chore: improved test coverage

chore: improve test coverage
chore: increased test coverage
2026-05-20 19:48:52 -05:00 · 2026-05-18 12:09:01 +00:00 · 2026-05-18 11:57:56 +00:00 · 2026-05-18 11:41:30 +00:00 · 2026-05-18 11:20:53 +00:00 · 2026-05-18 10:28:38 +00:00
71 changed files with 1517 additions and 6513 deletions
@@ -76,10 +76,12 @@ HUB_DATABASE_URL=postgresql://postgres:postgres@postgres:5432/hub?sslmode=disabl
 # EMBEDDING_MODEL=gemini-embedding-001
 # EMBEDDING_PROVIDER_API_KEY=

-####################
-#  CUBE ANALYTICS  #
-####################
-# Cube semantic-layer API. Required. The bundled Docker stack exposes Cube on port 4000.
+###########################
+#  CUBE ANALYTICS (XM V5) #
+###########################
+# XM Suite v5 analysis features require Cube.js. The optional xm dev profile exposes Cube on port 4000.
+# Uncomment COMPOSE_PROFILES=xm to run the optional Cube analytics service.
+# COMPOSE_PROFILES=xm
 CUBEJS_API_URL=http://localhost:4000
 # Generate with: openssl rand -hex 32. `pnpm dev:setup` will create/preserve this automatically.
 CUBEJS_API_SECRET=
@@ -0,0 +1,10 @@
+import { redirect } from "next/navigation";
+import { completeAccountDeletionSsoIdentityConfirmationAndGetRedirectPath } from "./lib/account-deletion-sso-complete";
+
+export default async function AccountDeletionSsoConfirmationCompletePage({
+  searchParams,
+}: {
+  searchParams: Promise<{ intent?: string | string[] }>;
+}) {
+  redirect(await completeAccountDeletionSsoIdentityConfirmationAndGetRedirectPath(await searchParams));
+}
@@ -1,20 +0,0 @@
-import { type NextRequest, NextResponse } from "next/server";
-import { completeAccountDeletionSsoIdentityConfirmationAndGetRedirectPath } from "./lib/account-deletion-sso-complete";
-
-const getIntentSearchParam = (request: NextRequest): string | string[] | undefined => {
-  const intentValues = request.nextUrl.searchParams.getAll("intent");
-
-  if (intentValues.length === 0) {
-    return undefined;
-  }
-
-  return intentValues.length === 1 ? intentValues[0] : intentValues;
-};
-
-export const GET = async (request: NextRequest) => {
-  const redirectPath = await completeAccountDeletionSsoIdentityConfirmationAndGetRedirectPath({
-    intent: getIntentSearchParam(request),
-  });
-
-  return NextResponse.redirect(new URL(redirectPath, request.url));
-};
@@ -10,52 +10,125 @@ import {
  WEBAPP_URL,
 } from "@/lib/constants";
 import { createOrUpdateIntegration, getIntegrationByType } from "@/lib/integration/service";
+import {
+  IntegrationOAuthStateError,
+  consumeIntegrationOAuthState,
+  getSafeOAuthCallbackError,
+} from "@/lib/oauth/integration-state";
 import { capturePostHogEvent } from "@/lib/posthog";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";
 import { authOptions } from "@/modules/auth/lib/authOptions";

