBLIC_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -89,6 +89,8 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("@/lib/environment/service");

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/landing/page.test.tsx

@@ -23,7 +23,6 @@ vi.mock("@/lib/constants", () => ({
   IS_DEVELOPMENT: true,
   E2E_TESTING: false,
   WEBAPP_URL: "http://localhost:3000",
-  SURVEY_URL: "http://localhost:3000/survey",
   ENCRYPTION_KEY: "mock-encryption-key",
   CRON_SECRET: "mock-cron-secret",
   DEFAULT_BRAND_COLOR: "#64748b",
@@ -98,6 +97,8 @@ vi.mock("@/lib/constants", () => ({
   OIDC_ISSUER: "https://mock-oidc-issuer.com",
   OIDC_SIGNING_ALGORITHM: "RS256",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("@/app/(app)/(onboarding)/organizations/[organizationId]/landing/components/landing-sidebar", () => ({

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/layout.test.tsx

@@ -35,6 +35,8 @@ vi.mock("@/lib/constants", () => ({
   WEBAPP_URL: "test-webapp-url",
   IS_PRODUCTION: false,
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("next-auth", () => ({

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/layout.test.tsx

@@ -34,6 +34,8 @@ vi.mock("@/lib/constants", () => ({
   WEBAPP_URL: "test-webapp-url",
   IS_PRODUCTION: false,
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 // Mock dependencies

apps/web/app/(app)/environments/[environmentId]/(contacts)/contacts/[contactId]/page.test.tsx

@@ -26,6 +26,14 @@ vi.mock("@/lib/constants", () => ({
   SMTP_PORT: "mock-smtp-port",
   IS_POSTHOG_CONFIGURED: true,
   SESSION_MAX_AGE: 1000,
+  AUDIT_LOG_ENABLED: 1,
+  REDIS_URL: "redis://localhost:6379",
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 describe("Contact Page Re-export", () => {

apps/web/app/(app)/environments/[environmentId]/actions.ts

@@ -4,7 +4,9 @@ import { getOrganization } from "@/lib/organization/service";
 import { getOrganizationProjectsCount } from "@/lib/project/service";
 import { updateUser } from "@/lib/user/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import {
   getOrganizationProjectsLimit,
   getRoleManagementPermission,
@@ -20,62 +22,69 @@ const ZCreateProjectAction = z.object({
   data: ZProjectUpdateInput,
 });
 
-export const createProjectAction = authenticatedActionClient
-  .schema(ZCreateProjectAction)
-  .action(async ({ parsedInput, ctx }) => {
-    const { user } = ctx;
+export const createProjectAction = authenticatedActionClient.schema(ZCreateProjectAction).action(
+  withAuditLogging(
+    "created",
+    "project",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const { user } = ctx;
 
-    const organizationId = parsedInput.organizationId;
+      const organizationId = parsedInput.organizationId;
 
-    await checkAuthorizationUpdated({
-      userId: user.id,
-      organizationId: parsedInput.organizationId,
-      access: [
-        {
-          data: parsedInput.data,
-          schema: ZProjectUpdateInput,
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-      ],
-    });
+      await checkAuthorizationUpdated({
+        userId: user.id,
+        organizationId: parsedInput.organizationId,
+        access: [
+          {
+            data: parsedInput.data,
+            schema: ZProjectUpdateInput,
+            type: "organization",
+            roles: ["owner", "manager"],
+          },
+        ],
+      });
 
-    const organization = await getOrganization(organizationId);
+      const organization = await getOrganization(organizationId);
 
-    if (!organization) {
-      throw new Error("Organization not found");
-    }
-
-    const organizationProjectsLimit = await getOrganizationProjectsLimit(organization.billing.limits);
-    const organizationProjectsCount = await getOrganizationProjectsCount(organization.id);
-
-    if (organizationProjectsCount >= organizationProjectsLimit) {
-      throw new OperationNotAllowedError("Organization project limit reached");
-    }
-
-    if (parsedInput.data.teamIds && parsedInput.data.teamIds.length > 0) {
-      const canDoRoleManagement = await getRoleManagementPermission(organization.billing.plan);
-
-      if (!canDoRoleManagement) {
-        throw new OperationNotAllowedError("You do not have permission to manage roles");
+      if (!organization) {
+        throw new Error("Organization not found");
       }
+
+      const organizationProjectsLimit = await getOrganizationProjectsLimit(organization.billing.limits);
+      const organizationProjectsCount = await getOrganizationProjectsCount(organization.id);
+
+      if (organizationProjectsCount >= organizationProjectsLimit) {
+        throw new OperationNotAllowedError("Organization project limit reached");
+      }
+
+      if (parsedInput.data.teamIds && parsedInput.data.teamIds.length > 0) {
+        const canDoRoleManagement = await getRoleManagementPermission(organization.billing.plan);
+
+        if (!canDoRoleManagement) {
+          throw new OperationNotAllowedError("You do not have permission to manage roles");
+        }
+      }
+
+      const project = await createProject(parsedInput.organizationId, parsedInput.data);
+      const updatedNotificationSettings = {
+        ...user.notificationSettings,
+        alert: {
+          ...user.notificationSettings?.alert,
+        },
+        weeklySummary: {
+          ...user.notificationSettings?.weeklySummary,
+          [project.id]: true,
+        },
+      };
+
+      await updateUser(user.id, {
+        notificationSettings: updatedNotificationSettings,
+      });
+
+      ctx.auditLoggingCtx.organizationId = organizationId;
+      ctx.auditLoggingCtx.projectId = project.id;
+      ctx.auditLoggingCtx.newObject = project;
+      return project;
     }
-
-    const project = await createProject(parsedInput.organizationId, parsedInput.data);
-    const updatedNotificationSettings = {
-      ...user.notificationSettings,
-      alert: {
-        ...user.notificationSettings?.alert,
-      },
-      weeklySummary: {
-        ...user.notificationSettings?.weeklySummary,
-        [project.id]: true,
-      },
-    };
-
-    await updateUser(user.id, {
-      notificationSettings: updatedNotificationSettings,
-    });
-
-    return project;
-  });
+  )
+);

apps/web/app/(app)/environments/[environmentId]/actions/actions.ts

@@ -3,8 +3,10 @@
 import { deleteActionClass, getActionClass, updateActionClass } from "@/lib/actionClass/service";
 import { getSurveysByActionClassId } from "@/lib/survey/service";
 import { actionClient, authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { getOrganizationIdFromActionClassId, getProjectIdFromActionClassId } from "@/lib/utils/helper";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { z } from "zod";
 import { ZActionClassInput } from "@formbricks/types/action-classes";
 import { ZId } from "@formbricks/types/common";
@@ -14,63 +16,80 @@ const ZDeleteActionClassAction = z.object({
   actionClassId: ZId,
 });
 
-export const deleteActionClassAction = authenticatedActionClient
-  .schema(ZDeleteActionClassAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromActionClassId(parsedInput.actionClassId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          minPermission: "readWrite",
-          projectId: await getProjectIdFromActionClassId(parsedInput.actionClassId),
-        },
-      ],
-    });
-
-    await deleteActionClass(parsedInput.actionClassId);
-  });
+export const deleteActionClassAction = authenticatedActionClient.schema(ZDeleteActionClassAction).action(
+  withAuditLogging(
+    "deleted",
+    "actionClass",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const organizationId = await getOrganizationIdFromActionClassId(parsedInput.actionClassId);
+      await checkAuthorizationUpdated({
+        userId: ctx.user.id,
+        organizationId,
+        access: [
+          {
+            type: "organization",
+            roles: ["owner", "manager"],
+          },
+          {
+            type: "projectTeam",
+            minPermission: "readWrite",
+            projectId: await getProjectIdFromActionClassId(parsedInput.actionClassId),
+          },
+        ],
+      });
+      ctx.auditLoggingCtx.organizationId = organizationId;
+      ctx.auditLoggingCtx.actionClassId = parsedInput.actionClassId;
+      ctx.auditLoggingCtx.oldObject = await getActionClass(parsedInput.actionClassId);
+      return await deleteActionClass(parsedInput.actionClassId);
+    }
+  )
+);
 
 const ZUpdateActionClassAction = z.object({
   actionClassId: ZId,
   updatedAction: ZActionClassInput,
 });
 
-export const updateActionClassAction = authenticatedActionClient
-  .schema(ZUpdateActionClassAction)
-  .action(async ({ ctx, parsedInput }) => {
-    const actionClass = await getActionClass(parsedInput.actionClassId);
-    if (actionClass === null) {
-      throw new ResourceNotFoundError("ActionClass", parsedInput.actionClassId);
+export const updateActionClassAction = authenticatedActionClient.schema(ZUpdateActionClassAction).action(
+  withAuditLogging(
+    "updated",
+    "actionClass",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const actionClass = await getActionClass(parsedInput.actionClassId);
+      if (actionClass === null) {
+        throw new ResourceNotFoundError("ActionClass", parsedInput.actionClassId);
+      }
+
+      const organizationId = await getOrganizationIdFromActionClassId(parsedInput.actionClassId);
+
+      await checkAuthorizationUpdated({
+        userId: ctx.user.id,
+        organizationId,
+        access: [
+          {
+            type: "organization",
+            roles: ["owner", "manager"],
+          },
+          {
+            type: "projectTeam",
+            minPermission: "readWrite",
+            projectId: await getProjectIdFromActionClassId(parsedInput.actionClassId),
+          },
+        ],
+      });
+      ctx.auditLoggingCtx.organizationId = organizationId;
+      ctx.auditLoggingCtx.actionClassId = parsedInput.actionClassId;
+      ctx.auditLoggingCtx.oldObject = actionClass;
+      const result = await updateActionClass(
+        actionClass.environmentId,
+        parsedInput.actionClassId,
+        parsedInput.updatedAction
+      );
+      ctx.auditLoggingCtx.newObject = result;
+      return result;
     }
-
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromActionClassId(parsedInput.actionClassId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          minPermission: "readWrite",
-          projectId: await getProjectIdFromActionClassId(parsedInput.actionClassId),
-        },
-      ],
-    });
-
-    return await updateActionClass(
-      actionClass.environmentId,
-      parsedInput.actionClassId,
-      parsedInput.updatedAction
-    );
-  });
+  )
+);
 
 const ZGetActiveInactiveSurveysAction = z.object({
   actionClassId: ZId,

apps/web/app/(app)/environments/[environmentId]/components/MainNavigation.test.tsx

@@ -1,6 +1,6 @@
+import { useSignOut } from "@/modules/auth/hooks/use-sign-out";
 import { cleanup, render, screen, waitFor } from "@testing-library/react";
 import userEvent from "@testing-library/user-event";
-import { signOut } from "next-auth/react";
 import { usePathname, useRouter } from "next/navigation";
 import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
 import { TEnvironment } from "@formbricks/types/environment";
@@ -10,6 +10,17 @@ import { TUser } from "@formbricks/types/user";
 import { getLatestStableFbReleaseAction } from "../actions/actions";
 import { MainNavigation } from "./MainNavigation";
 
+// Mock constants that this test needs
+vi.mock("@/lib/constants", () => ({
+  IS_FORMBRICKS_CLOUD: false,
+  WEBAPP_URL: "http://localhost:3000",
+}));
+
+// Mock server actions that this test needs
+vi.mock("@/modules/auth/actions/sign-out", () => ({
+  logSignOutAction: vi.fn().mockResolvedValue(undefined),
+}));
+
 // Mock dependencies
 vi.mock("next/navigation", () => ({
   useRouter: vi.fn(() => ({ push: vi.fn() })),
@@ -18,6 +29,9 @@ vi.mock("next/navigation", () => ({
 vi.mock("next-auth/react", () => ({
   signOut: vi.fn(),
 }));
+vi.mock("@/modules/auth/hooks/use-sign-out", () => ({
+  useSignOut: vi.fn(() => ({ signOut: vi.fn() })),
+}));
 vi.mock("@/app/(app)/environments/[environmentId]/actions/actions", () => ({
   getLatestStableFbReleaseAction: vi.fn(),
 }));
@@ -203,7 +217,12 @@ describe("MainNavigation", () => {
   });
 
   test("renders user dropdown and handles logout", async () => {
-    vi.mocked(signOut).mockResolvedValue({ url: "/auth/login" });
+    const mockSignOut = vi.fn().mockResolvedValue({ url: "/auth/login" });
+    vi.mocked(useSignOut).mockReturnValue({ signOut: mockSignOut });
+
+    // Set up localStorage spy on the mocked localStorage
+    const removeItemSpy = vi.spyOn(window.localStorage, "removeItem");
+
     render(<MainNavigation {...defaultProps} />);
 
     // Find the avatar and get its parent div which acts as the trigger
@@ -224,10 +243,23 @@ describe("MainNavigation", () => {
     const logoutButton = screen.getByText("common.logout");
     await userEvent.click(logoutButton);
 
-    expect(signOut).toHaveBeenCalledWith({ redirect: false, callbackUrl: "/auth/login" });
+    // Verify localStorage.removeItem is called with the correct key
+    expect(removeItemSpy).toHaveBeenCalledWith("formbricks-environment-id");
+
+    expect(mockSignOut).toHaveBeenCalledWith({
+      reason: "user_initiated",
+      redirectUrl: "/auth/login",
+      organizationId: "org1",
+      redirect: false,
+      callbackUrl: "/auth/login",
+    });
+
     await waitFor(() => {
       expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
     });
+
+    // Clean up spy
+    removeItemSpy.mockRestore();
   });
 
   test("handles organization switching", async () => {

apps/web/app/(app)/environments/[environmentId]/components/MainNavigation.tsx

@@ -4,8 +4,10 @@ import { getLatestStableFbReleaseAction } from "@/app/(app)/environments/[enviro
 import { NavigationLink } from "@/app/(app)/environments/[environmentId]/components/NavigationLink";
 import FBLogo from "@/images/formbricks-wordmark.svg";
 import { cn } from "@/lib/cn";
+import { FORMBRICKS_ENVIRONMENT_ID_LS } from "@/lib/localStorage";
 import { getAccessFlags } from "@/lib/membership/utils";
 import { capitalizeFirstLetter } from "@/lib/utils/strings";
+import { useSignOut } from "@/modules/auth/hooks/use-sign-out";
 import { CreateOrganizationModal } from "@/modules/organization/components/CreateOrganizationModal";
 import { ProjectSwitcher } from "@/modules/projects/components/project-switcher";
 import { ProfileAvatar } from "@/modules/ui/components/avatars";
@@ -42,7 +44,6 @@ import {
   UserIcon,
   UsersIcon,
 } from "lucide-react";
-import { signOut } from "next-auth/react";
 import Image from "next/image";
 import Link from "next/link";
 import { usePathname, useRouter } from "next/navigation";
@@ -90,6 +91,7 @@ export const MainNavigation = ({
   const [isCollapsed, setIsCollapsed] = useState(true);
   const [isTextVisible, setIsTextVisible] = useState(true);
   const [latestVersion, setLatestVersion] = useState("");
+  const { signOut: signOutWithAudit } = useSignOut({ id: user.id, email: user.email });
 
   const project = projects.find((project) => project.id === environment.projectId);
   const { isManager, isOwner, isMember, isBilling } = getAccessFlags(membershipRole);
@@ -389,8 +391,16 @@ export const MainNavigation = ({
 
                   <DropdownMenuItem
                     onClick={async () => {
-                      const route = await signOut({ redirect: false, callbackUrl: "/auth/login" });
-                      router.push(route.url);
+                      localStorage.removeItem(FORMBRICKS_ENVIRONMENT_ID_LS);
+
+                      const route = await signOutWithAudit({
+                        reason: "user_initiated",
+                        redirectUrl: "/auth/login",
+                        organizationId: organization.id,
+                        redirect: false,
+                        callbackUrl: "/auth/login",
+                      });
+                      router.push(route?.url || "/auth/login"); // NOSONAR // We want to check for empty strings
                     }}
                     icon={<LogOutIcon className="mr-2 h-4 w-4" strokeWidth={1.5} />}>
                     {t("common.logout")}

apps/web/app/(app)/environments/[environmentId]/integrations/actions.ts

@@ -2,13 +2,15 @@
 
 import { createOrUpdateIntegration, deleteIntegration } from "@/lib/integration/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import {
   getOrganizationIdFromEnvironmentId,
   getOrganizationIdFromIntegrationId,
   getProjectIdFromEnvironmentId,
   getProjectIdFromIntegrationId,
 } from "@/lib/utils/helper";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
 import { ZIntegrationInput } from "@formbricks/types/integration";
@@ -20,48 +22,79 @@ const ZCreateOrUpdateIntegrationAction = z.object({
 
 export const createOrUpdateIntegrationAction = authenticatedActionClient
   .schema(ZCreateOrUpdateIntegrationAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromEnvironmentId(parsedInput.environmentId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          minPermission: "readWrite",
-          projectId: await getProjectIdFromEnvironmentId(parsedInput.environmentId),
-        },
-      ],
-    });
+  .action(
+    withAuditLogging(
+      "createdUpdated",
+      "integration",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        const organizationId = await getOrganizationIdFromEnvironmentId(parsedInput.environmentId);
 
-    return await createOrUpdateIntegration(parsedInput.environmentId, parsedInput.integrationData);
-  });
+        await checkAuthorizationUpdated({
+          userId: ctx.user.id,
+          organizationId,
+          access: [
+            {
+              type: "organization",
+              roles: ["owner", "manager"],
+            },
+            {
+              type: "projectTeam",
+              minPermission: "readWrite",
+              projectId: await getProjectIdFromEnvironmentId(parsedInput.environmentId),
+            },
+          ],
+        });
+
+        ctx.auditLoggingCtx.organizationId = organizationId;
+        const result = await createOrUpdateIntegration(
+          parsedInput.environmentId,
+          parsedInput.integrationData
+        );
+        ctx.auditLoggingCtx.integrationId = result.id;
+        ctx.auditLoggingCtx.newObject = result;
+        return result;
+      }
+    )
+  );
 
 const ZDeleteIntegrationAction = z.object({
   integrationId: ZId,
 });
 
-export const deleteIntegrationAction = authenticatedActionClient
-  .schema(ZDeleteIntegrationAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromIntegrationId(parsedInput.integrationId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          projectId: await getProjectIdFromIntegrationId(parsedInput.integrationId),
-          minPermission: "readWrite",
-        },
-      ],
-    });
+export const deleteIntegrationAction = authenticatedActionClient.schema(ZDeleteIntegrationAction).action(
+  withAuditLogging(
+    "deleted",
+    "integration",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const organizationId = await getOrganizationIdFromIntegrationId(parsedInput.integrationId);
 
-    return await deleteIntegration(parsedInput.integrationId);
-  });
+      await checkAuthorizationUpdated({
+        userId: ctx.user.id,
+        organizationId,
+        access: [
+          {
+            type: "organization",
+            roles: ["owner", "manager"],
+          },
+          {
+            type: "projectTeam",
+            projectId: await getProjectIdFromIntegrationId(parsedInput.integrationId),
+            minPermission: "readWrite",
+          },
+        ],
+      });
+
+      ctx.auditLoggingCtx.organizationId = organizationId;
+      ctx.auditLoggingCtx.integrationId = parsedInput.integrationId;
+      const result = await deleteIntegration(parsedInput.integrationId);
+      ctx.auditLoggingCtx.oldObject = result;
+      return result;
+    }
+  )
+);

apps/web/app/(app)/environments/[environmentId]/integrations/airtable/page.test.tsx

@@ -49,6 +49,8 @@ vi.mock("@/lib/constants", () => ({
   OIDC_SIGNING_ALGORITHM: "test-oidc-signing-algorithm",
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("@/lib/integration/service");

apps/web/app/(app)/environments/[environmentId]/integrations/google-sheets/actions.ts

@@ -2,7 +2,7 @@
 
 import { getSpreadsheetNameById } from "@/lib/googleSheet/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
 import { getOrganizationIdFromEnvironmentId, getProjectIdFromEnvironmentId } from "@/lib/utils/helper";
 import { z } from "zod";
 import { ZIntegrationGoogleSheets } from "@formbricks/types/integration/google-sheet";

apps/web/app/(app)/environments/[environmentId]/integrations/notion/components/NotionWrapper.test.tsx

@@ -32,6 +32,8 @@ vi.mock("@/lib/constants", () => ({
   GOOGLE_SHEETS_CLIENT_SECRET: "test-client-secret",
   GOOGLE_SHEETS_REDIRECT_URL: "test-redirect-url",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "mock-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 // Mock child components

apps/web/app/(app)/environments/[environmentId]/integrations/slack/actions.ts

@@ -2,7 +2,7 @@
 
 import { getSlackChannels } from "@/lib/slack/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
 import { getOrganizationIdFromEnvironmentId, getProjectIdFromEnvironmentId } from "@/lib/utils/helper";
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";

apps/web/app/(app)/environments/[environmentId]/project/(setup)/app-connection/page.test.tsx

@@ -25,6 +25,14 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://example.com",
+  },
 }));
 
 describe("AppConnectionPage Re-export", () => {

apps/web/app/(app)/environments/[environmentId]/project/general/page.test.tsx

@@ -25,6 +25,14 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "redis://localhost:6379",
+  AUDIT_LOG_ENABLED: 1,
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 describe("GeneralSettingsPage re-export", () => {

apps/web/app/(app)/environments/[environmentId]/project/languages/page.test.tsx

@@ -25,6 +25,8 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "redis://localhost:6379",
+  AUDIT_LOG_ENABLED: 1,
 }));
 
 describe("LanguagesPage re-export", () => {

apps/web/app/(app)/environments/[environmentId]/project/look/page.test.tsx

@@ -25,6 +25,14 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "redis://localhost:6379",
+  AUDIT_LOG_ENABLED: 1,
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 describe("ProjectLookSettingsPage re-export", () => {

apps/web/app/(app)/environments/[environmentId]/project/tags/page.test.tsx

@@ -25,6 +25,8 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "redis://localhost:6379",
+  AUDIT_LOG_ENABLED: 1,
 }));
 
 describe("TagsPage re-export", () => {

apps/web/app/(app)/environments/[environmentId]/project/teams/page.test.tsx

@@ -25,6 +25,8 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 describe("ProjectTeams re-export", () => {

apps/web/app/(app)/environments/[environmentId]/settings/(account)/layout.test.tsx

@@ -41,6 +41,8 @@ vi.mock("@/lib/constants", () => ({
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 const mockGetOrganizationByEnvironmentId = vi.mocked(getOrganizationByEnvironmentId);

apps/web/app/(app)/environments/[environmentId]/settings/(account)/notifications/actions.ts

@@ -1,7 +1,9 @@
 "use server";
 
-import { updateUser } from "@/lib/user/service";
+import { getUser, updateUser } from "@/lib/user/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { z } from "zod";
 import { ZUserNotificationSettings } from "@formbricks/types/user";
 
@@ -11,8 +13,25 @@ const ZUpdateNotificationSettingsAction = z.object({
 
 export const updateNotificationSettingsAction = authenticatedActionClient
   .schema(ZUpdateNotificationSettingsAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await updateUser(ctx.user.id, {
-      notificationSettings: parsedInput.notificationSettings,
-    });
-  });
+  .action(
+    withAuditLogging(
+      "updated",
+      "user",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        const oldObject = await getUser(ctx.user.id);
+        const result = await updateUser(ctx.user.id, {
+          notificationSettings: parsedInput.notificationSettings,
+        });
+        ctx.auditLoggingCtx.userId = ctx.user.id;
+        ctx.auditLoggingCtx.oldObject = oldObject;
+        ctx.auditLoggingCtx.newObject = result;
+        return result;
+      }
+    )
+  );

apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/actions.ts

@@ -7,10 +7,12 @@ import {
 import { EMAIL_VERIFICATION_DISABLED } from "@/lib/constants";
 import { deleteFile } from "@/lib/storage/service";
 import { getFileNameWithIdFromUrl } from "@/lib/storage/utils";
-import { updateUser } from "@/lib/user/service";
+import { getUser, updateUser } from "@/lib/user/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { rateLimit } from "@/lib/utils/rate-limit";
 import { updateBrevoCustomer } from "@/modules/auth/lib/brevo";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { sendVerificationNewEmail } from "@/modules/email";
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
@@ -27,93 +29,136 @@ const limiter = rateLimit({
   allowedPerInterval: 3, // max 3 calls for email verification per hour
 });
 
