chore(backport): updated release workflow (#6627 )

refactor: enhance JWT handling and improve security tests (#6619 ) (#6626 )
fix: backports formbricks.sh fix (#6550 )
2025-12-24 15:10:36 -06:00 · 2025-09-30 17:39:44 +02:00 · 2025-09-30 09:40:29 -03:00 · 2025-09-15 17:58:45 +02:00
21 changed files with 2214 additions and 651 deletions
--- a/.github/actions/build-and-push-docker/action.yml
+++ b/.github/actions/build-and-push-docker/action.yml
@@ -0,0 +1,312 @@
+name: Build and Push Docker Image
+description: |
+  Unified Docker build and push action for both ECR and GHCR registries.
+
+  Supports:
+  - ECR builds for Formbricks Cloud deployment
+  - GHCR builds for community self-hosting
+  - Automatic version resolution and tagging
+  - Conditional signing and deployment tags
+
+inputs:
+  registry_type:
+    description: "Registry type: 'ecr' or 'ghcr'"
+    required: true
+
+  # Version input
+  version:
+    description: "Explicit version (SemVer only, e.g., 1.2.3). If provided, this version is used directly. If empty, version is auto-generated from branch name."
+    required: false
+  experimental_mode:
+    description: "Enable experimental timestamped versions"
+    required: false
+    default: "false"
+
+  # ECR specific inputs
+  ecr_registry:
+    description: "ECR registry URL (required for ECR builds)"
+    required: false
+  ecr_repository:
+    description: "ECR repository name (required for ECR builds)"
+    required: false
+  ecr_region:
+    description: "ECR AWS region (required for ECR builds)"
+    required: false
+  aws_role_arn:
+    description: "AWS role ARN for ECR authentication (required for ECR builds)"
+    required: false
+
+  # GHCR specific inputs
+  ghcr_image_name:
+    description: "GHCR image name (required for GHCR builds)"
+    required: false
+
+  # Deployment options
+  deploy_production:
+    description: "Tag image for production deployment"
+    required: false
+    default: "false"
+  deploy_staging:
+    description: "Tag image for staging deployment"
+    required: false
+    default: "false"
+  is_prerelease:
+    description: "Whether this is a prerelease (auto-tags for staging/production)"
+    required: false
+    default: "false"
+
+  # Build options
+  dockerfile:
+    description: "Path to Dockerfile"
+    required: false
+    default: "apps/web/Dockerfile"
+  context:
+    description: "Build context"
+    required: false
+    default: "."
+
+outputs:
+  image_tag:
+    description: "Resolved image tag used for the build"
+    value: ${{ steps.version.outputs.version }}
+  registry_tags:
+    description: "Complete registry tags that were pushed"
+    value: ${{ steps.build.outputs.tags }}
+  image_digest:
+    description: "Image digest from the build"
+    value: ${{ steps.build.outputs.digest }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Validate inputs
+      shell: bash
+      env:
+        REGISTRY_TYPE: ${{ inputs.registry_type }}
+        ECR_REGISTRY: ${{ inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+        ECR_REGION: ${{ inputs.ecr_region }}
+        AWS_ROLE_ARN: ${{ inputs.aws_role_arn }}
+        GHCR_IMAGE_NAME: ${{ inputs.ghcr_image_name }}
+      run: |
+        set -euo pipefail
+
+        if [[ "$REGISTRY_TYPE" != "ecr" && "$REGISTRY_TYPE" != "ghcr" ]]; then
+          echo "ERROR: registry_type must be 'ecr' or 'ghcr', got: $REGISTRY_TYPE"
+          exit 1
+        fi
+
+        if [[ "$REGISTRY_TYPE" == "ecr" ]]; then
+          if [[ -z "$ECR_REGISTRY" || -z "$ECR_REPOSITORY" || -z "$ECR_REGION" || -z "$AWS_ROLE_ARN" ]]; then
+            echo "ERROR: ECR builds require ecr_registry, ecr_repository, ecr_region, and aws_role_arn"
+            exit 1
+          fi
+        fi
+
+        if [[ "$REGISTRY_TYPE" == "ghcr" ]]; then
+          if [[ -z "$GHCR_IMAGE_NAME" ]]; then
+            echo "ERROR: GHCR builds require ghcr_image_name"
+            exit 1
+          fi
+        fi
+
+        echo "SUCCESS: Input validation passed for $REGISTRY_TYPE build"
+
+    - name: Resolve Docker version
+      id: version
+      uses: ./.github/actions/resolve-docker-version
+      with:
+        version: ${{ inputs.version }}
+        current_branch: ${{ github.ref_name }}
+        experimental_mode: ${{ inputs.experimental_mode }}
+
+    - name: Update package.json version
+      uses: ./.github/actions/update-package-version
+      with:
+        version: ${{ steps.version.outputs.version }}
+
+    - name: Configure AWS credentials (ECR only)
+      if: ${{ inputs.registry_type == 'ecr' }}
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.2.0
+      with:
+        role-to-assume: ${{ inputs.aws_role_arn }}
+        aws-region: ${{ inputs.ecr_region }}
+
+    - name: Log in to Amazon ECR (ECR only)
+      if: ${{ inputs.registry_type == 'ecr' }}
+      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+    - name: Set up Docker build tools
+      uses: ./.github/actions/docker-build-setup
+      with:
+        registry: ${{ inputs.registry_type == 'ghcr' && 'ghcr.io' || '' }}
+        setup_cosign: ${{ inputs.registry_type == 'ghcr' && 'true' || 'false' }}
+        skip_login_on_pr: ${{ inputs.registry_type == 'ghcr' && 'true' || 'false' }}
+
+    - name: Build ECR tag list
+      if: ${{ inputs.registry_type == 'ecr' }}
+      id: ecr-tags
+      shell: bash
+      env:
+        IMAGE_TAG: ${{ steps.version.outputs.version }}
+        ECR_REGISTRY: ${{ inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+        DEPLOY_PRODUCTION: ${{ inputs.deploy_production }}
+        DEPLOY_STAGING: ${{ inputs.deploy_staging }}
+        IS_PRERELEASE: ${{ inputs.is_prerelease }}
+      run: |
+        set -euo pipefail
+
+        # Start with the base image tag
+        TAGS="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
+
+        # Handle automatic tagging based on release type
+        if [[ "${IS_PRERELEASE}" == "true" ]]; then
+          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:staging"
+          echo "Adding staging tag for prerelease"
+        elif [[ "${IS_PRERELEASE}" == "false" ]]; then
+          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:production"
+          echo "Adding production tag for stable release"
+        fi
+
+        # Handle manual deployment overrides
+        if [[ "${DEPLOY_PRODUCTION}" == "true" ]]; then
+          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:production"
+          echo "Adding production tag (manual override)"
+        fi
+        if [[ "${DEPLOY_STAGING}" == "true" ]]; then
+          TAGS="${TAGS}\n${ECR_REGISTRY}/${ECR_REPOSITORY}:staging"
+          echo "Adding staging tag (manual override)"
+        fi
+
+        echo "ECR tags generated:"
+        echo -e "${TAGS}"
+
+        {
+          echo "tags<<EOF"
+          echo -e "${TAGS}"
+          echo "EOF"
+        } >> "${GITHUB_OUTPUT}"
+
+    - name: Generate additional GHCR tags for releases
+      if: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'false' && (github.event_name == 'workflow_call' || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }}
+      id: ghcr-extra-tags
+      shell: bash
+      env:
+        VERSION: ${{ steps.version.outputs.version }}
+        IMAGE_NAME: ${{ inputs.ghcr_image_name }}
+        IS_PRERELEASE: ${{ inputs.is_prerelease }}
+      run: |
+        set -euo pipefail
+
+        # Start with base version tag
+        TAGS="ghcr.io/${IMAGE_NAME}:${VERSION}"
+
+        # For proper SemVer releases, add major.minor and major tags
+        if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          # Extract major and minor versions
+          MAJOR=$(echo "${VERSION}" | cut -d. -f1)
+          MINOR=$(echo "${VERSION}" | cut -d. -f2)
+          
+          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:${MAJOR}.${MINOR}"
+          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:${MAJOR}"
+          
+          echo "Added SemVer tags: ${MAJOR}.${MINOR}, ${MAJOR}"
+        fi
+
+        # Add latest tag for stable releases
+        if [[ "${IS_PRERELEASE}" == "false" ]]; then
+          TAGS="${TAGS}\nghcr.io/${IMAGE_NAME}:latest"
+          echo "Added latest tag for stable release"
+        fi
+
+        echo "Generated GHCR tags:"
+        echo -e "${TAGS}"
+
+        # Debug: Show what will be passed to Docker build
+        echo "DEBUG: Tags for Docker build step:"
+        echo -e "${TAGS}"
+
+        {
+          echo "tags<<EOF"
+          echo -e "${TAGS}"
+          echo "EOF"
+        } >> "${GITHUB_OUTPUT}"
+
+    - name: Build GHCR metadata (experimental)
+      if: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' }}
+      id: ghcr-meta-experimental
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+      with:
+        images: ghcr.io/${{ inputs.ghcr_image_name }}
+        tags: |
+          type=ref,event=branch
+          type=raw,value=${{ steps.version.outputs.version }}
+
+    - name: Debug Docker build tags
+      shell: bash
+      run: |
+        echo "=== DEBUG: Docker Build Configuration ==="
+        echo "Registry Type: ${{ inputs.registry_type }}"
+        echo "Experimental Mode: ${{ inputs.experimental_mode }}"
+        echo "Event Name: ${{ github.event_name }}"
+        echo "Is Prerelease: ${{ inputs.is_prerelease }}"
+        echo "Version: ${{ steps.version.outputs.version }}"
+
+        if [[ "${{ inputs.registry_type }}" == "ecr" ]]; then
+          echo "ECR Tags: ${{ steps.ecr-tags.outputs.tags }}"
+        elif [[ "${{ inputs.experimental_mode }}" == "true" ]]; then
+          echo "GHCR Experimental Tags: ${{ steps.ghcr-meta-experimental.outputs.tags }}"
+        else
+          echo "GHCR Extra Tags: ${{ steps.ghcr-extra-tags.outputs.tags }}"
+        fi
+
+    - name: Build and push Docker image
+      id: build
+      uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
+      with:
+        project: tw0fqmsx3c
+        token: ${{ env.DEPOT_PROJECT_TOKEN }}
+        context: ${{ inputs.context }}
+        file: ${{ inputs.dockerfile }}
+        platforms: linux/amd64,linux/arm64
+        push: ${{ github.event_name != 'pull_request' }}
+        tags: ${{ inputs.registry_type == 'ecr' && steps.ecr-tags.outputs.tags || (inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.tags) || (inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'false' && steps.ghcr-extra-tags.outputs.tags) || (inputs.registry_type == 'ghcr' && format('ghcr.io/{0}:{1}', inputs.ghcr_image_name, steps.version.outputs.version)) || (inputs.registry_type == 'ecr' && format('{0}/{1}:{2}', inputs.ecr_registry, inputs.ecr_repository, steps.version.outputs.version)) }}
+        labels: ${{ inputs.registry_type == 'ghcr' && inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.labels || '' }}
+        secrets: |
+          database_url=${{ env.DUMMY_DATABASE_URL }}
+          encryption_key=${{ env.DUMMY_ENCRYPTION_KEY }}
+          redis_url=${{ env.DUMMY_REDIS_URL }}
+          sentry_auth_token=${{ env.SENTRY_AUTH_TOKEN }}
+      env:
+        DEPOT_PROJECT_TOKEN: ${{ env.DEPOT_PROJECT_TOKEN }}
+        DUMMY_DATABASE_URL: ${{ env.DUMMY_DATABASE_URL }}
+        DUMMY_ENCRYPTION_KEY: ${{ env.DUMMY_ENCRYPTION_KEY }}
+        DUMMY_REDIS_URL: ${{ env.DUMMY_REDIS_URL }}
+        SENTRY_AUTH_TOKEN: ${{ env.SENTRY_AUTH_TOKEN }}
+
+    - name: Sign GHCR image (GHCR only)
+      if: ${{ inputs.registry_type == 'ghcr' && (github.event_name == 'workflow_call' || github.event_name == 'release' || github.event_name == 'workflow_dispatch') }}
+      shell: bash
+      env:
+        TAGS: ${{ inputs.experimental_mode == 'true' && steps.ghcr-meta-experimental.outputs.tags || steps.ghcr-extra-tags.outputs.tags }}
+        DIGEST: ${{ steps.build.outputs.digest }}
+      run: |
+        set -euo pipefail
+        echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
+
+    - name: Output build summary
+      shell: bash
+      env:
+        REGISTRY_TYPE: ${{ inputs.registry_type }}
+        IMAGE_TAG: ${{ steps.version.outputs.version }}
+        VERSION_SOURCE: ${{ steps.version.outputs.source }}
+      run: |
+        echo "SUCCESS: Built and pushed Docker image to $REGISTRY_TYPE"
+        echo "Image Tag: $IMAGE_TAG (source: $VERSION_SOURCE)"
+        if [[ "$REGISTRY_TYPE" == "ecr" ]]; then
+          echo "ECR Registry: ${{ inputs.ecr_registry }}"
+          echo "ECR Repository: ${{ inputs.ecr_repository }}"
+        else
+          echo "GHCR Image: ghcr.io/${{ inputs.ghcr_image_name }}"
+        fi
--- a/.github/actions/docker-build-setup/action.yml
+++ b/.github/actions/docker-build-setup/action.yml
@@ -0,0 +1,106 @@
+name: Docker Build Setup
+description: |
+  Sets up common Docker build tools and authentication with security validation.
+
+  Security Features:
+  - Registry URL validation
+  - Input sanitization
+  - Conditional setup based on event type
+  - Post-setup verification
+
+  Supports Depot CLI, Cosign signing, and Docker registry authentication.
+
+inputs:
+  registry:
+    description: "Docker registry hostname to login to (e.g., ghcr.io, registry.example.com:5000). No paths allowed."
+    required: false
+    default: "ghcr.io"
+  setup_cosign:
+    description: "Whether to install cosign for image signing"
+    required: false
+    default: "true"
+  skip_login_on_pr:
+    description: "Whether to skip registry login on pull requests"
+    required: false
+    default: "true"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Validate inputs
+      shell: bash
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        SETUP_COSIGN: ${{ inputs.setup_cosign }}
+        SKIP_LOGIN_ON_PR: ${{ inputs.skip_login_on_pr }}
+      run: |
+        set -euo pipefail
+
+        # Security: Validate registry input - must be hostname[:port] only, no paths
+        # Allow empty registry for cases where login is handled externally (e.g., ECR)
+        if [[ -n "$REGISTRY" ]]; then
+          if [[ "$REGISTRY" =~ / ]]; then
+            echo "ERROR: Invalid registry format: $REGISTRY"
+            echo "Registry must be host[:port] with no path (e.g., 'ghcr.io' or 'registry.example.com:5000')"
+            echo "Path components like 'ghcr.io/org' are not allowed as they break docker login"
+            exit 1
+          fi
+
+          # Validate hostname with optional port format
+          if [[ ! "$REGISTRY" =~ ^[a-zA-Z0-9.-]+(\:[0-9]+)?$ ]]; then
+            echo "ERROR: Invalid registry hostname format: $REGISTRY"
+            echo "Registry must be a valid hostname optionally with port (e.g., 'ghcr.io' or 'registry.example.com:5000')"
+            exit 1
+          fi
+        fi
+
+        # Validate boolean inputs
+        if [[ "$SETUP_COSIGN" != "true" && "$SETUP_COSIGN" != "false" ]]; then
+          echo "ERROR: setup_cosign must be 'true' or 'false', got: $SETUP_COSIGN"
+          exit 1
+        fi
+
+        if [[ "$SKIP_LOGIN_ON_PR" != "true" && "$SKIP_LOGIN_ON_PR" != "false" ]]; then
+          echo "ERROR: skip_login_on_pr must be 'true' or 'false', got: $SKIP_LOGIN_ON_PR"
+          exit 1
+        fi
+
+        echo "SUCCESS: Input validation passed"
+
+    - name: Set up Depot CLI
+      uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+
+    - name: Install cosign
+      # Install cosign when requested AND when we might actually sign images
+      # (i.e., non-PR contexts or when we login on PRs)
+      if: ${{ inputs.setup_cosign == 'true' && (inputs.skip_login_on_pr == 'false' || github.event_name != 'pull_request') }}
+      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+    - name: Log into registry
+      if: ${{ inputs.registry != '' && (inputs.skip_login_on_pr == 'false' || github.event_name != 'pull_request') }}
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      with:
+        registry: ${{ inputs.registry }}
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    - name: Verify setup completion
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Verify Depot CLI is available
+        if ! command -v depot >/dev/null 2>&1; then
+          echo "ERROR: Depot CLI not found in PATH"
+          exit 1
+        fi
+
+        # Verify cosign if it should be installed (same conditions as install step)
+        if [[ "${{ inputs.setup_cosign }}" == "true" ]] && [[ "${{ inputs.skip_login_on_pr }}" == "false" || "${{ github.event_name }}" != "pull_request" ]]; then
+          if ! command -v cosign >/dev/null 2>&1; then
+            echo "ERROR: Cosign not found in PATH despite being requested"
+            exit 1
+          fi
+        fi
+
+        echo "SUCCESS: Docker build setup completed successfully"
--- a/.github/actions/resolve-docker-version/action.yml
+++ b/.github/actions/resolve-docker-version/action.yml
@@ -0,0 +1,192 @@
+name: Resolve Docker Version
+description: |
+  Resolves and validates Docker-compatible SemVer versions for container builds with comprehensive security.
+
+  Security Features:
+  - Command injection protection
+  - Input sanitization and validation
+  - Docker tag character restrictions
+  - Length limits and boundary checks
+  - Safe branch name handling
+
+  Supports multiple modes: release, manual override, branch auto-detection, and experimental timestamped versions.
+
+inputs:
+  version:
+    description: "Explicit version (SemVer only, e.g., 1.2.3-beta). If provided, this version is used directly. If empty, version is auto-generated from branch name."
+    required: false
+  current_branch:
+    description: "Current branch name for auto-detection"
+    required: true
+  experimental_mode:
+    description: "Enable experimental mode with timestamp-based versions"
+    required: false
+    default: "false"
+
+outputs:
+  version:
+    description: "Resolved Docker-compatible SemVer version"
+    value: ${{ steps.resolve.outputs.version }}
+  source:
+    description: "Source of version (release|override|branch)"
+    value: ${{ steps.resolve.outputs.source }}
+  normalized:
+    description: "Whether the version was normalized (true/false)"
+    value: ${{ steps.resolve.outputs.normalized }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Resolve and validate Docker version
+      id: resolve
+      shell: bash
+      env:
+        EXPLICIT_VERSION: ${{ inputs.version }}
+        CURRENT_BRANCH: ${{ inputs.current_branch }}
+        EXPERIMENTAL_MODE: ${{ inputs.experimental_mode }}
+      run: |
+        set -euo pipefail
+
+        # Function to validate SemVer format (Docker-compatible, no '+' build metadata)
+        validate_semver() {
+          local version="$1"
+          local context="$2"
+          
+          if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+            echo "ERROR: Invalid $context format. Must be semver without build metadata (e.g., 1.2.3, 1.2.3-alpha)"
+            echo "Provided: $version"
+            echo "Note: Docker tags cannot contain '+' characters. Use prerelease identifiers instead."
+            exit 1
+          fi
+        }
+
+        # Function to generate branch-based version
+        generate_branch_version() {
+          local branch="$1"
+          local use_timestamp="${2:-true}"
+          local timestamp
+          
+          if [[ "$use_timestamp" == "true" ]]; then
+            timestamp=$(date +%s)
+          else
+            timestamp=""
+          fi
+          
+          # Sanitize branch name for Docker compatibility
+          local sanitized_branch=$(echo "$branch" | sed 's/[^a-zA-Z0-9.-]/-/g' | sed 's/--*/-/g' | sed 's/^-\|-$//g')
+          
+          # Additional safety: truncate if too long (reserve space for prefix and timestamp)
+          if (( ${#sanitized_branch} > 80 )); then
+            sanitized_branch="${sanitized_branch:0:80}"
+            echo "INFO: Branch name truncated for Docker compatibility" >&2
+          fi
+          local version
+          
+          # Generate version based on branch name (unified approach)
+          # All branches get alpha versions with sanitized branch name
+          if [[ -n "$timestamp" ]]; then
+            version="0.0.0-alpha-$sanitized_branch-$timestamp"
+            echo "INFO: Branch '$branch' detected - alpha version: $version" >&2
+          else
+            version="0.0.0-alpha-$sanitized_branch"
+            echo "INFO: Branch '$branch' detected - alpha version: $version" >&2
+          fi
+          
+          echo "$version"
+        }
+
+
+        # Input validation and sanitization
+        if [[ -z "$CURRENT_BRANCH" ]]; then
+          echo "ERROR: current_branch input is required"
+          exit 1
+        fi
+
+        # Security: Validate inputs to prevent command injection
+        # Use grep to check for dangerous characters (more reliable than bash regex)
+        validate_input() {
+          local input="$1"
+          local name="$2"
+          
+          # Check for dangerous characters using grep
+          if echo "$input" | grep -q '[;|&`$(){}\\[:space:]]'; then
+            echo "ERROR: $name contains potentially dangerous characters: $input"
+            echo "Input should only contain letters, numbers, hyphens, underscores, dots, and forward slashes"
+            return 1
+          fi
+          
+          return 0
+        }
+
+        # Validate current branch
+        if ! validate_input "$CURRENT_BRANCH" "Branch name"; then
+          exit 1
+        fi
+
+        # Validate explicit version if provided
+        if [[ -n "$EXPLICIT_VERSION" ]] && ! validate_input "$EXPLICIT_VERSION" "Explicit version"; then
+          exit 1
+        fi
+
+        # Main resolution logic (ultra-simplified)
+        NORMALIZED="false"
+
+        if [[ -n "$EXPLICIT_VERSION" ]]; then
+          # Use provided explicit version (from either workflow_call or manual input)
+          validate_semver "$EXPLICIT_VERSION" "explicit version"
+          
+          # Normalize to lowercase for Docker/ECR compatibility
+          RESOLVED_VERSION="${EXPLICIT_VERSION,,}"
+          if [[ "$EXPLICIT_VERSION" != "$RESOLVED_VERSION" ]]; then
+            NORMALIZED="true"
+            echo "INFO: Original version contained uppercase characters, normalized: $EXPLICIT_VERSION -> $RESOLVED_VERSION"
+          fi
+          
+          SOURCE="explicit"
+          echo "INFO: Using explicit version: $RESOLVED_VERSION"
+          
+        else
+          # Auto-generate version from branch name
+          if [[ "$EXPERIMENTAL_MODE" == "true" ]]; then
+            # Use timestamped version generation
+            echo "INFO: Experimental mode: generating timestamped version from branch: $CURRENT_BRANCH"
+            RESOLVED_VERSION=$(generate_branch_version "$CURRENT_BRANCH" "true")
+            SOURCE="experimental"
+          else
+            # Standard branch version (no timestamp)
+            echo "INFO: Auto-detecting version from branch: $CURRENT_BRANCH"
+            RESOLVED_VERSION=$(generate_branch_version "$CURRENT_BRANCH" "false")
+            SOURCE="branch"
+          fi
+          echo "Generated version: $RESOLVED_VERSION"
+        fi
+
+        # Final validation - ensure result is valid Docker tag
+        if [[ -z "$RESOLVED_VERSION" ]]; then
+          echo "ERROR: Failed to resolve version"
+          exit 1
+        fi
+
+        if (( ${#RESOLVED_VERSION} > 128 )); then
+          echo "ERROR: Version must be at most 128 characters (Docker limitation)"
+          echo "Generated version: $RESOLVED_VERSION (${#RESOLVED_VERSION} chars)"
+          exit 1
+        fi
+
+        if [[ ! "$RESOLVED_VERSION" =~ ^[a-z0-9._-]+$ ]]; then
+          echo "ERROR: Version contains invalid characters for Docker tags"
+          echo "Version: $RESOLVED_VERSION"
+          exit 1
+        fi
+
+        if [[ "$RESOLVED_VERSION" =~ ^[.-] || "$RESOLVED_VERSION" =~ [.-]$ ]]; then
+          echo "ERROR: Version must not start or end with '.' or '-'"
+          echo "Version: $RESOLVED_VERSION"
+          exit 1
+        fi
+
+        # Output results
+        echo "SUCCESS: Resolved Docker version: $RESOLVED_VERSION (source: $SOURCE)"
+        echo "version=$RESOLVED_VERSION" >> $GITHUB_OUTPUT
+        echo "source=$SOURCE" >> $GITHUB_OUTPUT
+        echo "normalized=$NORMALIZED" >> $GITHUB_OUTPUT
--- a/.github/actions/update-package-version/action.yml
+++ b/.github/actions/update-package-version/action.yml
@@ -0,0 +1,160 @@
+name: Update Package Version
+description: |
+  Safely updates package.json version with comprehensive validation and atomic operations.
+
+  Security Features:
+  - Path traversal protection
+  - SemVer validation with length limits
+  - Atomic file operations with backup/recovery
+  - JSON validation before applying changes
+
+  This action is designed to be secure by default and prevent common attack vectors.
+
+inputs:
+  version:
+    description: "Version to set in package.json (must be valid SemVer)"
+    required: true
+  package_path:
+    description: "Path to package.json file"
+    required: false
+    default: "./apps/web/package.json"
+
+outputs:
+  updated_version:
+    description: "The version that was actually set in package.json"
+    value: ${{ steps.update.outputs.updated_version }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Update and verify package.json version
+      id: update
+      shell: bash
+      env:
+        VERSION: ${{ inputs.version }}
+        PACKAGE_PATH: ${{ inputs.package_path }}
+      run: |
+        set -euo pipefail
+
+        # Validate inputs
+        if [[ -z "$VERSION" ]]; then
+          echo "ERROR: version input is required"
+          exit 1
+        fi
+
+        # Security: Validate package_path to prevent path traversal attacks
+        # Only allow paths within the workspace and must end with package.json
+        if [[ "$PACKAGE_PATH" =~ \.\./|^/|^~ ]]; then
+          echo "ERROR: Invalid package path - path traversal detected: $PACKAGE_PATH"
+          echo "Package path must be relative to workspace root and cannot contain '../', start with '/', or '~'"
+          exit 1
+        fi
+
+        if [[ ! "$PACKAGE_PATH" =~ package\.json$ ]]; then
+          echo "ERROR: Package path must end with 'package.json': $PACKAGE_PATH"
+          exit 1
+        fi
+
+        # Resolve to absolute path within workspace for additional security
+        WORKSPACE_ROOT="${GITHUB_WORKSPACE:-$(pwd)}"
+
+        # Use realpath to resolve both paths and handle symlinks properly
+        WORKSPACE_ROOT=$(realpath "$WORKSPACE_ROOT")
+        RESOLVED_PATH=$(realpath "${WORKSPACE_ROOT}/${PACKAGE_PATH}")
+
+        # Ensure WORKSPACE_ROOT has a trailing slash for proper prefix matching
+        WORKSPACE_ROOT="${WORKSPACE_ROOT}/"
+
+        # Use shell string matching to ensure RESOLVED_PATH is within workspace
+        # This is more secure than regex and handles edge cases properly
+        if [[ "$RESOLVED_PATH" != "$WORKSPACE_ROOT"* ]]; then
+          echo "ERROR: Resolved path is outside workspace: $RESOLVED_PATH"
+          echo "Workspace root: $WORKSPACE_ROOT"
+          exit 1
+        fi
+
+        if [[ ! -f "$RESOLVED_PATH" ]]; then
+          echo "ERROR: package.json not found at: $RESOLVED_PATH"
+          exit 1
+        fi
+
+        # Use resolved path for operations
+        PACKAGE_PATH="$RESOLVED_PATH"
+
+        # Validate SemVer format with additional security checks
+        if [[ ${#VERSION} -gt 128 ]]; then
+          echo "ERROR: Version string too long (${#VERSION} chars, max 128): $VERSION"
+          exit 1
+        fi
+
+        if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+          echo "ERROR: Invalid SemVer format: $VERSION"
+          echo "Expected format: MAJOR.MINOR.PATCH[-PRERELEASE]"
+          echo "Only alphanumeric characters, dots, and hyphens allowed in prerelease"
+          exit 1
+        fi
+
+        # Additional validation: Check for reasonable version component sizes
+        # Extract base version (MAJOR.MINOR.PATCH) without prerelease/build metadata
+        if [[ "$VERSION" =~ ^([0-9]+\.[0-9]+\.[0-9]+) ]]; then
+          BASE_VERSION="${BASH_REMATCH[1]}"
+        else
+          echo "ERROR: Could not extract base version from: $VERSION"
+          exit 1
+        fi
+
+        # Split version components safely
+        IFS='.' read -ra VERSION_PARTS <<< "$BASE_VERSION"
+
+        # Validate component sizes (should have exactly 3 parts due to regex above)
+        if (( ${VERSION_PARTS[0]} > 999 || ${VERSION_PARTS[1]} > 999 || ${VERSION_PARTS[2]} > 999 )); then
+          echo "ERROR: Version components too large (max 999 each): $VERSION"
+          echo "Components: ${VERSION_PARTS[0]}.${VERSION_PARTS[1]}.${VERSION_PARTS[2]}"
+          exit 1
+        fi
+
+        echo "Updating package.json version to: $VERSION"
+
+        # Create backup for atomic operations
+        BACKUP_PATH="${PACKAGE_PATH}.backup.$$"
+        cp "$PACKAGE_PATH" "$BACKUP_PATH"
+
+        # Use jq to safely update the version field with error handling
+        if ! jq --arg version "$VERSION" '.version = $version' "$PACKAGE_PATH" > "${PACKAGE_PATH}.tmp"; then
+          echo "ERROR: jq failed to process package.json"
+          rm -f "${PACKAGE_PATH}.tmp" "$BACKUP_PATH"
+          exit 1
+        fi
+
+        # Validate the generated JSON before applying changes
+        if ! jq empty "${PACKAGE_PATH}.tmp" 2>/dev/null; then
+          echo "ERROR: Generated invalid JSON"
+          rm -f "${PACKAGE_PATH}.tmp" "$BACKUP_PATH"
+          exit 1
+        fi
+
+        # Atomic move operation
+        if ! mv "${PACKAGE_PATH}.tmp" "$PACKAGE_PATH"; then
+          echo "ERROR: Failed to update package.json"
+          # Restore backup
+          mv "$BACKUP_PATH" "$PACKAGE_PATH"
+          exit 1
+        fi
+
+        # Verify the update was successful
+        UPDATED_VERSION=$(jq -r '.version' "$PACKAGE_PATH" 2>/dev/null)
+
+        if [[ "$UPDATED_VERSION" != "$VERSION" ]]; then
+          echo "ERROR: Version update failed!"
+          echo "Expected: $VERSION"
+          echo "Actual: $UPDATED_VERSION"
+          # Restore backup
+          mv "$BACKUP_PATH" "$PACKAGE_PATH"
+          exit 1
+        fi
+
+        # Clean up backup on success
+        rm -f "$BACKUP_PATH"
+
+        echo "SUCCESS: Updated package.json version to: $UPDATED_VERSION"
+        echo "updated_version=$UPDATED_VERSION" >> $GITHUB_OUTPUT
--- a/.github/actions/upload-sentry-sourcemaps/action.yml
+++ b/.github/actions/upload-sentry-sourcemaps/action.yml
@@ -1,104 +0,0 @@
-name: "Upload Sentry Sourcemaps"
-description: "Extract sourcemaps from Docker image and upload to Sentry"
-
-inputs:
-  docker_image:
-    description: "Docker image to extract sourcemaps from"
-    required: true
-  release_version:
-    description: "Sentry release version (e.g., v1.2.3)"
-    required: true
-  sentry_auth_token:
-    description: "Sentry authentication token"
-    required: true
-  environment:
-    description: "Sentry environment (e.g., production, staging)"
-    required: false
-    default: "staging"
-
-runs:
-  using: "composite"
-  steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-
-    - name: Extract sourcemaps from Docker image
-      shell: bash
-      env:
-        DOCKER_IMAGE: ${{ inputs.docker_image }}
-      run: |
-        set -euo pipefail
-
-        # Validate docker image format (basic validation)
-        if [[ ! "$DOCKER_IMAGE" =~ ^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$ ]] && [[ ! "$DOCKER_IMAGE" =~ ^[a-zA-Z0-9._/-]+@sha256:[A-Fa-f0-9]{64}$ ]]; then
-          echo "❌ Error: Invalid docker image format. Must be in format 'image:tag' or 'image@sha256:hash'"
-          echo "Provided: ${DOCKER_IMAGE}"
-          exit 1
-        fi
-
-        echo "📦 Extracting sourcemaps from Docker image: ${DOCKER_IMAGE}"
-
-        # Create temporary container from the image and capture its ID
-        echo "Creating temporary container..."
-        CONTAINER_ID=$(docker create "$DOCKER_IMAGE")
-        echo "Container created with ID: ${CONTAINER_ID}"
-
-        # Set up cleanup function to ensure container is removed on script exit
-        cleanup_container() {
-          # Capture the current exit code to preserve it
-          local original_exit_code=$?
-          
-          echo "🧹 Cleaning up Docker container..."
-          
-          # Remove the container if it exists (ignore errors if already removed)
-          if [ -n "$CONTAINER_ID" ]; then
-            docker rm -f "$CONTAINER_ID" 2>/dev/null || true
-            echo "Container ${CONTAINER_ID} removed"
-          fi
-          
-          # Exit with the original exit code to preserve script success/failure status
-          exit $original_exit_code
-        }
-
-        # Register cleanup function to run on script exit (success or failure)
-        trap cleanup_container EXIT
-
-        # Extract .next directory containing sourcemaps
-        docker cp "$CONTAINER_ID:/home/nextjs/apps/web/.next" ./extracted-next
-
-        # Verify sourcemaps exist
-        if [ ! -d "./extracted-next/static/chunks" ]; then
-          echo "❌ Error: .next/static/chunks directory not found in Docker image"
-          echo "Expected structure: /home/nextjs/apps/web/.next/static/chunks/"
-          exit 1
-        fi
-
-        sourcemap_count=$(find ./extracted-next/static/chunks -name "*.map" | wc -l)
-        echo "✅ Found ${sourcemap_count} sourcemap files"
-
-        if [ "$sourcemap_count" -eq 0 ]; then
-          echo "❌ Error: No sourcemap files found. Check that productionBrowserSourceMaps is enabled."
-          exit 1
-        fi
-
-    - name: Create Sentry release and upload sourcemaps
-      uses: getsentry/action-release@v3
-      env:
-        SENTRY_AUTH_TOKEN: ${{ inputs.sentry_auth_token }}
-        SENTRY_ORG: formbricks
-        SENTRY_PROJECT: formbricks-cloud
-      with:
-        environment: ${{ inputs.environment }}
-        version: ${{ inputs.release_version }}
-        sourcemaps: "./extracted-next/"
-
-    - name: Clean up extracted files
-      shell: bash
-      if: always()
-      run: |
-        set -euo pipefail
-        # Clean up extracted files
-        rm -rf ./extracted-next
-        echo "🧹 Cleaned up extracted files"
--- a/.github/workflows/build-and-push-ecr.yml
+++ b/.github/workflows/build-and-push-ecr.yml
@@ -1,12 +1,44 @@
-name: Build & Push Docker to ECR
+name: Build Cloud Deployment Images
+
+# This workflow builds Formbricks Docker images for ECR deployment:
+# - workflow_call: Used by releases with explicit SemVer versions
+# - workflow_dispatch: Auto-detects version from current branch or uses override