+const getGoogleSheetsRedirectUrl = (workspaceId: string) =>
+  new URL(`/workspaces/${workspaceId}/integrations/google-sheets`, WEBAPP_URL);
+
+const getGoogleSheetsOAuthState = async (state: string | null, userId: string) => {
+  try {
+    return await consumeIntegrationOAuthState({
+      provider: "googleSheets",
+      userId,
+      state,
+    });
+  } catch (err) {
+    if (err instanceof IntegrationOAuthStateError) {
+      return null;
+    }
+
+    throw err;
+  }
+};
+
+const getGoogleSheetsOAuthClient = () => {
+  const client_id = GOOGLE_SHEETS_CLIENT_ID;
+  const client_secret = GOOGLE_SHEETS_CLIENT_SECRET;
+  const redirect_uri = GOOGLE_SHEETS_REDIRECT_URL;
+
+  if (!client_id) {
+    return { response: responses.internalServerErrorResponse("Google client id is missing") };
+  }
+
+  if (!client_secret) {
+    return { response: responses.internalServerErrorResponse("Google client secret is missing") };
+  }
+
+  if (!redirect_uri) {
+    return { response: responses.internalServerErrorResponse("Google redirect url is missing") };
+  }
+
+  return { client: new google.auth.OAuth2(client_id, client_secret, redirect_uri) };
+};
+
+const captureGoogleSheetsConnectedEvent = async (userId: string, workspaceId: string) => {
+  try {
+    const organizationId = await getOrganizationIdFromWorkspaceId(workspaceId);
+    capturePostHogEvent(userId, "integration_connected", {
+      integration_type: "googleSheets",
+      organization_id: organizationId,
+    });
+    capturePostHogEvent(
+      userId,
+      "integration_connected",
+      {
+        integration_type: "googleSheets",
+        organization_id: organizationId,
+        workspace_id: workspaceId,
+      },
+      { organizationId, workspaceId }
+    );
+  } catch (err) {
+    logger.error({ error: err }, "Failed to capture PostHog integration_connected event for googleSheets");
+  }
+};
+
 export const GET = async (req: Request) => {
  const url = new URL(req.url);
-  const workspaceId = url.searchParams.get("state");
+  const state = url.searchParams.get("state");
  const code = url.searchParams.get("code");
-
-  if (!workspaceId) {
-    return responses.badRequestResponse("Invalid workspaceId");
-  }
+  const error = url.searchParams.get("error");

  const session = await getServerSession(authOptions);
  if (!session) {
    return responses.notAuthenticatedResponse();
  }

+  const oauthState = await getGoogleSheetsOAuthState(state, session.user.id);
+  if (!oauthState) {
+    return responses.badRequestResponse("Invalid OAuth state");
+  }
+
+  const workspaceId = oauthState.workspaceId;
  const canUserAccessWorkspace = await hasUserWorkspaceAccess(session.user.id, workspaceId);
  if (!canUserAccessWorkspace) {
    return responses.unauthorizedResponse();
  }

-  const basePath = `/workspaces/${workspaceId}`;
+  const redirectUrl = getGoogleSheetsRedirectUrl(workspaceId);
+
+  const safeError = getSafeOAuthCallbackError(error);
+  if (safeError) {
+    redirectUrl.searchParams.set("error", safeError);
+    return Response.redirect(redirectUrl);
+  }

  if (code && typeof code !== "string") {
    return responses.badRequestResponse("`code` must be a string");
  }

-  const client_id = GOOGLE_SHEETS_CLIENT_ID;
-  const client_secret = GOOGLE_SHEETS_CLIENT_SECRET;
-  const redirect_uri = GOOGLE_SHEETS_REDIRECT_URL;
-  if (!client_id) return responses.internalServerErrorResponse("Google client id is missing");
-  if (!client_secret) return responses.internalServerErrorResponse("Google client secret is missing");
-  if (!redirect_uri) return responses.internalServerErrorResponse("Google redirect url is missing");
-  const oAuth2Client = new google.auth.OAuth2(client_id, client_secret, redirect_uri);
+  const oAuth2ClientResult = getGoogleSheetsOAuthClient();
+  if ("response" in oAuth2ClientResult) {
+    return oAuth2ClientResult.response;
+  }
+  const oAuth2Client = oAuth2ClientResult.client;

  if (!code) {
-    return Response.redirect(`${WEBAPP_URL}${basePath}/integrations/google-sheets`);
+    return Response.redirect(redirectUrl);
  }

  const token = await oAuth2Client.getToken(code);
  const key = token.res?.data;
  if (!key) {
-    return Response.redirect(`${WEBAPP_URL}${basePath}/integrations/google-sheets`);
+    return Response.redirect(redirectUrl);
  }

  oAuth2Client.setCredentials({ access_token: key.access_token });
@@ -81,29 +154,10 @@ export const GET = async (req: Request) => {
  };