+function buildUserUpdatePayload(parsedInput: any): TUserUpdateInput {
+  return {
+    ...(parsedInput.name && { name: parsedInput.name }),
+    ...(parsedInput.locale && { locale: parsedInput.locale }),
+  };
+}
+
+async function handleEmailUpdate({
+  ctx,
+  parsedInput,
+  payload,
+}: {
+  ctx: any;
+  parsedInput: any;
+  payload: TUserUpdateInput;
+}) {
+  const inputEmail = parsedInput.email?.trim().toLowerCase();
+  if (!inputEmail || ctx.user.email === inputEmail) return payload;
+
+  try {
+    await limiter(ctx.user.id);
+  } catch {
+    throw new TooManyRequestsError("Too many requests");
+  }
+  if (ctx.user.identityProvider !== "email") {
+    throw new OperationNotAllowedError("Email update is not allowed for non-credential users.");
+  }
+  if (!parsedInput.password) {
+    throw new AuthenticationError("Password is required to update email.");
+  }
+  const isCorrectPassword = await verifyUserPassword(ctx.user.id, parsedInput.password);
+  if (!isCorrectPassword) {
+    throw new AuthorizationError("Incorrect credentials");
+  }
+  const isEmailUnique = await getIsEmailUnique(inputEmail);
+  if (!isEmailUnique) return payload;
+
+  if (EMAIL_VERIFICATION_DISABLED) {
+    payload.email = inputEmail;
+    await updateBrevoCustomer({ id: ctx.user.id, email: inputEmail });
+  } else {
+    await sendVerificationNewEmail(ctx.user.id, inputEmail);
+  }
+  return payload;
+}
+
 export const updateUserAction = authenticatedActionClient
   .schema(
     ZUserUpdateInput.pick({ name: true, email: true, locale: true }).extend({
       password: ZUserPassword.optional(),
     })
   )
-  .action(async ({ parsedInput, ctx }) => {
-    const inputEmail = parsedInput.email?.trim().toLowerCase();
+  .action(
+    withAuditLogging(
+      "updated",
+      "user",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        const oldObject = await getUser(ctx.user.id);
+        let payload = buildUserUpdatePayload(parsedInput);
+        payload = await handleEmailUpdate({ ctx, parsedInput, payload });
 
-    let payload: TUserUpdateInput = {
-      ...(parsedInput.name && { name: parsedInput.name }),
-      ...(parsedInput.locale && { locale: parsedInput.locale }),
-    };
-
-    // Only process email update if a new email is provided and it's different from current email
-    if (inputEmail && ctx.user.email !== inputEmail) {
-      // Check rate limit
-      try {
-        await limiter(ctx.user.id);
-      } catch {
-        throw new TooManyRequestsError("Too many requests");
-      }
-      if (ctx.user.identityProvider !== "email") {
-        throw new OperationNotAllowedError("Email update is not allowed for non-credential users.");
-      }
-
-      if (!parsedInput.password) {
-        throw new AuthenticationError("Password is required to update email.");
-      }
-
-      const isCorrectPassword = await verifyUserPassword(ctx.user.id, parsedInput.password);
-      if (!isCorrectPassword) {
-        throw new AuthorizationError("Incorrect credentials");
-      }
-
-      // Check if the new email is unique, no user exists with the new email
-      const isEmailUnique = await getIsEmailUnique(inputEmail);
-
-      // If the new email is unique, proceed with the email update
-      if (isEmailUnique) {
-        if (EMAIL_VERIFICATION_DISABLED) {
-          payload.email = inputEmail;
-          await updateBrevoCustomer({ id: ctx.user.id, email: inputEmail });
-        } else {
-          await sendVerificationNewEmail(ctx.user.id, inputEmail);
+        // Only proceed with updateUser if we have actual changes to make
+        let newObject = oldObject;
+        if (Object.keys(payload).length > 0) {
+          newObject = await updateUser(ctx.user.id, payload);
         }
+
+        ctx.auditLoggingCtx.userId = ctx.user.id;
+        ctx.auditLoggingCtx.oldObject = oldObject;
+        ctx.auditLoggingCtx.newObject = newObject;
+
+        return true;
       }
-    }
-
-    // Only proceed with updateUser if we have actual changes to make
-    if (Object.keys(payload).length > 0) {
-      await updateUser(ctx.user.id, payload);
-    }
-
-    return true;
-  });
+    )
+  );
 
 const ZUpdateAvatarAction = z.object({
   avatarUrl: z.string(),
 });
 
-export const updateAvatarAction = authenticatedActionClient
-  .schema(ZUpdateAvatarAction)
-  .action(async ({ parsedInput, ctx }) => {
-    return await updateUser(ctx.user.id, { imageUrl: parsedInput.avatarUrl });
-  });
+export const updateAvatarAction = authenticatedActionClient.schema(ZUpdateAvatarAction).action(
+  withAuditLogging(
+    "updated",
+    "user",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const oldObject = await getUser(ctx.user.id);
+      const result = await updateUser(ctx.user.id, { imageUrl: parsedInput.avatarUrl });
+      ctx.auditLoggingCtx.userId = ctx.user.id;
+      ctx.auditLoggingCtx.oldObject = oldObject;
+      ctx.auditLoggingCtx.newObject = result;
+      return result;
+    }
+  )
+);
 
 const ZRemoveAvatarAction = z.object({
   environmentId: ZId,
 });
 
-export const removeAvatarAction = authenticatedActionClient
-  .schema(ZRemoveAvatarAction)
-  .action(async ({ parsedInput, ctx }) => {
-    const imageUrl = ctx.user.imageUrl;
-    if (!imageUrl) {
-      throw new Error("Image not found");
-    }
+export const removeAvatarAction = authenticatedActionClient.schema(ZRemoveAvatarAction).action(
+  withAuditLogging(
+    "updated",
+    "user",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const oldObject = await getUser(ctx.user.id);
+      const imageUrl = ctx.user.imageUrl;
+      if (!imageUrl) {
+        throw new Error("Image not found");
+      }
 
-    const fileName = getFileNameWithIdFromUrl(imageUrl);
-    if (!fileName) {
-      throw new Error("Invalid filename");
-    }
+      const fileName = getFileNameWithIdFromUrl(imageUrl);
+      if (!fileName) {
+        throw new Error("Invalid filename");
+      }
 
-    const deletionResult = await deleteFile(parsedInput.environmentId, "public", fileName);
-    if (!deletionResult.success) {
-      throw new Error("Deletion failed");
+      const deletionResult = await deleteFile(parsedInput.environmentId, "public", fileName);
+      if (!deletionResult.success) {
+        throw new Error("Deletion failed");
+      }
+      const result = await updateUser(ctx.user.id, { imageUrl: null });
+      ctx.auditLoggingCtx.userId = ctx.user.id;
+      ctx.auditLoggingCtx.oldObject = oldObject;
+      ctx.auditLoggingCtx.newObject = result;
+      return result;
     }
-    return await updateUser(ctx.user.id, { imageUrl: null });
-  });
+  )
+);

apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/components/EditProfileDetailsForm.tsx

@@ -3,6 +3,7 @@
 import { PasswordConfirmationModal } from "@/app/(app)/environments/[environmentId]/settings/(account)/profile/components/password-confirmation-modal";
 import { appLanguages } from "@/lib/i18n/utils";
 import { getFormattedErrorMessage } from "@/lib/utils/helper";
+import { useSignOut } from "@/modules/auth/hooks/use-sign-out";
 import { Button } from "@/modules/ui/components/button";
 import {
   DropdownMenu,
@@ -16,8 +17,6 @@ import { Input } from "@/modules/ui/components/input";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { useTranslate } from "@tolgee/react";
 import { ChevronDownIcon } from "lucide-react";
-import { signOut } from "next-auth/react";
-import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { FormProvider, SubmitHandler, useForm } from "react-hook-form";
 import toast from "react-hot-toast";
@@ -39,7 +38,6 @@ export const EditProfileDetailsForm = ({
   emailVerificationDisabled: boolean;
 }) => {
   const { t } = useTranslate();
-  const router = useRouter();
 
   const form = useForm<TEditProfileNameForm>({
     defaultValues: {
@@ -53,6 +51,7 @@ export const EditProfileDetailsForm = ({
 
   const { isSubmitting, isDirty } = form.formState;
   const [showModal, setShowModal] = useState(false);
+  const { signOut: signOutWithAudit } = useSignOut({ id: user.id, email: user.email });
 
   const handleConfirmPassword = async (password: string) => {
     const values = form.getValues();
@@ -86,8 +85,12 @@ export const EditProfileDetailsForm = ({
         toast.success(t("auth.verification-requested.new_email_verification_success"));
       } else {
         toast.success(t("environments.settings.profile.email_change_initiated"));
-        await signOut({ redirect: false });
-        router.push(`/email-change-without-verification-success`);
+        await signOutWithAudit({
+          reason: "email_change",
+          redirectUrl: "/email-change-without-verification-success",
+          redirect: true,
+          callbackUrl: "/email-change-without-verification-success",
+        });
         return;
       }
     } else {

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/actions.ts

@@ -1,8 +1,10 @@
 "use server";
 
-import { deleteOrganization, updateOrganization } from "@/lib/organization/service";
+import { deleteOrganization, getOrganization, updateOrganization } from "@/lib/organization/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { getIsMultiOrgEnabled } from "@/modules/ee/license-check/lib/utils";
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
@@ -16,43 +18,65 @@ const ZUpdateOrganizationNameAction = z.object({
 
 export const updateOrganizationNameAction = authenticatedActionClient
   .schema(ZUpdateOrganizationNameAction)
-  .action(async ({ parsedInput, ctx }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: parsedInput.organizationId,
-      access: [
-        {
-          type: "organization",
-          schema: ZOrganizationUpdateInput.pick({ name: true }),
-          data: parsedInput.data,
-          roles: ["owner"],
-        },
-      ],
-    });
-
-    return await updateOrganization(parsedInput.organizationId, parsedInput.data);
-  });
+  .action(
+    withAuditLogging(
+      "updated",
+      "organization",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        await checkAuthorizationUpdated({
+          userId: ctx.user.id,
+          organizationId: parsedInput.organizationId,
+          access: [
+            {
+              type: "organization",
+              schema: ZOrganizationUpdateInput.pick({ name: true }),
+              data: parsedInput.data,
+              roles: ["owner"],
+            },
+          ],
+        });
+        ctx.auditLoggingCtx.organizationId = parsedInput.organizationId;
+        const oldObject = await getOrganization(parsedInput.organizationId);
+        const result = await updateOrganization(parsedInput.organizationId, parsedInput.data);
+        ctx.auditLoggingCtx.oldObject = oldObject;
+        ctx.auditLoggingCtx.newObject = result;
+        return result;
+      }
+    )
+  );
 
 const ZDeleteOrganizationAction = z.object({
   organizationId: ZId,
 });
 
-export const deleteOrganizationAction = authenticatedActionClient
-  .schema(ZDeleteOrganizationAction)
-  .action(async ({ parsedInput, ctx }) => {
-    const isMultiOrgEnabled = await getIsMultiOrgEnabled();
-    if (!isMultiOrgEnabled) throw new OperationNotAllowedError("Organization deletion disabled");
+export const deleteOrganizationAction = authenticatedActionClient.schema(ZDeleteOrganizationAction).action(
+  withAuditLogging(
+    "deleted",
+    "organization",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const isMultiOrgEnabled = await getIsMultiOrgEnabled();
+      if (!isMultiOrgEnabled) throw new OperationNotAllowedError("Organization deletion disabled");
 
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: parsedInput.organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner"],
-        },
-      ],
-    });
-
-    return await deleteOrganization(parsedInput.organizationId);
-  });
+      await checkAuthorizationUpdated({
+        userId: ctx.user.id,
+        organizationId: parsedInput.organizationId,
+        access: [
+          {
+            type: "organization",
+            roles: ["owner"],
+          },
+        ],
+      });
+      ctx.auditLoggingCtx.organizationId = parsedInput.organizationId;
+      const oldObject = await getOrganization(parsedInput.organizationId);
+      ctx.auditLoggingCtx.oldObject = oldObject;
+      return await deleteOrganization(parsedInput.organizationId);
+    }
+  )
+);

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/teams/page.test.tsx

@@ -30,6 +30,14 @@ vi.mock("@/lib/constants", () => ({
   SMTP_USER: "mock-smtp-user",
   SMTP_PASSWORD: "mock-smtp-password",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "redis://localhost:6379",
+  AUDIT_LOG_ENABLED: 1,
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 describe("TeamsPage re-export", () => {

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/actions.ts

@@ -2,7 +2,7 @@
 
 import { getResponseCountBySurveyId, getResponses } from "@/lib/response/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
 import { getOrganizationIdFromSurveyId, getProjectIdFromSurveyId } from "@/lib/utils/helper";
 import { revalidatePath } from "next/cache";
 import { z } from "zod";

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/components/SurveyAnalysisNavigation.test.tsx

@@ -45,6 +45,14 @@ vi.mock("@/lib/constants", () => ({
   SMTP_USER: "mock-smtp-user",
   SMTP_PASSWORD: "mock-smtp-password",
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 vi.mock("@/app/(app)/environments/[environmentId]/components/ResponseFilterContext");

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponsePage.tsx

@@ -20,7 +20,7 @@ interface ResponsePageProps {
   environment: TEnvironment;
   survey: TSurvey;
   surveyId: string;
-  webAppUrl: string;
+  publicDomain: string;
   user?: TUser;
   environmentTags: TTag[];
   responsesPerPage: number;
@@ -32,7 +32,7 @@ export const ResponsePage = ({
   environment,
   survey,
   surveyId,
-  webAppUrl,
+  publicDomain,
   user,
   environmentTags,
   responsesPerPage,
@@ -155,7 +155,7 @@ export const ResponsePage = ({
     <>
       <div className="flex gap-1.5">
         <CustomFilter survey={surveyMemoized} />
-        {!isReadOnly && !isSharingPage && <ResultsShareButton survey={survey} webAppUrl={webAppUrl} />}
+        {!isReadOnly && !isSharingPage && <ResultsShareButton survey={survey} publicDomain={publicDomain} />}
       </div>
       <ResponseDataView
         survey={survey}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/page.test.tsx

@@ -3,7 +3,7 @@ import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentI
 import { ResponsePage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponsePage";
 import Page from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/page";
 import { SurveyAnalysisCTA } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA";
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getResponseCountBySurveyId } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
@@ -65,8 +65,8 @@ vi.mock("@/lib/constants", () => ({
   SESSION_MAX_AGE: 1000,
 }));
 
-vi.mock("@/lib/getSurveyUrl", () => ({
-  getSurveyDomain: vi.fn(),
+vi.mock("@/lib/getPublicUrl", () => ({
+  getPublicDomain: vi.fn(),
 }));
 
 vi.mock("@/lib/response/service", () => ({
@@ -160,7 +160,7 @@ const mockEnvironment = {
 
 const mockTags: TTag[] = [{ id: "tag1", name: "Tag 1", environmentId: mockEnvironmentId } as unknown as TTag];
 const mockLocale: TUserLocale = "en-US";
-const mockSurveyDomain = "http://customdomain.com";
+const mockPublicDomain = "http://customdomain.com";
 
 const mockParams = {
   environmentId: mockEnvironmentId,
@@ -179,7 +179,7 @@ describe("ResponsesPage", () => {
     vi.mocked(getTagsByEnvironmentId).mockResolvedValue(mockTags);
     vi.mocked(getResponseCountBySurveyId).mockResolvedValue(10);
     vi.mocked(findMatchingLocale).mockResolvedValue(mockLocale);
-    vi.mocked(getSurveyDomain).mockReturnValue(mockSurveyDomain);
+    vi.mocked(getPublicDomain).mockReturnValue(mockPublicDomain);
   });
 
   afterEach(() => {
@@ -205,7 +205,7 @@ describe("ResponsesPage", () => {
         survey: mockSurvey,
         isReadOnly: false,
         user: mockUser,
-        surveyDomain: mockSurveyDomain,
+        publicDomain: mockPublicDomain,
       }),
       undefined
     );
@@ -224,7 +224,7 @@ describe("ResponsesPage", () => {
         environment: mockEnvironment,
         survey: mockSurvey,
         surveyId: mockSurveyId,
-        webAppUrl: "http://localhost:3000",
+        publicDomain: mockPublicDomain,
         environmentTags: mockTags,
         user: mockUser,
         responsesPerPage: 10,

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/page.tsx

@@ -1,8 +1,8 @@
 import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/components/SurveyAnalysisNavigation";
 import { ResponsePage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponsePage";
 import { SurveyAnalysisCTA } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA";
-import { RESPONSES_PER_PAGE, WEBAPP_URL } from "@/lib/constants";
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { RESPONSES_PER_PAGE } from "@/lib/constants";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getResponseCountBySurveyId } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
@@ -37,7 +37,7 @@ const Page = async (props) => {
   const responseCount = await getResponseCountBySurveyId(params.surveyId);
 
   const locale = await findMatchingLocale();
-  const surveyDomain = getSurveyDomain();
+  const publicDomain = getPublicDomain();
 
   return (
     <PageContentWrapper>
@@ -49,7 +49,7 @@ const Page = async (props) => {
             survey={survey}
             isReadOnly={isReadOnly}
             user={user}
-            surveyDomain={surveyDomain}
+            publicDomain={publicDomain}
             responseCount={responseCount}
           />
         }>
@@ -59,7 +59,7 @@ const Page = async (props) => {
         environment={environment}
         survey={survey}
         surveyId={params.surveyId}
-        webAppUrl={WEBAPP_URL}
+        publicDomain={publicDomain}
         environmentTags={tags}
         user={user}
         responsesPerPage={RESPONSES_PER_PAGE}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/actions.ts

@@ -3,8 +3,10 @@
 import { getEmailTemplateHtml } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/emailTemplate";
 import { getSurvey, updateSurvey } from "@/lib/survey/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { getOrganizationIdFromSurveyId, getProjectIdFromSurveyId } from "@/lib/utils/helper";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { getOrganizationLogoUrl } from "@/modules/ee/whitelabel/email-customization/lib/organization";
 import { sendEmbedSurveyPreviewEmail } from "@/modules/email";
 import { customAlphabet } from "nanoid";
@@ -63,37 +65,55 @@ const ZGenerateResultShareUrlAction = z.object({
 
 export const generateResultShareUrlAction = authenticatedActionClient
   .schema(ZGenerateResultShareUrlAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromSurveyId(parsedInput.surveyId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          minPermission: "readWrite",
-          projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
-        },
-      ],
-    });
+  .action(
+    withAuditLogging(
+      "updated",
+      "survey",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        const organizationId = await getOrganizationIdFromSurveyId(parsedInput.surveyId);
+        await checkAuthorizationUpdated({
+          userId: ctx.user.id,
+          organizationId: organizationId,
+          access: [
+            {
+              type: "organization",
+              roles: ["owner", "manager"],
+            },
+            {
+              type: "projectTeam",
+              minPermission: "readWrite",
+              projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
+            },
+          ],
+        });
 
-    const survey = await getSurvey(parsedInput.surveyId);
-    if (!survey) {
-      throw new ResourceNotFoundError("Survey", parsedInput.surveyId);
-    }
+        const survey = await getSurvey(parsedInput.surveyId);
+        if (!survey) {
+          throw new ResourceNotFoundError("Survey", parsedInput.surveyId);
+        }
 
-    const resultShareKey = customAlphabet(
-      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
-      20
-    )();
+        const resultShareKey = customAlphabet(
+          "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
+          20
+        )();
 
-    await updateSurvey({ ...survey, resultShareKey });
+        ctx.auditLoggingCtx.organizationId = organizationId;
+        ctx.auditLoggingCtx.surveyId = parsedInput.surveyId;
+        ctx.auditLoggingCtx.oldObject = survey;
 
-    return resultShareKey;
-  });
+        const newSurvey = await updateSurvey({ ...survey, resultShareKey });
+        ctx.auditLoggingCtx.newObject = newSurvey;
+
+        return resultShareKey;
+      }
+    )
+  );
 
 const ZGetResultShareUrlAction = z.object({
   surveyId: ZId,
@@ -132,30 +152,50 @@ const ZDeleteResultShareUrlAction = z.object({
 
 export const deleteResultShareUrlAction = authenticatedActionClient
   .schema(ZDeleteResultShareUrlAction)
-  .action(async ({ ctx, parsedInput }) => {
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId: await getOrganizationIdFromSurveyId(parsedInput.surveyId),
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          minPermission: "readWrite",
-          projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
-        },
-      ],
-    });
+  .action(
+    withAuditLogging(
+      "updated",
+      "survey",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: Record<string, any>;
+      }) => {
+        const organizationId = await getOrganizationIdFromSurveyId(parsedInput.surveyId);
+        await checkAuthorizationUpdated({
+          userId: ctx.user.id,
+          organizationId: organizationId,
+          access: [
+            {
+              type: "organization",
+              roles: ["owner", "manager"],
+            },
+            {
+              type: "projectTeam",
+              minPermission: "readWrite",
+              projectId: await getProjectIdFromSurveyId(parsedInput.surveyId),
+            },
+          ],
+        });
 
-    const survey = await getSurvey(parsedInput.surveyId);
-    if (!survey) {
-      throw new ResourceNotFoundError("Survey", parsedInput.surveyId);
-    }
+        const survey = await getSurvey(parsedInput.surveyId);
+        if (!survey) {
+          throw new ResourceNotFoundError("Survey", parsedInput.surveyId);
+        }
 
-    return await updateSurvey({ ...survey, resultShareKey: null });
-  });
+        ctx.auditLoggingCtx.organizationId = organizationId;
+        ctx.auditLoggingCtx.surveyId = parsedInput.surveyId;
+        ctx.auditLoggingCtx.oldObject = survey;
+
+        const newSurvey = await updateSurvey({ ...survey, resultShareKey: null });
+        ctx.auditLoggingCtx.newObject = newSurvey;
+
+        return newSurvey;
+      }
+    )
+  );
 
 const ZGetEmailHtmlAction = z.object({
   surveyId: ZId,

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/ShareEmbedSurvey.test.tsx

@@ -41,6 +41,36 @@ const mockSurveyWeb = {
   styling: null,
 } as unknown as TSurvey;
 
+vi.mock("@/lib/constants", () => ({
+  INTERCOM_SECRET_KEY: "test-secret-key",
+  IS_INTERCOM_CONFIGURED: true,
+  INTERCOM_APP_ID: "test-app-id",
+  ENCRYPTION_KEY: "test-encryption-key",
+  ENTERPRISE_LICENSE_KEY: "test-enterprise-license-key",
+  GITHUB_ID: "test-github-id",
+  GITHUB_SECRET: "test-githubID",
+  GOOGLE_CLIENT_ID: "test-google-client-id",
+  GOOGLE_CLIENT_SECRET: "test-google-client-secret",
+  AZUREAD_CLIENT_ID: "test-azuread-client-id",
+  AZUREAD_CLIENT_SECRET: "test-azure",
+  AZUREAD_TENANT_ID: "test-azuread-tenant-id",
+  OIDC_DISPLAY_NAME: "test-oidc-display-name",
+  OIDC_CLIENT_ID: "test-oidc-client-id",
+  OIDC_ISSUER: "test-oidc-issuer",
+  OIDC_CLIENT_SECRET: "test-oidc-client-secret",
+  OIDC_SIGNING_ALGORITHM: "test-oidc-signing-algorithm",
+  WEBAPP_URL: "test-webapp-url",
+  IS_POSTHOG_CONFIGURED: true,
+  POSTHOG_API_HOST: "test-posthog-api-host",
+  POSTHOG_API_KEY: "test-posthog-api-key",
+  FORMBRICKS_ENVIRONMENT_ID: "mock-formbricks-environment-id",
+  IS_FORMBRICKS_ENABLED: true,
+  SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
+  IS_FORMBRICKS_CLOUD: false,
+}));
+
 const mockSurveyLink = {
   ...mockSurveyWeb,
   id: "survey2",
@@ -119,7 +149,7 @@ describe("ShareEmbedSurvey", () => {
 
   const defaultProps = {
     survey: mockSurveyWeb,
-    surveyDomain: "test.com",
+    publicDomain: "https://public-domain.com",
     open: true,
     modalView: "start" as "start" | "embed" | "panel",
     setOpen: mockSetOpen,
@@ -128,7 +158,7 @@ describe("ShareEmbedSurvey", () => {
 
   beforeEach(() => {
     mockEmbedViewComponent.mockImplementation(
-      ({ handleInitialPageButton, tabs, activeId, survey, email, surveyUrl, surveyDomain, locale }) => (
+      ({ handleInitialPageButton, tabs, activeId, survey, email, surveyUrl, publicDomain, locale }) => (
         <div>
           <button onClick={() => handleInitialPageButton()}>EmbedViewMockContent</button>
           <div data-testid="embedview-tabs">{JSON.stringify(tabs)}</div>
@@ -136,7 +166,7 @@ describe("ShareEmbedSurvey", () => {
           <div data-testid="embedview-survey-id">{survey.id}</div>
           <div data-testid="embedview-email">{email}</div>
           <div data-testid="embedview-surveyUrl">{surveyUrl}</div>
-          <div data-testid="embedview-surveyDomain">{surveyDomain}</div>
+          <div data-testid="embedview-publicDomain">{publicDomain}</div>
           <div data-testid="embedview-locale">{locale}</div>
         </div>
       )
@@ -174,20 +204,32 @@ describe("ShareEmbedSurvey", () => {
     expect(screen.getByText("PanelInfoViewMockContent")).toBeInTheDocument();
   });
 