 on:
  workflow_dispatch:
+    inputs:
+      version_override:
+        description: "Override version (SemVer only, e.g., 1.2.3). Leave empty to auto-detect from branch."
+        required: false
+        type: string
+      deploy_production:
+        description: "Tag image for production deployment"
+        required: false
+        default: false
+        type: boolean
+      deploy_staging:
+        description: "Tag image for staging deployment"
+        required: false
+        default: false
+        type: boolean
+  workflow_call:
    inputs:
      image_tag:
-        description: "Image tag to push (e.g., v3.16.1)"
+        description: "Image tag to push (required for workflow_call)"
        required: true
-        default: "v3.16.1"
+        type: string
+      IS_PRERELEASE:
+        description: "Whether this is a prerelease (auto-tags for staging/production)"
+        required: false
+        type: boolean
+        default: false
+    outputs:
+      IMAGE_TAG:
+        description: "Normalized image tag used for the build"
+        value: ${{ jobs.build-and-push.outputs.IMAGE_TAG }}
+      TAGS:
+        description: "Newline-separated list of ECR tags pushed"
+        value: ${{ jobs.build-and-push.outputs.TAGS }}

 permissions:
  contents: read
@@ -17,14 +49,15 @@ env:
  # ECR settings are sourced from repository/environment variables for portability across envs/forks
  ECR_REGISTRY: ${{ vars.ECR_REGISTRY }}
  ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}
-  DOCKERFILE: apps/web/Dockerfile
-  CONTEXT: .

 jobs:
  build-and-push:
    name: Build and Push
    runs-on: ubuntu-latest
    timeout-minutes: 45
+    outputs:
+      IMAGE_TAG: ${{ steps.build.outputs.image_tag }}
+      TAGS: ${{ steps.build.outputs.registry_tags }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
@@ -34,66 +67,22 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Validate image tag input
-        shell: bash
-        env:
-          IMAGE_TAG: ${{ inputs.image_tag }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${IMAGE_TAG}" ]]; then
-            echo "❌ Image tag is required (non-empty)."
-            exit 1
-          fi
-          if (( ${#IMAGE_TAG} > 128 )); then
-            echo "❌ Image tag must be at most 128 characters."
-            exit 1
-          fi
-          if [[ ! "${IMAGE_TAG}" =~ ^[a-z0-9._-]+$ ]]; then
-            echo "❌ Image tag may only contain lowercase letters, digits, '.', '_' and '-'."
-            exit 1
-          fi
-          if [[ "${IMAGE_TAG}" =~ ^[.-] || "${IMAGE_TAG}" =~ [.-]$ ]]; then
-            echo "❌ Image tag must not start or end with '.' or '-'."
-            exit 1
-          fi
-
-      - name: Validate required variables
-        shell: bash
-        env:
-          ECR_REGISTRY: ${{ env.ECR_REGISTRY }}
-          ECR_REPOSITORY: ${{ env.ECR_REPOSITORY }}
-          ECR_REGION: ${{ env.ECR_REGION }}
-        run: |
-          set -euo pipefail
-          if [[ -z "${ECR_REGISTRY}" || -z "${ECR_REPOSITORY}" || -z "${ECR_REGION}" ]]; then
-            echo "ECR_REGION, ECR_REGISTRY and ECR_REPOSITORY must be set via repository or environment variables (Settings → Variables)."
-            exit 1
-          fi
-
-      - name: Configure AWS credentials (OIDC)
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+      - name: Build and push cloud deployment image
+        id: build
+        uses: ./.github/actions/build-and-push-docker
        with:
-          role-to-assume: ${{ secrets.AWS_ECR_PUSH_ROLE_ARN }}
-          aws-region: ${{ env.ECR_REGION }}
-
-      - name: Log in to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
-
-      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-
-      - name: Build and push image (Depot remote builder)
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
-        with:
-          project: tw0fqmsx3c
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: ${{ env.CONTEXT }}
-          file: ${{ env.DOCKERFILE }}
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ inputs.image_tag }}
-            ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest
-          secrets: |
-            database_url=${{ secrets.DUMMY_DATABASE_URL }}
-            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
+          registry_type: "ecr"
+          ecr_registry: ${{ env.ECR_REGISTRY }}
+          ecr_repository: ${{ env.ECR_REPOSITORY }}
+          ecr_region: ${{ env.ECR_REGION }}
+          aws_role_arn: ${{ secrets.AWS_ECR_PUSH_ROLE_ARN }}
+          version: ${{ inputs.version_override || inputs.image_tag }}
+          deploy_production: ${{ inputs.deploy_production }}
+          deploy_staging: ${{ inputs.deploy_staging }}
+          is_prerelease: ${{ inputs.IS_PRERELEASE }}
+        env:
+          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
+          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
+          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/deploy-formbricks-cloud.yml
+++ b/.github/workflows/deploy-formbricks-cloud.yml
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
    inputs:
      VERSION:
-        description: "The version of the Docker image to release, full image tag if image tag is v0.0.0 enter v0.0.0."
+        description: "The version of the Docker image to release (clean SemVer, e.g., 1.2.3)"
        required: true
        type: string
      REPOSITORY:
--- a/.github/workflows/docker-build-validation.yml
+++ b/.github/workflows/docker-build-validation.yml
@@ -21,10 +21,10 @@ jobs:
    name: Validate Docker Build
    runs-on: ubuntu-latest

-    # Add PostgreSQL service container
+    # Add PostgreSQL and Redis service containers
    services:
      postgres:
-        image: pgvector/pgvector:pg17
+        image: pgvector/pgvector@sha256:9ae02a756ba16a2d69dd78058e25915e36e189bb36ddf01ceae86390d7ed786a
        env:
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
@@ -38,6 +38,11 @@ jobs:
          --health-timeout 5s
          --health-retries 5

+      redis:
+        image: valkey/valkey@sha256:12ba4f45a7c3e1d0f076acd616cb230834e75a77e8516dde382720af32832d6d
+        ports:
+          - 6379:6379
+
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
@@ -67,6 +72,7 @@ jobs:
          secrets: |
            database_url=${{ secrets.DUMMY_DATABASE_URL }}
            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
+            redis_url=redis://localhost:6379

      - name: Verify and Initialize PostgreSQL
        run: |
@@ -96,6 +102,29 @@ jobs:
          echo "Network configuration:"
          netstat -tulpn | grep 5432 || echo "No process listening on port 5432"

+      - name: Verify Redis/Valkey Connection
+        run: |
+          echo "Verifying Redis/Valkey connection..."
+          # Install Redis client to test connection
+          sudo apt-get update && sudo apt-get install -y redis-tools
+
+          # Test connection using redis-cli with timeout and proper error handling
+          echo "Testing Redis connection with 30 second timeout..."
+          if timeout 30 bash -c 'until redis-cli -h localhost -p 6379 ping >/dev/null 2>&1; do
+            echo "Waiting for Redis to be ready..."
+            sleep 2
+          done'; then
+            echo "✅ Redis connection successful"
+            redis-cli -h localhost -p 6379 info server | head -5
+          else
+            echo "❌ Redis connection failed after 30 seconds"
+            exit 1
+          fi
+
+          # Show network configuration for Redis
+          echo "Redis network configuration:"
+          netstat -tulpn | grep 6379 || echo "No process listening on port 6379"
+
      - name: Test Docker Image with Health Check
        shell: bash
        env:
@@ -113,6 +142,7 @@ jobs:
            -p 3000:3000 \
            -e DATABASE_URL="postgresql://test:test@host.docker.internal:5432/formbricks" \
            -e ENCRYPTION_KEY="$DUMMY_ENCRYPTION_KEY" \
+            -e REDIS_URL="redis://host.docker.internal:6379" \
            -d "formbricks-test:$GITHUB_SHA"

          # Start health check polling immediately (every 5 seconds for up to 5 minutes)
--- a/.github/workflows/docker-security-scan.yml
+++ b/.github/workflows/docker-security-scan.yml
@@ -17,7 +17,34 @@ jobs:
  scan:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout (for SARIF fingerprinting only)
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 1
+
+      - name: Determine ref and commit for upload
+        id: gitref
+        shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        run: |
+          set -euo pipefail
+          if [[ "${EVENT_NAME}" == "workflow_run" ]]; then
+            echo "ref=refs/heads/${HEAD_BRANCH}" >> "$GITHUB_OUTPUT"
+            echo "sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"
+          else
+            echo "ref=${GITHUB_REF}" >> "$GITHUB_OUTPUT"
+            echo "sha=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+          fi
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
@@ -35,6 +62,9 @@ jobs:

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
-        if: ${{ always() && hashFiles('trivy-results.sarif') != '' }}
+        if: ${{ always() }}
        with:
          sarif_file: "trivy-results.sarif"
+          ref: ${{ steps.gitref.outputs.ref }}
+          sha: ${{ steps.gitref.outputs.sha }}
+          category: "trivy-container-scan"
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -182,4 +182,4 @@ jobs:

      - name: Output App Logs
        if: failure()
-        run: cat app.log
+        run: cat app.log
--- a/.github/workflows/formbricks-release.yml
+++ b/.github/workflows/formbricks-release.yml
@@ -8,8 +8,8 @@ permissions:
  contents: read

 jobs:
-  docker-build:
-    name: Build & release docker image
+  docker-build-community:
+    name: Build & release community docker image
    permissions:
      contents: read
      packages: write
@@ -19,6 +19,19 @@ jobs:
    with:
      IS_PRERELEASE: ${{ github.event.release.prerelease }}

+  docker-build-cloud:
+    name: Build & push Formbricks Cloud to ECR
+    permissions:
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/build-and-push-ecr.yml
+    secrets: inherit
+    with:
+      image_tag: ${{ needs.docker-build-community.outputs.VERSION }}
+      IS_PRERELEASE: ${{ github.event.release.prerelease }}
+    needs:
+      - docker-build-community
+
  helm-chart-release:
    name: Release Helm Chart
    permissions:
@@ -27,48 +40,42 @@ jobs:
    uses: ./.github/workflows/release-helm-chart.yml
    secrets: inherit
    needs:
-      - docker-build
+      - docker-build-community
    with:
-      VERSION: ${{ needs.docker-build.outputs.VERSION }}
+      VERSION: ${{ needs.docker-build-community.outputs.VERSION }}

-  deploy-formbricks-cloud:
-    name: Deploy Helm Chart to Formbricks Cloud
-    permissions:
-      contents: read
-      id-token: write
-    secrets: inherit
-    uses: ./.github/workflows/deploy-formbricks-cloud.yml
-    needs:
-      - docker-build
-      - helm-chart-release
-    with:
-      VERSION: v${{ needs.docker-build.outputs.VERSION }}
-      ENVIRONMENT: ${{ github.event.release.prerelease && 'staging' || 'production' }}
-
-  upload-sentry-sourcemaps:
-    name: Upload Sentry Sourcemaps
+  verify-cloud-build:
+    name: Verify Cloud Build Outputs
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
+    timeout-minutes: 5 # Simple verification should be quick
    needs:
-      - docker-build
-      - deploy-formbricks-cloud
+      - docker-build-cloud
    steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden the runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
+      - name: Display ECR build outputs
+        env:
+          IMAGE_TAG: ${{ needs.docker-build-cloud.outputs.IMAGE_TAG }}
+          TAGS: ${{ needs.docker-build-cloud.outputs.TAGS }}
+        run: |
+          set -euo pipefail

-      - name: Upload Sentry Sourcemaps
-        uses: ./.github/actions/upload-sentry-sourcemaps
-        continue-on-error: true
-        with:
-          docker_image: ghcr.io/formbricks/formbricks:v${{ needs.docker-build.outputs.VERSION }}
-          release_version: v${{ needs.docker-build.outputs.VERSION }}
-          sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          environment: ${{ github.event.release.prerelease && 'staging' || 'production' }}
+          echo "✅ ECR Build Completed Successfully"
+          echo "Image Tag: ${IMAGE_TAG}"
+          echo "ECR Tags:"
+          printf '%s\n' "${TAGS}"
+
+  move-stable-tag:
+    name: Move stable tag to release
+    permissions:
+      contents: write # Required for tag push operations in called workflow
+    uses: ./.github/workflows/move-stable-tag.yml
+    needs:
+      - docker-build-community # Ensure release is successful first
+    with:
+      release_tag: ${{ github.event.release.tag_name }}
+      commit_sha: ${{ github.sha }}
+      is_prerelease: ${{ github.event.release.prerelease }}
--- a/.github/workflows/move-stable-tag.yml
+++ b/.github/workflows/move-stable-tag.yml
@@ -0,0 +1,96 @@
+name: Move Stable Tag
+
+on:
+  workflow_call:
+    inputs:
+      release_tag:
+        description: "The release tag name (e.g., 1.2.3)"
+        required: true
+        type: string
+      commit_sha:
+        description: "The commit SHA to point the stable tag to"
+        required: true
+        type: string
+      is_prerelease:
+        description: "Whether this is a prerelease (stable tag won't be moved for prereleases)"
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+# Prevent concurrent stable tag operations to avoid race conditions
+concurrency:
+  group: move-stable-tag-${{ github.repository }}
+  cancel-in-progress: true
+
+jobs:
+  move-stable-tag:
+    name: Move stable tag to release
+    runs-on: ubuntu-latest
+    timeout-minutes: 10 # Prevent hung git operations
+    permissions:
+      contents: write # Required to push tags
+    # Only move stable tag for non-prerelease versions
+    if: ${{ !inputs.is_prerelease }}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0 # Full history needed for tag operations
+
+      - name: Validate inputs
+        env:
+          RELEASE_TAG: ${{ inputs.release_tag }}
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+        run: |
+          set -euo pipefail
+
+          # Validate release tag format
+          if [[ ! "$RELEASE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
+            echo "❌ Error: Invalid release tag format. Expected format: 1.2.3, 1.2.3-alpha"
+            echo "Provided: $RELEASE_TAG"
+            exit 1
+          fi
+
+          # Validate commit SHA format (40 character hex)
+          if [[ ! "$COMMIT_SHA" =~ ^[a-f0-9]{40}$ ]]; then
+            echo "❌ Error: Invalid commit SHA format. Expected 40 character hex string"
+            echo "Provided: $COMMIT_SHA"
+            exit 1
+          fi
+
+          echo "✅ Input validation passed"
+          echo "Release tag: $RELEASE_TAG"
+          echo "Commit SHA: $COMMIT_SHA"
+
+      - name: Move stable tag
+        env:
+          RELEASE_TAG: ${{ inputs.release_tag }}
+          COMMIT_SHA: ${{ inputs.commit_sha }}
+        run: |
+          set -euo pipefail
+
+          # Configure git
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Verify the commit exists
+          if ! git cat-file -e "$COMMIT_SHA"; then
+            echo "❌ Error: Commit $COMMIT_SHA does not exist in this repository"
+            exit 1
+          fi
+
+          # Move stable tag to the release commit
+          echo "📌 Moving stable tag to commit: $COMMIT_SHA (release: $RELEASE_TAG)"
+          git tag -f stable "$COMMIT_SHA"
+          git push origin stable --force
+
+          echo "✅ Successfully moved stable tag to release $RELEASE_TAG"
+          echo "🔗 Stable tag now points to: https://github.com/${{ github.repository }}/commit/$COMMIT_SHA"
--- a/.github/workflows/release-docker-github-experimental.yml
+++ b/.github/workflows/release-docker-github-experimental.yml
@@ -1,41 +1,31 @@
-name: Docker Release to Github Experimental
+name: Build Community Testing Images

-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+# This workflow builds experimental/testing versions of Formbricks for self-hosting customers
+# to test fixes and features before official releases. Images are pushed to GHCR with
+# timestamped experimental versions for easy identification and testing.

 on:
  workflow_dispatch:
-
-env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}-experimental
-  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
-  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+    inputs:
+      version_override:
+        description: "Override version (SemVer only, e.g., 1.2.3-beta). Leave empty for auto-generated experimental version."
+        required: false
+        type: string

 permissions:
  contents: read
+  packages: write
+  id-token: write

 jobs:
-  build:
+  build-community-testing:
+    name: Build Community Testing Image
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
-
-    outputs:
-      DOCKER_IMAGE: ${{ steps.extract_image_info.outputs.DOCKER_IMAGE }}
-      RELEASE_VERSION: ${{ steps.extract_image_info.outputs.RELEASE_VERSION }}
+    timeout-minutes: 45

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

@@ -44,151 +34,17 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Generate SemVer version from branch or tag
-        id: generate_version
+      - name: Build and push community testing image
+        uses: ./.github/actions/build-and-push-docker
+        with:
+          registry_type: "ghcr"
+          ghcr_image_name: "${{ github.repository }}-experimental"
+          experimental_mode: "true"
+          version: ${{ inputs.version_override }}
        env:
-          REF_NAME: ${{ github.ref_name }}
-          REF_TYPE: ${{ github.ref_type }}
-        run: |
-          # Get reference name and type from environment variables
-          echo "Reference type: $REF_TYPE"
-          echo "Reference name: $REF_NAME"
-
-          if [[ "$REF_TYPE" == "tag" ]]; then
-            # If running from a tag, use the tag name
-            if [[ "$REF_NAME" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+.*$ ]]; then
-              # Tag looks like a SemVer, use it directly (remove 'v' prefix if present)
-              VERSION=$(echo "$REF_NAME" | sed 's/^v//')
-              echo "Using SemVer tag: $VERSION"
-            else
-              # Tag is not SemVer, treat as prerelease
-              SANITIZED_TAG=$(echo "$REF_NAME" | sed 's/[^a-zA-Z0-9.-]/-/g' | sed 's/--*/-/g' | sed 's/^-\|-$//g')
-              VERSION="0.0.0-$SANITIZED_TAG"
-              echo "Using tag as prerelease: $VERSION"
-            fi
-          else
-            # Running from branch, use branch name as prerelease
-            SANITIZED_BRANCH=$(echo "$REF_NAME" | sed 's/[^a-zA-Z0-9.-]/-/g' | sed 's/--*/-/g' | sed 's/^-\|-$//g')
-            VERSION="0.0.0-$SANITIZED_BRANCH"
-            echo "Using branch as prerelease: $VERSION"
-          fi
-
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
-          echo "Generated SemVer version: $VERSION"
-
-      - name: Update package.json version
-        run: |
-          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.VERSION }}\"/" ./apps/web/package.json
-          cat ./apps/web/package.json | grep version
-
-      - name: Set Sentry environment in .env
-        run: |
-          if ! grep -q "^SENTRY_ENVIRONMENT=staging$" .env 2>/dev/null; then
-            echo "SENTRY_ENVIRONMENT=staging" >> .env
-            echo "Added SENTRY_ENVIRONMENT=staging to .env file"
-          else
-            echo "SENTRY_ENVIRONMENT=staging already exists in .env file"
-          fi
-
-      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
-        with:
-          project: tw0fqmsx3c
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: .
-          file: ./apps/web/Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          secrets: |
-            database_url=${{ secrets.DUMMY_DATABASE_URL }}
-            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
-
-      - name: Extract image info for sourcemap upload
-        id: extract_image_info
-        run: |
-          # Use the first readable tag from metadata action output
-          DOCKER_IMAGE=$(echo "${{ steps.meta.outputs.tags }}" | head -n1 | xargs)
-          echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> $GITHUB_OUTPUT
-
-          # Use the generated version for Sentry release
-          RELEASE_VERSION="$VERSION"
-          echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_OUTPUT
-
-          echo "Docker image: $DOCKER_IMAGE"
-          echo "Release version: $RELEASE_VERSION"
-          echo "Available tags: ${{ steps.meta.outputs.tags }}"
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
-        env:
-          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-          TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
-
-  upload-sentry-sourcemaps:
-    name: Upload Sentry Sourcemaps
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    needs:
-      - build
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Upload Sentry Sourcemaps
-        uses: ./.github/actions/upload-sentry-sourcemaps
-        continue-on-error: true
-        with:
-          docker_image: ${{ needs.build.outputs.DOCKER_IMAGE }}
-          release_version: ${{ needs.build.outputs.RELEASE_VERSION }}
-          sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          environment: staging
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
+          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
+          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-docker-github.yml
+++ b/.github/workflows/release-docker-github.yml
@@ -1,4 +1,4 @@
-name: Docker Release to Github
+name: Release Community Docker Images

 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
@@ -23,8 +23,6 @@ env:
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
-  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
-  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}

 permissions:
  contents: read
@@ -32,6 +30,7 @@ permissions:
 jobs:
  build:
    runs-on: ubuntu-latest
+    timeout-minutes: 45
    permissions:
      contents: read
      packages: write
@@ -44,102 +43,60 @@ jobs:

    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

-      - name: Get Release Tag
+      - name: Extract release version from tag
        id: extract_release_tag
        run: |
-          # Extract version from tag (e.g., refs/tags/v1.2.3 -> 1.2.3)
-          TAG="$GITHUB_REF"
-          TAG=${TAG#refs/tags/v}
+          set -euo pipefail

-          # Validate the extracted tag format
-          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
-            echo "❌ Error: Invalid release tag format after extraction. Must be semver (e.g., 1.2.3, 1.2.3-alpha)"
-            echo "Original ref: $GITHUB_REF"
-            echo "Extracted tag: $TAG"
+          # Extract tag name with fallback logic for different trigger contexts
+          if [[ -n "${RELEASE_TAG:-}" ]]; then
+            TAG="$RELEASE_TAG"
+            echo "Using RELEASE_TAG override: $TAG"
+          elif [[ "$GITHUB_REF_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]] || [[ "$GITHUB_REF_NAME" =~ ^v[0-9] ]]; then
+            TAG="$GITHUB_REF_NAME"
+            echo "Using GITHUB_REF_NAME (looks like tag): $TAG"
+          else
+            # Fallback: extract from GITHUB_REF for direct tag triggers
+            TAG="${GITHUB_REF#refs/tags/}"
+            if [[ -z "$TAG" || "$TAG" == "$GITHUB_REF" ]]; then
+              TAG="$GITHUB_REF_NAME"
+              echo "Using GITHUB_REF_NAME as final fallback: $TAG"
+            else
+              echo "Extracted from GITHUB_REF: $TAG"
+            fi
+          fi
+
+          # Strip v-prefix if present (normalize to clean SemVer)
+          TAG=${TAG#[vV]}
+
+          # Validate SemVer format (supports prereleases like 4.0.0-rc.1)
+          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+            echo "ERROR: Invalid tag format '$TAG'. Expected SemVer (e.g., 1.2.3, 4.0.0-rc.1)"
            exit 1
          fi

-          # Safely add to environment variables
-          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
-
          echo "VERSION=$TAG" >> $GITHUB_OUTPUT
-          echo "Using tag-based version: $TAG"
+          echo "Using version: $TAG"