  const result = await createOrUpdateIntegration(workspaceId, googleSheetIntegration);
-  if (result) {
-    try {
-      const organizationId = await getOrganizationIdFromWorkspaceId(workspaceId);
-      capturePostHogEvent(session.user.id, "integration_connected", {
-        integration_type: "googleSheets",
-        organization_id: organizationId,
-      });
-      capturePostHogEvent(
-        session.user.id,
-        "integration_connected",
-        {
-          integration_type: "googleSheets",
-          organization_id: organizationId,
-          workspace_id: workspaceId,
-        },
-        { organizationId, workspaceId }
-      );
-    } catch (err) {
-      logger.error({ error: err }, "Failed to capture PostHog integration_connected event for googleSheets");
-    }
-
-    return Response.redirect(`${WEBAPP_URL}/${basePath}/integrations/google-sheets`);
+  if (!result) {
+    return responses.internalServerErrorResponse("Failed to create or update Google Sheets integration");
  }

-  return responses.internalServerErrorResponse("Failed to create or update Google Sheets integration");
+  await captureGoogleSheetsConnectedEvent(session.user.id, workspaceId);
+  return Response.redirect(redirectUrl);
 };
@@ -7,6 +7,7 @@ import {
  GOOGLE_SHEETS_CLIENT_SECRET,
  GOOGLE_SHEETS_REDIRECT_URL,
 } from "@/lib/constants";
+import { createIntegrationOAuthState } from "@/lib/oauth/integration-state";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";
 import { authOptions } from "@/modules/auth/lib/authOptions";

@@ -39,12 +40,17 @@ export const GET = async (req: NextRequest) => {
  if (!client_secret) return responses.internalServerErrorResponse("Google client secret is missing");
  if (!redirect_uri) return responses.internalServerErrorResponse("Google redirect url is missing");
  const oAuth2Client = new google.auth.OAuth2(client_id, client_secret, redirect_uri);
+  const state = await createIntegrationOAuthState({
+    provider: "googleSheets",
+    userId: session.user.id,
+    workspaceId,
+  });

  const authUrl = oAuth2Client.generateAuthUrl({
    access_type: "offline",
    scope: scopes,
    prompt: "consent",
-    state: workspaceId,
+    state,
  });

  return responses.successResponse({ authUrl });
@@ -12,7 +12,7 @@ import { applyRateLimit } from "@/modules/core/rate-limit/helpers";
 import { rateLimitConfigs } from "@/modules/core/rate-limit/rate-limit-configs";
 import { getBiggerUploadFileSizePermission } from "@/modules/ee/license-check/lib/utils";
 import { getSignedUrlForUpload } from "@/modules/storage/service";
-import { getErrorResponseFromStorageError, validateSurveyAllowsFileUpload } from "@/modules/storage/utils";
+import { getErrorResponseFromStorageError } from "@/modules/storage/utils";

 export const OPTIONS = async (): Promise<Response> => {
  return responses.successResponse(
@@ -107,23 +107,6 @@ export const POST = withV1ApiWrapper({
      };
    }

-    const fileUploadPermission = validateSurveyAllowsFileUpload({
-      fileName,
-      blocks: survey.blocks,
-      questions: survey.questions,
-    });
-
-    if (!fileUploadPermission.ok) {
-      return {
-        response: responses.badRequestResponse(
-          fileUploadPermission.reason === "no_file_upload_question"
-            ? "Survey does not allow file uploads"
-            : "File extension is not allowed for this survey",
-          undefined
-        ),
-      };
-    }
-
    const isBiggerFileUploadAllowed = await getBiggerUploadFileSizePermission(organization.id);
    const maxFileUploadSize = isBiggerFileUploadAllowed
      ? MAX_FILE_UPLOAD_SIZES.big
@@ -5,6 +5,11 @@ import { withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
 import { fetchAirtableAuthToken } from "@/lib/airtable/service";
 import { AIRTABLE_CLIENT_ID, WEBAPP_URL } from "@/lib/constants";
 import { createOrUpdateIntegration, getIntegrationByType } from "@/lib/integration/service";
+import {
+  IntegrationOAuthStateError,
+  consumeIntegrationOAuthState,
+  getSafeOAuthCallbackError,
+} from "@/lib/oauth/integration-state";
 import { capturePostHogEvent } from "@/lib/posthog";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";
@@ -29,18 +34,31 @@ export const GET = withV1ApiWrapper({

    const url = req.url;
    const queryParams = new URLSearchParams(url.split("?")[1]); // Split the URL and get the query parameters
-    const workspaceId = queryParams.get("state"); // Get the value of the 'state' parameter
+    const state = queryParams.get("state");
    const code = queryParams.get("code");
+    const error = queryParams.get("error");