-  test("calls setOpen(false) when handleInitialPageButton is triggered from EmbedView", async () => {
+  test("returns to 'start' view when handleInitialPageButton is triggered from EmbedView", async () => {
     render(<ShareEmbedSurvey {...defaultProps} modalView="embed" />);
     expect(mockEmbedViewComponent).toHaveBeenCalled();
+    expect(screen.getByText("EmbedViewMockContent")).toBeInTheDocument();
+
     const embedViewButton = screen.getByText("EmbedViewMockContent");
     await userEvent.click(embedViewButton);
-    expect(mockSetOpen).toHaveBeenCalledWith(false);
+
+    // Should go back to start view, not close the modal
+    expect(screen.getByText("environments.surveys.summary.your_survey_is_public 🎉")).toBeInTheDocument();
+    expect(screen.queryByText("EmbedViewMockContent")).not.toBeInTheDocument();
+    expect(mockSetOpen).not.toHaveBeenCalled();
   });
 
-  test("calls setOpen(false) when handleInitialPageButton is triggered from PanelInfoView", async () => {
+  test("returns to 'start' view when handleInitialPageButton is triggered from PanelInfoView", async () => {
     render(<ShareEmbedSurvey {...defaultProps} modalView="panel" />);
     expect(mockPanelInfoViewComponent).toHaveBeenCalled();
+    expect(screen.getByText("PanelInfoViewMockContent")).toBeInTheDocument();
+
     const panelInfoViewButton = screen.getByText("PanelInfoViewMockContent");
     await userEvent.click(panelInfoViewButton);
-    expect(mockSetOpen).toHaveBeenCalledWith(false);
+
+    // Should go back to start view, not close the modal
+    expect(screen.getByText("environments.surveys.summary.your_survey_is_public 🎉")).toBeInTheDocument();
+    expect(screen.queryByText("PanelInfoViewMockContent")).not.toBeInTheDocument();
+    expect(mockSetOpen).not.toHaveBeenCalled();
   });
 
   test("handleOpenChange (when Dialog calls its onOpenChange prop)", () => {

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/ShareEmbedSurvey.tsx

@@ -1,6 +1,7 @@
 "use client";
 
 import { ShareSurveyLink } from "@/modules/analysis/components/ShareSurveyLink";
+import { getSurveyUrl } from "@/modules/analysis/utils";
 import { Badge } from "@/modules/ui/components/badge";
 import { Dialog, DialogContent, DialogDescription, DialogTitle } from "@/modules/ui/components/dialog";
 import { useTranslate } from "@tolgee/react";
@@ -23,7 +24,7 @@ import { PanelInfoView } from "./shareEmbedModal/PanelInfoView";
 
 interface ShareEmbedSurveyProps {
   survey: TSurvey;
-  surveyDomain: string;
+  publicDomain: string;
   open: boolean;
   modalView: "start" | "embed" | "panel";
   setOpen: React.Dispatch<React.SetStateAction<boolean>>;
@@ -32,7 +33,7 @@ interface ShareEmbedSurveyProps {
 
 export const ShareEmbedSurvey = ({
   survey,
-  surveyDomain,
+  publicDomain,
   open,
   modalView,
   setOpen,
@@ -62,6 +63,20 @@ export const ShareEmbedSurvey = ({
   const [showView, setShowView] = useState<"start" | "embed" | "panel">("start");
   const [surveyUrl, setSurveyUrl] = useState("");
 
+  useEffect(() => {
+    const fetchSurveyUrl = async () => {
+      try {
+        const url = await getSurveyUrl(survey, publicDomain, "default");
+        setSurveyUrl(url);
+      } catch (error) {
+        console.error("Failed to fetch survey URL:", error);
+        // Fallback to a default URL if fetching fails
+        setSurveyUrl(`${publicDomain}/s/${survey.id}`);
+      }
+    };
+    fetchSurveyUrl();
+  }, [survey, publicDomain]);
+
   useEffect(() => {
     if (survey.type !== "link") {
       setActiveId(tabs[3].id);
@@ -86,7 +101,7 @@ export const ShareEmbedSurvey = ({
   };
 
   const handleInitialPageButton = () => {
-    setOpen(false);
+    setShowView("start");
   };
 
   return (
@@ -105,7 +120,7 @@ export const ShareEmbedSurvey = ({
               <ShareSurveyLink
                 survey={survey}
                 surveyUrl={surveyUrl}
-                surveyDomain={surveyDomain}
+                publicDomain={publicDomain}
                 setSurveyUrl={setSurveyUrl}
                 locale={user.locale}
               />
@@ -159,7 +174,7 @@ export const ShareEmbedSurvey = ({
             survey={survey}
             email={email}
             surveyUrl={surveyUrl}
-            surveyDomain={surveyDomain}
+            publicDomain={publicDomain}
             setSurveyUrl={setSurveyUrl}
             locale={user.locale}
           />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryDropOffs.test.tsx

@@ -104,13 +104,15 @@ describe("SummaryDropOffs", () => {
 
     // Check drop-off counts and percentages
     expect(screen.getByText("20")).toBeInTheDocument();
-    expect(screen.getByText("(20%)")).toBeInTheDocument();
-
     expect(screen.getByText("15")).toBeInTheDocument();
-    expect(screen.getByText("(19%)")).toBeInTheDocument(); // 18.75% rounded to 19%
-
     expect(screen.getByText("10")).toBeInTheDocument();
-    expect(screen.getByText("(15%)")).toBeInTheDocument(); // 15.38% rounded to 15%
+
+    // Check percentage values
+    const percentageElements = screen.getAllByText(/\d+%/);
+    expect(percentageElements).toHaveLength(3);
+    expect(percentageElements[0]).toHaveTextContent("20%");
+    expect(percentageElements[1]).toHaveTextContent("19%");
+    expect(percentageElements[2]).toHaveTextContent("15%");
   });
 
   test("renders empty state when dropOff array is empty", () => {

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryDropOffs.tsx

@@ -23,9 +23,9 @@ export const SummaryDropOffs = ({ dropOff, survey }: SummaryDropOffsProps) => {
   return (
     <div className="rounded-xl border border-slate-200 bg-white shadow-sm">
       <div className="">
-        <div className="grid h-10 grid-cols-6 items-center border-y border-slate-200 bg-slate-100 text-sm font-semibold text-slate-600">
-          <div className="col-span-3 pl-4 md:pl-6">{t("common.questions")}</div>
-          <div className="flex justify-center">
+        <div className="grid min-h-10 grid-cols-6 items-center rounded-t-xl border-b border-slate-200 bg-slate-100 text-sm font-semibold text-slate-600">
+          <div className="col-span-3 px-4 md:px-6">{t("common.questions")}</div>
+          <div className="flex justify-end px-4 md:px-6">
             <TooltipProvider delayDuration={50}>
               <Tooltip>
                 <TooltipTrigger>
@@ -37,14 +37,16 @@ export const SummaryDropOffs = ({ dropOff, survey }: SummaryDropOffsProps) => {
               </Tooltip>
             </TooltipProvider>
           </div>
-          <div className="px-4 text-center md:px-6">{t("environments.surveys.summary.impressions")}</div>
-          <div className="pr-6 text-center md:pl-6">{t("environments.surveys.summary.drop_offs")}</div>
+          <div className="px-4 text-right md:px-6">{t("environments.surveys.summary.impressions")}</div>
+          <div className="px-4 text-right md:mr-1 md:pl-6 md:pr-6">
+            {t("environments.surveys.summary.drop_offs")}
+          </div>
         </div>
         {dropOff.map((quesDropOff) => (
           <div
             key={quesDropOff.questionId}
-            className="grid grid-cols-6 items-center border-b border-slate-100 py-2 text-sm text-slate-800 md:text-base">
-            <div className="col-span-3 flex gap-3 pl-4 md:pl-6">
+            className="grid grid-cols-6 items-start border-b border-slate-100 text-xs text-slate-800 md:text-sm">
+            <div className="col-span-3 flex gap-3 px-4 py-2 md:px-6">
               {getIcon(quesDropOff.questionType)}
               <p>
                 {formatTextWithSlashes(
@@ -57,17 +59,21 @@ export const SummaryDropOffs = ({ dropOff, survey }: SummaryDropOffsProps) => {
                     "default"
                   )["default"],
                   "@",
-                  ["text-lg"]
+                  ["text-sm"]
                 )}
               </p>
             </div>
-            <div className="whitespace-pre-wrap text-center font-semibold">
+            <div className="whitespace-pre-wrap px-4 py-2 text-right font-mono font-medium md:px-6">
               {quesDropOff.ttc > 0 ? (quesDropOff.ttc / 1000).toFixed(2) + "s" : "N/A"}
             </div>
-            <div className="whitespace-pre-wrap text-center font-semibold">{quesDropOff.impressions}</div>
-            <div className="pl-6 text-center md:px-6">
-              <span className="mr-1.5 font-semibold">{quesDropOff.dropOffCount}</span>
-              <span>({Math.round(quesDropOff.dropOffPercentage)}%)</span>
+            <div className="whitespace-pre-wrap px-4 py-2 text-right font-mono font-medium md:px-6">
+              {quesDropOff.impressions}
+            </div>
+            <div className="px-4 py-2 text-right md:px-6">
+              <span className="mr-1 inline-block w-fit rounded-xl bg-slate-100 px-2 py-1 text-left text-xs">
+                {Math.round(quesDropOff.dropOffPercentage)}%
+              </span>
+              <span className="mr-1 font-mono font-medium">{quesDropOff.dropOffCount}</span>
             </div>
           </div>
         ))}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryPage.tsx

@@ -36,7 +36,7 @@ interface SummaryPageProps {
   environment: TEnvironment;
   survey: TSurvey;
   surveyId: string;
-  webAppUrl: string;
+  publicDomain: string;
   locale: TUserLocale;
   isReadOnly: boolean;
   initialSurveySummary?: TSurveySummary;
@@ -46,7 +46,7 @@ export const SummaryPage = ({
   environment,
   survey,
   surveyId,
-  webAppUrl,
+  publicDomain,
   locale,
   isReadOnly,
   initialSurveySummary,
@@ -133,7 +133,7 @@ export const SummaryPage = ({
       <div className="flex gap-1.5">
         <CustomFilter survey={surveyMemoized} />
         {!isReadOnly && !isSharingPage && (
-          <ResultsShareButton survey={surveyMemoized} webAppUrl={webAppUrl} />
+          <ResultsShareButton survey={surveyMemoized} publicDomain={publicDomain} />
         )}
       </div>
       <ScrollToTop containerId="mainContent" />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.test.tsx

@@ -7,6 +7,22 @@ import { TSurvey } from "@formbricks/types/surveys/types";
 import { TUser } from "@formbricks/types/user";
 import { SurveyAnalysisCTA } from "./SurveyAnalysisCTA";
 
+vi.mock("@/lib/utils/action-client-middleware", () => ({
+  checkAuthorizationUpdated: vi.fn(),
+}));
+vi.mock("@/modules/ee/audit-logs/lib/utils", () => ({
+  withAuditLogging: vi.fn((...args: any[]) => {
+    // Check if the last argument is a function and return it directly
+    if (typeof args[args.length - 1] === "function") {
+      return args[args.length - 1];
+    }
+    // Otherwise, return a new function that takes a function as an argument and returns it
+    return (fn: any) => fn;
+  }),
+}));
+
+const mockPublicDomain = "https://public-domain.com";
+
 // Mock constants
 vi.mock("@/lib/constants", () => ({
   IS_FORMBRICKS_CLOUD: false,
@@ -30,7 +46,15 @@ vi.mock("@/lib/constants", () => ({
   SMTP_HOST: "mock-smtp-host",
   SMTP_PORT: "mock-smtp-port",
   IS_POSTHOG_CONFIGURED: true,
+  AUDIT_LOG_ENABLED: true,
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "mock-url",
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
 }));
 
 // Create a spy for refreshSingleUseId so we can override it in tests
@@ -56,7 +80,7 @@ vi.mock("next/navigation", () => ({
 
 // Mock copySurveyLink to return a predictable string
 vi.mock("@/modules/survey/lib/client-utils", () => ({
-  copySurveyLink: vi.fn((url: string, id: string) => `${url}?id=${id}`),
+  copySurveyLink: vi.fn((url: string, suId: string) => `${url}?suId=${suId}`),
 }));
 
 // Mock the copy survey action
@@ -87,6 +111,10 @@ vi.mock("@/app/share/[sharingKey]/actions", () => ({
   getResponseCountBySurveySharingKeyAction: vi.fn(() => Promise.resolve({ data: 5 })),
 }));
 
+vi.mock("@/lib/getPublicUrl", () => ({
+  getPublicDomain: vi.fn(() => mockPublicDomain),
+}));
+
 vi.spyOn(toast, "success");
 vi.spyOn(toast, "error");
 
@@ -107,7 +135,6 @@ const dummySurvey = {
 } as unknown as TSurvey;
 const dummyEnvironment = { id: "env123", appSetupCompleted: true } as TEnvironment;
 const dummyUser = { id: "user123", name: "Test User" } as TUser;
-const surveyDomain = "https://surveys.test.formbricks.com";
 
 describe("SurveyAnalysisCTA - handleCopyLink", () => {
   afterEach(() => {
@@ -120,7 +147,7 @@ describe("SurveyAnalysisCTA - handleCopyLink", () => {
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -131,9 +158,7 @@ describe("SurveyAnalysisCTA - handleCopyLink", () => {
 
     await waitFor(() => {
       expect(refreshSingleUseIdSpy).toHaveBeenCalled();
-      expect(writeTextMock).toHaveBeenCalledWith(
-        "https://surveys.test.formbricks.com/s/survey123?id=newSingleUseId"
-      );
+      expect(writeTextMock).toHaveBeenCalledWith("https://public-domain.com/s/survey123?suId=newSingleUseId");
       expect(toast.success).toHaveBeenCalledWith("common.copied_to_clipboard");
     });
   });
@@ -145,7 +170,7 @@ describe("SurveyAnalysisCTA - handleCopyLink", () => {
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -178,7 +203,7 @@ describe("SurveyAnalysisCTA - Edit functionality", () => {
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -199,7 +224,7 @@ describe("SurveyAnalysisCTA - Edit functionality", () => {
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={0}
       />
@@ -221,7 +246,7 @@ describe("SurveyAnalysisCTA - Edit functionality", () => {
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={true}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -250,7 +275,7 @@ describe("SurveyAnalysisCTA - duplicateSurveyAndRoute and EditPublicSurveyAlertD
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -293,7 +318,7 @@ describe("SurveyAnalysisCTA - duplicateSurveyAndRoute and EditPublicSurveyAlertD
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -319,7 +344,7 @@ describe("SurveyAnalysisCTA - duplicateSurveyAndRoute and EditPublicSurveyAlertD
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />
@@ -353,7 +378,7 @@ describe("SurveyAnalysisCTA - duplicateSurveyAndRoute and EditPublicSurveyAlertD
         survey={dummySurvey}
         environment={dummyEnvironment}
         isReadOnly={false}
-        surveyDomain={surveyDomain}
+        publicDomain={mockPublicDomain}
         user={dummyUser}
         responseCount={5}
       />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.tsx

@@ -24,7 +24,7 @@ interface SurveyAnalysisCTAProps {
   environment: TEnvironment;
   isReadOnly: boolean;
   user: TUser;
-  surveyDomain: string;
+  publicDomain: string;
   responseCount: number;
 }
 
@@ -40,7 +40,7 @@ export const SurveyAnalysisCTA = ({
   environment,
   isReadOnly,
   user,
-  surveyDomain,
+  publicDomain,
   responseCount,
 }: SurveyAnalysisCTAProps) => {
   const { t } = useTranslate();
@@ -56,7 +56,7 @@ export const SurveyAnalysisCTA = ({
     dropdown: false,
   });
 
-  const surveyUrl = useMemo(() => `${surveyDomain}/s/${survey.id}`, [survey.id, surveyDomain]);
+  const surveyUrl = useMemo(() => `${publicDomain}/s/${survey.id}`, [survey.id, publicDomain]);
   const { refreshSingleUseId } = useSingleUseId(survey);
 
   const widgetSetupCompleted = survey.type === "app" && environment.appSetupCompleted;
@@ -202,7 +202,7 @@ export const SurveyAnalysisCTA = ({
             <ShareEmbedSurvey
               key={key}
               survey={survey}
-              surveyDomain={surveyDomain}
+              publicDomain={publicDomain}
               open={modalState[key as keyof ModalState]}
               setOpen={setOpen}
               user={user}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/EmbedView.test.tsx

@@ -64,7 +64,7 @@ const defaultProps = {
   survey: mockSurveyLink,
   email: "test@example.com",
   surveyUrl: "http://example.com/survey1",
-  surveyDomain: "http://example.com",
+  publicDomain: "http://example.com",
   setSurveyUrl: vi.fn(),
   locale: "en" as any,
   disableBack: false,

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/EmbedView.tsx

@@ -20,7 +20,7 @@ interface EmbedViewProps {
   survey: any;
   email: string;
   surveyUrl: string;
-  surveyDomain: string;
+  publicDomain: string;
   setSurveyUrl: React.Dispatch<React.SetStateAction<string>>;
   locale: TUserLocale;
 }
@@ -35,7 +35,7 @@ export const EmbedView = ({
   survey,
   email,
   surveyUrl,
-  surveyDomain,
+  publicDomain,
   setSurveyUrl,
   locale,
 }: EmbedViewProps) => {
@@ -83,7 +83,7 @@ export const EmbedView = ({
             <LinkTab
               survey={survey}
               surveyUrl={surveyUrl}
-              surveyDomain={surveyDomain}
+              publicDomain={publicDomain}
               setSurveyUrl={setSurveyUrl}
               locale={locale}
             />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/LinkTab.test.tsx

@@ -6,12 +6,12 @@ import { LinkTab } from "./LinkTab";
 
 // Mock ShareSurveyLink
 vi.mock("@/modules/analysis/components/ShareSurveyLink", () => ({
-  ShareSurveyLink: vi.fn(({ survey, surveyUrl, surveyDomain, locale }) => (
+  ShareSurveyLink: vi.fn(({ survey, surveyUrl, publicDomain, locale }) => (
     <div data-testid="share-survey-link">
       Mocked ShareSurveyLink
       <span data-testid="survey-id">{survey.id}</span>
       <span data-testid="survey-url">{surveyUrl}</span>
-      <span data-testid="survey-domain">{surveyDomain}</span>
+      <span data-testid="public-domain">{publicDomain}</span>
       <span data-testid="locale">{locale}</span>
     </div>
   )),
@@ -49,7 +49,7 @@ const mockSurvey: TSurvey = {
 } as unknown as TSurvey;
 
 const mockSurveyUrl = "https://app.formbricks.com/s/survey1";
-const mockSurveyDomain = "https://app.formbricks.com";
+const mockPublicDomain = "https://app.formbricks.com";
 const mockSetSurveyUrl = vi.fn();
 const mockLocale: TUserLocale = "en-US";
 
@@ -82,7 +82,7 @@ describe("LinkTab", () => {
       <LinkTab
         survey={mockSurvey}
         surveyUrl={mockSurveyUrl}
-        surveyDomain={mockSurveyDomain}
+        publicDomain={mockPublicDomain}
         setSurveyUrl={mockSetSurveyUrl}
         locale={mockLocale}
       />
@@ -97,7 +97,7 @@ describe("LinkTab", () => {
       <LinkTab
         survey={mockSurvey}
         surveyUrl={mockSurveyUrl}
-        surveyDomain={mockSurveyDomain}
+        publicDomain={mockPublicDomain}
         setSurveyUrl={mockSetSurveyUrl}
         locale={mockLocale}
       />
@@ -105,7 +105,7 @@ describe("LinkTab", () => {
     expect(screen.getByTestId("share-survey-link")).toBeInTheDocument();
     expect(screen.getByTestId("survey-id")).toHaveTextContent(mockSurvey.id);
     expect(screen.getByTestId("survey-url")).toHaveTextContent(mockSurveyUrl);
-    expect(screen.getByTestId("survey-domain")).toHaveTextContent(mockSurveyDomain);
+    expect(screen.getByTestId("public-domain")).toHaveTextContent(mockPublicDomain);
     expect(screen.getByTestId("locale")).toHaveTextContent(mockLocale);
   });
 
@@ -114,7 +114,7 @@ describe("LinkTab", () => {
       <LinkTab
         survey={mockSurvey}
         surveyUrl={mockSurveyUrl}
-        surveyDomain={mockSurveyDomain}
+        publicDomain={mockPublicDomain}
         setSurveyUrl={mockSetSurveyUrl}
         locale={mockLocale}
       />
@@ -129,7 +129,7 @@ describe("LinkTab", () => {
       <LinkTab
         survey={mockSurvey}
         surveyUrl={mockSurveyUrl}
-        surveyDomain={mockSurveyDomain}
+        publicDomain={mockPublicDomain}
         setSurveyUrl={mockSetSurveyUrl}
         locale={mockLocale}
       />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/LinkTab.tsx

@@ -9,12 +9,12 @@ import { TUserLocale } from "@formbricks/types/user";
 interface LinkTabProps {
   survey: TSurvey;
   surveyUrl: string;
-  surveyDomain: string;
+  publicDomain: string;
   setSurveyUrl: (url: string) => void;
   locale: TUserLocale;
 }
 
-export const LinkTab = ({ survey, surveyUrl, surveyDomain, setSurveyUrl, locale }: LinkTabProps) => {
+export const LinkTab = ({ survey, surveyUrl, publicDomain, setSurveyUrl, locale }: LinkTabProps) => {
   const { t } = useTranslate();
 
   const docsLinks = [
@@ -44,7 +44,7 @@ export const LinkTab = ({ survey, surveyUrl, surveyDomain, setSurveyUrl, locale
         <ShareSurveyLink
           survey={survey}
           surveyUrl={surveyUrl}
-          surveyDomain={surveyDomain}
+          publicDomain={publicDomain}
           setSurveyUrl={setSurveyUrl}
           locale={locale}
         />

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/emailTemplate.test.tsx

@@ -1,9 +1,8 @@
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getSurvey } from "@/lib/survey/service";
 import { getStyling } from "@/lib/utils/styling";
 import { getPreviewEmailTemplateHtml } from "@/modules/email/components/preview-email-template";
-import { getTranslate } from "@/tolgee/server";
 import { cleanup } from "@testing-library/react";
 import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
 import { TEnvironment } from "@formbricks/types/environment";
@@ -35,7 +34,16 @@ vi.mock("@/lib/constants", () => ({
   SENTRY_DSN: "mock-sentry-dsn",
 }));
 
-vi.mock("@/lib/getSurveyUrl");
+vi.mock("@/lib/env", () => ({
+  env: {
+    PUBLIC_URL: "https://public-domain.com",
+  },
+}));
+
+vi.mock("@/lib/getPublicUrl", () => ({
+  getPublicDomain: vi.fn().mockReturnValue("https://public-domain.com"),
+}));
+
 vi.mock("@/lib/project/service");
 vi.mock("@/lib/survey/service");
 vi.mock("@/lib/utils/styling");
@@ -121,7 +129,7 @@ const mockComputedStyling = {
   thankYouCardIconBgColor: "#DDDDDD",
 } as any;
 
-const mockSurveyDomain = "https://app.formbricks.com";
+const mockPublicDomain = "https://app.formbricks.com";
 const mockRawHtml = `${doctype}<html><body>Test Email Content for ${mockSurvey.name}</body></html>`;
 const mockCleanedHtml = `<html><body>Test Email Content for ${mockSurvey.name}</body></html>`;
 
@@ -136,7 +144,7 @@ describe("getEmailTemplateHtml", () => {
     vi.mocked(getSurvey).mockResolvedValue(mockSurvey);
     vi.mocked(getProjectByEnvironmentId).mockResolvedValue(mockProject);
     vi.mocked(getStyling).mockReturnValue(mockComputedStyling);
-    vi.mocked(getSurveyDomain).mockReturnValue(mockSurveyDomain);
+    vi.mocked(getPublicDomain).mockReturnValue(mockPublicDomain);
     vi.mocked(getPreviewEmailTemplateHtml).mockResolvedValue(mockRawHtml);
   });
 