-      - name: Update package.json version
-        run: |
-          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
-          cat ./apps/web/package.json | grep version
-
-      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
-
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - name: Build and push community release image
+        id: build
+        uses: ./.github/actions/build-and-push-docker
        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            # Default semver tags (version, major.minor, major)
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            # Only tag as 'latest' for stable releases (not prereleases)
-            type=raw,value=latest,enable=${{ inputs.IS_PRERELEASE != 'true' }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
-        with:
-          project: tw0fqmsx3c
-          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
-          context: .
-          file: ./apps/web/Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          secrets: |
-            database_url=${{ secrets.DUMMY_DATABASE_URL }}
-            encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
-
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
-      - name: Sign the published Docker image
-        if: ${{ github.event_name != 'pull_request' }}
+          registry_type: "ghcr"
+          ghcr_image_name: ${{ env.IMAGE_NAME }}
+          version: ${{ steps.extract_release_tag.outputs.VERSION }}
+          is_prerelease: ${{ inputs.IS_PRERELEASE }}
        env:
-          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-          TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
-        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEPOT_PROJECT_TOKEN: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          DUMMY_DATABASE_URL: ${{ secrets.DUMMY_DATABASE_URL }}
+          DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
+          DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-helm-chart.yml
+++ b/.github/workflows/release-helm-chart.yml
@@ -19,7 +19,7 @@ jobs:
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

@@ -59,14 +59,35 @@ jobs:
        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1

      - name: Update Chart.yaml with new version
+        env:
+          VERSION: ${{ env.VERSION }}
        run: |
-          yq -i ".version = \"$VERSION\"" helm-chart/Chart.yaml
-          yq -i ".appVersion = \"v$VERSION\"" helm-chart/Chart.yaml
+          set -euo pipefail
+
+          echo "Updating Chart.yaml with version: ${VERSION}"
+          yq -i ".version = \"${VERSION}\"" helm-chart/Chart.yaml
+          yq -i ".appVersion = \"${VERSION}\"" helm-chart/Chart.yaml
+
+          echo "✅ Successfully updated Chart.yaml"

      - name: Package Helm chart
+        env:
+          VERSION: ${{ env.VERSION }}
        run: |
+          set -euo pipefail
+
+          echo "Packaging Helm chart version: ${VERSION}"
          helm package ./helm-chart

+          echo "✅ Successfully packaged formbricks-${VERSION}.tgz"
+
      - name: Push Helm chart to GitHub Container Registry
+        env:
+          VERSION: ${{ env.VERSION }}
        run: |
-          helm push "formbricks-$VERSION.tgz" oci://ghcr.io/formbricks/helm-charts
+          set -euo pipefail
+
+          echo "Pushing Helm chart to registry: formbricks-${VERSION}.tgz"
+          helm push "formbricks-${VERSION}.tgz" oci://ghcr.io/formbricks/helm-charts
+
+          echo "✅ Successfully pushed Helm chart to registry"
--- a/.github/workflows/upload-sentry-sourcemaps.yml
+++ b/.github/workflows/upload-sentry-sourcemaps.yml
@@ -1,48 +0,0 @@
-name: Upload Sentry Sourcemaps (Manual)
-
-on:
-  workflow_dispatch:
-    inputs:
-      docker_image:
-        description: "Docker image to extract sourcemaps from"
-        required: true
-        type: string
-      release_version:
-        description: "Release version (e.g., v1.2.3)"
-        required: true
-        type: string
-      tag_version:
-        description: "Docker image tag (leave empty to use release_version)"
-        required: false
-        type: string
-
-permissions:
-  contents: read
-
-jobs:
-  upload-sourcemaps:
-    name: Upload Sourcemaps to Sentry
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - name: Set Docker Image
-        run: echo "DOCKER_IMAGE=${DOCKER_IMAGE}" >> $GITHUB_ENV
-        env:
-          DOCKER_IMAGE: ${{ inputs.docker_image }}:${{ inputs.tag_version != '' && inputs.tag_version || inputs.release_version }}
-
-      - name: Upload Sourcemaps to Sentry
-        uses: ./.github/actions/upload-sentry-sourcemaps
-        with:
-          docker_image: ${{ env.DOCKER_IMAGE }}
-          release_version: ${{ inputs.release_version }}
-          sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/apps/web/lib/jwt.test.ts
+++ b/apps/web/lib/jwt.test.ts
@@ -1,4 +1,5 @@
-import { env } from "@/lib/env";
+import * as crypto from "@/lib/crypto";
+import jwt from "jsonwebtoken";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 import { prisma } from "@formbricks/database";
 import {
@@ -14,12 +15,69 @@ import {
  verifyTokenForLinkSurvey,
 } from "./jwt";

+const TEST_ENCRYPTION_KEY = "0".repeat(32); // 32-byte key for AES-256-GCM
+const TEST_NEXTAUTH_SECRET = "test-nextauth-secret";
+const DIFFERENT_SECRET = "different-secret";
+
+// Error message constants
+const NEXTAUTH_SECRET_ERROR = "NEXTAUTH_SECRET is not set";
+const ENCRYPTION_KEY_ERROR = "ENCRYPTION_KEY is not set";
+
+// Helper function to test error cases for missing secrets/keys
+const testMissingSecretsError = async (
+  testFn: (...args: any[]) => any,
+  args: any[],
+  options: {
+    testNextAuthSecret?: boolean;
+    testEncryptionKey?: boolean;
+    isAsync?: boolean;
+  } = {}
+) => {
+  const { testNextAuthSecret = true, testEncryptionKey = true, isAsync = false } = options;
+
+  if (testNextAuthSecret) {
+    const constants = await import("@/lib/constants");
+    const originalSecret = (constants as any).NEXTAUTH_SECRET;
+    (constants as any).NEXTAUTH_SECRET = undefined;
+
+    if (isAsync) {
+      await expect(testFn(...args)).rejects.toThrow(NEXTAUTH_SECRET_ERROR);
+    } else {
+      expect(() => testFn(...args)).toThrow(NEXTAUTH_SECRET_ERROR);
+    }
+
+    // Restore
+    (constants as any).NEXTAUTH_SECRET = originalSecret;
+  }
+
+  if (testEncryptionKey) {
+    const constants = await import("@/lib/constants");
+    const originalKey = (constants as any).ENCRYPTION_KEY;
+    (constants as any).ENCRYPTION_KEY = undefined;
+
+    if (isAsync) {
+      await expect(testFn(...args)).rejects.toThrow(ENCRYPTION_KEY_ERROR);
+    } else {
+      expect(() => testFn(...args)).toThrow(ENCRYPTION_KEY_ERROR);
+    }
+
+    // Restore
+    (constants as any).ENCRYPTION_KEY = originalKey;
+  }
+};
+
 // Mock environment variables
 vi.mock("@/lib/env", () => ({
  env: {
-    ENCRYPTION_KEY: "0".repeat(32), // 32-byte key for AES-256-GCM
+    ENCRYPTION_KEY: "0".repeat(32),
    NEXTAUTH_SECRET: "test-nextauth-secret",
-  } as typeof env,
+  },
+}));
+
+// Mock constants
+vi.mock("@/lib/constants", () => ({
+  NEXTAUTH_SECRET: "test-nextauth-secret",
+  ENCRYPTION_KEY: "0".repeat(32),
 }));

 // Mock prisma
@@ -31,22 +89,65 @@ vi.mock("@formbricks/database", () => ({
  },
 }));

-describe("JWT Functions", () => {
+// Mock logger
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    error: vi.fn(),
+    warn: vi.fn(),
+    info: vi.fn(),
+  },
+}));
+
+describe("JWT Functions - Comprehensive Security Tests", () => {
  const mockUser = {
    id: "test-user-id",
    email: "test@example.com",
  };

+  let mockSymmetricEncrypt: any;
+  let mockSymmetricDecrypt: any;
+
  beforeEach(() => {
    vi.clearAllMocks();
+
+    // Setup default crypto mocks
+    mockSymmetricEncrypt = vi
+      .spyOn(crypto, "symmetricEncrypt")
+      .mockImplementation((text: string) => `encrypted_${text}`);
+
+    mockSymmetricDecrypt = vi
+      .spyOn(crypto, "symmetricDecrypt")
+      .mockImplementation((encryptedText: string) => encryptedText.replace("encrypted_", ""));
+
    (prisma.user.findUnique as any).mockResolvedValue(mockUser);
  });

  describe("createToken", () => {
-    test("should create a valid token", () => {
-      const token = createToken(mockUser.id, mockUser.email);
+    test("should create a valid token with encrypted user ID", () => {
+      const token = createToken(mockUser.id);
      expect(token).toBeDefined();
      expect(typeof token).toBe("string");
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.id, TEST_ENCRYPTION_KEY);
+    });
+
+    test("should accept custom options", () => {
+      const customOptions = { expiresIn: "1h" };
+      const token = createToken(mockUser.id, customOptions);
+      expect(token).toBeDefined();
+
+      // Verify the token contains the expected expiration
+      const decoded = jwt.decode(token) as any;
+      expect(decoded.exp).toBeDefined();
+      expect(decoded.iat).toBeDefined();
+      // Should expire in approximately 1 hour (3600 seconds)
+      expect(decoded.exp - decoded.iat).toBe(3600);
+    });
+
+    test("should throw error if NEXTAUTH_SECRET is not set", async () => {
+      await testMissingSecretsError(createToken, [mockUser.id], {
+        testNextAuthSecret: true,
+        testEncryptionKey: false,
+      });
    });
  });

@@ -56,6 +157,18 @@ describe("JWT Functions", () => {
      const token = createTokenForLinkSurvey(surveyId, mockUser.email);
      expect(token).toBeDefined();
      expect(typeof token).toBe("string");
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.email, TEST_ENCRYPTION_KEY);
+    });
+
+    test("should include surveyId in payload", () => {
+      const surveyId = "test-survey-id";
+      const token = createTokenForLinkSurvey(surveyId, mockUser.email);
+      const decoded = jwt.decode(token) as any;
+      expect(decoded.surveyId).toBe(surveyId);
+    });
+
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(createTokenForLinkSurvey, ["survey-id", mockUser.email]);
    });
  });

@@ -64,24 +177,30 @@ describe("JWT Functions", () => {
      const token = createEmailToken(mockUser.email);
      expect(token).toBeDefined();
      expect(typeof token).toBe("string");
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.email, TEST_ENCRYPTION_KEY);
    });

-    test("should throw error if NEXTAUTH_SECRET is not set", () => {
-      const originalSecret = env.NEXTAUTH_SECRET;
-      try {
-        (env as any).NEXTAUTH_SECRET = undefined;
-        expect(() => createEmailToken(mockUser.email)).toThrow("NEXTAUTH_SECRET is not set");
-      } finally {
-        (env as any).NEXTAUTH_SECRET = originalSecret;
-      }
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(createEmailToken, [mockUser.email]);
    });
  });

-  describe("getEmailFromEmailToken", () => {
-    test("should extract email from valid token", () => {
-      const token = createEmailToken(mockUser.email);
-      const extractedEmail = getEmailFromEmailToken(token);
-      expect(extractedEmail).toBe(mockUser.email);
+  describe("createEmailChangeToken", () => {
+    test("should create a valid email change token with 1 day expiration", () => {
+      const token = createEmailChangeToken(mockUser.id, mockUser.email);
+      expect(token).toBeDefined();
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.id, TEST_ENCRYPTION_KEY);
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.email, TEST_ENCRYPTION_KEY);
+
+      const decoded = jwt.decode(token) as any;
+      expect(decoded.exp).toBeDefined();
+      expect(decoded.iat).toBeDefined();
+      // Should expire in approximately 1 day (86400 seconds)
+      expect(decoded.exp - decoded.iat).toBe(86400);
+    });
+
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(createEmailChangeToken, [mockUser.id, mockUser.email]);
    });
  });

@@ -91,6 +210,50 @@ describe("JWT Functions", () => {
      const token = createInviteToken(inviteId, mockUser.email);
      expect(token).toBeDefined();
      expect(typeof token).toBe("string");
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(inviteId, TEST_ENCRYPTION_KEY);
+      expect(mockSymmetricEncrypt).toHaveBeenCalledWith(mockUser.email, TEST_ENCRYPTION_KEY);
+    });
+
+    test("should accept custom options", () => {
+      const inviteId = "test-invite-id";
+      const customOptions = { expiresIn: "24h" };
+      const token = createInviteToken(inviteId, mockUser.email, customOptions);
+      expect(token).toBeDefined();
+
+      const decoded = jwt.decode(token) as any;
+      expect(decoded.exp).toBeDefined();
+      expect(decoded.iat).toBeDefined();
+      // Should expire in approximately 24 hours (86400 seconds)
+      expect(decoded.exp - decoded.iat).toBe(86400);
+    });
+
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(createInviteToken, ["invite-id", mockUser.email]);
+    });
+  });
+
+  describe("getEmailFromEmailToken", () => {
+    test("should extract email from valid token", () => {
+      const token = createEmailToken(mockUser.email);
+      const extractedEmail = getEmailFromEmailToken(token);
+      expect(extractedEmail).toBe(mockUser.email);
+      expect(mockSymmetricDecrypt).toHaveBeenCalledWith(`encrypted_${mockUser.email}`, TEST_ENCRYPTION_KEY);
+    });
+
+    test("should fall back to original email if decryption fails", () => {
+      mockSymmetricDecrypt.mockImplementationOnce(() => {
+        throw new Error("Decryption failed");
+      });
+
+      // Create token manually with unencrypted email for legacy compatibility
+      const legacyToken = jwt.sign({ email: mockUser.email }, TEST_NEXTAUTH_SECRET);
+      const extractedEmail = getEmailFromEmailToken(legacyToken);
+      expect(extractedEmail).toBe(mockUser.email);
+    });
+
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      const token = jwt.sign({ email: "test@example.com" }, TEST_NEXTAUTH_SECRET);
+      await testMissingSecretsError(getEmailFromEmailToken, [token]);
    });
  });