-    if (!workspaceId) {
-      return {
-        response: responses.badRequestResponse("Invalid workspaceId"),
-      };
+    let oauthState;
+    try {
+      oauthState = await consumeIntegrationOAuthState({
+        provider: "airtable",
+        userId: authentication.user.id,
+        state,
+      });
+    } catch (err) {
+      if (err instanceof IntegrationOAuthStateError) {
+        return {
+          response: responses.badRequestResponse("Invalid OAuth state"),
+        };
+      }
+
+      throw err;
    }

-    if (!code) {
+    const workspaceId = oauthState.workspaceId;
+    if (!workspaceId || !oauthState.pkceCodeVerifier) {
      return {
-        response: responses.badRequestResponse("`code` is missing"),
+        response: responses.badRequestResponse("Invalid OAuth state"),
      };
    }

@@ -52,10 +70,25 @@ export const GET = withV1ApiWrapper({
    }

    const basePath = `/workspaces/${workspaceId}`;
+    const redirectUrl = new URL(`${basePath}/integrations/airtable`, WEBAPP_URL);
+    const safeError = getSafeOAuthCallbackError(error);
+
+    if (!code && safeError) {
+      redirectUrl.searchParams.set("error", safeError);
+      return {
+        response: Response.redirect(redirectUrl),
+      };
+    }
+
+    if (!code) {
+      return {
+        response: responses.badRequestResponse("`code` is missing"),
+      };
+    }

    const client_id = AIRTABLE_CLIENT_ID;
    const redirect_uri = WEBAPP_URL + "/api/v1/integrations/airtable/callback";
-    const code_verifier = Buffer.from(workspaceId + authentication.user.id + workspaceId).toString("base64");
+    const code_verifier = oauthState.pkceCodeVerifier;

    if (!client_id)
      return {
@@ -110,10 +143,10 @@ export const GET = withV1ApiWrapper({
      }

      return {
-        response: Response.redirect(`${WEBAPP_URL}${basePath}/integrations/airtable`),
+        response: Response.redirect(redirectUrl),
      };
    } catch (error) {
-      logger.error({ error, url: req.url }, "Error in GET /api/v1/integrations/airtable/callback");
+      logger.error({ error }, "Error in GET /api/v1/integrations/airtable/callback");
      return {
        response: responses.internalServerErrorResponse(
          error instanceof Error ? error.message : String(error)
@@ -1,7 +1,7 @@
-import crypto from "crypto";
 import { responses } from "@/app/lib/api/response";
 import { withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
 import { AIRTABLE_CLIENT_ID, WEBAPP_URL } from "@/lib/constants";
+import { createIntegrationOAuthState, generatePkcePair } from "@/lib/oauth/integration-state";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";

 const scope = `data.records:read data.records:write schema.bases:read schema.bases:write user.email:read`;
@@ -33,22 +33,19 @@ export const GET = withV1ApiWrapper({
      return {
        response: responses.internalServerErrorResponse("Airtable client id is missing"),
      };
-    const codeVerifier = Buffer.from(workspaceId + authentication.user.id + workspaceId).toString("base64");
-
-    const codeChallengeMethod = "S256";
-    const codeChallenge = crypto
-      .createHash("sha256")
-      .update(codeVerifier) // hash the code verifier with the sha256 algorithm
-      .digest("base64") // base64 encode, needs to be transformed to base64url
-      .replace(/=/g, "") // remove =
-      .replace(/\+/g, "-") // replace + with -
-      .replace(/\//g, "_"); // replace / with _ now base64url encoded
+    const { codeChallenge, codeChallengeMethod, codeVerifier } = generatePkcePair();
+    const state = await createIntegrationOAuthState({
+      provider: "airtable",
+      userId: authentication.user.id,
+      workspaceId,
+      pkceCodeVerifier: codeVerifier,
+    });