@@ -147,8 +155,8 @@ describe("getEmailTemplateHtml", () => {
     expect(getSurvey).toHaveBeenCalledWith(mockSurveyId);
     expect(getProjectByEnvironmentId).toHaveBeenCalledWith(mockSurvey.environmentId);
     expect(getStyling).toHaveBeenCalledWith(mockProject, mockSurvey);
-    expect(getSurveyDomain).toHaveBeenCalledTimes(1);
-    const expectedSurveyUrl = `${mockSurveyDomain}/s/${mockSurvey.id}`;
+    expect(getPublicDomain).toHaveBeenCalledTimes(1);
+    const expectedSurveyUrl = `${mockPublicDomain}/s/${mockSurvey.id}`;
     expect(getPreviewEmailTemplateHtml).toHaveBeenCalledWith(
       mockSurvey,
       expectedSurveyUrl,

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/emailTemplate.tsx

@@ -1,4 +1,4 @@
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getSurvey } from "@/lib/survey/service";
 import { getStyling } from "@/lib/utils/styling";
@@ -17,7 +17,7 @@ export const getEmailTemplateHtml = async (surveyId: string, locale: string) =>
   }
 
   const styling = getStyling(project, survey);
-  const surveyUrl = getSurveyDomain() + "/s/" + survey.id;
+  const surveyUrl = getPublicDomain() + "/s/" + survey.id;
   const html = await getPreviewEmailTemplateHtml(survey, surveyUrl, styling, locale, t);
   const doctype =
     '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">';

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/page.test.tsx

@@ -3,8 +3,8 @@ import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentI
 import { SummaryPage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryPage";
 import { getSurveySummary } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/surveySummary";
 import SurveyPage from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/page";
-import { DEFAULT_LOCALE, WEBAPP_URL } from "@/lib/constants";
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { DEFAULT_LOCALE } from "@/lib/constants";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getResponseCountBySurveyId } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
 import { getUser } from "@/lib/user/service";
@@ -38,7 +38,6 @@ vi.mock("@/lib/constants", () => ({
   OIDC_SIGNING_ALGORITHM: "test-oidc-signing-algorithm",
   IS_PRODUCTION: false,
   SENTRY_DSN: "mock-sentry-dsn",
-  WEBAPP_URL: "http://localhost:3000",
   RESPONSES_PER_PAGE: 10,
   SESSION_MAX_AGE: 1000,
 }));
@@ -64,8 +63,8 @@ vi.mock(
   })
 );
 
-vi.mock("@/lib/getSurveyUrl", () => ({
-  getSurveyDomain: vi.fn(),
+vi.mock("@/lib/getPublicUrl", () => ({
+  getPublicDomain: vi.fn(),
 }));
 
 vi.mock("@/lib/response/service", () => ({
@@ -211,7 +210,7 @@ describe("SurveyPage", () => {
     vi.mocked(getSurvey).mockResolvedValue(mockSurvey);
     vi.mocked(getUser).mockResolvedValue(mockUser);
     vi.mocked(getResponseCountBySurveyId).mockResolvedValue(10);
-    vi.mocked(getSurveyDomain).mockReturnValue("test.domain.com");
+    vi.mocked(getPublicDomain).mockReturnValue("http://localhost:3000");
     vi.mocked(getSurveySummary).mockResolvedValue(mockSurveySummary);
     vi.mocked(notFound).mockClear();
   });
@@ -235,7 +234,7 @@ describe("SurveyPage", () => {
     expect(vi.mocked(getEnvironmentAuth)).toHaveBeenCalledWith(mockEnvironmentId);
     expect(vi.mocked(getSurvey)).toHaveBeenCalledWith(mockSurveyId);
     expect(vi.mocked(getUser)).toHaveBeenCalledWith(mockUserId);
-    expect(vi.mocked(getSurveyDomain)).toHaveBeenCalled();
+    expect(vi.mocked(getPublicDomain)).toHaveBeenCalled();
 
     expect(vi.mocked(SurveyAnalysisNavigation).mock.calls[0][0]).toEqual(
       expect.objectContaining({
@@ -250,7 +249,7 @@ describe("SurveyPage", () => {
         environment: mockEnvironment,
         survey: mockSurvey,
         surveyId: mockSurveyId,
-        webAppUrl: WEBAPP_URL,
+        publicDomain: "http://localhost:3000",
         isReadOnly: false,
         locale: mockUser.locale ?? DEFAULT_LOCALE,
         initialSurveySummary: mockSurveySummary,

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/page.tsx

@@ -2,8 +2,8 @@ import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentI
 import { SummaryPage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryPage";
 import { SurveyAnalysisCTA } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA";
 import { getSurveySummary } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/surveySummary";
-import { DEFAULT_LOCALE, WEBAPP_URL } from "@/lib/constants";
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { DEFAULT_LOCALE } from "@/lib/constants";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getSurvey } from "@/lib/survey/service";
 import { getUser } from "@/lib/user/service";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
@@ -40,7 +40,7 @@ const SurveyPage = async (props: { params: Promise<{ environmentId: string; surv
   // Fetch initial survey summary data on the server to prevent duplicate API calls during hydration
   const initialSurveySummary = await getSurveySummary(surveyId);
 
-  const surveyDomain = getSurveyDomain();
+  const publicDomain = getPublicDomain();
 
   return (
     <PageContentWrapper>
@@ -52,7 +52,7 @@ const SurveyPage = async (props: { params: Promise<{ environmentId: string; surv
             survey={survey}
             isReadOnly={isReadOnly}
             user={user}
-            surveyDomain={surveyDomain}
+            publicDomain={publicDomain}
             responseCount={initialSurveySummary?.meta.totalResponses ?? 0}
           />
         }>
@@ -62,13 +62,13 @@ const SurveyPage = async (props: { params: Promise<{ environmentId: string; surv
         environment={environment}
         survey={survey}
         surveyId={params.surveyId}
-        webAppUrl={WEBAPP_URL}
+        publicDomain={publicDomain}
         isReadOnly={isReadOnly}
         locale={user.locale ?? DEFAULT_LOCALE}
         initialSurveySummary={initialSurveySummary}
       />
 
-      <SettingsId title={t("common.survey_id")} id={surveyId}></SettingsId>
+      <SettingsId title={t("common.survey_id")} id={surveyId} />
     </PageContentWrapper>
   );
 };

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/actions.ts

@@ -5,8 +5,10 @@ import { getResponseDownloadUrl, getResponseFilteringValues } from "@/lib/respon
 import { getSurvey, updateSurvey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
 import { getOrganizationIdFromSurveyId, getProjectIdFromSurveyId } from "@/lib/utils/helper";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { checkMultiLanguagePermission } from "@/modules/ee/multi-language-surveys/lib/actions";
 import { getSurveyFollowUpsPermission } from "@/modules/survey/follow-ups/lib/utils";
 import { checkSpamProtectionPermission } from "@/modules/survey/lib/permission";
@@ -14,7 +16,7 @@ import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
 import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { ZResponseFilterCriteria } from "@formbricks/types/responses";
-import { ZSurvey } from "@formbricks/types/surveys/types";
+import { TSurvey, ZSurvey } from "@formbricks/types/surveys/types";
 
 const ZGetResponsesDownloadUrlAction = z.object({
   surveyId: ZId,
@@ -102,39 +104,54 @@ const checkSurveyFollowUpsPermission = async (organizationId: string): Promise<v
   }
 };
 
-export const updateSurveyAction = authenticatedActionClient
-  .schema(ZSurvey)
-  .action(async ({ ctx, parsedInput }) => {
-    const organizationId = await getOrganizationIdFromSurveyId(parsedInput.id);
-    await checkAuthorizationUpdated({
-      userId: ctx.user.id,
-      organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          projectId: await getProjectIdFromSurveyId(parsedInput.id),
-          minPermission: "readWrite",
-        },
-      ],
-    });
+export const updateSurveyAction = authenticatedActionClient.schema(ZSurvey).action(
+  withAuditLogging(
+    "updated",
+    "survey",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: TSurvey }) => {
+      const organizationId = await getOrganizationIdFromSurveyId(parsedInput.id);
+      await checkAuthorizationUpdated({
+        userId: ctx.user?.id ?? "",
+        organizationId,
+        access: [
+          {
+            type: "organization",
+            roles: ["owner", "manager"],
+          },
+          {
+            type: "projectTeam",
+            projectId: await getProjectIdFromSurveyId(parsedInput.id),
+            minPermission: "readWrite",
+          },
+        ],
+      });
 
-    const { followUps } = parsedInput;
+      const { followUps } = parsedInput;
 
-    if (parsedInput.recaptcha?.enabled) {
-      await checkSpamProtectionPermission(organizationId);
+      const oldSurvey = await getSurvey(parsedInput.id);
+
+      if (parsedInput.recaptcha?.enabled) {
+        await checkSpamProtectionPermission(organizationId);
+      }
+
+      if (followUps?.length) {
+        await checkSurveyFollowUpsPermission(organizationId);
+      }
+
+      if (parsedInput.languages?.length) {
+        await checkMultiLanguagePermission(organizationId);
+      }
+
+      // Context for audit log
+      ctx.auditLoggingCtx.surveyId = parsedInput.id;
+      ctx.auditLoggingCtx.organizationId = organizationId;
+      ctx.auditLoggingCtx.oldObject = oldSurvey;
+
+      const newSurvey = await updateSurvey(parsedInput);
+
+      ctx.auditLoggingCtx.newObject = newSurvey;
+
+      return newSurvey;
     }
-
-    if (followUps?.length) {
-      await checkSurveyFollowUpsPermission(organizationId);
-    }
-
-    if (parsedInput.languages?.length) {
-      await checkMultiLanguagePermission(organizationId);
-    }
-
-    return await updateSurvey(parsedInput);
-  });
+  )
+);

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/components/ResultsShareButton.test.tsx

@@ -138,7 +138,7 @@ describe("ResultsShareButton", () => {
 
   test("renders initial state and fetches sharing key (no existing key)", async () => {
     mockGetResultShareUrlAction.mockResolvedValue({ data: null });
-    render(<ResultsShareButton survey={mockSurvey} webAppUrl={webAppUrl} />);
+    render(<ResultsShareButton survey={mockSurvey} publicDomain={webAppUrl} />);
 
     expect(screen.getByTestId("dropdown-menu-trigger")).toBeInTheDocument();
     expect(screen.getByTestId("link-icon")).toBeInTheDocument();
@@ -150,7 +150,7 @@ describe("ResultsShareButton", () => {
 
   test("handles copy private link to clipboard", async () => {
     mockGetResultShareUrlAction.mockResolvedValue({ data: null });
-    render(<ResultsShareButton survey={mockSurvey} webAppUrl={webAppUrl} />);
+    render(<ResultsShareButton survey={mockSurvey} publicDomain={webAppUrl} />);
 
     fireEvent.click(screen.getByTestId("dropdown-menu-trigger")); // Open dropdown
     const copyLinkButton = (await screen.findAllByTestId("dropdown-menu-item")).find((item) =>
@@ -166,7 +166,9 @@ describe("ResultsShareButton", () => {
   test("handles copy public link to clipboard", async () => {
     const shareKey = "publicShareKey";
     mockGetResultShareUrlAction.mockResolvedValue({ data: shareKey });
-    render(<ResultsShareButton survey={{ ...mockSurvey, resultShareKey: shareKey }} webAppUrl={webAppUrl} />);
+    render(
+      <ResultsShareButton survey={{ ...mockSurvey, resultShareKey: shareKey }} publicDomain={webAppUrl} />
+    );
 
     fireEvent.click(screen.getByTestId("dropdown-menu-trigger")); // Open dropdown
     const copyPublicLinkButton = (await screen.findAllByTestId("dropdown-menu-item")).find((item) =>
@@ -184,7 +186,7 @@ describe("ResultsShareButton", () => {
   test("handles publish to web successfully", async () => {
     mockGetResultShareUrlAction.mockResolvedValue({ data: null });
     mockGenerateResultShareUrlAction.mockResolvedValue({ data: "newShareKey" });
-    render(<ResultsShareButton survey={mockSurvey} webAppUrl={webAppUrl} />);
+    render(<ResultsShareButton survey={mockSurvey} publicDomain={webAppUrl} />);
 
     fireEvent.click(screen.getByTestId("dropdown-menu-trigger"));
     const publishButton = (await screen.findAllByTestId("dropdown-menu-item")).find((item) =>
@@ -210,7 +212,9 @@ describe("ResultsShareButton", () => {
     const shareKey = "toUnpublishKey";
     mockGetResultShareUrlAction.mockResolvedValue({ data: shareKey });
     mockDeleteResultShareUrlAction.mockResolvedValue({ data: { id: mockSurvey.id } });
-    render(<ResultsShareButton survey={{ ...mockSurvey, resultShareKey: shareKey }} webAppUrl={webAppUrl} />);
+    render(
+      <ResultsShareButton survey={{ ...mockSurvey, resultShareKey: shareKey }} publicDomain={webAppUrl} />
+    );
 
     fireEvent.click(screen.getByTestId("dropdown-menu-trigger"));
     const unpublishButton = (await screen.findAllByTestId("dropdown-menu-item")).find((item) =>
@@ -234,7 +238,7 @@ describe("ResultsShareButton", () => {
 
   test("opens and closes ShareSurveyResults modal", async () => {
     mockGetResultShareUrlAction.mockResolvedValue({ data: null });
-    render(<ResultsShareButton survey={mockSurvey} webAppUrl={webAppUrl} />);
+    render(<ResultsShareButton survey={mockSurvey} publicDomain={webAppUrl} />);
 
     fireEvent.click(screen.getByTestId("dropdown-menu-trigger"));
     const publishButton = (await screen.findAllByTestId("dropdown-menu-item")).find((item) =>

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/components/ResultsShareButton.tsx

@@ -21,10 +21,10 @@ import { ShareSurveyResults } from "../(analysis)/summary/components/ShareSurvey
 
 interface ResultsShareButtonProps {
   survey: TSurvey;
-  webAppUrl: string;
+  publicDomain: string;
 }
 
-export const ResultsShareButton = ({ survey, webAppUrl }: ResultsShareButtonProps) => {
+export const ResultsShareButton = ({ survey, publicDomain }: ResultsShareButtonProps) => {
   const { t } = useTranslate();
   const [showResultsLinkModal, setShowResultsLinkModal] = useState(false);
 
@@ -34,7 +34,7 @@ export const ResultsShareButton = ({ survey, webAppUrl }: ResultsShareButtonProp
   const handlePublish = async () => {
     const resultShareKeyResponse = await generateResultShareUrlAction({ surveyId: survey.id });
     if (resultShareKeyResponse?.data) {
-      setSurveyUrl(webAppUrl + "/share/" + resultShareKeyResponse.data);
+      setSurveyUrl(publicDomain + "/share/" + resultShareKeyResponse.data);
       setShowPublishModal(true);
     } else {
       const errorMessage = getFormattedErrorMessage(resultShareKeyResponse);
@@ -58,13 +58,13 @@ export const ResultsShareButton = ({ survey, webAppUrl }: ResultsShareButtonProp
     const fetchSharingKey = async () => {
       const resultShareUrlResponse = await getResultShareUrlAction({ surveyId: survey.id });
       if (resultShareUrlResponse?.data) {
-        setSurveyUrl(webAppUrl + "/share/" + resultShareUrlResponse.data);
+        setSurveyUrl(publicDomain + "/share/" + resultShareUrlResponse.data);
         setShowPublishModal(true);
       }
     };
 
     fetchSharingKey();
-  }, [survey.id, webAppUrl]);
+  }, [survey.id, publicDomain]);
 
   const copyUrlToClipboard = () => {
     if (typeof window !== "undefined") {

apps/web/app/(app)/layout.test.tsx

@@ -39,6 +39,8 @@ vi.mock("@/lib/constants", () => ({
   FORMBRICKS_ENVIRONMENT_ID: "mock-formbricks-environment-id",
   IS_FORMBRICKS_ENABLED: true,
   SESSION_MAX_AGE: 1000,
+  REDIS_URL: "test-redis-url",
+  AUDIT_LOG_ENABLED: true,
 }));
 
 vi.mock("@/app/intercom/IntercomClientWrapper", () => ({

apps/web/app/ClientEnvironmentRedirect.test.tsx

@@ -14,41 +14,64 @@ describe("ClientEnvironmentRedirect", () => {
     cleanup();
   });
 
-  test("should redirect to the provided environment ID when no last environment exists", () => {
+  test("should redirect to the first environment ID when no last environment exists", () => {
     const mockPush = vi.fn();
     vi.mocked(useRouter).mockReturnValue({ push: mockPush } as any);
 
     // Mock localStorage
     const localStorageMock = {
       getItem: vi.fn().mockReturnValue(null),
+      removeItem: vi.fn(),
     };
+
     Object.defineProperty(window, "localStorage", {
       value: localStorageMock,
     });
 
-    render(<ClientEnvironmentRedirect environmentId="test-env-id" />);
+    render(<ClientEnvironmentRedirect userEnvironments={["test-env-id"]} />);
 
     expect(mockPush).toHaveBeenCalledWith("/environments/test-env-id");
   });
 
-  test("should redirect to the last environment ID when it exists in localStorage", () => {
+  test("should redirect to the last environment ID when it exists in localStorage and is valid", () => {
     const mockPush = vi.fn();
     vi.mocked(useRouter).mockReturnValue({ push: mockPush } as any);
 
     // Mock localStorage with a last environment ID
     const localStorageMock = {
       getItem: vi.fn().mockReturnValue("last-env-id"),
+      removeItem: vi.fn(),
     };
     Object.defineProperty(window, "localStorage", {
       value: localStorageMock,
     });
 
-    render(<ClientEnvironmentRedirect environmentId="test-env-id" />);
+    render(<ClientEnvironmentRedirect userEnvironments={["last-env-id", "other-env-id"]} />);
 
     expect(localStorageMock.getItem).toHaveBeenCalledWith(FORMBRICKS_ENVIRONMENT_ID_LS);
     expect(mockPush).toHaveBeenCalledWith("/environments/last-env-id");
   });
 
+  test("should clear invalid environment ID and redirect to default when stored ID is not in user environments", () => {
+    const mockPush = vi.fn();
+    vi.mocked(useRouter).mockReturnValue({ push: mockPush } as any);
+
+    // Mock localStorage with an invalid environment ID
+    const localStorageMock = {
+      getItem: vi.fn().mockReturnValue("invalid-env-id"),
+      removeItem: vi.fn(),
+    };
+    Object.defineProperty(window, "localStorage", {
+      value: localStorageMock,
+    });
+
+    render(<ClientEnvironmentRedirect userEnvironments={["valid-env-1", "valid-env-2"]} />);
+
+    expect(localStorageMock.getItem).toHaveBeenCalledWith(FORMBRICKS_ENVIRONMENT_ID_LS);
+    expect(localStorageMock.removeItem).toHaveBeenCalledWith(FORMBRICKS_ENVIRONMENT_ID_LS);
+    expect(mockPush).toHaveBeenCalledWith("/environments/valid-env-1");
+  });
+
   test("should update redirect when environment ID prop changes", () => {
     const mockPush = vi.fn();
     vi.mocked(useRouter).mockReturnValue({ push: mockPush } as any);
@@ -56,19 +79,20 @@ describe("ClientEnvironmentRedirect", () => {
     // Mock localStorage
     const localStorageMock = {
       getItem: vi.fn().mockReturnValue(null),
+      removeItem: vi.fn(),
     };
     Object.defineProperty(window, "localStorage", {
       value: localStorageMock,
     });
 
-    const { rerender } = render(<ClientEnvironmentRedirect environmentId="initial-env-id" />);
+    const { rerender } = render(<ClientEnvironmentRedirect userEnvironments={["initial-env-id"]} />);
     expect(mockPush).toHaveBeenCalledWith("/environments/initial-env-id");
 
     // Clear mock calls
     mockPush.mockClear();
 
     // Rerender with new environment ID
-    rerender(<ClientEnvironmentRedirect environmentId="new-env-id" />);
+    rerender(<ClientEnvironmentRedirect userEnvironments={["new-env-id"]} />);
     expect(mockPush).toHaveBeenCalledWith("/environments/new-env-id");
   });
 });

apps/web/app/ClientEnvironmentRedirect.tsx

@@ -5,22 +5,23 @@ import { useRouter } from "next/navigation";
 import { useEffect } from "react";
 
 interface ClientEnvironmentRedirectProps {
-  environmentId: string;
+  userEnvironments: string[];
 }
 
-const ClientEnvironmentRedirect = ({ environmentId }: ClientEnvironmentRedirectProps) => {
+const ClientEnvironmentRedirect = ({ userEnvironments }: ClientEnvironmentRedirectProps) => {
   const router = useRouter();
 
   useEffect(() => {
     const lastEnvironmentId = localStorage.getItem(FORMBRICKS_ENVIRONMENT_ID_LS);
 
-    if (lastEnvironmentId) {
-      // Redirect to the last environment the user was in
+    if (lastEnvironmentId && userEnvironments.includes(lastEnvironmentId)) {
       router.push(`/environments/${lastEnvironmentId}`);
     } else {
-      router.push(`/environments/${environmentId}`);
+      // If the last environmentId is not valid, remove it from localStorage and redirect to the provided environmentId
+      localStorage.removeItem(FORMBRICKS_ENVIRONMENT_ID_LS);
+      router.push(`/environments/${userEnvironments[0]}`);
     }
-  }, [environmentId, router]);
+  }, [userEnvironments, router]);
 
   return null;
 };

apps/web/app/api/(internal)/pipeline/route.ts

@@ -7,6 +7,8 @@ import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
 import { getResponseCountBySurveyId } from "@/lib/response/service";
 import { getSurvey, updateSurvey } from "@/lib/survey/service";
 import { convertDatesInObject } from "@/lib/time";
+import { queueAuditEvent } from "@/modules/ee/audit-logs/lib/handler";
+import { TAuditStatus, UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
 import { sendResponseFinishedEmail } from "@/modules/email";
 import { sendFollowUpsForResponse } from "@/modules/survey/follow-ups/lib/follow-ups";
 import { FollowUpSendError } from "@/modules/survey/follow-ups/types/follow-up";
@@ -179,10 +181,33 @@ export const POST = async (request: Request) => {
 
     // Update survey status if necessary
     if (survey.autoComplete && responseCount >= survey.autoComplete) {
-      await updateSurvey({
-        ...survey,
-        status: "completed",
-      });
+      let logStatus: TAuditStatus = "success";
+
+      try {
+        await updateSurvey({
+          ...survey,
+          status: "completed",
+        });
+      } catch (error) {
+        logStatus = "failure";
+        logger.error(
+          { error, url: request.url, surveyId },
+          `Failed to update survey ${surveyId} status to completed`
+        );
+      } finally {
+        await queueAuditEvent({
+          status: logStatus,
+          action: "updated",
+          targetType: "survey",
+          userId: UNKNOWN_DATA,
+          userType: "system",
+          targetId: survey.id,
+          organizationId: organization.id,
+          newObject: {
+            status: "completed",
+          },
+        });
+      }
     }
 
     // Await webhook and email promises with allSettled to prevent early rejection

apps/web/app/api/auth/[...nextauth]/route.ts

@@ -1,8 +1,140 @@
-import { authOptions } from "@/modules/auth/lib/authOptions";
+import { IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
+import { authOptions as baseAuthOptions } from "@/modules/auth/lib/authOptions";
+import { queueAuditEventBackground } from "@/modules/ee/audit-logs/lib/handler";
+import { TAuditStatus, UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
+import * as Sentry from "@sentry/nextjs";
 import NextAuth from "next-auth";
+import { logger } from "@formbricks/logger";
 
 export const fetchCache = "force-no-store";
 