@@ -106,23 +269,194 @@ describe("JWT Functions", () => {
      const result = verifyTokenForLinkSurvey("invalid-token", "test-survey-id");
      expect(result).toBeNull();
    });
+
+    test("should return null if NEXTAUTH_SECRET is not set", async () => {
+      const constants = await import("@/lib/constants");
+      const originalSecret = (constants as any).NEXTAUTH_SECRET;
+      (constants as any).NEXTAUTH_SECRET = undefined;
+
+      const result = verifyTokenForLinkSurvey("any-token", "test-survey-id");
+      expect(result).toBeNull();
+
+      // Restore
+      (constants as any).NEXTAUTH_SECRET = originalSecret;
+    });
+
+    test("should return null if surveyId doesn't match", () => {
+      const surveyId = "test-survey-id";
+      const differentSurveyId = "different-survey-id";
+      const token = createTokenForLinkSurvey(surveyId, mockUser.email);
+      const result = verifyTokenForLinkSurvey(token, differentSurveyId);
+      expect(result).toBeNull();
+    });
+
+    test("should return null if email is missing from payload", () => {
+      const tokenWithoutEmail = jwt.sign({ surveyId: "test-survey-id" }, TEST_NEXTAUTH_SECRET);
+      const result = verifyTokenForLinkSurvey(tokenWithoutEmail, "test-survey-id");
+      expect(result).toBeNull();
+    });
+
+    test("should fall back to original email if decryption fails", () => {
+      mockSymmetricDecrypt.mockImplementationOnce(() => {
+        throw new Error("Decryption failed");
+      });
+
+      // Create legacy token with unencrypted email
+      const legacyToken = jwt.sign(
+        {
+          email: mockUser.email,
+          surveyId: "test-survey-id",
+        },
+        TEST_NEXTAUTH_SECRET
+      );
+
+      const result = verifyTokenForLinkSurvey(legacyToken, "test-survey-id");
+      expect(result).toBe(mockUser.email);
+    });
+
+    test("should fall back to original email if ENCRYPTION_KEY is not set", async () => {
+      const constants = await import("@/lib/constants");
+      const originalKey = (constants as any).ENCRYPTION_KEY;
+      (constants as any).ENCRYPTION_KEY = undefined;
+
+      // Create a token with unencrypted email (as it would be if ENCRYPTION_KEY was not set during creation)
+      const token = jwt.sign(
+        {
+          email: mockUser.email,
+          surveyId: "survey-id",
+        },
+        TEST_NEXTAUTH_SECRET
+      );
+
+      const result = verifyTokenForLinkSurvey(token, "survey-id");
+      expect(result).toBe(mockUser.email);
+
+      // Restore
+      (constants as any).ENCRYPTION_KEY = originalKey;
+    });
+
+    test("should verify legacy survey tokens with surveyId-based secret", async () => {
+      const surveyId = "test-survey-id";
+
+      // Create legacy token with old format (NEXTAUTH_SECRET + surveyId)
+      const legacyToken = jwt.sign({ email: `encrypted_${mockUser.email}` }, TEST_NEXTAUTH_SECRET + surveyId);
+
+      const result = verifyTokenForLinkSurvey(legacyToken, surveyId);
+      expect(result).toBe(mockUser.email);
+    });
+
+    test("should reject survey tokens that fail both new and legacy verification", async () => {
+      const surveyId = "test-survey-id";
+      const invalidToken = jwt.sign({ email: "encrypted_test@example.com" }, "wrong-secret");
+
+      const result = verifyTokenForLinkSurvey(invalidToken, surveyId);
+      expect(result).toBeNull();
+
+      // Verify error logging
+      const { logger } = await import("@formbricks/logger");
+      expect(logger.error).toHaveBeenCalledWith(expect.any(Error), "Survey link token verification failed");
+    });
+
+    test("should reject legacy survey tokens for wrong survey", () => {
+      const correctSurveyId = "correct-survey-id";
+      const wrongSurveyId = "wrong-survey-id";
+
+      // Create legacy token for one survey
+      const legacyToken = jwt.sign(
+        { email: `encrypted_${mockUser.email}` },
+        TEST_NEXTAUTH_SECRET + correctSurveyId
+      );
+
+      // Try to verify with different survey ID
+      const result = verifyTokenForLinkSurvey(legacyToken, wrongSurveyId);
+      expect(result).toBeNull();
+    });
  });

  describe("verifyToken", () => {
    test("should verify valid token", async () => {
-      const token = createToken(mockUser.id, mockUser.email);
+      const token = createToken(mockUser.id);
      const verified = await verifyToken(token);
      expect(verified).toEqual({
-        id: mockUser.id,
+        id: mockUser.id, // Returns the decrypted user ID
        email: mockUser.email,
      });
    });

    test("should throw error if user not found", async () => {
      (prisma.user.findUnique as any).mockResolvedValue(null);
-      const token = createToken(mockUser.id, mockUser.email);
+      const token = createToken(mockUser.id);
      await expect(verifyToken(token)).rejects.toThrow("User not found");
    });
+
+    test("should throw error if NEXTAUTH_SECRET is not set", async () => {
+      await testMissingSecretsError(verifyToken, ["any-token"], {
+        testNextAuthSecret: true,
+        testEncryptionKey: false,
+        isAsync: true,
+      });
+    });
+
+    test("should throw error for invalid token signature", async () => {
+      const invalidToken = jwt.sign({ id: "test-id" }, DIFFERENT_SECRET);
+      await expect(verifyToken(invalidToken)).rejects.toThrow("Invalid token");
+    });
+
+    test("should throw error if token payload is missing id", async () => {
+      const tokenWithoutId = jwt.sign({ email: mockUser.email }, TEST_NEXTAUTH_SECRET);
+      await expect(verifyToken(tokenWithoutId)).rejects.toThrow("Invalid token");
+    });
+
+    test("should return raw id from payload", async () => {
+      // Create token with unencrypted id
+      const token = jwt.sign({ id: mockUser.id }, TEST_NEXTAUTH_SECRET);
+      const verified = await verifyToken(token);
+      expect(verified).toEqual({
+        id: mockUser.id, // Returns the raw ID from payload
+        email: mockUser.email,
+      });
+    });
+
+    test("should verify legacy tokens with email-based secret", async () => {
+      // Create legacy token with old format (NEXTAUTH_SECRET + userEmail)
+      const legacyToken = jwt.sign({ id: `encrypted_${mockUser.id}` }, TEST_NEXTAUTH_SECRET + mockUser.email);
+
+      const verified = await verifyToken(legacyToken);
+      expect(verified).toEqual({
+        id: mockUser.id, // Returns the decrypted user ID
+        email: mockUser.email,
+      });
+    });
+
+    test("should prioritize new tokens over legacy tokens", async () => {
+      // Create both new and legacy tokens for the same user
+      const newToken = createToken(mockUser.id);
+      const legacyToken = jwt.sign({ id: `encrypted_${mockUser.id}` }, TEST_NEXTAUTH_SECRET + mockUser.email);
+
+      // New token should verify without triggering legacy path
+      const verifiedNew = await verifyToken(newToken);
+      expect(verifiedNew.id).toBe(mockUser.id); // Returns decrypted user ID
+
+      // Legacy token should trigger legacy path
+      const verifiedLegacy = await verifyToken(legacyToken);
+      expect(verifiedLegacy.id).toBe(mockUser.id); // Returns decrypted user ID
+    });
+
+    test("should reject tokens that fail both new and legacy verification", async () => {
+      const invalidToken = jwt.sign({ id: "encrypted_test-id" }, "wrong-secret");
+      await expect(verifyToken(invalidToken)).rejects.toThrow("Invalid token");
+
+      // Verify both methods were attempted
+      const { logger } = await import("@formbricks/logger");
+      expect(logger.error).toHaveBeenCalledWith(
+        expect.any(Error),
+        "Token verification failed with new method"
+      );
+      expect(logger.error).toHaveBeenCalledWith(
+        expect.any(Error),
+        "Token verification failed with legacy method"
+      );
+    });
  });

  describe("verifyInviteToken", () => {
@@ -139,6 +473,53 @@ describe("JWT Functions", () => {
    test("should throw error for invalid token", () => {
      expect(() => verifyInviteToken("invalid-token")).toThrow("Invalid or expired invite token");
    });
+
+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(verifyInviteToken, ["any-token"]);
+    });
+
+    test("should throw error if inviteId is missing", () => {
+      const tokenWithoutInviteId = jwt.sign({ email: mockUser.email }, TEST_NEXTAUTH_SECRET);
+      expect(() => verifyInviteToken(tokenWithoutInviteId)).toThrow("Invalid or expired invite token");
+    });
+
+    test("should throw error if email is missing", () => {
+      const tokenWithoutEmail = jwt.sign({ inviteId: "test-invite-id" }, TEST_NEXTAUTH_SECRET);
+      expect(() => verifyInviteToken(tokenWithoutEmail)).toThrow("Invalid or expired invite token");
+    });
+
+    test("should fall back to original values if decryption fails", () => {
+      mockSymmetricDecrypt.mockImplementation(() => {
+        throw new Error("Decryption failed");
+      });
+
+      const inviteId = "test-invite-id";
+      const legacyToken = jwt.sign(
+        {
+          inviteId,
+          email: mockUser.email,
+        },
+        TEST_NEXTAUTH_SECRET
+      );
+
+      const verified = verifyInviteToken(legacyToken);
+      expect(verified).toEqual({
+        inviteId,
+        email: mockUser.email,
+      });
+    });
+
+    test("should throw error for token with wrong signature", () => {
+      const invalidToken = jwt.sign(
+        {
+          inviteId: "test-invite-id",
+          email: mockUser.email,
+        },
+        DIFFERENT_SECRET
+      );
+
+      expect(() => verifyInviteToken(invalidToken)).toThrow("Invalid or expired invite token");
+    });
  });

  describe("verifyEmailChangeToken", () => {
@@ -150,22 +531,478 @@ describe("JWT Functions", () => {
      expect(result).toEqual({ id: userId, email });
    });

+    test("should throw error if NEXTAUTH_SECRET or ENCRYPTION_KEY is not set", async () => {
+      await testMissingSecretsError(verifyEmailChangeToken, ["any-token"], { isAsync: true });
+    });
+
    test("should throw error if token is invalid or missing fields", async () => {
-      // Create a token with missing fields
-      const jwt = await import("jsonwebtoken");
-      const token = jwt.sign({ foo: "bar" }, env.NEXTAUTH_SECRET as string);
+      const token = jwt.sign({ foo: "bar" }, TEST_NEXTAUTH_SECRET);
+      await expect(verifyEmailChangeToken(token)).rejects.toThrow(
+        "Token is invalid or missing required fields"
+      );
+    });
+
+    test("should throw error if id is missing", async () => {
+      const token = jwt.sign({ email: "test@example.com" }, TEST_NEXTAUTH_SECRET);
+      await expect(verifyEmailChangeToken(token)).rejects.toThrow(
+        "Token is invalid or missing required fields"
+      );
+    });
+
+    test("should throw error if email is missing", async () => {
+      const token = jwt.sign({ id: "test-id" }, TEST_NEXTAUTH_SECRET);
      await expect(verifyEmailChangeToken(token)).rejects.toThrow(
        "Token is invalid or missing required fields"
      );
    });