-const handler = NextAuth(authOptions);
+const handler = async (req: Request, ctx: any) => {
+  const eventId = req.headers.get("x-request-id") ?? undefined;
+
+  const authOptions = {
+    ...baseAuthOptions,
+    callbacks: {
+      ...baseAuthOptions.callbacks,
+      async jwt(params: any) {
+        let result: any = params.token;
+        let error: any = undefined;
+
+        try {
+          if (baseAuthOptions.callbacks?.jwt) {
+            result = await baseAuthOptions.callbacks.jwt(params);
+          }
+        } catch (err) {
+          error = err;
+          logger.withContext({ eventId, err }).error("JWT callback failed");
+
+          if (SENTRY_DSN && IS_PRODUCTION) {
+            Sentry.captureException(err);
+          }
+        }
+
+        // Audit JWT operations (token refresh, updates)
+        if (params.trigger && params.token?.profile?.id) {
+          const status: TAuditStatus = error ? "failure" : "success";
+          const auditLog = {
+            action: "jwtTokenCreated" as const,
+            targetType: "user" as const,
+            userId: params.token.profile.id,
+            targetId: params.token.profile.id,
+            organizationId: UNKNOWN_DATA,
+            status,
+            userType: "user" as const,
+            newObject: { trigger: params.trigger, tokenType: "jwt" },
+            ...(error ? { eventId } : {}),
+          };
+
+          queueAuditEventBackground(auditLog);
+        }
+
+        if (error) throw error;
+        return result;
+      },
+      async session(params: any) {
+        let result: any = params.session;
+        let error: any = undefined;
+
+        try {
+          if (baseAuthOptions.callbacks?.session) {
+            result = await baseAuthOptions.callbacks.session(params);
+          }
+        } catch (err) {
+          error = err;
+          logger.withContext({ eventId, err }).error("Session callback failed");
+
+          if (SENTRY_DSN && IS_PRODUCTION) {
+            Sentry.captureException(err);
+          }
+        }
+
+        if (error) throw error;
+        return result;
+      },
+      async signIn({ user, account, profile, email, credentials }) {
+        let result: boolean | string = true;
+        let error: any = undefined;
+        let authMethod = "unknown";
+
+        try {
+          if (baseAuthOptions.callbacks?.signIn) {
+            result = await baseAuthOptions.callbacks.signIn({
+              user,
+              account,
+              profile,
+              email,
+              credentials,
+            });
+          }
+
+          // Determine authentication method for more detailed logging
+          if (account?.provider === "credentials") {
+            authMethod = "password";
+          } else if (account?.provider === "token") {
+            authMethod = "email_verification";
+          } else if (account?.provider && account.provider !== "credentials") {
+            authMethod = "sso";
+          }
+        } catch (err) {
+          error = err;
+          result = false;
+
+          logger.withContext({ eventId, err }).error("User sign-in failed");
+
+          if (SENTRY_DSN && IS_PRODUCTION) {
+            Sentry.captureException(err);
+          }
+        }
+
+        const status: TAuditStatus = result === false ? "failure" : "success";
+        const auditLog = {
+          action: "signedIn" as const,
+          targetType: "user" as const,
+          userId: user?.id ?? UNKNOWN_DATA,
+          targetId: user?.id ?? UNKNOWN_DATA,
+          organizationId: UNKNOWN_DATA,
+          status,
+          userType: "user" as const,
+          newObject: {
+            ...user,
+            authMethod,
+            provider: account?.provider,
+            ...(error ? { errorMessage: error.message } : {}),
+          },
+          ...(status === "failure" ? { eventId } : {}),
+        };
+
+        queueAuditEventBackground(auditLog);
+
+        if (error) throw error;
+        return result;
+      },
+    },
+  };
+
+  return NextAuth(authOptions)(req, ctx);
+};
 
 export { handler as GET, handler as POST };

apps/web/app/api/cron/ping/route.ts

@@ -1,5 +1,6 @@
 import { responses } from "@/app/lib/api/response";
 import { CRON_SECRET } from "@/lib/constants";
+import { env } from "@/lib/env";
 import { captureTelemetry } from "@/lib/telemetry";
 import packageJson from "@/package.json";
 import { headers } from "next/headers";
@@ -13,6 +14,10 @@ export const POST = async () => {
     return responses.notAuthenticatedResponse();
   }
 
+  if (env.TELEMETRY_DISABLED === "1") {
+    return responses.successResponse({}, true);
+  }
+
   const [surveyCount, responseCount, userCount] = await Promise.all([
     prisma.survey.count(),
     prisma.response.count(),

apps/web/app/api/v1/management/action-classes/[actionClassId]/route.ts

@@ -1,6 +1,7 @@
 import { authenticateRequest, handleErrorResponse } from "@/app/api/v1/auth";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { deleteActionClass, getActionClass, updateActionClass } from "@/lib/actionClass/service";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
 import { logger } from "@formbricks/logger";
@@ -44,63 +45,104 @@ export const GET = async (
   }
 };
 
-export const PUT = async (
-  request: Request,
-  props: { params: Promise<{ actionClassId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-    const actionClass = await fetchAndAuthorizeActionClass(authentication, params.actionClassId, "PUT");
-    if (!actionClass) {
-      return responses.notFoundResponse("Action Class", params.actionClassId);
-    }
-
-    let actionClassUpdate;
+export const PUT = withApiLogging(
+  async (request: Request, props: { params: Promise<{ actionClassId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
     try {
-      actionClassUpdate = await request.json();
-    } catch (error) {
-      logger.error({ error, url: request.url }, "Error parsing JSON");
-      return responses.badRequestResponse("Malformed JSON input, please check your request body");
-    }
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
 
-    const inputValidation = ZActionClassInput.safeParse(actionClassUpdate);
-    if (!inputValidation.success) {
-      return responses.badRequestResponse(
-        "Fields are missing or incorrectly formatted",
-        transformErrorToDetails(inputValidation.error)
+      const actionClass = await fetchAndAuthorizeActionClass(authentication, params.actionClassId, "PUT");
+      if (!actionClass) {
+        return {
+          response: responses.notFoundResponse("Action Class", params.actionClassId),
+        };
+      }
+      auditLog.oldObject = actionClass;
+      auditLog.organizationId = authentication.organizationId;
+
+      let actionClassUpdate;
+      try {
+        actionClassUpdate = await request.json();
+      } catch (error) {
+        logger.error({ error, url: request.url }, "Error parsing JSON");
+        return {
+          response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
+        };
+      }
+
+      const inputValidation = ZActionClassInput.safeParse(actionClassUpdate);
+      if (!inputValidation.success) {
+        return {
+          response: responses.badRequestResponse(
+            "Fields are missing or incorrectly formatted",
+            transformErrorToDetails(inputValidation.error)
+          ),
+        };
+      }
+      const updatedActionClass = await updateActionClass(
+        inputValidation.data.environmentId,
+        params.actionClassId,
+        inputValidation.data
       );
+      if (updatedActionClass) {
+        auditLog.newObject = updatedActionClass;
+        return {
+          response: responses.successResponse(updatedActionClass),
+        };
+      }
+      return {
+        response: responses.internalServerErrorResponse("Some error occurred while updating action"),
+      };
+    } catch (error) {
+      return {
+        response: handleErrorResponse(error),
+      };
     }
-    const updatedActionClass = await updateActionClass(
-      inputValidation.data.environmentId,
-      params.actionClassId,
-      inputValidation.data
-    );
-    if (updatedActionClass) {
-      return responses.successResponse(updatedActionClass);
-    }
-    return responses.internalServerErrorResponse("Some error ocured while updating action");
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
+  },
+  "updated",
+  "actionClass"
+);
 
-export const DELETE = async (
-  request: Request,
-  props: { params: Promise<{ actionClassId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-    const actionClass = await fetchAndAuthorizeActionClass(authentication, params.actionClassId, "DELETE");
-    if (!actionClass) {
-      return responses.notFoundResponse("Action Class", params.actionClassId);
+export const DELETE = withApiLogging(
+  async (request: Request, props: { params: Promise<{ actionClassId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.actionClassId;
+
+    try {
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+
+      const actionClass = await fetchAndAuthorizeActionClass(authentication, params.actionClassId, "DELETE");
+      if (!actionClass) {
+        return {
+          response: responses.notFoundResponse("Action Class", params.actionClassId),
+        };
+      }
+
+      auditLog.oldObject = actionClass;
+      auditLog.organizationId = authentication.organizationId;
+
+      const deletedActionClass = await deleteActionClass(params.actionClassId);
+      return {
+        response: responses.successResponse(deletedActionClass),
+      };
+    } catch (error) {
+      return {
+        response: handleErrorResponse(error),
+      };
     }
-    const deletedActionClass = await deleteActionClass(params.actionClassId);
-    return responses.successResponse(deletedActionClass);
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
+  },
+  "deleted",
+  "actionClass"
+);

apps/web/app/api/v1/management/action-classes/route.ts

@@ -1,6 +1,7 @@
 import { authenticateRequest } from "@/app/api/v1/auth";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { createActionClass } from "@/lib/actionClass/service";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
 import { logger } from "@formbricks/logger";
@@ -28,41 +29,62 @@ export const GET = async (request: Request) => {
   }
 };
 
-export const POST = async (request: Request): Promise<Response> => {
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-
-    let actionClassInput;
+export const POST = withApiLogging(
+  async (request: Request, _, auditLog: ApiAuditLog) => {
     try {
-      actionClassInput = await request.json();
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+      auditLog.organizationId = authentication.organizationId;
+
+      let actionClassInput;
+      try {
+        actionClassInput = await request.json();
+      } catch (error) {
+        logger.error({ error, url: request.url }, "Error parsing JSON input");
+        return {
+          response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
+        };
+      }
+
+      const inputValidation = ZActionClassInput.safeParse(actionClassInput);
+      const environmentId = actionClassInput.environmentId;
+
+      if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+        return {
+          response: responses.unauthorizedResponse(),
+        };
+      }
+
+      if (!inputValidation.success) {
+        return {
+          response: responses.badRequestResponse(
+            "Fields are missing or incorrectly formatted",
+            transformErrorToDetails(inputValidation.error),
+            true
+          ),
+        };
+      }
+
+      const actionClass: TActionClass = await createActionClass(environmentId, inputValidation.data);
+      auditLog.targetId = actionClass.id;
+      auditLog.newObject = actionClass;
+      return {
+        response: responses.successResponse(actionClass),
+      };
     } catch (error) {
-      logger.error({ error, url: request.url }, "Error parsing JSON input");
-      return responses.badRequestResponse("Malformed JSON input, please check your request body");
+      if (error instanceof DatabaseError) {
+        return {
+          response: responses.badRequestResponse(error.message),
+        };
+      }
+      throw error;
     }
-
-    const inputValidation = ZActionClassInput.safeParse(actionClassInput);
-
-    const environmentId = actionClassInput.environmentId;
-
-    if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
-      return responses.unauthorizedResponse();
-    }
-
-    if (!inputValidation.success) {
-      return responses.badRequestResponse(
-        "Fields are missing or incorrectly formatted",
-        transformErrorToDetails(inputValidation.error),
-        true
-      );
-    }
-
-    const actionClass: TActionClass = await createActionClass(environmentId, inputValidation.data);
-    return responses.successResponse(actionClass);
-  } catch (error) {
-    if (error instanceof DatabaseError) {
-      return responses.badRequestResponse(error.message);
-    }
-    throw error;
-  }
-};
+  },
+  "created",
+  "actionClass"
+);

apps/web/app/api/v1/management/responses/[responseId]/route.ts

@@ -1,6 +1,7 @@
 import { authenticateRequest, handleErrorResponse } from "@/app/api/v1/auth";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { validateFileUploads } from "@/lib/fileValidation";
 import { deleteResponse, getResponse, updateResponse } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
@@ -48,58 +49,101 @@ export const GET = async (
   }
 };
 
-export const DELETE = async (
-  request: Request,
-  props: { params: Promise<{ responseId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-
-    const result = await fetchAndAuthorizeResponse(params.responseId, authentication, "DELETE");
-    if (result.error) return result.error;
-
-    const deletedResponse = await deleteResponse(params.responseId);
-    return responses.successResponse(deletedResponse);
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
-
-export const PUT = async (
-  request: Request,
-  props: { params: Promise<{ responseId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-
-    const result = await fetchAndAuthorizeResponse(params.responseId, authentication, "PUT");
-    if (result.error) return result.error;
-
-    let responseUpdate;
+export const DELETE = withApiLogging(
+  async (request: Request, props: { params: Promise<{ responseId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.responseId;
     try {
-      responseUpdate = await request.json();
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+      auditLog.organizationId = authentication.organizationId;
+
+      const result = await fetchAndAuthorizeResponse(params.responseId, authentication, "DELETE");
+      if (result.error) {
+        return {
+          response: result.error,
+        };
+      }
+      auditLog.oldObject = result.response;
+
+      const deletedResponse = await deleteResponse(params.responseId);
+      return {
+        response: responses.successResponse(deletedResponse),
+      };
     } catch (error) {
-      logger.error({ error, url: request.url }, "Error parsing JSON");
-      return responses.badRequestResponse("Malformed JSON input, please check your request body");
+      return {
+        response: handleErrorResponse(error),
+      };
     }
+  },
+  "deleted",
+  "response"
+);
 
-    if (!validateFileUploads(responseUpdate.data, result.survey.questions)) {
-      return responses.badRequestResponse("Invalid file upload response");
-    }
+export const PUT = withApiLogging(
+  async (request: Request, props: { params: Promise<{ responseId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.responseId;
+    try {
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+      auditLog.organizationId = authentication.organizationId;
 
-    const inputValidation = ZResponseUpdateInput.safeParse(responseUpdate);
-    if (!inputValidation.success) {
-      return responses.badRequestResponse(
-        "Fields are missing or incorrectly formatted",
-        transformErrorToDetails(inputValidation.error)
-      );
+      const result = await fetchAndAuthorizeResponse(params.responseId, authentication, "PUT");
+      if (result.error) {
+        return {
+          response: result.error,
+        };
+      }
+      auditLog.oldObject = result.response;
+
+      let responseUpdate;
+      try {
+        responseUpdate = await request.json();
+      } catch (error) {
+        logger.error({ error, url: request.url }, "Error parsing JSON");
+        return {
+          response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
+        };
+      }
+
+      if (!validateFileUploads(responseUpdate.data, result.survey.questions)) {
+        return {
+          response: responses.badRequestResponse("Invalid file upload response"),
+        };
+      }
+
+      const inputValidation = ZResponseUpdateInput.safeParse(responseUpdate);
+      if (!inputValidation.success) {
+        return {
+          response: responses.badRequestResponse(
+            "Fields are missing or incorrectly formatted",
+            transformErrorToDetails(inputValidation.error)
+          ),
+        };
+      }
+
+      const updated = await updateResponse(params.responseId, inputValidation.data);
+      auditLog.newObject = updated;
+      return {
+        response: responses.successResponse(updated),
+      };
+    } catch (error) {
+      return {
+        response: handleErrorResponse(error),
+      };
     }
-    return responses.successResponse(await updateResponse(params.responseId, inputValidation.data));
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
+  },
+  "updated",
+  "response"
+);

apps/web/app/api/v1/management/responses/route.ts

@@ -1,6 +1,7 @@
 import { authenticateRequest } from "@/app/api/v1/auth";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { validateFileUploads } from "@/lib/fileValidation";
 import { getResponses } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
@@ -91,46 +92,78 @@ const validateSurvey = async (responseInput: TResponseInput, environmentId: stri
   return { survey };
 };
 
-export const POST = async (request: Request): Promise<Response> => {
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-
-    const inputResult = await validateInput(request);
-    if (inputResult.error) return inputResult.error;
-
-    const responseInput = inputResult.data;
-    const environmentId = responseInput.environmentId;
-
-    if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
-      return responses.unauthorizedResponse();
-    }
-
-    const surveyResult = await validateSurvey(responseInput, environmentId);
-    if (surveyResult.error) return surveyResult.error;
-
-    if (!validateFileUploads(responseInput.data, surveyResult.survey.questions)) {
-      return responses.badRequestResponse("Invalid file upload response");
-    }
-
-    if (responseInput.createdAt && !responseInput.updatedAt) {
-      responseInput.updatedAt = responseInput.createdAt;
-    }
-
+export const POST = withApiLogging(
+  async (request: Request, _, auditLog: ApiAuditLog) => {
     try {
-      const response = await createResponse(responseInput);
-      return responses.successResponse(response, true);
-    } catch (error) {
-      if (error instanceof InvalidInputError) {
-        return responses.badRequestResponse(error.message);
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
       }
-      logger.error({ error, url: request.url }, "Error in POST /api/v1/management/responses");
-      return responses.internalServerErrorResponse(error.message);
+      auditLog.userId = authentication.apiKeyId;
+      auditLog.organizationId = authentication.organizationId;
+
+      const inputResult = await validateInput(request);
+      if (inputResult.error) {
+        return {
+          response: inputResult.error,
+        };
+      }
+
+      const responseInput = inputResult.data;
+      const environmentId = responseInput.environmentId;
+
+      if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+        return {
+          response: responses.unauthorizedResponse(),
+        };
+      }
+
+      const surveyResult = await validateSurvey(responseInput, environmentId);
+      if (surveyResult.error) {
+        return {
+          response: surveyResult.error,
+        };
+      }
+
+      if (!validateFileUploads(responseInput.data, surveyResult.survey.questions)) {
+        return {
+          response: responses.badRequestResponse("Invalid file upload response"),
+        };
+      }
+
+      if (responseInput.createdAt && !responseInput.updatedAt) {
+        responseInput.updatedAt = responseInput.createdAt;
+      }
+
+      try {
+        const response = await createResponse(responseInput);
+        auditLog.targetId = response.id;
+        auditLog.newObject = response;
+        return {
+          response: responses.successResponse(response, true),
+        };
+      } catch (error) {
+        if (error instanceof InvalidInputError) {
+          return {
+            response: responses.badRequestResponse(error.message),
+          };
+        }
+        logger.error({ error, url: request.url }, "Error in POST /api/v1/management/responses");
+        return {
+          response: responses.internalServerErrorResponse(error.message),
+        };
+      }
+    } catch (error) {
+      if (error instanceof DatabaseError) {
+        return {
+          response: responses.badRequestResponse(error.message),
+        };
+      }
+      throw error;
     }
-  } catch (error) {
-    if (error instanceof DatabaseError) {
-      return responses.badRequestResponse(error.message);
-    }
-    throw error;
-  }
-};
+  },
+  "created",
+  "response"
+);

apps/web/app/api/v1/management/storage/lib/utils.test.ts

@@ -0,0 +1,212 @@
+import { authenticateRequest } from "@/app/api/v1/auth";
+import { responses } from "@/app/lib/api/response";
+import { hasUserEnvironmentAccess } from "@/lib/environment/auth";
+import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
+import { Session } from "next-auth";
+import { NextRequest } from "next/server";
+import { describe, expect, test } from "vitest";
+import { vi } from "vitest";
+import { TAuthenticationApiKey } from "@formbricks/types/auth";
+import { checkForRequiredFields } from "./utils";
+import { checkAuth } from "./utils";
+
+// Create mock response objects
+const mockBadRequestResponse = new Response("Bad Request", { status: 400 });
+const mockNotAuthenticatedResponse = new Response("Not authenticated", { status: 401 });
+const mockUnauthorizedResponse = new Response("Unauthorized", { status: 401 });
+
+vi.mock("@/app/api/v1/auth", () => ({
+  authenticateRequest: vi.fn(),
+}));
+
+vi.mock("@/lib/environment/auth", () => ({
+  hasUserEnvironmentAccess: vi.fn(),
+}));
+
+vi.mock("@/modules/organization/settings/api-keys/lib/utils", () => ({
+  hasPermission: vi.fn(),
+}));
+
+vi.mock("@/app/lib/api/response", () => ({
+  responses: {
+    badRequestResponse: vi.fn(() => mockBadRequestResponse),
+    notAuthenticatedResponse: vi.fn(() => mockNotAuthenticatedResponse),
+    unauthorizedResponse: vi.fn(() => mockUnauthorizedResponse),
+  },
+}));
+
+describe("checkForRequiredFields", () => {
+  test("should return undefined when all required fields are present", () => {
+    const result = checkForRequiredFields("env-123", "image/png", "test-file.png");
+    expect(result).toBeUndefined();
+  });
+
+  test("should return bad request response when environmentId is missing", () => {
+    const result = checkForRequiredFields("", "image/png", "test-file.png");
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("environmentId is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+
+  test("should return bad request response when fileType is missing", () => {
+    const result = checkForRequiredFields("env-123", "", "test-file.png");
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("contentType is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+
+  test("should return bad request response when encodedFileName is missing", () => {
+    const result = checkForRequiredFields("env-123", "image/png", "");
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("fileName is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+
+  test("should return bad request response when environmentId is undefined", () => {
+    const result = checkForRequiredFields(undefined as any, "image/png", "test-file.png");
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("environmentId is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+
+  test("should return bad request response when fileType is undefined", () => {
+    const result = checkForRequiredFields("env-123", undefined as any, "test-file.png");
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("contentType is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+
+  test("should return bad request response when encodedFileName is undefined", () => {
+    const result = checkForRequiredFields("env-123", "image/png", undefined as any);
+    expect(responses.badRequestResponse).toHaveBeenCalledWith("fileName is required");
+    expect(result).toBe(mockBadRequestResponse);
+  });
+});
+
+describe("checkAuth", () => {
+  const environmentId = "env-123";
+  const mockRequest = new NextRequest("http://localhost:3000/api/test");
+
+  test("returns notAuthenticatedResponse when no session and no authentication", async () => {
+    vi.mocked(authenticateRequest).mockResolvedValue(null);
+
+    const result = await checkAuth(null, environmentId, mockRequest);
+
+    expect(authenticateRequest).toHaveBeenCalledWith(mockRequest);
+    expect(responses.notAuthenticatedResponse).toHaveBeenCalled();
+    expect(result).toBe(mockNotAuthenticatedResponse);
+  });
+
+  test("returns unauthorizedResponse when no session and authentication lacks POST permission", async () => {
+    const mockAuthentication: TAuthenticationApiKey = {
+      type: "apiKey",
+      environmentPermissions: [
+        {
+          environmentId: "env-123",
+          permission: "read",
+          environmentType: "development",
+          projectId: "project-1",
+          projectName: "Project 1",
+        },
+      ],
+      hashedApiKey: "hashed-key",
+      apiKeyId: "api-key-id",
+      organizationId: "org-id",
+      organizationAccess: {
+        accessControl: {},
+      },
+    };
+
+    vi.mocked(authenticateRequest).mockResolvedValue(mockAuthentication);
+    vi.mocked(hasPermission).mockReturnValue(false);
+
+    const result = await checkAuth(null, environmentId, mockRequest);
+
+    expect(authenticateRequest).toHaveBeenCalledWith(mockRequest);
+    expect(hasPermission).toHaveBeenCalledWith(
+      mockAuthentication.environmentPermissions,
+      environmentId,
+      "POST"
+    );
+    expect(responses.unauthorizedResponse).toHaveBeenCalled();
+    expect(result).toBe(mockUnauthorizedResponse);
+  });
+
+  test("returns undefined when no session and authentication has POST permission", async () => {
+    const mockAuthentication: TAuthenticationApiKey = {
+      type: "apiKey",
+      environmentPermissions: [
+        {
+          environmentId: "env-123",
+          permission: "write",
+          environmentType: "development",
+          projectId: "project-1",
+          projectName: "Project 1",
+        },
+      ],
+      hashedApiKey: "hashed-key",
+      apiKeyId: "api-key-id",
+      organizationId: "org-id",
+      organizationAccess: {
+        accessControl: {},
+      },
+    };
+
+    vi.mocked(authenticateRequest).mockResolvedValue(mockAuthentication);
+    vi.mocked(hasPermission).mockReturnValue(true);
+
+    const result = await checkAuth(null, environmentId, mockRequest);
+
+    expect(authenticateRequest).toHaveBeenCalledWith(mockRequest);
+    expect(hasPermission).toHaveBeenCalledWith(
+      mockAuthentication.environmentPermissions,
+      environmentId,
+      "POST"
+    );
+    expect(result).toBeUndefined();
+  });
+
+  test("returns unauthorizedResponse when session exists but user lacks environment access", async () => {
+    const mockSession: Session = {
+      user: {
+        id: "user-123",
+      },
+      expires: "2024-12-31T23:59:59.999Z",
+    };
+
+    vi.mocked(hasUserEnvironmentAccess).mockResolvedValue(false);
+
+    const result = await checkAuth(mockSession, environmentId, mockRequest);
+
+    expect(hasUserEnvironmentAccess).toHaveBeenCalledWith("user-123", environmentId);
+    expect(responses.unauthorizedResponse).toHaveBeenCalled();
+    expect(result).toBe(mockUnauthorizedResponse);
+  });
+
+  test("returns undefined when session exists and user has environment access", async () => {
+    const mockSession: Session = {
+      user: {
+        id: "user-123",
+      },
+      expires: "2024-12-31T23:59:59.999Z",
+    };
+
+    vi.mocked(hasUserEnvironmentAccess).mockResolvedValue(true);
+
+    const result = await checkAuth(mockSession, environmentId, mockRequest);
+
+    expect(hasUserEnvironmentAccess).toHaveBeenCalledWith("user-123", environmentId);
+    expect(result).toBeUndefined();
+  });
+
+  test("does not call authenticateRequest when session exists", async () => {
+    const mockSession: Session = {
+      user: {
+        id: "user-123",
+      },
+      expires: "2024-12-31T23:59:59.999Z",
+    };
+
+    vi.mocked(hasUserEnvironmentAccess).mockResolvedValue(true);
+
+    await checkAuth(mockSession, environmentId, mockRequest);
+
+    expect(authenticateRequest).not.toHaveBeenCalled();
+    expect(hasUserEnvironmentAccess).toHaveBeenCalledWith("user-123", environmentId);
+  });
+});

apps/web/app/api/v1/management/storage/lib/utils.ts

@@ -0,0 +1,41 @@
+import { authenticateRequest } from "@/app/api/v1/auth";
+import { responses } from "@/app/lib/api/response";
+import { hasUserEnvironmentAccess } from "@/lib/environment/auth";
+import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
+import { Session } from "next-auth";
+import { NextRequest } from "next/server";
+
+export const checkForRequiredFields = (
+  environmentId: string,
+  fileType: string,
+  encodedFileName: string
+): Response | undefined => {
+  if (!environmentId) {
+    return responses.badRequestResponse("environmentId is required");
+  }
+
+  if (!fileType) {
+    return responses.badRequestResponse("contentType is required");
+  }
+
+  if (!encodedFileName) {
+    return responses.badRequestResponse("fileName is required");
+  }
+};
+
+export const checkAuth = async (session: Session | null, environmentId: string, request: NextRequest) => {
+  if (!session) {
+    //check whether its using API key
+    const authentication = await authenticateRequest(request);
+    if (!authentication) return responses.notAuthenticatedResponse();
+
+    if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+      return responses.unauthorizedResponse();
+    }
+  } else {
+    const isUserAuthorized = await hasUserEnvironmentAccess(session.user.id, environmentId);
+    if (!isUserAuthorized) {
+      return responses.unauthorizedResponse();
+    }
+  }
+};

apps/web/app/api/v1/management/storage/local/route.ts

@@ -1,10 +1,10 @@
 // headers -> "Content-Type" should be present and set to a valid MIME type
 // body -> should be a valid file object (buffer)
 // method -> PUT (to be the same as the signedUrl method)
+import { checkAuth, checkForRequiredFields } from "@/app/api/v1/management/storage/lib/utils";
 import { responses } from "@/app/lib/api/response";
 import { ENCRYPTION_KEY, UPLOADS_DIR } from "@/lib/constants";
 import { validateLocalSignedUrl } from "@/lib/crypto";
-import { hasUserEnvironmentAccess } from "@/lib/environment/auth";
 import { validateFile } from "@/lib/fileValidation";
 import { putFileToLocalStorage } from "@/lib/storage/service";
 import { authOptions } from "@/modules/auth/lib/authOptions";
@@ -27,41 +27,17 @@ export const POST = async (req: NextRequest): Promise<Response> => {
   const signedTimestamp = jsonInput.timestamp as string;
   const environmentId = jsonInput.environmentId as string;
 
-  if (!environmentId) {
-    return responses.badRequestResponse("environmentId is required");
-  }
+  const requiredFieldResponse = checkForRequiredFields(environmentId, fileType, encodedFileName);
+  if (requiredFieldResponse) return requiredFieldResponse;
 
-  if (!fileType) {
-    return responses.badRequestResponse("contentType is required");
-  }
-
-  if (!encodedFileName) {
-    return responses.badRequestResponse("fileName is required");
-  }
-
-  if (!signedSignature) {
-    return responses.unauthorizedResponse();
-  }
-
-  if (!signedUuid) {
-    return responses.unauthorizedResponse();
-  }
-
-  if (!signedTimestamp) {
+  if (!signedSignature || !signedUuid || !signedTimestamp) {
     return responses.unauthorizedResponse();
   }
 
   const session = await getServerSession(authOptions);
 
-  if (!session || !session.user) {
-    return responses.notAuthenticatedResponse();
-  }
-
-  const isUserAuthorized = await hasUserEnvironmentAccess(session.user.id, environmentId);
-
-  if (!isUserAuthorized) {
-    return responses.unauthorizedResponse();
-  }
+  const authResponse = await checkAuth(session, environmentId, req);
+  if (authResponse) return authResponse;
 
   const fileName = decodeURIComponent(encodedFileName);
 

apps/web/app/api/v1/management/storage/route.ts

@@ -1,5 +1,5 @@
+import { checkAuth, checkForRequiredFields } from "@/app/api/v1/management/storage/lib/utils";
 import { responses } from "@/app/lib/api/response";
-import { hasUserEnvironmentAccess } from "@/lib/environment/auth";
 import { validateFile } from "@/lib/fileValidation";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { getServerSession } from "next-auth";
@@ -13,29 +13,24 @@ import { getSignedUrlForPublicFile } from "./lib/getSignedUrl";
 // use this to upload files for a specific resource, e.g. a user profile picture or a survey
 // this api endpoint will return a signed url for uploading the file to s3 and another url for uploading file to the local storage
 
-export const POST = async (req: NextRequest): Promise<Response> => {
+export const POST = async (request: NextRequest): Promise<Response> => {
   let storageInput;
 
   try {
-    storageInput = await req.json();
+    storageInput = await request.json();
   } catch (error) {
-    logger.error({ error, url: req.url }, "Error parsing JSON input");
+    logger.error({ error, url: request.url }, "Error parsing JSON input");
     return responses.badRequestResponse("Malformed JSON input, please check your request body");
   }
 
   const { fileName, fileType, environmentId, allowedFileExtensions } = storageInput;
 
-  if (!fileName) {
-    return responses.badRequestResponse("fileName is required");
-  }
+  const requiredFieldResponse = checkForRequiredFields(environmentId, fileType, fileName);
+  if (requiredFieldResponse) return requiredFieldResponse;
+  const session = await getServerSession(authOptions);
 
-  if (!fileType) {
-    return responses.badRequestResponse("fileType is required");
-  }
-
-  if (!environmentId) {
-    return responses.badRequestResponse("environmentId is required");
-  }
+  const authResponse = await checkAuth(session, environmentId, request);
+  if (authResponse) return authResponse;
 
   // Perform server-side file validation first to block dangerous file types
   const fileValidation = validateFile(fileName, fileType);
@@ -53,18 +48,5 @@ export const POST = async (req: NextRequest): Promise<Response> => {
     }
   }
 
-  // auth and upload private file
-  const session = await getServerSession(authOptions);
-
-  if (!session || !session.user) {
-    return responses.notAuthenticatedResponse();
-  }
-
-  const isUserAuthorized = await hasUserEnvironmentAccess(session.user.id, environmentId);
-
-  if (!isUserAuthorized) {
-    return responses.unauthorizedResponse();
-  }
-
   return await getSignedUrlForPublicFile(fileName, environmentId, fileType);
 };

apps/web/app/api/v1/management/surveys/[surveyId]/route.ts

@@ -3,6 +3,7 @@ import { deleteSurvey } from "@/app/api/v1/management/surveys/[surveyId]/lib/sur
 import { checkFeaturePermissions } from "@/app/api/v1/management/surveys/lib/utils";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
 import { getSurvey, updateSurvey } from "@/lib/survey/service";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
@@ -42,64 +43,121 @@ export const GET = async (
   }
 };
 
-export const DELETE = async (
-  request: Request,
-  props: { params: Promise<{ surveyId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-    const result = await fetchAndAuthorizeSurvey(params.surveyId, authentication, "DELETE");
-    if (result.error) return result.error;
-    const deletedSurvey = await deleteSurvey(params.surveyId);
-    return responses.successResponse(deletedSurvey);
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
-
-export const PUT = async (
-  request: Request,
-  props: { params: Promise<{ surveyId: string }> }
-): Promise<Response> => {
-  const params = await props.params;
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-    const result = await fetchAndAuthorizeSurvey(params.surveyId, authentication, "PUT");
-    if (result.error) return result.error;
-
-    const organization = await getOrganizationByEnvironmentId(result.survey.environmentId);
-    if (!organization) {
-      return responses.notFoundResponse("Organization", null);
-    }
-
-    let surveyUpdate;
+export const DELETE = withApiLogging(
+  async (request: Request, props: { params: Promise<{ surveyId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.surveyId;
     try {
-      surveyUpdate = await request.json();
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+      auditLog.organizationId = authentication.organizationId;
+
+      const result = await fetchAndAuthorizeSurvey(params.surveyId, authentication, "DELETE");
+      if (result.error) {
+        return {
+          response: result.error,
+        };
+      }
+      auditLog.oldObject = result.survey;
+
+      const deletedSurvey = await deleteSurvey(params.surveyId);
+      return {
+        response: responses.successResponse(deletedSurvey),
+      };
     } catch (error) {
-      logger.error({ error, url: request.url }, "Error parsing JSON input");
-      return responses.badRequestResponse("Malformed JSON input, please check your request body");
+      return {
+        response: handleErrorResponse(error),
+      };
     }
+  },
+  "deleted",
+  "survey"
+);
 
-    const inputValidation = ZSurveyUpdateInput.safeParse({
-      ...result.survey,
-      ...surveyUpdate,
-    });
+export const PUT = withApiLogging(
+  async (request: Request, props: { params: Promise<{ surveyId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.surveyId;
+    try {
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
 
-    if (!inputValidation.success) {
-      return responses.badRequestResponse(
-        "Fields are missing or incorrectly formatted",
-        transformErrorToDetails(inputValidation.error)
-      );
+      const result = await fetchAndAuthorizeSurvey(params.surveyId, authentication, "PUT");
+      if (result.error) {
+        return {
+          response: result.error,
+        };
+      }
+      auditLog.oldObject = result.survey;
+
+      const organization = await getOrganizationByEnvironmentId(result.survey.environmentId);
+      if (!organization) {
+        return {
+          response: responses.notFoundResponse("Organization", null),
+        };
+      }
+      auditLog.organizationId = organization.id;
+
+      let surveyUpdate;
+      try {
+        surveyUpdate = await request.json();
+      } catch (error) {
+        logger.error({ error, url: request.url }, "Error parsing JSON input");
+        return {
+          response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
+        };
+      }
+
+      const inputValidation = ZSurveyUpdateInput.safeParse({
+        ...result.survey,
+        ...surveyUpdate,
+      });
+
+      if (!inputValidation.success) {
+        return {
+          response: responses.badRequestResponse(
+            "Fields are missing or incorrectly formatted",
+            transformErrorToDetails(inputValidation.error)
+          ),
+        };
+      }
+
+      const featureCheckResult = await checkFeaturePermissions(surveyUpdate, organization);
+      if (featureCheckResult) {
+        return {
+          response: featureCheckResult,
+        };
+      }
+
+      try {
+        const updatedSurvey = await updateSurvey({ ...inputValidation.data, id: params.surveyId });
+        auditLog.newObject = updatedSurvey;
+        return {
+          response: responses.successResponse(updatedSurvey),
+        };
+      } catch (error) {
+        auditLog.status = "failure";
+        return {
+          response: handleErrorResponse(error),
+        };
+      }
+    } catch (error) {
+      auditLog.status = "failure";
+      return {
+        response: handleErrorResponse(error),
+      };
     }
-
-    const featureCheckResult = await checkFeaturePermissions(surveyUpdate, organization);
-    if (featureCheckResult) return featureCheckResult;
-
-    return responses.successResponse(await updateSurvey({ ...inputValidation.data, id: params.surveyId }));
-  } catch (error) {
-    return handleErrorResponse(error);
-  }
-};
+  },
+  "updated",
+  "survey"
+);

apps/web/app/api/v1/management/surveys/[surveyId]/singleUseIds/route.ts

@@ -1,6 +1,6 @@
 import { authenticateRequest, handleErrorResponse } from "@/app/api/v1/auth";
 import { responses } from "@/app/lib/api/response";
-import { getSurveyDomain } from "@/lib/getSurveyUrl";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getSurvey } from "@/lib/survey/service";
 import { generateSurveySingleUseIds } from "@/lib/utils/single-use-surveys";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
@@ -42,10 +42,10 @@ export const GET = async (
 
     const singleUseIds = generateSurveySingleUseIds(limit, survey.singleUse.isEncrypted);
 
-    const surveyDomain = getSurveyDomain();
+    const publicDomain = getPublicDomain();
     // map single use ids to survey links
     const surveyLinks = singleUseIds.map(
-      (singleUseId) => `${surveyDomain}/s/${survey.id}?suId=${singleUseId}`
+      (singleUseId) => `${publicDomain}/s/${survey.id}?suId=${singleUseId}`
     );
 
     return responses.successResponse(surveyLinks);

apps/web/app/api/v1/management/surveys/route.ts

@@ -2,6 +2,7 @@ import { authenticateRequest } from "@/app/api/v1/auth";
 import { checkFeaturePermissions } from "@/app/api/v1/management/surveys/lib/utils";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
 import { createSurvey } from "@/lib/survey/service";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
@@ -33,50 +34,78 @@ export const GET = async (request: Request) => {
   }
 };
 
-export const POST = async (request: Request): Promise<Response> => {
-  try {
-    const authentication = await authenticateRequest(request);
-    if (!authentication) return responses.notAuthenticatedResponse();
-
-    let surveyInput;
+export const POST = withApiLogging(
+  async (request: Request, _, auditLog: ApiAuditLog) => {
     try {
-      surveyInput = await request.json();
+      const authentication = await authenticateRequest(request);
+      if (!authentication) {
+        return {
+          response: responses.notAuthenticatedResponse(),
+        };
+      }
+      auditLog.userId = authentication.apiKeyId;
+
+      let surveyInput;
+      try {
+        surveyInput = await request.json();
+      } catch (error) {
+        logger.error({ error, url: request.url }, "Error parsing JSON");
+        return {
+          response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
+        };
+      }
+      const inputValidation = ZSurveyCreateInputWithEnvironmentId.safeParse(surveyInput);
+
+      if (!inputValidation.success) {
+        return {
+          response: responses.badRequestResponse(
+            "Fields are missing or incorrectly formatted",
+            transformErrorToDetails(inputValidation.error),
+            true
+          ),
+        };
+      }
+
+      const { environmentId } = inputValidation.data;
+
+      if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+        return {
+          response: responses.unauthorizedResponse(),
+        };
+      }
+
+      const organization = await getOrganizationByEnvironmentId(environmentId);
+      if (!organization) {
+        return {
+          response: responses.notFoundResponse("Organization", null),
+        };
+      }
+      auditLog.organizationId = organization.id;
+
+      const surveyData = { ...inputValidation.data, environmentId };
+
+      const featureCheckResult = await checkFeaturePermissions(surveyData, organization);
+      if (featureCheckResult) {
+        return {
+          response: featureCheckResult,
+        };
+      }
+
+      const survey = await createSurvey(environmentId, { ...surveyData, environmentId: undefined });
+      auditLog.targetId = survey.id;
+      auditLog.newObject = survey;
+      return {
+        response: responses.successResponse(survey),
+      };
     } catch (error) {
-      logger.error({ error, url: request.url }, "Error parsing JSON");
-      return responses.badRequestResponse("Malformed JSON input, please check your request body");
+      if (error instanceof DatabaseError) {
+        return {
+          response: responses.badRequestResponse(error.message),
+        };
+      }
+      throw error;
     }
-    const inputValidation = ZSurveyCreateInputWithEnvironmentId.safeParse(surveyInput);
-
-    if (!inputValidation.success) {
-      return responses.badRequestResponse(
-        "Fields are missing or incorrectly formatted",
-        transformErrorToDetails(inputValidation.error),
-        true
-      );
-    }
-
-    const { environmentId } = inputValidation.data;
-
-    if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
-      return responses.unauthorizedResponse();
-    }
-
-    const organization = await getOrganizationByEnvironmentId(environmentId);
-    if (!organization) {
-      return responses.notFoundResponse("Organization", null);
-    }
-
-    const surveyData = { ...inputValidation.data, environmentId };
-
-    const featureCheckResult = await checkFeaturePermissions(surveyData, organization);
-    if (featureCheckResult) return featureCheckResult;
-
-    const survey = await createSurvey(environmentId, { ...surveyData, environmentId: undefined });
-    return responses.successResponse(survey);
-  } catch (error) {
-    if (error instanceof DatabaseError) {
-      return responses.badRequestResponse(error.message);
-    }
-    throw error;
-  }
-};
+  },
+  "created",
+  "survey"
+);

apps/web/app/api/v1/webhooks/[webhookId]/route.ts

@@ -1,6 +1,7 @@
 import { authenticateRequest } from "@/app/api/v1/auth";
 import { deleteWebhook, getWebhook } from "@/app/api/v1/webhooks/[webhookId]/lib/webhook";
 import { responses } from "@/app/lib/api/response";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
 import { headers } from "next/headers";
 import { logger } from "@formbricks/logger";
@@ -28,33 +29,54 @@ export const GET = async (request: Request, props: { params: Promise<{ webhookId
   return responses.successResponse(webhook);
 };
 
-export const DELETE = async (request: Request, props: { params: Promise<{ webhookId: string }> }) => {
-  const params = await props.params;
-  const headersList = await headers();
-  const apiKey = headersList.get("x-api-key");
-  if (!apiKey) {
-    return responses.notAuthenticatedResponse();
-  }
-  const authentication = await authenticateRequest(request);
-  if (!authentication) {
-    return responses.notAuthenticatedResponse();
-  }
+export const DELETE = withApiLogging(
+  async (request: Request, props: { params: Promise<{ webhookId: string }> }, auditLog: ApiAuditLog) => {
+    const params = await props.params;
+    auditLog.targetId = params.webhookId;
+    const headersList = headers();
+    const apiKey = headersList.get("x-api-key");
+    if (!apiKey) {
+      return {
+        response: responses.notAuthenticatedResponse(),
+      };
+    }
+    const authentication = await authenticateRequest(request);
+    if (!authentication) {
+      return {
+        response: responses.notAuthenticatedResponse(),
+      };
+    }
+    auditLog.userId = authentication.apiKeyId;
+    auditLog.organizationId = authentication.organizationId;
+    // check if webhook exists
+    const webhook = await getWebhook(params.webhookId);
+    if (!webhook) {
+      return {
+        response: responses.notFoundResponse("Webhook", params.webhookId),
+      };
+    }
+    if (!hasPermission(authentication.environmentPermissions, webhook.environmentId, "DELETE")) {
+      return {
+        response: responses.unauthorizedResponse(),
+      };
+    }
 
-  // check if webhook exists
-  const webhook = await getWebhook(params.webhookId);
-  if (!webhook) {
-    return responses.notFoundResponse("Webhook", params.webhookId);
-  }
-  if (!hasPermission(authentication.environmentPermissions, webhook.environmentId, "DELETE")) {
-    return responses.unauthorizedResponse();
-  }
+    auditLog.oldObject = webhook;
 
-  // delete webhook from database
-  try {
-    const webhook = await deleteWebhook(params.webhookId);
-    return responses.successResponse(webhook);
-  } catch (e) {
-    logger.error({ error: e, url: request.url }, "Error deleting webhook");
-    return responses.notFoundResponse("Webhook", params.webhookId);
-  }
-};
+    // delete webhook from database
+    try {
+      const deletedWebhook = await deleteWebhook(params.webhookId);
+      return {
+        response: responses.successResponse(deletedWebhook),
+      };
+    } catch (e) {
+      auditLog.status = "failure";
+      logger.error({ error: e, url: request.url }, "Error deleting webhook");
+      return {
+        response: responses.notFoundResponse("Webhook", params.webhookId),
+      };
+    }
+  },
+  "deleted",
+  "webhook"
+);

apps/web/app/api/v1/webhooks/route.ts

@@ -3,6 +3,7 @@ import { createWebhook, getWebhooks } from "@/app/api/v1/webhooks/lib/webhook";
 import { ZWebhookInput } from "@/app/api/v1/webhooks/types/webhooks";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { ApiAuditLog, withApiLogging } from "@/app/lib/api/with-api-logging";
 import { hasPermission } from "@/modules/organization/settings/api-keys/lib/utils";
 import { DatabaseError, InvalidInputError } from "@formbricks/types/errors";
 
@@ -25,43 +26,65 @@ export const GET = async (request: Request) => {
   }
 };
 
-export const POST = async (request: Request) => {
-  const authentication = await authenticateRequest(request);
-  if (!authentication) {
-    return responses.notAuthenticatedResponse();
-  }
-  const webhookInput = await request.json();
-  const inputValidation = ZWebhookInput.safeParse(webhookInput);
-
-  if (!inputValidation.success) {
-    return responses.badRequestResponse(
-      "Fields are missing or incorrectly formatted",
-      transformErrorToDetails(inputValidation.error),
-      true
-    );
-  }
-
-  const environmentId = inputValidation.data.environmentId;
-
-  if (!environmentId) {
-    return responses.badRequestResponse("Environment ID is required");
-  }
-
-  if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
-    return responses.unauthorizedResponse();
-  }
-
-  // add webhook to database
-  try {
-    const webhook = await createWebhook(inputValidation.data);
-    return responses.successResponse(webhook);
-  } catch (error) {
-    if (error instanceof InvalidInputError) {
-      return responses.badRequestResponse(error.message);
+export const POST = withApiLogging(
+  async (request: Request, _, auditLog: ApiAuditLog) => {
+    const authentication = await authenticateRequest(request);
+    if (!authentication) {
+      return {
+        response: responses.notAuthenticatedResponse(),
+      };
     }
-    if (error instanceof DatabaseError) {
-      return responses.internalServerErrorResponse(error.message);
+
+    auditLog.organizationId = authentication.organizationId;
+    auditLog.userId = authentication.apiKeyId;
+    const webhookInput = await request.json();
+    const inputValidation = ZWebhookInput.safeParse(webhookInput);
+
+    if (!inputValidation.success) {
+      return {
+        response: responses.badRequestResponse(
+          "Fields are missing or incorrectly formatted",
+          transformErrorToDetails(inputValidation.error),
+          true
+        ),
+      };
     }
-    throw error;
-  }
-};
+
+    const environmentId = inputValidation.data.environmentId;
+    if (!environmentId) {
+      return {
+        response: responses.badRequestResponse("Environment ID is required"),
+      };
+    }
+
+    if (!hasPermission(authentication.environmentPermissions, environmentId, "POST")) {
+      return {
+        response: responses.unauthorizedResponse(),
+      };
+    }
+
+    try {
+      const webhook = await createWebhook(inputValidation.data);
+      auditLog.targetId = webhook.id;
+      auditLog.newObject = webhook;
+
+      return {
+        response: responses.successResponse(webhook),
+      };
+    } catch (error) {
+      if (error instanceof InvalidInputError) {
+        return {
+          response: responses.badRequestResponse(error.message),
+        };
+      }
+      if (error instanceof DatabaseError) {
+        return {
+          response: responses.internalServerErrorResponse(error.message),
+        };
+      }
+      throw error;
+    }
+  },
+  "created",
+  "webhook"
+);