    test("should return original id/email if decryption fails", async () => {
-      // Create a token with non-encrypted id/email
-      const jwt = await import("jsonwebtoken");
+      mockSymmetricDecrypt.mockImplementation(() => {
+        throw new Error("Decryption failed");
+      });
+
      const payload = { id: "plain-id", email: "plain@example.com" };
-      const token = jwt.sign(payload, env.NEXTAUTH_SECRET as string);
+      const token = jwt.sign(payload, TEST_NEXTAUTH_SECRET);
      const result = await verifyEmailChangeToken(token);
      expect(result).toEqual(payload);
    });
+
+    test("should throw error for token with wrong signature", async () => {
+      const invalidToken = jwt.sign(
+        {
+          id: "test-id",
+          email: "test@example.com",
+        },
+        DIFFERENT_SECRET
+      );
+
+      await expect(verifyEmailChangeToken(invalidToken)).rejects.toThrow();
+    });
+  });
+
+  // SECURITY SCENARIO TESTS
+  describe("Security Scenarios", () => {
+    describe("Algorithm Confusion Attack Prevention", () => {
+      test("should reject 'none' algorithm tokens in verifyToken", async () => {
+        // Create malicious token with "none" algorithm
+        const maliciousToken =
+          Buffer.from(
+            JSON.stringify({
+              alg: "none",
+              typ: "JWT",
+            })
+          ).toString("base64url") +
+          "." +
+          Buffer.from(
+            JSON.stringify({
+              id: "encrypted_malicious-id",
+            })
+          ).toString("base64url") +
+          ".";
+
+        await expect(verifyToken(maliciousToken)).rejects.toThrow("Invalid token");
+      });
+
+      test("should reject 'none' algorithm tokens in verifyTokenForLinkSurvey", () => {
+        const maliciousToken =
+          Buffer.from(
+            JSON.stringify({
+              alg: "none",
+              typ: "JWT",
+            })
+          ).toString("base64url") +
+          "." +
+          Buffer.from(
+            JSON.stringify({
+              email: "encrypted_attacker@evil.com",
+              surveyId: "test-survey-id",
+            })
+          ).toString("base64url") +
+          ".";
+
+        const result = verifyTokenForLinkSurvey(maliciousToken, "test-survey-id");
+        expect(result).toBeNull();
+      });
+
+      test("should reject 'none' algorithm tokens in verifyInviteToken", () => {
+        const maliciousToken =
+          Buffer.from(
+            JSON.stringify({
+              alg: "none",
+              typ: "JWT",
+            })
+          ).toString("base64url") +
+          "." +
+          Buffer.from(
+            JSON.stringify({
+              inviteId: "encrypted_malicious-invite",
+              email: "encrypted_attacker@evil.com",
+            })
+          ).toString("base64url") +
+          ".";
+
+        expect(() => verifyInviteToken(maliciousToken)).toThrow("Invalid or expired invite token");
+      });
+
+      test("should reject 'none' algorithm tokens in verifyEmailChangeToken", async () => {
+        const maliciousToken =
+          Buffer.from(
+            JSON.stringify({
+              alg: "none",
+              typ: "JWT",
+            })
+          ).toString("base64url") +
+          "." +
+          Buffer.from(
+            JSON.stringify({
+              id: "encrypted_malicious-id",
+              email: "encrypted_attacker@evil.com",
+            })
+          ).toString("base64url") +
+          ".";
+
+        await expect(verifyEmailChangeToken(maliciousToken)).rejects.toThrow();
+      });
+
+      test("should reject RS256 algorithm tokens (HS256/RS256 confusion)", async () => {
+        // Create malicious token with RS256 algorithm header but HS256 signature
+        const maliciousHeader = Buffer.from(
+          JSON.stringify({
+            alg: "RS256",
+            typ: "JWT",
+          })
+        ).toString("base64url");
+
+        const maliciousPayload = Buffer.from(
+          JSON.stringify({
+            id: "encrypted_malicious-id",
+          })
+        ).toString("base64url");
+
+        // Create signature using HMAC (as if it were HS256)
+        const crypto = require("crypto");
+        const signature = crypto
+          .createHmac("sha256", TEST_NEXTAUTH_SECRET)
+          .update(`${maliciousHeader}.${maliciousPayload}`)
+          .digest("base64url");
+
+        const maliciousToken = `${maliciousHeader}.${maliciousPayload}.${signature}`;
+
+        await expect(verifyToken(maliciousToken)).rejects.toThrow("Invalid token");
+      });
+
+      test("should only accept HS256 algorithm", async () => {
+        // Test that other valid algorithms are rejected
+        const otherAlgorithms = ["HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"];
+
+        for (const alg of otherAlgorithms) {
+          const maliciousHeader = Buffer.from(
+            JSON.stringify({
+              alg,
+              typ: "JWT",
+            })
+          ).toString("base64url");
+
+          const maliciousPayload = Buffer.from(
+            JSON.stringify({
+              id: "encrypted_test-id",
+            })
+          ).toString("base64url");
+
+          const maliciousToken = `${maliciousHeader}.${maliciousPayload}.fake-signature`;
+
+          await expect(verifyToken(maliciousToken)).rejects.toThrow("Invalid token");
+        }
+      });
+    });
+
+    describe("Token Tampering", () => {
+      test("should reject tokens with modified payload", async () => {
+        const token = createToken(mockUser.id);
+        const [header, payload, signature] = token.split(".");
+
+        // Modify the payload
+        const decodedPayload = JSON.parse(Buffer.from(payload, "base64url").toString());
+        decodedPayload.id = "malicious-id";
+        const tamperedPayload = Buffer.from(JSON.stringify(decodedPayload)).toString("base64url");
+        const tamperedToken = `${header}.${tamperedPayload}.${signature}`;
+
+        await expect(verifyToken(tamperedToken)).rejects.toThrow("Invalid token");
+      });
+
+      test("should reject tokens with modified signature", async () => {
+        const token = createToken(mockUser.id);
+        const [header, payload] = token.split(".");
+        const tamperedToken = `${header}.${payload}.tamperedsignature`;
+
+        await expect(verifyToken(tamperedToken)).rejects.toThrow("Invalid token");
+      });
+
+      test("should reject malformed tokens", async () => {
+        const malformedTokens = [
+          "not.a.jwt",
+          "only.two.parts",
+          "too.many.parts.here.invalid",
+          "",
+          "invalid-base64",
+        ];
+
+        for (const malformedToken of malformedTokens) {
+          await expect(verifyToken(malformedToken)).rejects.toThrow();
+        }
+      });
+    });
+
+    describe("Cross-Survey Token Reuse", () => {
+      test("should reject survey tokens used for different surveys", () => {
+        const surveyId1 = "survey-1";
+        const surveyId2 = "survey-2";
+
+        const token = createTokenForLinkSurvey(surveyId1, mockUser.email);
+        const result = verifyTokenForLinkSurvey(token, surveyId2);
+
+        expect(result).toBeNull();
+      });
+    });
+
+    describe("Expired Tokens", () => {
+      test("should reject expired tokens", async () => {
+        const expiredToken = jwt.sign(
+          {
+            id: "encrypted_test-id",
+            exp: Math.floor(Date.now() / 1000) - 3600, // Expired 1 hour ago
+          },
+          TEST_NEXTAUTH_SECRET
+        );
+
+        await expect(verifyToken(expiredToken)).rejects.toThrow("Invalid token");
+      });
+
+      test("should reject expired email change tokens", async () => {
+        const expiredToken = jwt.sign(
+          {
+            id: "encrypted_test-id",
+            email: "encrypted_test@example.com",
+            exp: Math.floor(Date.now() / 1000) - 3600, // Expired 1 hour ago
+          },
+          TEST_NEXTAUTH_SECRET
+        );
+
+        await expect(verifyEmailChangeToken(expiredToken)).rejects.toThrow();
+      });
+    });
+
+    describe("Encryption Key Attacks", () => {
+      test("should fail gracefully with wrong encryption key", async () => {
+        mockSymmetricDecrypt.mockImplementation(() => {
+          throw new Error("Authentication tag verification failed");
+        });
+
+        // Mock findUnique to only return user for correct decrypted ID, not ciphertext
+        (prisma.user.findUnique as any).mockImplementation(({ where }: { where: { id: string } }) => {
+          if (where.id === mockUser.id) {
+            return Promise.resolve(mockUser);
+          }
+          return Promise.resolve(null); // Return null for ciphertext IDs
+        });
+
+        const token = createToken(mockUser.id);
+        // Should fail because ciphertext passed as userId won't match any user in DB
+        await expect(verifyToken(token)).rejects.toThrow(/User not found/i);
+      });
+
+      test("should handle encryption key not set gracefully", async () => {
+        const constants = await import("@/lib/constants");
+        const originalKey = (constants as any).ENCRYPTION_KEY;
+        (constants as any).ENCRYPTION_KEY = undefined;
+
+        const token = jwt.sign(
+          {
+            email: "test@example.com",
+            surveyId: "test-survey-id",
+          },
+          TEST_NEXTAUTH_SECRET
+        );
+
+        const result = verifyTokenForLinkSurvey(token, "test-survey-id");
+        expect(result).toBe("test@example.com");
+
+        // Restore
+        (constants as any).ENCRYPTION_KEY = originalKey;
+      });
+    });
+
+    describe("SQL Injection Attempts", () => {
+      test("should safely handle malicious user IDs", async () => {
+        const maliciousIds = [
+          "'; DROP TABLE users; --",
+          "1' OR '1'='1",
+          "admin'/*",
+          "<script>alert('xss')</script>",
+          "../../etc/passwd",
+        ];
+
+        for (const maliciousId of maliciousIds) {
+          mockSymmetricDecrypt.mockReturnValueOnce(maliciousId);
+
+          const token = jwt.sign({ id: "encrypted_malicious" }, TEST_NEXTAUTH_SECRET);
+
+          // The function should look up the user safely
+          await verifyToken(token);
+          expect(prisma.user.findUnique).toHaveBeenCalledWith({
+            where: { id: maliciousId },
+          });
+        }
+      });
+    });
+
+    describe("Token Reuse and Replay Attacks", () => {
+      test("should allow legitimate token reuse within validity period", async () => {
+        const token = createToken(mockUser.id);
+
+        // First use
+        const result1 = await verifyToken(token);
+        expect(result1.id).toBe(mockUser.id); // Returns decrypted user ID
+
+        // Second use (should still work)
+        const result2 = await verifyToken(token);
+        expect(result2.id).toBe(mockUser.id); // Returns decrypted user ID
+      });
+    });
+
+    describe("Legacy Token Compatibility", () => {
+      test("should handle legacy unencrypted tokens gracefully", async () => {
+        // Legacy token with plain text data
+        const legacyToken = jwt.sign({ id: mockUser.id }, TEST_NEXTAUTH_SECRET);
+        const result = await verifyToken(legacyToken);
+
+        expect(result.id).toBe(mockUser.id); // Returns raw ID from payload
+        expect(result.email).toBe(mockUser.email);
+      });
+
+      test("should handle mixed encrypted/unencrypted fields", async () => {
+        mockSymmetricDecrypt
+          .mockImplementationOnce(() => mockUser.id) // id decrypts successfully
+          .mockImplementationOnce(() => {
+            throw new Error("Email not encrypted");
+          }); // email fails
+
+        const token = jwt.sign(
+          {
+            id: "encrypted_test-id",
+            email: "plain-email@example.com",
+          },
+          TEST_NEXTAUTH_SECRET
+        );
+
+        const result = await verifyEmailChangeToken(token);
+        expect(result.id).toBe(mockUser.id);
+        expect(result.email).toBe("plain-email@example.com");
+      });
+
+      test("should verify old format user tokens with email-based secrets", async () => {
+        // Simulate old token format with per-user secret
+        const oldFormatToken = jwt.sign(
+          { id: `encrypted_${mockUser.id}` },
+          TEST_NEXTAUTH_SECRET + mockUser.email
+        );
+
+        const result = await verifyToken(oldFormatToken);
+        expect(result.id).toBe(mockUser.id); // Returns decrypted user ID
+        expect(result.email).toBe(mockUser.email);
+      });
+
+      test("should verify old format survey tokens with survey-based secrets", () => {
+        const surveyId = "legacy-survey-id";
+
+        // Simulate old survey token format
+        const oldFormatSurveyToken = jwt.sign(
+          { email: `encrypted_${mockUser.email}` },
+          TEST_NEXTAUTH_SECRET + surveyId
+        );
+
+        const result = verifyTokenForLinkSurvey(oldFormatSurveyToken, surveyId);
+        expect(result).toBe(mockUser.email);
+      });
+
+      test("should gracefully handle database errors during legacy verification", async () => {
+        // Create token that will fail new method
+        const legacyToken = jwt.sign(
+          { id: `encrypted_${mockUser.id}` },
+          TEST_NEXTAUTH_SECRET + mockUser.email
+        );
+
+        // Make database lookup fail
+        (prisma.user.findUnique as any).mockRejectedValueOnce(new Error("DB connection lost"));
+
+        await expect(verifyToken(legacyToken)).rejects.toThrow("DB connection lost");
+      });
+    });
+
+    describe("Edge Cases and Error Handling", () => {
+      test("should handle database connection errors gracefully", async () => {
+        (prisma.user.findUnique as any).mockRejectedValue(new Error("Database connection failed"));
+
+        const token = createToken(mockUser.id);
+        await expect(verifyToken(token)).rejects.toThrow("Database connection failed");
+      });
+
+      test("should handle crypto module errors", () => {
+        mockSymmetricEncrypt.mockImplementation(() => {
+          throw new Error("Crypto module error");
+        });
+
+        expect(() => createToken(mockUser.id)).toThrow("Crypto module error");
+      });
+
+      test("should validate email format in tokens", () => {
+        const invalidEmails = ["", "not-an-email", "missing@", "@missing-local.com", "spaces in@email.com"];
+
+        invalidEmails.forEach((invalidEmail) => {
+          expect(() => createEmailToken(invalidEmail)).not.toThrow();
+          // Note: JWT functions don't validate email format, they just encrypt/decrypt
+          // Email validation should happen at a higher level
+        });
+      });
+
+      test("should handle extremely long inputs", () => {
+        const longString = "a".repeat(10000);
+
+        expect(() => createToken(longString)).not.toThrow();
+        expect(() => createEmailToken(longString)).not.toThrow();
+      });
+
+      test("should handle special characters in user data", () => {
+        const specialChars = "!@#$%^&*()_+-=[]{}|;:'\",.<>?/~`";
+
+        expect(() => createToken(specialChars)).not.toThrow();
+        expect(() => createEmailToken(specialChars)).not.toThrow();
+      });
+    });
+
+    describe("Performance and Resource Exhaustion", () => {
+      test("should handle rapid token creation without memory leaks", () => {
+        const tokens: string[] = [];
+        for (let i = 0; i < 1000; i++) {
+          tokens.push(createToken(`user-${i}`));
+        }
+
+        expect(tokens.length).toBe(1000);
+        expect(tokens.every((token) => typeof token === "string")).toBe(true);
+      });
+
+      test("should handle rapid token verification", async () => {
+        const token = createToken(mockUser.id);
+
+        const verifications: Promise<any>[] = [];
+        for (let i = 0; i < 100; i++) {
+          verifications.push(verifyToken(token));
+        }
+
+        const results = await Promise.all(verifications);
+        expect(results.length).toBe(100);
+        expect(results.every((result: any) => result.id === mockUser.id)).toBe(true); // Returns decrypted user ID
+      });
+    });
  });
 });
--- a/apps/web/lib/jwt.ts
+++ b/apps/web/lib/jwt.ts
@@ -1,43 +1,64 @@
+import { ENCRYPTION_KEY, NEXTAUTH_SECRET } from "@/lib/constants";
 import { symmetricDecrypt, symmetricEncrypt } from "@/lib/crypto";
-import { env } from "@/lib/env";
 import jwt, { JwtPayload } from "jsonwebtoken";
 import { prisma } from "@formbricks/database";
 import { logger } from "@formbricks/logger";

-export const createToken = (userId: string, userEmail: string, options = {}): string => {
-  const encryptedUserId = symmetricEncrypt(userId, env.ENCRYPTION_KEY);
-  return jwt.sign({ id: encryptedUserId }, env.NEXTAUTH_SECRET + userEmail, options);
-};
-export const createTokenForLinkSurvey = (surveyId: string, userEmail: string): string => {
-  const encryptedEmail = symmetricEncrypt(userEmail, env.ENCRYPTION_KEY);
-  return jwt.sign({ email: encryptedEmail }, env.NEXTAUTH_SECRET + surveyId);
+// Helper function to decrypt with fallback to plain text
+const decryptWithFallback = (encryptedText: string, key: string): string => {
+  try {
+    return symmetricDecrypt(encryptedText, key);
+  } catch {
+    return encryptedText; // Return as-is if decryption fails (legacy format)
+  }
 };

-export const verifyEmailChangeToken = async (token: string): Promise<{ id: string; email: string }> => {
-  if (!env.NEXTAUTH_SECRET) {
+export const createToken = (userId: string, options = {}): string => {
+  if (!NEXTAUTH_SECRET) {
    throw new Error("NEXTAUTH_SECRET is not set");
  }

-  const payload = jwt.verify(token, env.NEXTAUTH_SECRET) as { id: string; email: string };
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const encryptedUserId = symmetricEncrypt(userId, ENCRYPTION_KEY);
+  return jwt.sign({ id: encryptedUserId }, NEXTAUTH_SECRET, options);
+};
+export const createTokenForLinkSurvey = (surveyId: string, userEmail: string): string => {
+  if (!NEXTAUTH_SECRET) {
+    throw new Error("NEXTAUTH_SECRET is not set");
+  }
+
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const encryptedEmail = symmetricEncrypt(userEmail, ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail, surveyId }, NEXTAUTH_SECRET);
+};
+
+export const verifyEmailChangeToken = async (token: string): Promise<{ id: string; email: string }> => {
+  if (!NEXTAUTH_SECRET) {
+    throw new Error("NEXTAUTH_SECRET is not set");
+  }
+
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const payload = jwt.verify(token, NEXTAUTH_SECRET, { algorithms: ["HS256"] }) as {
+    id: string;
+    email: string;
+  };

  if (!payload?.id || !payload?.email) {
    throw new Error("Token is invalid or missing required fields");
  }

-  let decryptedId: string;
-  let decryptedEmail: string;
-
-  try {
-    decryptedId = symmetricDecrypt(payload.id, env.ENCRYPTION_KEY);
-  } catch {
-    decryptedId = payload.id;
-  }
-
-  try {
-    decryptedEmail = symmetricDecrypt(payload.email, env.ENCRYPTION_KEY);
-  } catch {
-    decryptedEmail = payload.email;
-  }
+  // Decrypt both fields with fallback
+  const decryptedId = decryptWithFallback(payload.id, ENCRYPTION_KEY);
+  const decryptedEmail = decryptWithFallback(payload.email, ENCRYPTION_KEY);

  return {
    id: decryptedId,
@@ -46,127 +67,230 @@ export const verifyEmailChangeToken = async (token: string): Promise<{ id: strin
 };

 export const createEmailChangeToken = (userId: string, email: string): string => {
-  const encryptedUserId = symmetricEncrypt(userId, env.ENCRYPTION_KEY);
-  const encryptedEmail = symmetricEncrypt(email, env.ENCRYPTION_KEY);
+  if (!NEXTAUTH_SECRET) {
+    throw new Error("NEXTAUTH_SECRET is not set");
+  }
+
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const encryptedUserId = symmetricEncrypt(userId, ENCRYPTION_KEY);
+  const encryptedEmail = symmetricEncrypt(email, ENCRYPTION_KEY);

  const payload = {
    id: encryptedUserId,
    email: encryptedEmail,
  };