apps/web/app/lib/api/with-api-logging.test.ts

@@ -0,0 +1,277 @@
+import * as Sentry from "@sentry/nextjs";
+import { Mock, beforeEach, describe, expect, test, vi } from "vitest";
+import { logger } from "@formbricks/logger";
+import { responses } from "./response";
+import { ApiAuditLog } from "./with-api-logging";
+
+// Mocks
+// This top-level mock is crucial for the SUT (withApiLogging.ts)
+vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
+  __esModule: true,
+  queueAuditEvent: vi.fn(),
+}));
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: vi.fn(),
+}));
+
+// Define these outside the mock factory so they can be referenced in tests and reset by clearAllMocks.
+const mockContextualLoggerError = vi.fn();
+const mockContextualLoggerWarn = vi.fn();
+const mockContextualLoggerInfo = vi.fn();
+
+vi.mock("@formbricks/logger", () => {
+  const mockWithContextInstance = vi.fn(() => ({
+    error: mockContextualLoggerError,
+    warn: mockContextualLoggerWarn,
+    info: mockContextualLoggerInfo,
+  }));
+  return {
+    logger: {
+      withContext: mockWithContextInstance,
+      // These are for direct calls like logger.error(), logger.warn()
+      error: vi.fn(),
+      warn: vi.fn(),
+      info: vi.fn(),
+    },
+  };
+});
+
+function createMockRequest({ method = "GET", url = "https://api.test/endpoint", headers = new Map() } = {}) {
+  return {
+    method,
+    url,
+    headers: {
+      get: (key: string) => headers.get(key),
+    },
+  } as unknown as Request;
+}
+
+// Minimal valid ApiAuditLog
+const baseAudit: ApiAuditLog = {
+  action: "created",
+  targetType: "survey",
+  userId: "user-1",
+  targetId: "target-1",
+  organizationId: "org-1",
+  status: "failure",
+  userType: "api",
+};
+
+describe("withApiLogging", () => {
+  beforeEach(() => {
+    vi.resetModules(); // Reset SUT and other potentially cached modules
+    // vi.doMock for constants if a specific test needs to override it
+    // The top-level mocks for audit-logs, sentry, logger should be re-applied implicitly
+    // or are already in place due to vi.mock hoisting.
+
+    // Restore the mock for constants to its default for most tests
+    vi.doMock("@/lib/constants", () => ({
+      AUDIT_LOG_ENABLED: true,
+      IS_PRODUCTION: true,
+      SENTRY_DSN: "dsn",
+      ENCRYPTION_KEY: "test-key",
+      REDIS_URL: "redis://localhost:6379",
+    }));
+
+    vi.clearAllMocks(); // Clear call counts etc. for all vi.fn()
+  });
+
+  test("logs and audits on error response", async () => {
+    const { queueAuditEvent: mockedQueueAuditEvent } = (await import(
+      "@/modules/ee/audit-logs/lib/handler"
+    )) as unknown as { queueAuditEvent: Mock };
+    const handler = vi.fn().mockImplementation(async (req, _props, auditLog) => {
+      if (auditLog) {
+        auditLog.action = "created";
+        auditLog.targetType = "survey";
+        auditLog.userId = "user-1";
+        auditLog.targetId = "target-1";
+        auditLog.organizationId = "org-1";
+        auditLog.userType = "api";
+      }
+      return {
+        response: responses.internalServerErrorResponse("fail"),
+      };
+    });
+    const req = createMockRequest({ headers: new Map([["x-request-id", "abc-123"]]) });
+    const { withApiLogging } = await import("./with-api-logging"); // SUT dynamically imported
+    const wrapped = withApiLogging(handler, "created", "survey");
+    await wrapped(req, undefined);
+    expect(logger.withContext).toHaveBeenCalled();
+    expect(mockContextualLoggerError).toHaveBeenCalled();
+    expect(mockContextualLoggerWarn).not.toHaveBeenCalled();
+    expect(mockContextualLoggerInfo).not.toHaveBeenCalled();
+    expect(mockedQueueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        eventId: "abc-123",
+        userType: "api",
+        apiUrl: req.url,
+        action: "created",
+        status: "failure",
+        targetType: "survey",
+        userId: "user-1",
+        targetId: "target-1",
+        organizationId: "org-1",
+      })
+    );
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.any(Error),
+      expect.objectContaining({ extra: expect.objectContaining({ correlationId: "abc-123" }) })
+    );
+  });
+
+  test("does not log Sentry if not 500", async () => {
+    const { queueAuditEvent: mockedQueueAuditEvent } = (await import(
+      "@/modules/ee/audit-logs/lib/handler"
+    )) as unknown as { queueAuditEvent: Mock };
+    const handler = vi.fn().mockImplementation(async (req, _props, auditLog) => {
+      if (auditLog) {
+        auditLog.action = "created";
+        auditLog.targetType = "survey";
+        auditLog.userId = "user-1";
+        auditLog.targetId = "target-1";
+        auditLog.organizationId = "org-1";
+        auditLog.userType = "api";
+      }
+      return {
+        response: responses.badRequestResponse("bad req"),
+      };
+    });
+    const req = createMockRequest();
+    const { withApiLogging } = await import("./with-api-logging");
+    const wrapped = withApiLogging(handler, "created", "survey");
+    await wrapped(req, undefined);
+    expect(Sentry.captureException).not.toHaveBeenCalled();
+    expect(logger.withContext).toHaveBeenCalled();
+    expect(mockContextualLoggerError).toHaveBeenCalled();
+    expect(mockContextualLoggerWarn).not.toHaveBeenCalled();
+    expect(mockContextualLoggerInfo).not.toHaveBeenCalled();
+    expect(mockedQueueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        userType: "api",
+        apiUrl: req.url,
+        action: "created",
+        status: "failure",
+        targetType: "survey",
+        userId: "user-1",
+        targetId: "target-1",
+        organizationId: "org-1",
+      })
+    );
+  });
+
+  test("logs and audits on thrown error", async () => {
+    const { queueAuditEvent: mockedQueueAuditEvent } = (await import(
+      "@/modules/ee/audit-logs/lib/handler"
+    )) as unknown as { queueAuditEvent: Mock };
+    const handler = vi.fn().mockImplementation(async (req, _props, auditLog) => {
+      if (auditLog) {
+        auditLog.action = "created";
+        auditLog.targetType = "survey";
+        auditLog.userId = "user-1";
+        auditLog.targetId = "target-1";
+        auditLog.organizationId = "org-1";
+        auditLog.userType = "api";
+      }
+      throw new Error("fail!");
+    });
+    const req = createMockRequest({ headers: new Map([["x-request-id", "err-1"]]) });
+    const { withApiLogging } = await import("./with-api-logging");
+    const wrapped = withApiLogging(handler, "created", "survey");
+    const res = await wrapped(req, undefined);
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body).toEqual({
+      code: "internal_server_error",
+      message: "An unexpected error occurred.",
+      details: {},
+    });
+    expect(logger.withContext).toHaveBeenCalled();
+    expect(mockContextualLoggerError).toHaveBeenCalled();
+    expect(mockContextualLoggerWarn).not.toHaveBeenCalled();
+    expect(mockContextualLoggerInfo).not.toHaveBeenCalled();
+    expect(mockedQueueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        eventId: "err-1",
+        userType: "api",
+        apiUrl: req.url,
+        action: "created",
+        status: "failure",
+        targetType: "survey",
+        userId: "user-1",
+        targetId: "target-1",
+        organizationId: "org-1",
+      })
+    );
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.any(Error),
+      expect.objectContaining({ extra: expect.objectContaining({ correlationId: "err-1" }) })
+    );
+  });
+
+  test("does not log/audit on success response", async () => {
+    const { queueAuditEvent: mockedQueueAuditEvent } = (await import(
+      "@/modules/ee/audit-logs/lib/handler"
+    )) as unknown as { queueAuditEvent: Mock };
+    const handler = vi.fn().mockImplementation(async (req, _props, auditLog) => {
+      if (auditLog) {
+        auditLog.action = "created";
+        auditLog.targetType = "survey";
+        auditLog.userId = "user-1";
+        auditLog.targetId = "target-1";
+        auditLog.organizationId = "org-1";
+        auditLog.userType = "api";
+      }
+      return {
+        response: responses.successResponse({ ok: true }),
+      };
+    });
+    const req = createMockRequest();
+    const { withApiLogging } = await import("./with-api-logging");
+    const wrapped = withApiLogging(handler, "created", "survey");
+    await wrapped(req, undefined);
+    expect(logger.withContext).not.toHaveBeenCalled();
+    expect(mockContextualLoggerError).not.toHaveBeenCalled();
+    expect(mockContextualLoggerWarn).not.toHaveBeenCalled();
+    expect(mockContextualLoggerInfo).not.toHaveBeenCalled();
+    expect(mockedQueueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        userType: "api",
+        apiUrl: req.url,
+        action: "created",
+        status: "success",
+        targetType: "survey",
+        userId: "user-1",
+        targetId: "target-1",
+        organizationId: "org-1",
+      })
+    );
+    expect(Sentry.captureException).not.toHaveBeenCalled();
+  });
+
+  test("does not call audit if AUDIT_LOG_ENABLED is false", async () => {
+    // For this specific test, we override the AUDIT_LOG_ENABLED constant
+    vi.doMock("@/lib/constants", () => ({
+      AUDIT_LOG_ENABLED: false,
+      IS_PRODUCTION: true,
+      SENTRY_DSN: "dsn",
+      ENCRYPTION_KEY: "test-key",
+      REDIS_URL: "redis://localhost:6379",
+    }));
+
+    const { queueAuditEvent: mockedQueueAuditEvent } = (await import(
+      "@/modules/ee/audit-logs/lib/handler"
+    )) as unknown as { queueAuditEvent: Mock };
+    const { withApiLogging } = await import("./with-api-logging");
+
+    const handler = vi.fn().mockResolvedValue({
+      response: responses.internalServerErrorResponse("fail"),
+      audit: { ...baseAudit },
+    });
+    const req = createMockRequest();
+    const wrapped = withApiLogging(handler, "created", "survey");
+    await wrapped(req, undefined);
+    expect(mockedQueueAuditEvent).not.toHaveBeenCalled();
+  });
+});

apps/web/app/lib/api/with-api-logging.ts

@@ -0,0 +1,103 @@
+import { responses } from "@/app/lib/api/response";
+import { AUDIT_LOG_ENABLED, IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
+import { queueAuditEvent } from "@/modules/ee/audit-logs/lib/handler";
+import { TAuditAction, TAuditTarget, UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
+import * as Sentry from "@sentry/nextjs";
+import { logger } from "@formbricks/logger";
+
+export type ApiAuditLog = Parameters<typeof queueAuditEvent>[0];
+
+/**
+ * withApiLogging wraps an V1 API handler to provide unified error/audit/system logging.
+ * - Handler must return { response }.
+ * - If not a successResponse, calls audit log, system log, and Sentry as needed.
+ * - System and Sentry logs are always called for non-success responses.
+ */
+export const withApiLogging = <TResult extends { response: Response }>(
+  handler: (req: Request, props?: any, auditLog?: ApiAuditLog) => Promise<TResult>,
+  action: TAuditAction,
+  targetType: TAuditTarget
+) => {
+  return async function (req: Request, props: any): Promise<Response> {
+    const auditLog = buildAuditLogBaseObject(action, targetType, req.url);
+
+    let result: { response: Response };
+    let error: any = undefined;
+    try {
+      result = await handler(req, props, auditLog);
+    } catch (err) {
+      error = err;
+      result = {
+        response: responses.internalServerErrorResponse("An unexpected error occurred."),
+      };
+    }
+
+    const res = result.response;
+    // Try to parse the response as JSON to check if it's a success or error
+    let isSuccess = false;
+    let parsed: any = undefined;
+    try {
+      parsed = await res.clone().json();
+      isSuccess = parsed && typeof parsed === "object" && "data" in parsed;
+    } catch {
+      isSuccess = false;
+    }
+
+    const correlationId = req.headers.get("x-request-id") ?? "";
+
+    if (!isSuccess) {
+      if (auditLog) {
+        auditLog.eventId = correlationId;
+      }
+
+      // System log
+      const logContext: any = {
+        correlationId,
+        method: req.method,
+        path: req.url,
+        status: res.status,
+      };
+      if (error) {
+        logContext.error = error;
+      }
+      logger.withContext(logContext).error("API Error Details");
+      // Sentry log
+      if (SENTRY_DSN && IS_PRODUCTION && res.status === 500) {
+        const err = new Error(`API V1 error, id: ${correlationId}`);
+        Sentry.captureException(err, {
+          extra: {
+            error,
+            correlationId,
+          },
+        });
+      }
+    } else {
+      auditLog.status = "success";
+    }
+
+    if (AUDIT_LOG_ENABLED && auditLog) {
+      queueAuditEvent(auditLog);
+    }
+
+    return res;
+  };
+};
+
+export const buildAuditLogBaseObject = (
+  action: TAuditAction,
+  targetType: TAuditTarget,
+  apiUrl: string
+): ApiAuditLog => {
+  return {
+    action,
+    targetType,
+    userId: UNKNOWN_DATA,
+    targetId: UNKNOWN_DATA,
+    organizationId: UNKNOWN_DATA,
+    status: "failure",
+    oldObject: undefined,
+    newObject: undefined,
+    userType: "api",
+    apiUrl,
+  };
+};

apps/web/app/lib/survey-builder.test.ts

@@ -41,7 +41,7 @@ describe("Survey Builder", () => {
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
         shuffleOption: "none",
-        required: true,
+        required: false,
       });
       expect(question.choices.length).toBe(3);
       expect(question.id).toBeDefined();
@@ -141,7 +141,7 @@ describe("Survey Builder", () => {
         inputType: "text",
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
-        required: true,
+        required: false,
         charLimit: {
           enabled: false,
         },
@@ -204,7 +204,7 @@ describe("Survey Builder", () => {
         range: 5,
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
-        required: true,
+        required: false,
         isColorCodingEnabled: false,
       });
       expect(question.id).toBeDefined();
@@ -265,7 +265,7 @@ describe("Survey Builder", () => {
         headline: { default: "NPS Question" },
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
-        required: true,
+        required: false,
         isColorCodingEnabled: false,
       });
       expect(question.id).toBeDefined();
@@ -324,7 +324,7 @@ describe("Survey Builder", () => {
         label: { default: "I agree to terms" },
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
-        required: true,
+        required: false,
       });
       expect(question.id).toBeDefined();
     });
@@ -377,7 +377,7 @@ describe("Survey Builder", () => {
         headline: { default: "CTA Question" },
         buttonLabel: { default: "common.next" },
         backButtonLabel: { default: "common.back" },
-        required: true,
+        required: false,
         buttonExternal: false,
       });
       expect(question.id).toBeDefined();

apps/web/app/lib/survey-builder.ts

@@ -66,7 +66,7 @@ export const buildMultipleChoiceQuestion = ({
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
     shuffleOption: shuffleOption || "none",
-    required: required ?? true,
+    required: required ?? false,
     logic,
   };
 };
@@ -105,7 +105,7 @@ export const buildOpenTextQuestion = ({
     headline: createI18nString(headline, []),
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
-    required: required ?? true,
+    required: required ?? false,
     longAnswer,
     logic,
     charLimit: {
@@ -153,7 +153,7 @@ export const buildRatingQuestion = ({
     range,
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
-    required: required ?? true,
+    required: required ?? false,
     isColorCodingEnabled,
     lowerLabel: lowerLabel ? createI18nString(lowerLabel, []) : undefined,
     upperLabel: upperLabel ? createI18nString(upperLabel, []) : undefined,
@@ -194,7 +194,7 @@ export const buildNPSQuestion = ({
     headline: createI18nString(headline, []),
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
-    required: required ?? true,
+    required: required ?? false,
     isColorCodingEnabled,
     lowerLabel: lowerLabel ? createI18nString(lowerLabel, []) : undefined,
     upperLabel: upperLabel ? createI18nString(upperLabel, []) : undefined,
@@ -230,7 +230,7 @@ export const buildConsentQuestion = ({
     headline: createI18nString(headline, []),
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
-    required: required ?? true,
+    required: required ?? false,
     label: createI18nString(label, []),
     logic,
   };
@@ -269,7 +269,7 @@ export const buildCTAQuestion = ({
     buttonLabel: createI18nString(buttonLabel || t(defaultButtonLabel), []),
     backButtonLabel: createI18nString(backButtonLabel || t(defaultBackButtonLabel), []),
     dismissButtonLabel: dismissButtonLabel ? createI18nString(dismissButtonLabel, []) : undefined,
-    required: required ?? true,
+    required: required ?? false,
     buttonExternal,
     buttonUrl,
     logic,
@@ -309,7 +309,7 @@ export const createJumpLogic = (
 // Helper function to create jump logic based on choice selection
 export const createChoiceJumpLogic = (
   sourceQuestionId: string,
-  choiceId: string,
+  choiceId: string | number,
   targetId: string
 ): TSurveyLogic => ({
   id: createId(),

apps/web/app/lib/templates.ts

@@ -1210,6 +1210,7 @@ const feedbackBox = (t: TFnType): TTemplate => {
             t("templates.feedback_box_question_1_choice_1"),
             t("templates.feedback_box_question_1_choice_2"),
           ],
+          choiceIds: [reusableOptionIds[0], reusableOptionIds[1]],
           headline: t("templates.feedback_box_question_1_headline"),
           required: true,
           subheader: t("templates.feedback_box_question_1_subheader"),
@@ -2054,7 +2055,7 @@ const professionalDevelopmentSurvey = (t: TFnType): TTemplate => {
           shuffleOption: "none",
           choices: [
             t("templates.professional_development_survey_question_1_choice_1"),
-            t("templates.professional_development_survey_question_1_choice_1"),
+            t("templates.professional_development_survey_question_1_choice_2"),
           ],
           t,
         }),
@@ -2381,6 +2382,7 @@ const measureTaskAccomplishment = (t: TFnType): TTemplate => {
             t("templates.measure_task_accomplishment_question_1_option_2_label"),
             t("templates.measure_task_accomplishment_question_1_option_3_label"),
           ],
+          choiceIds: [reusableOptionIds[0], reusableOptionIds[1], reusableOptionIds[2]],
           headline: t("templates.measure_task_accomplishment_question_1_headline"),
           required: true,
           t,
@@ -2739,10 +2741,10 @@ const understandPurchaseIntention = (t: TFnType): TTemplate => {
         buildRatingQuestion({
           id: reusableQuestionIds[0],
           logic: [
-            createChoiceJumpLogic(reusableQuestionIds[0], "2", reusableQuestionIds[1]),
-            createChoiceJumpLogic(reusableQuestionIds[0], "3", reusableQuestionIds[2]),
-            createChoiceJumpLogic(reusableQuestionIds[0], "4", reusableQuestionIds[2]),
-            createChoiceJumpLogic(reusableQuestionIds[0], "5", localSurvey.endings[0].id),
+            createChoiceJumpLogic(reusableQuestionIds[0], 2, reusableQuestionIds[1]),
+            createChoiceJumpLogic(reusableQuestionIds[0], 3, reusableQuestionIds[2]),
+            createChoiceJumpLogic(reusableQuestionIds[0], 4, reusableQuestionIds[2]),
+            createChoiceJumpLogic(reusableQuestionIds[0], 5, localSurvey.endings[0].id),
           ],
           range: 5,
           scale: "number",
@@ -2795,7 +2797,7 @@ const improveNewsletterContent = (t: TFnType): TTemplate => {
         buildRatingQuestion({
           id: reusableQuestionIds[0],
           logic: [
-            createChoiceJumpLogic(reusableQuestionIds[0], "5", reusableQuestionIds[2]),
+            createChoiceJumpLogic(reusableQuestionIds[0], 5, reusableQuestionIds[2]),
             {
               id: createId(),
               conditions: {
@@ -2895,8 +2897,8 @@ const evaluateAProductIdea = (t: TFnType): TTemplate => {
         buildRatingQuestion({
           id: reusableQuestionIds[1],
           logic: [
-            createChoiceJumpLogic(reusableQuestionIds[1], "3", reusableQuestionIds[2]),
-            createChoiceJumpLogic(reusableQuestionIds[1], "4", reusableQuestionIds[3]),
+            createChoiceJumpLogic(reusableQuestionIds[1], 3, reusableQuestionIds[2]),
+            createChoiceJumpLogic(reusableQuestionIds[1], 4, reusableQuestionIds[3]),
           ],
           range: 5,
           scale: "number",
@@ -2928,8 +2930,8 @@ const evaluateAProductIdea = (t: TFnType): TTemplate => {
         buildRatingQuestion({
           id: reusableQuestionIds[4],
           logic: [
-            createChoiceJumpLogic(reusableQuestionIds[4], "3", reusableQuestionIds[5]),
-            createChoiceJumpLogic(reusableQuestionIds[4], "4", reusableQuestionIds[6]),
+            createChoiceJumpLogic(reusableQuestionIds[4], 3, reusableQuestionIds[5]),
+            createChoiceJumpLogic(reusableQuestionIds[4], 4, reusableQuestionIds[6]),
           ],
           range: 5,
           scale: "number",
@@ -3004,6 +3006,7 @@ const understandLowEngagement = (t: TFnType): TTemplate => {
             t("templates.understand_low_engagement_question_1_choice_4"),
             t("templates.understand_low_engagement_question_1_choice_5"),
           ],
+          choiceIds: [reusableOptionIds[0], reusableOptionIds[1], reusableOptionIds[2], reusableOptionIds[3]],
           headline: t("templates.understand_low_engagement_question_1_headline"),
           required: true,
           containsOther: true,

apps/web/app/middleware/domain-utils.test.ts

@@ -0,0 +1,85 @@
+import { NextRequest } from "next/server";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { getPublicDomainHost, isPublicDomainConfigured, isRequestFromPublicDomain } from "./domain-utils";
+
+// Mock the env module
+vi.mock("@/lib/env", () => ({
+  env: {
+    get PUBLIC_URL() {
+      return process.env.PUBLIC_URL || "";
+    },
+  },
+}));
+
+describe("Domain Utils", () => {
+  beforeEach(() => {
+    process.env.PUBLIC_URL = "";
+  });
+
+  describe("getPublicDomain", () => {
+    test("should return null when PUBLIC_URL is empty", () => {
+      expect(getPublicDomainHost()).toBeNull();
+    });
+
+    test("should return the host from a valid PUBLIC_URL", () => {
+      process.env.PUBLIC_URL = "https://example.com";
+      expect(getPublicDomainHost()).toBe("example.com");
+    });
+
+    test("should handle URLs with paths", () => {
+      process.env.PUBLIC_URL = "https://example.com/path";
+      expect(getPublicDomainHost()).toBe("example.com");
+    });
+
+    test("should handle URLs with ports", () => {
+      process.env.PUBLIC_URL = "https://example.com:3000";
+      expect(getPublicDomainHost()).toBe("example.com:3000");
+    });
+  });
+
+  describe("isPublicDomainConfigured", () => {
+    test("should return false when PUBLIC_URL is empty", () => {
+      process.env.PUBLIC_URL = "";
+      expect(isPublicDomainConfigured()).toBe(false);
+    });
+
+    test("should return true when PUBLIC_URL is valid", () => {
+      process.env.PUBLIC_URL = "https://example.com";
+      expect(isPublicDomainConfigured()).toBe(true);
+    });
+  });
+
+  describe("isRequestFromPublicDomain", () => {
+    test("should return false when public domain is not configured", () => {
+      process.env.PUBLIC_URL = "";
+      const request = new NextRequest("https://example.com");
+      expect(isRequestFromPublicDomain(request)).toBe(false);
+    });
+
+    test("should return false when host doesn't match public domain", () => {
+      process.env.PUBLIC_URL = "https://example.com";
+      const request = new NextRequest("https://different-domain.com");
+      expect(isRequestFromPublicDomain(request)).toBe(false);
+    });
+
+    test("should return true when host matches public domain", () => {
+      process.env.PUBLIC_URL = "https://example.com";
+      const request = new NextRequest("https://example.com", {
+        headers: {
+          host: "example.com",
+        },
+      });
+      expect(isRequestFromPublicDomain(request)).toBe(true);
+    });
+
+    test("should handle domains with ports", () => {
+      process.env.PUBLIC_URL = "https://example.com:3000";
+      const request = new NextRequest("https://example.com:3000", {
+        headers: {
+          host: "example.com:3000",
+        },
+      });
+      expect(isRequestFromPublicDomain(request)).toBe(true);
+    });
+  });
+});

apps/web/app/middleware/domain-utils.ts

@@ -0,0 +1,31 @@
+import { env } from "@/lib/env";
+import { NextRequest } from "next/server";
+
+/**
+ * Get the public domain from PUBLIC_URL environment variable
+ */
+export const getPublicDomainHost = (): string | null => {
+  const PUBLIC_URL = env.PUBLIC_URL;
+  if (!PUBLIC_URL) return null;
+
+  return new URL(PUBLIC_URL).host;
+};
+
+/**
+ * Check if PUBLIC_URL is configured (has a valid public domain)
+ */
+export const isPublicDomainConfigured = (): boolean => {
+  return getPublicDomainHost() !== null;
+};
+
+/**
+ * Check if the current request is coming from the public domain
+ */
+export const isRequestFromPublicDomain = (request: NextRequest): boolean => {
+  const host = request.headers.get("host");
+  const publicDomainHost = getPublicDomainHost();
+
+  if (!publicDomainHost) return false;
+
+  return host === publicDomainHost;
+};

apps/web/app/middleware/endpoint-validator.test.ts

@@ -1,10 +1,13 @@
 import { describe, expect, test } from "vitest";
 import {
+  isAdminDomainRoute,
   isAuthProtectedRoute,
   isClientSideApiRoute,
   isForgotPasswordRoute,
   isLoginRoute,
   isManagementApiRoute,
+  isPublicDomainRoute,
+  isRouteAllowedForDomain,
   isShareUrlRoute,
   isSignupRoute,
   isSyncWithUserIdentificationEndpoint,
@@ -69,6 +72,9 @@ describe("endpoint-validator", () => {
       expect(isClientSideApiRoute("/api/v1/management/something")).toBe(false);
       expect(isClientSideApiRoute("/api/something")).toBe(false);
       expect(isClientSideApiRoute("/auth/login")).toBe(false);
+
+      // exception for open graph image generation route, it should not be rate limited
+      expect(isClientSideApiRoute("/api/v1/client/og")).toBe(false);
     });
   });
 