-  return jwt.sign(payload, env.NEXTAUTH_SECRET as string, {
+  return jwt.sign(payload, NEXTAUTH_SECRET, {
    expiresIn: "1d",
  });
 };
+
 export const createEmailToken = (email: string): string => {
-  if (!env.NEXTAUTH_SECRET) {
+  if (!NEXTAUTH_SECRET) {
    throw new Error("NEXTAUTH_SECRET is not set");
  }

-  const encryptedEmail = symmetricEncrypt(email, env.ENCRYPTION_KEY);
-  return jwt.sign({ email: encryptedEmail }, env.NEXTAUTH_SECRET);
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const encryptedEmail = symmetricEncrypt(email, ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail }, NEXTAUTH_SECRET);
 };

 export const getEmailFromEmailToken = (token: string): string => {
-  if (!env.NEXTAUTH_SECRET) {
+  if (!NEXTAUTH_SECRET) {
    throw new Error("NEXTAUTH_SECRET is not set");
  }

-  const payload = jwt.verify(token, env.NEXTAUTH_SECRET) as JwtPayload;
-  try {
-    // Try to decrypt first (for newer tokens)
-    const decryptedEmail = symmetricDecrypt(payload.email, env.ENCRYPTION_KEY);
-    return decryptedEmail;
-  } catch {
-    // If decryption fails, return the original email (for older tokens)
-    return payload.email;
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
  }
+
+  const payload = jwt.verify(token, NEXTAUTH_SECRET, { algorithms: ["HS256"] }) as JwtPayload & {
+    email: string;
+  };
+  return decryptWithFallback(payload.email, ENCRYPTION_KEY);
 };

 export const createInviteToken = (inviteId: string, email: string, options = {}): string => {
-  if (!env.NEXTAUTH_SECRET) {
+  if (!NEXTAUTH_SECRET) {
    throw new Error("NEXTAUTH_SECRET is not set");
  }
-  const encryptedInviteId = symmetricEncrypt(inviteId, env.ENCRYPTION_KEY);
-  const encryptedEmail = symmetricEncrypt(email, env.ENCRYPTION_KEY);
-  return jwt.sign({ inviteId: encryptedInviteId, email: encryptedEmail }, env.NEXTAUTH_SECRET, options);
+
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
+  const encryptedInviteId = symmetricEncrypt(inviteId, ENCRYPTION_KEY);
+  const encryptedEmail = symmetricEncrypt(email, ENCRYPTION_KEY);
+  return jwt.sign({ inviteId: encryptedInviteId, email: encryptedEmail }, NEXTAUTH_SECRET, options);
 };

 export const verifyTokenForLinkSurvey = (token: string, surveyId: string): string | null => {
+  if (!NEXTAUTH_SECRET) {
+    return null;
+  }
+
  try {
-    const { email } = jwt.verify(token, env.NEXTAUTH_SECRET + surveyId) as JwtPayload;
+    let payload: JwtPayload & { email: string; surveyId?: string };
+
+    // Try primary method first (consistent secret)
    try {
-      // Try to decrypt first (for newer tokens)
-      if (!env.ENCRYPTION_KEY) {
-        throw new Error("ENCRYPTION_KEY is not set");
+      payload = jwt.verify(token, NEXTAUTH_SECRET, { algorithms: ["HS256"] }) as JwtPayload & {
+        email: string;
+        surveyId: string;
+      };
+    } catch (primaryError) {
+      logger.error(primaryError, "Token verification failed with primary method");
+
+      // Fallback to legacy method (surveyId-based secret)
+      try {
+        payload = jwt.verify(token, NEXTAUTH_SECRET + surveyId, { algorithms: ["HS256"] }) as JwtPayload & {
+          email: string;
+        };
+      } catch (legacyError) {
+        logger.error(legacyError, "Token verification failed with legacy method");
+        throw new Error("Invalid token");
      }
-      const decryptedEmail = symmetricDecrypt(email, env.ENCRYPTION_KEY);
-      return decryptedEmail;
-    } catch {
-      // If decryption fails, return the original email (for older tokens)
-      return email;
    }
-  } catch (err) {
+
+    // Verify the surveyId matches if present in payload (new format)
+    if (payload.surveyId && payload.surveyId !== surveyId) {
+      return null;
+    }
+
+    const { email } = payload;
+    if (!email) {
+      return null;
+    }
+
+    // Decrypt email with fallback to plain text
+    if (!ENCRYPTION_KEY) {
+      return email; // Return as-is if encryption key not set
+    }
+
+    return decryptWithFallback(email, ENCRYPTION_KEY);
+  } catch (error) {
+    logger.error(error, "Survey link token verification failed");
    return null;
  }
 };

-export const verifyToken = async (token: string): Promise<JwtPayload> => {
-  // First decode to get the ID
-  const decoded = jwt.decode(token);
-  const payload: JwtPayload = decoded as JwtPayload;
+// Helper function to get user email for legacy verification
+const getUserEmailForLegacyVerification = async (
+  token: string,
+  userId?: string
+): Promise<{ userId: string; userEmail: string }> => {
+  if (!userId) {
+    const decoded = jwt.decode(token);

-  if (!payload) {
-    throw new Error("Token is invalid");
+    // Validate decoded token structure before using it
+    if (
+      !decoded ||
+      typeof decoded !== "object" ||
+      !decoded.id ||
+      typeof decoded.id !== "string" ||
+      decoded.id.trim() === ""
+    ) {
+      logger.error("Invalid token: missing or invalid user ID");
+      throw new Error("Invalid token");
+    }
+
+    userId = decoded.id;
  }

-  const { id } = payload;
-  if (!id) {
-    throw new Error("Token missing required field: id");
+  const decryptedId = decryptWithFallback(userId, ENCRYPTION_KEY);
+
+  // Validate decrypted ID before database query
+  if (!decryptedId || typeof decryptedId !== "string" || decryptedId.trim() === "") {
+    logger.error("Invalid token: missing or invalid user ID");
+    throw new Error("Invalid token");
  }

-  // Try to decrypt the ID (for newer tokens), if it fails use the ID as-is (for older tokens)
-  let decryptedId: string;
-  try {
-    decryptedId = symmetricDecrypt(id, env.ENCRYPTION_KEY);
-  } catch {
-    decryptedId = id;
-  }
-
-  // If no email provided, look up the user
  const foundUser = await prisma.user.findUnique({
    where: { id: decryptedId },
  });

  if (!foundUser) {
-    throw new Error("User not found");
+    const errorMessage = "User not found";
+    logger.error(errorMessage);
+    throw new Error(errorMessage);
  }

-  const userEmail = foundUser.email;
+  return { userId: decryptedId, userEmail: foundUser.email };
+};

-  return { id: decryptedId, email: userEmail };
+export const verifyToken = async (token: string): Promise<JwtPayload> => {
+  if (!NEXTAUTH_SECRET) {
+    throw new Error("NEXTAUTH_SECRET is not set");
+  }
+
+  let payload: JwtPayload & { id: string };
+  let userData: { userId: string; userEmail: string } | null = null;
+
+  // Try new method first, with smart fallback to legacy
+  try {
+    payload = jwt.verify(token, NEXTAUTH_SECRET, { algorithms: ["HS256"] }) as JwtPayload & {
+      id: string;
+    };
+  } catch (newMethodError) {
+    logger.error(newMethodError, "Token verification failed with new method");
+
+    // Get user email for legacy verification
+    userData = await getUserEmailForLegacyVerification(token);
+
+    // Try legacy verification with email-based secret
+    try {
+      payload = jwt.verify(token, NEXTAUTH_SECRET + userData.userEmail, {
+        algorithms: ["HS256"],
+      }) as JwtPayload & {
+        id: string;
+      };
+    } catch (legacyMethodError) {
+      logger.error(legacyMethodError, "Token verification failed with legacy method");
+      throw new Error("Invalid token");
+    }
+  }
+
+  if (!payload?.id) {
+    throw new Error("Invalid token");
+  }
+
+  // Get user email if we don't have it yet
+  userData ??= await getUserEmailForLegacyVerification(token, payload.id);
+
+  return { id: userData.userId, email: userData.userEmail };
 };

 export const verifyInviteToken = (token: string): { inviteId: string; email: string } => {
+  if (!NEXTAUTH_SECRET) {
+    throw new Error("NEXTAUTH_SECRET is not set");
+  }
+
+  if (!ENCRYPTION_KEY) {
+    throw new Error("ENCRYPTION_KEY is not set");
+  }
+
  try {
-    const decoded = jwt.decode(token);
-    const payload: JwtPayload = decoded as JwtPayload;
+    const payload = jwt.verify(token, NEXTAUTH_SECRET, { algorithms: ["HS256"] }) as JwtPayload & {
+      inviteId: string;
+      email: string;
+    };

-    const { inviteId, email } = payload;
+    const { inviteId: encryptedInviteId, email: encryptedEmail } = payload;

-    let decryptedInviteId: string;
-    let decryptedEmail: string;
-
-    try {
-      // Try to decrypt first (for newer tokens)
-      decryptedInviteId = symmetricDecrypt(inviteId, env.ENCRYPTION_KEY);
-      decryptedEmail = symmetricDecrypt(email, env.ENCRYPTION_KEY);
-    } catch {
-      // If decryption fails, use original values (for older tokens)
-      decryptedInviteId = inviteId;
-      decryptedEmail = email;
+    if (!encryptedInviteId || !encryptedEmail) {
+      throw new Error("Invalid token");
    }

+    // Decrypt both fields with fallback to original values
+    const decryptedInviteId = decryptWithFallback(encryptedInviteId, ENCRYPTION_KEY);
+    const decryptedEmail = decryptWithFallback(encryptedEmail, ENCRYPTION_KEY);
+
    return {
      inviteId: decryptedInviteId,
      email: decryptedEmail,
--- a/apps/web/modules/auth/lib/authOptions.test.ts
+++ b/apps/web/modules/auth/lib/authOptions.test.ts
@@ -31,7 +31,7 @@ vi.mock("@/lib/constants", () => ({
  SESSION_MAX_AGE: 86400,
  NEXTAUTH_SECRET: "test-secret",
  WEBAPP_URL: "http://localhost:3000",
-  ENCRYPTION_KEY: "test-encryption-key-32-chars-long",
+  ENCRYPTION_KEY: "12345678901234567890123456789012", // 32 bytes for AES-256
  REDIS_URL: undefined,
  AUDIT_LOG_ENABLED: false,
  AUDIT_LOG_GET_USER_IP: false,
@@ -148,7 +148,6 @@ describe("authOptions", () => {
        email: mockUser.email,
        password: mockHashedPassword,
        emailVerified: new Date(),
-        imageUrl: "http://example.com/avatar.png",
        twoFactorEnabled: false,
      };

@@ -161,7 +160,6 @@ describe("authOptions", () => {
        id: fakeUser.id,
        email: fakeUser.email,
        emailVerified: fakeUser.emailVerified,
-        imageUrl: fakeUser.imageUrl,
      });
    });

@@ -263,7 +261,7 @@ describe("authOptions", () => {
      vi.mocked(applyIPRateLimit).mockResolvedValue(); // Rate limiting passes
      vi.spyOn(prisma.user, "findUnique").mockResolvedValue(mockUser as any);

-      const credentials = { token: createToken(mockUser.id, mockUser.email) };
+      const credentials = { token: createToken(mockUser.id) };

      await expect(tokenProvider.options.authorize(credentials, {})).rejects.toThrow(
        "Email already verified"
@@ -282,7 +280,7 @@ describe("authOptions", () => {
        groupId: null,
      } as any);

-      const credentials = { token: createToken(mockUserId, mockUser.email) };
+      const credentials = { token: createToken(mockUserId) };

      const result = await tokenProvider.options.authorize(credentials, {});
      expect(result.email).toBe(mockUser.email);
@@ -305,7 +303,7 @@ describe("authOptions", () => {
          groupId: null,
        } as any);

-        const credentials = { token: createToken(mockUserId, mockUser.email) };
+        const credentials = { token: createToken(mockUserId) };

        await tokenProvider.options.authorize(credentials, {});

@@ -317,7 +315,7 @@ describe("authOptions", () => {
          new Error("Maximum number of requests reached. Please try again later.")
        );

-        const credentials = { token: createToken(mockUserId, mockUser.email) };
+        const credentials = { token: createToken(mockUserId) };

        await expect(tokenProvider.options.authorize(credentials, {})).rejects.toThrow(
          "Maximum number of requests reached. Please try again later."
@@ -341,7 +339,7 @@ describe("authOptions", () => {
          groupId: null,
        } as any);

-        const credentials = { token: createToken(mockUserId, mockUser.email) };
+        const credentials = { token: createToken(mockUserId) };

        await tokenProvider.options.authorize(credentials, {});

--- a/apps/web/modules/email/index.tsx
+++ b/apps/web/modules/email/index.tsx
@@ -111,7 +111,7 @@ export const sendVerificationEmail = async ({
 }): Promise<boolean> => {
  try {
    const t = await getTranslate();
-    const token = createToken(id, email, {
+    const token = createToken(id, {
      expiresIn: "1d",
    });
    const verifyLink = `${WEBAPP_URL}/auth/verify?token=${encodeURIComponent(token)}`;
@@ -136,7 +136,7 @@ export const sendForgotPasswordEmail = async (user: {
  locale: TUserLocale;
 }): Promise<boolean> => {
  const t = await getTranslate();
-  const token = createToken(user.id, user.email, {
+  const token = createToken(user.id, {
    expiresIn: "1d",
  });
  const verifyLink = `${WEBAPP_URL}/auth/forgot-password/reset?token=${encodeURIComponent(token)}`;
--- a/docker/formbricks.sh
+++ b/docker/formbricks.sh
@@ -256,7 +256,7 @@ EOT
  fi

  echo "📥 Downloading docker-compose.yml from Formbricks GitHub repository..."
-  curl -o docker-compose.yml https://raw.githubusercontent.com/formbricks/formbricks/main/docker/docker-compose.yml
+  curl -o docker-compose.yml https://raw.githubusercontent.com/formbricks/formbricks/stable/docker/docker-compose.yml

  echo "🚙 Updating docker-compose.yml with your custom inputs..."
  sed -i "/WEBAPP_URL:/s|WEBAPP_URL:.*|WEBAPP_URL: \"https://$domain_name\"|" docker-compose.yml
Author	SHA1	Message	Date
Matti Nannt	3eee5bb50f	chore(backport): updated release workflow (#6627 )	2025-09-30 17:39:44 +02:00
Victor Hugo dos Santos	d341370b0d	refactor: enhance JWT handling and improve security tests (#6619 ) (#6626 )	2025-09-30 09:40:29 -03:00
Anshuman Pandey	391b3a3fb0	fix: backports formbricks.sh fix (#6550 )	2025-09-15 17:58:45 +02:00