@@ -136,4 +142,138 @@ describe("endpoint-validator", () => {
       expect(isSyncWithUserIdentificationEndpoint("/api/something")).toBe(false);
     });
   });
+
+  describe("isPublicDomainRoute", () => {
+    test("should return true for health endpoint", () => {
+      expect(isPublicDomainRoute("/health")).toBe(true);
+    });
+
+    // Static assets are not handled by domain routing - middleware doesn't run on them
+
+    test("should return true for survey routes", () => {
+      expect(isPublicDomainRoute("/s/survey123")).toBe(true);
+      expect(isPublicDomainRoute("/s/survey-id-with-dashes")).toBe(true);
+    });
+
+    test("should return true for contact survey routes", () => {
+      expect(isPublicDomainRoute("/c/jwt-token")).toBe(true);
+      expect(isPublicDomainRoute("/c/very-long-jwt-token-123")).toBe(true);
+    });
+
+    test("should return true for client API routes", () => {
+      expect(isPublicDomainRoute("/api/v1/client/something")).toBe(true);
+      expect(isPublicDomainRoute("/api/v2/client/other")).toBe(true);
+    });
+
+    test("should return true for share routes", () => {
+      expect(isPublicDomainRoute("/share/abc123/summary")).toBe(true);
+      expect(isPublicDomainRoute("/share/xyz789/responses")).toBe(true);
+      expect(isPublicDomainRoute("/share/anything")).toBe(true);
+    });
+
+    test("should return false for admin-only routes", () => {
+      expect(isPublicDomainRoute("/")).toBe(false);
+      expect(isPublicDomainRoute("/environments/123")).toBe(false);
+      expect(isPublicDomainRoute("/auth/login")).toBe(false);
+      expect(isPublicDomainRoute("/setup/organization")).toBe(false);
+      expect(isPublicDomainRoute("/organizations/123")).toBe(false);
+      expect(isPublicDomainRoute("/product/settings")).toBe(false);
+      expect(isPublicDomainRoute("/api/v1/management/users")).toBe(false);
+      expect(isPublicDomainRoute("/api/v2/management/surveys")).toBe(false);
+    });
+  });
+
+  describe("isAdminDomainRoute", () => {
+    test("should return true for health endpoint (backward compatibility)", () => {
+      expect(isAdminDomainRoute("/health")).toBe(true);
+      expect(isAdminDomainRoute("/health")).toBe(true);
+    });
+
+    // Static assets are not handled by domain routing - middleware doesn't run on them
+
+    test("should return true for admin routes", () => {
+      expect(isAdminDomainRoute("/")).toBe(true);
+      expect(isAdminDomainRoute("/environments/123")).toBe(true);
+      expect(isAdminDomainRoute("/environments/123/surveys")).toBe(true);
+      expect(isAdminDomainRoute("/auth/login")).toBe(true);
+      expect(isAdminDomainRoute("/auth/signup")).toBe(true);
+      expect(isAdminDomainRoute("/setup/organization")).toBe(true);
+      expect(isAdminDomainRoute("/setup/team")).toBe(true);
+      expect(isAdminDomainRoute("/organizations/123")).toBe(true);
+      expect(isAdminDomainRoute("/organizations/123/settings")).toBe(true);
+      expect(isAdminDomainRoute("/product/settings")).toBe(true);
+      expect(isAdminDomainRoute("/product/features")).toBe(true);
+      expect(isAdminDomainRoute("/api/v1/management/users")).toBe(true);
+      expect(isAdminDomainRoute("/api/v2/management/surveys")).toBe(true);
+      expect(isAdminDomainRoute("/pipeline/jobs")).toBe(true);
+      expect(isAdminDomainRoute("/cron/tasks")).toBe(true);
+      expect(isAdminDomainRoute("/random/route")).toBe(true);
+      expect(isAdminDomainRoute("/s/survey123")).toBe(false);
+      expect(isAdminDomainRoute("/c/jwt-token")).toBe(false);
+      expect(isAdminDomainRoute("/api/v1/client/test")).toBe(false);
+    });
+  });
+
+  describe("isRouteAllowedForDomain", () => {
+    test("should allow public routes on public domain", () => {
+      expect(isRouteAllowedForDomain("/s/survey123", true)).toBe(true);
+      expect(isRouteAllowedForDomain("/c/jwt-token", true)).toBe(true);
+      expect(isRouteAllowedForDomain("/api/v1/client/test", true)).toBe(true);
+      expect(isRouteAllowedForDomain("/share/abc/summary", true)).toBe(true);
+      expect(isRouteAllowedForDomain("/health", true)).toBe(true);
+      // Static assets not tested - middleware doesn't run on them
+    });
+
+    test("should block admin routes on public domain", () => {
+      expect(isRouteAllowedForDomain("/", true)).toBe(false);
+      expect(isRouteAllowedForDomain("/environments/123", true)).toBe(false);
+      expect(isRouteAllowedForDomain("/auth/login", true)).toBe(false);
+      expect(isRouteAllowedForDomain("/api/v1/management/users", true)).toBe(false);
+    });
+
+    test("should block public routes on admin domain when PUBLIC_URL is configured", () => {
+      // Admin routes should be allowed
+      expect(isRouteAllowedForDomain("/", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/environments/123", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/auth/login", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/api/v1/management/users", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/health", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/pipeline/jobs", false)).toBe(true);
+      expect(isRouteAllowedForDomain("/cron/tasks", false)).toBe(true);
+
+      // Public routes should be blocked on admin domain
+      expect(isRouteAllowedForDomain("/s/survey123", false)).toBe(false);
+      expect(isRouteAllowedForDomain("/c/jwt-token", false)).toBe(false);
+      expect(isRouteAllowedForDomain("/api/v1/client/test", false)).toBe(false);
+      expect(isRouteAllowedForDomain("/share/abc/summary", false)).toBe(false);
+    });
+  });
+
+  describe("edge cases", () => {
+    test("should handle empty paths", () => {
+      expect(isPublicDomainRoute("")).toBe(false);
+      expect(isAdminDomainRoute("")).toBe(true);
+      expect(isAdminDomainRoute("")).toBe(true);
+    });
+
+    test("should handle paths with query parameters", () => {
+      expect(isPublicDomainRoute("/s/survey123?param=value")).toBe(true);
+      expect(isPublicDomainRoute("/environments/123?tab=settings")).toBe(false);
+    });
+
+    test("should handle paths with fragments", () => {
+      expect(isPublicDomainRoute("/s/survey123#section")).toBe(true);
+      expect(isPublicDomainRoute("/environments/123#overview")).toBe(false);
+    });
+
+    test("should handle nested survey routes", () => {
+      expect(isPublicDomainRoute("/s/survey123/preview")).toBe(true);
+      expect(isPublicDomainRoute("/s/survey123/embed")).toBe(true);
+    });
+
+    test("should handle nested client API routes", () => {
+      expect(isPublicDomainRoute("/api/v1/client/env123/actions")).toBe(true);
+      expect(isPublicDomainRoute("/api/v2/client/env456/responses")).toBe(true);
+    });
+  });
 });

apps/web/app/middleware/endpoint-validator.ts

@@ -1,3 +1,9 @@
+import {
+  getAllPubliclyAccessibleRoutePatterns,
+  getPublicDomainRoutePatterns,
+  matchesAnyPattern,
+} from "./route-config";
+
 export const isLoginRoute = (url: string) =>
   url === "/api/auth/callback/credentials" || url === "/auth/login";
 
@@ -8,6 +14,9 @@ export const isVerifyEmailRoute = (url: string) => url === "/auth/verify-email";
 export const isForgotPasswordRoute = (url: string) => url === "/auth/forgot-password";
 
 export const isClientSideApiRoute = (url: string): boolean => {
+  // Open Graph image generation route is a client side API route but it should not be rate limited
+  if (url.includes("/api/v1/client/og")) return false;
+
   if (url.includes("/api/v1/js/actions")) return true;
   if (url.includes("/api/v1/client/storage")) return true;
   const regex = /^\/api\/v\d+\/client\//;
@@ -38,3 +47,39 @@ export const isSyncWithUserIdentificationEndpoint = (
   const match = url.match(regex);
   return match ? { environmentId: match.groups!.environmentId, userId: match.groups!.userId } : false;
 };
+
+/**
+ * Check if the route should be accessible on the public domain (PUBLIC_URL)
+ * Uses whitelist approach - only explicitly allowed routes are accessible
+ */
+export const isPublicDomainRoute = (url: string): boolean => {
+  const publicRoutePatterns = getAllPubliclyAccessibleRoutePatterns();
+  return matchesAnyPattern(url, publicRoutePatterns);
+};
+
+/**
+ * Check if the route should be accessible on the admin domain (WEBAPP_URL)
+ * When PUBLIC_URL is configured, admin domain should only allow admin-specific routes + health
+ */
+export const isAdminDomainRoute = (url: string): boolean => {
+  const publicOnlyRoutePatterns = getPublicDomainRoutePatterns();
+  const isPublicRoute = matchesAnyPattern(url, publicOnlyRoutePatterns);
+
+  if (isPublicRoute) {
+    return false;
+  }
+
+  // For non-public routes, allow them (includes known admin routes and unknown routes like pipeline, cron)
+  return true;
+};
+
+/**
+ * Determine if a request should be allowed based on domain and route
+ */
+export const isRouteAllowedForDomain = (url: string, isPublicDomain: boolean): boolean => {
+  if (isPublicDomain) {
+    return isPublicDomainRoute(url);
+  }
+
+  return isAdminDomainRoute(url);
+};

apps/web/app/middleware/route-config.ts

@@ -0,0 +1,54 @@
+/**
+ * Routes that should be accessible on the public domain (PUBLIC_URL)
+ * Uses whitelist approach - only these routes are allowed on public domain
+ */
+const PUBLIC_ROUTES = {
+  // Survey routes
+  SURVEY_ROUTES: [
+    /^\/s\/[^/]+/, // /s/[surveyId] - survey pages
+    /^\/c\/[^/]+/, // /c/[jwt] - contact survey pages
+  ],
+
+  // API routes accessible from public domain
+  API_ROUTES: [
+    /^\/api\/v[12]\/client\//, // /api/v1/client/** and /api/v2/client/**
+  ],
+
+  // Share routes
+  SHARE_ROUTES: [
+    /^\/share\//, // /share/** - shared survey results
+  ],
+} as const;
+
+const COMMON_ROUTES = {
+  HEALTH_ROUTES: [/^\/health$/], // /health endpoint
+  PUBLIC_STORAGE_ROUTES: [
+    /^\/storage\/[^/]+\/public\//, // /storage/[environmentId]/public/** - public storage
+  ],
+} as const;
+
+/**
+ * Get public only route patterns as a flat array
+ */
+export const getPublicDomainRoutePatterns = (): RegExp[] => {
+  return Object.values(PUBLIC_ROUTES).flat();
+};
+
+/**
+ * Get all public route patterns as a flat array
+ */
+export const getAllPubliclyAccessibleRoutePatterns = (): RegExp[] => {
+  const routes = {
+    ...PUBLIC_ROUTES,
+    ...COMMON_ROUTES,
+  };
+
+  return Object.values(routes).flat();
+};
+
+/**
+ * Check if a URL matches any of the given route patterns
+ */
+export const matchesAnyPattern = (url: string, patterns: RegExp[]): boolean => {
+  return patterns.some((pattern) => pattern.test(url));
+};

apps/web/app/page.test.tsx

@@ -3,12 +3,12 @@ import { cleanup } from "@testing-library/react";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 import { TMembership } from "@formbricks/types/memberships";
 import { TOrganization } from "@formbricks/types/organizations";
+import { TProject } from "@formbricks/types/project";
 import { TUser } from "@formbricks/types/user";
 import Page from "./page";
 
-// Mock dependencies
-vi.mock("@/lib/environment/service", () => ({
-  getFirstEnvironmentIdByUserId: vi.fn(),
+vi.mock("@/lib/project/service", () => ({
+  getProjectEnvironmentsByOrganizationIds: vi.fn(),
 }));
 
 vi.mock("@/lib/instance/service", () => ({
@@ -48,8 +48,11 @@ vi.mock("@/modules/ui/components/client-logout", () => ({
 }));
 
 vi.mock("@/app/ClientEnvironmentRedirect", () => ({
-  default: ({ environmentId }: { environmentId: string }) => (
-    <div data-testid="client-environment-redirect">Environment ID: {environmentId}</div>
+  default: ({ environmentId, userEnvironments }: { environmentId: string; userEnvironments?: string[] }) => (
+    <div data-testid="client-environment-redirect">
+      Environment ID: {environmentId}
+      {userEnvironments && ` | User Environments: ${userEnvironments.join(", ")}`}
+    </div>
   ),
 }));
 
@@ -149,7 +152,7 @@ describe("Page", () => {
     const { getIsFreshInstance } = await import("@/lib/instance/service");
     const { getUser } = await import("@/lib/user/service");
     const { getOrganizationsByUserId } = await import("@/lib/organization/service");
-    const { getFirstEnvironmentIdByUserId } = await import("@/lib/environment/service");
+    const { getProjectEnvironmentsByOrganizationIds } = await import("@/lib/project/service");
     const { getMembershipByUserIdOrganizationId } = await import("@/lib/membership/service");
     const { getAccessFlags } = await import("@/lib/membership/utils");
     const { redirect } = await import("next/navigation");
@@ -204,13 +207,23 @@ describe("Page", () => {
       role: "owner",
     };
 
+    const mockUserProjects = [
+      {
+        id: "test-project-id",
+        name: "Test Project",
+        environments: [],
+      },
+    ];
+
     vi.mocked(getServerSession).mockResolvedValue({
       user: { id: "test-user-id" },
     } as any);
     vi.mocked(getIsFreshInstance).mockResolvedValue(false);
     vi.mocked(getUser).mockResolvedValue(mockUser);
+    vi.mocked(getProjectEnvironmentsByOrganizationIds).mockResolvedValue(
+      mockUserProjects as unknown as TProject[]
+    );
     vi.mocked(getOrganizationsByUserId).mockResolvedValue([mockOrganization]);
-    vi.mocked(getFirstEnvironmentIdByUserId).mockResolvedValue(null);
     vi.mocked(getMembershipByUserIdOrganizationId).mockResolvedValue(mockMembership);
     vi.mocked(getAccessFlags).mockReturnValue({
       isManager: false,
@@ -228,8 +241,8 @@ describe("Page", () => {
     const { getServerSession } = await import("next-auth");
     const { getIsFreshInstance } = await import("@/lib/instance/service");
     const { getUser } = await import("@/lib/user/service");
+    const { getProjectEnvironmentsByOrganizationIds } = await import("@/lib/project/service");
     const { getOrganizationsByUserId } = await import("@/lib/organization/service");
-    const { getFirstEnvironmentIdByUserId } = await import("@/lib/environment/service");
     const { getMembershipByUserIdOrganizationId } = await import("@/lib/membership/service");
     const { getAccessFlags } = await import("@/lib/membership/utils");
     const { redirect } = await import("next/navigation");
@@ -284,13 +297,23 @@ describe("Page", () => {
       role: "member",
     };
 
+    const mockUserProjects = [
+      {
+        id: "test-project-id",
+        name: "Test Project",
+        environments: [],
+      },
+    ];
+
     vi.mocked(getServerSession).mockResolvedValue({
       user: { id: "test-user-id" },
     } as any);
     vi.mocked(getIsFreshInstance).mockResolvedValue(false);
     vi.mocked(getUser).mockResolvedValue(mockUser);
+    vi.mocked(getProjectEnvironmentsByOrganizationIds).mockResolvedValue(
+      mockUserProjects as unknown as TProject[]
+    );
     vi.mocked(getOrganizationsByUserId).mockResolvedValue([mockOrganization]);
-    vi.mocked(getFirstEnvironmentIdByUserId).mockResolvedValue(null);
     vi.mocked(getMembershipByUserIdOrganizationId).mockResolvedValue(mockMembership);
     vi.mocked(getAccessFlags).mockReturnValue({
       isManager: false,
@@ -309,9 +332,9 @@ describe("Page", () => {
     const { getIsFreshInstance } = await import("@/lib/instance/service");
     const { getUser } = await import("@/lib/user/service");
     const { getOrganizationsByUserId } = await import("@/lib/organization/service");
-    const { getFirstEnvironmentIdByUserId } = await import("@/lib/environment/service");
     const { getMembershipByUserIdOrganizationId } = await import("@/lib/membership/service");
     const { getAccessFlags } = await import("@/lib/membership/utils");
+    const { getProjectEnvironmentsByOrganizationIds } = await import("@/lib/project/service");
     const { render } = await import("@testing-library/react");
 
     const mockUser: TUser = {
@@ -364,7 +387,43 @@ describe("Page", () => {
       role: "member",
     };
 
-    const mockEnvironmentId = "test-env-id";
+    const mockUserProjects = [
+      {
+        id: "project-1",
+        name: "Test Project",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        organizationId: "test-org-id",
+        styling: { allowStyleOverwrite: true },
+        recontactDays: 0,
+        inAppSurveyBranding: false,
+        linkSurveyBranding: false,
+        config: { channel: "link" as const, industry: "saas" as const },
+        placement: "bottomRight" as const,
+        clickOutsideClose: false,
+        darkOverlay: false,
+        languages: [],
+        logo: null,
+        environments: [
+          {
+            id: "test-env-id",
+            type: "production" as const,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+            projectId: "project-1",
+            appSetupCompleted: true,
+          },
+          {
+            id: "test-env-dev",
+            type: "development" as const,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+            projectId: "project-1",
+            appSetupCompleted: true,
+          },
+        ],
+      },
+    ] as any;
 
     vi.mocked(getServerSession).mockResolvedValue({
       user: { id: "test-user-id" },
@@ -372,8 +431,8 @@ describe("Page", () => {
     vi.mocked(getIsFreshInstance).mockResolvedValue(false);
     vi.mocked(getUser).mockResolvedValue(mockUser);
     vi.mocked(getOrganizationsByUserId).mockResolvedValue([mockOrganization]);
-    vi.mocked(getFirstEnvironmentIdByUserId).mockResolvedValue(mockEnvironmentId);
     vi.mocked(getMembershipByUserIdOrganizationId).mockResolvedValue(mockMembership);
+    vi.mocked(getProjectEnvironmentsByOrganizationIds).mockResolvedValue(mockUserProjects);
     vi.mocked(getAccessFlags).mockReturnValue({
       isManager: false,
       isOwner: false,
@@ -385,7 +444,7 @@ describe("Page", () => {
     const { container } = render(result);
 
     expect(container.querySelector('[data-testid="client-environment-redirect"]')).toHaveTextContent(
-      `Environment ID: ${mockEnvironmentId}`
+      `User Environments: test-env-id, test-env-dev`
     );
   });
 });

apps/web/app/page.tsx

@@ -1,9 +1,9 @@
 import ClientEnvironmentRedirect from "@/app/ClientEnvironmentRedirect";
-import { getFirstEnvironmentIdByUserId } from "@/lib/environment/service";
 import { getIsFreshInstance } from "@/lib/instance/service";
 import { getMembershipByUserIdOrganizationId } from "@/lib/membership/service";
 import { getAccessFlags } from "@/lib/membership/utils";
 import { getOrganizationsByUserId } from "@/lib/organization/service";
+import { getProjectEnvironmentsByOrganizationIds } from "@/lib/project/service";
 import { getUser } from "@/lib/user/service";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { ClientLogout } from "@/modules/ui/components/client-logout";
@@ -34,16 +34,34 @@ const Page = async () => {
     return redirect("/setup/organization/create");
   }
 
-  let environmentId: string | null = null;
-  environmentId = await getFirstEnvironmentIdByUserId(session.user.id);
+  const projectsByOrg = await getProjectEnvironmentsByOrganizationIds(userOrganizations.map((org) => org.id));
+
+  // Flatten all environments from all projects across all organizations
+  const allEnvironments = projectsByOrg.flatMap((project) => project.environments);
+
+  // Find first production environment and collect all other environment IDs in one pass
+  const { firstProductionEnvironmentId, otherEnvironmentIds } = allEnvironments.reduce(
+    (acc, env) => {
+      if (env.type === "production" && !acc.firstProductionEnvironmentId) {
+        acc.firstProductionEnvironmentId = env.id;
+      } else {
+        acc.otherEnvironmentIds.add(env.id);
+      }
+      return acc;
+    },
+    { firstProductionEnvironmentId: null as string | null, otherEnvironmentIds: new Set<string>() }
+  );
+
+  const userEnvironments = [...otherEnvironmentIds];
 
   const currentUserMembership = await getMembershipByUserIdOrganizationId(
     session.user.id,
     userOrganizations[0].id
   );
+
   const { isManager, isOwner } = getAccessFlags(currentUserMembership?.role);
 
-  if (!environmentId) {
+  if (!firstProductionEnvironmentId) {
     if (isOwner || isManager) {
       return redirect(`/organizations/${userOrganizations[0].id}/projects/new/mode`);
     } else {
@@ -51,7 +69,10 @@ const Page = async () => {
     }
   }
 
-  return <ClientEnvironmentRedirect environmentId={environmentId} />;
+  // Put the first production environment at the front of the array
+  const sortedUserEnvironments = [firstProductionEnvironmentId, ...userEnvironments];
+
+  return <ClientEnvironmentRedirect userEnvironments={sortedUserEnvironments} />;
 };
 
 export default Page;

apps/web/app/s/[surveyId]/not-found.tsx

@@ -1,3 +1,5 @@
 import { LinkSurveyNotFound } from "@/modules/survey/link/not-found";
 
-export default LinkSurveyNotFound;
+export default function NotFound() {
+  return <LinkSurveyNotFound />;
+}

apps/web/app/setup/organization/create/actions.ts

@@ -4,6 +4,8 @@ import { gethasNoOrganizations } from "@/lib/instance/service";
 import { createMembership } from "@/lib/membership/service";
 import { createOrganization } from "@/lib/organization/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { getIsMultiOrgEnabled } from "@/modules/ee/license-check/lib/utils";
 import { z } from "zod";
 import { OperationNotAllowedError } from "@formbricks/types/errors";
@@ -12,24 +14,31 @@ const ZCreateOrganizationAction = z.object({
   organizationName: z.string(),
 });
 
-export const createOrganizationAction = authenticatedActionClient
-  .schema(ZCreateOrganizationAction)
-  .action(async ({ ctx, parsedInput }) => {
-    const hasNoOrganizations = await gethasNoOrganizations();
-    const isMultiOrgEnabled = await getIsMultiOrgEnabled();
+export const createOrganizationAction = authenticatedActionClient.schema(ZCreateOrganizationAction).action(
+  withAuditLogging(
+    "created",
+    "organization",
+    async ({ ctx, parsedInput }: { ctx: AuthenticatedActionClientCtx; parsedInput: Record<string, any> }) => {
+      const hasNoOrganizations = await gethasNoOrganizations();
+      const isMultiOrgEnabled = await getIsMultiOrgEnabled();
 
-    if (!hasNoOrganizations && !isMultiOrgEnabled) {
-      throw new OperationNotAllowedError("This action can only be performed on a fresh instance.");
+      if (!hasNoOrganizations && !isMultiOrgEnabled) {
+        throw new OperationNotAllowedError("This action can only be performed on a fresh instance.");
+      }
+
+      const newOrganization = await createOrganization({
+        name: parsedInput.organizationName,
+      });
+
+      await createMembership(newOrganization.id, ctx.user.id, {
+        role: "owner",
+        accepted: true,
+      });
+
+      ctx.auditLoggingCtx.organizationId = newOrganization.id;
+      ctx.auditLoggingCtx.newObject = newOrganization;
+
+      return newOrganization;
     }
-
-    const newOrganization = await createOrganization({
-      name: parsedInput.organizationName,
-    });
-
-    await createMembership(newOrganization.id, ctx.user.id, {
-      role: "owner",
-      accepted: true,
-    });
-
-    return newOrganization;
-  });
+  )
+);

apps/web/app/share/[sharingKey]/(analysis)/responses/page.tsx

@@ -1,7 +1,8 @@
 import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/components/SurveyAnalysisNavigation";
 import { ResponsePage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponsePage";
-import { RESPONSES_PER_PAGE, WEBAPP_URL } from "@/lib/constants";
+import { RESPONSES_PER_PAGE } from "@/lib/constants";
 import { getEnvironment } from "@/lib/environment/service";
+import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getSurvey, getSurveyIdByResultShareKey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
@@ -46,6 +47,7 @@ const Page = async (props: ResponsesPageProps) => {
   }
 
   const locale = await findMatchingLocale();
+  const publicDomain = getPublicDomain();
 
   return (
     <div className="flex w-full justify-center">
@@ -57,7 +59,7 @@ const Page = async (props: ResponsesPageProps) => {
           environment={environment}
           survey={survey}
           surveyId={surveyId}
-          webAppUrl={WEBAPP_URL}
+          publicDomain={publicDomain}
           environmentTags={tags}
           responsesPerPage={RESPONSES_PER_PAGE}
           locale={locale}