    const authUrl = new URL("https://airtable.com/oauth2/v1/authorize");

    authUrl.searchParams.append("client_id", client_id);
    authUrl.searchParams.append("redirect_uri", redirect_uri);
-    authUrl.searchParams.append("state", workspaceId);
+    authUrl.searchParams.append("state", state);
    authUrl.searchParams.append("scope", scope);
    authUrl.searchParams.append("response_type", "code");
    authUrl.searchParams.append("code_challenge_method", codeChallengeMethod);
@@ -11,6 +11,11 @@ import {
 } from "@/lib/constants";
 import { symmetricEncrypt } from "@/lib/crypto";
 import { createOrUpdateIntegration, getIntegrationByType } from "@/lib/integration/service";
+import {
+  IntegrationOAuthStateError,
+  consumeIntegrationOAuthState,
+  getSafeOAuthCallbackError,
+} from "@/lib/oauth/integration-state";
 import { capturePostHogEvent } from "@/lib/posthog";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";
@@ -23,10 +28,28 @@ export const GET = withV1ApiWrapper({

    const url = req.url;
    const queryParams = new URLSearchParams(url.split("?")[1]); // Split the URL and get the query parameters
-    const workspaceId = queryParams.get("state"); // Get the value of the 'state' parameter
+    const state = queryParams.get("state");
    const code = queryParams.get("code");
    const error = queryParams.get("error");

+    let oauthState;
+    try {
+      oauthState = await consumeIntegrationOAuthState({
+        provider: "notion",
+        userId: authentication.user.id,
+        state,
+      });
+    } catch (err) {
+      if (err instanceof IntegrationOAuthStateError) {
+        return {
+          response: responses.badRequestResponse("Invalid OAuth state"),
+        };
+      }
+
+      throw err;
+    }
+
+    const workspaceId = oauthState.workspaceId;
    if (!workspaceId) {
      return {
        response: responses.badRequestResponse("Invalid workspaceId"),
@@ -41,6 +64,8 @@ export const GET = withV1ApiWrapper({
    }

    const basePath = `/workspaces/${workspaceId}`;
+    const redirectUrl = new URL(`${basePath}/integrations/notion`, WEBAPP_URL);
+    const safeError = getSafeOAuthCallbackError(error);

    if (code && typeof code !== "string") {
      return {
@@ -48,6 +73,13 @@ export const GET = withV1ApiWrapper({
      };
    }

+    if (!code && safeError) {
+      redirectUrl.searchParams.set("error", safeError);
+      return {
+        response: Response.redirect(redirectUrl),
+      };
+    }
+
    const client_id = NOTION_OAUTH_CLIENT_ID;
    const client_secret = NOTION_OAUTH_CLIENT_SECRET;
    const redirect_uri = NOTION_REDIRECT_URI;
@@ -118,13 +150,9 @@ export const GET = withV1ApiWrapper({
        }

        return {
-          response: Response.redirect(`${WEBAPP_URL}${basePath}/integrations/notion`),
+          response: Response.redirect(redirectUrl),
        };
      }
-    } else if (error) {
-      return {
-        response: Response.redirect(`${WEBAPP_URL}${basePath}/integrations/notion?error=${error}`),
-      };
    }

    return {
@@ -6,6 +6,7 @@ import {
  NOTION_OAUTH_CLIENT_SECRET,
  NOTION_REDIRECT_URI,
 } from "@/lib/constants";
+import { createIntegrationOAuthState } from "@/lib/oauth/integration-state";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";

 export const GET = withV1ApiWrapper({
@@ -49,9 +50,16 @@ export const GET = withV1ApiWrapper({
      return {
        response: responses.internalServerErrorResponse("Notion auth url is missing"),
      };
+    const state = await createIntegrationOAuthState({
+      provider: "notion",
+      userId: authentication.user.id,
+      workspaceId,
+    });
+    const authUrlWithState = new URL(auth_url);
+    authUrlWithState.searchParams.set("state", state);

    return {
-      response: responses.successResponse({ authUrl: `${auth_url}&state=${workspaceId}` }),
+      response: responses.successResponse({ authUrl: authUrlWithState.toString() }),
    };
  },
 });
@@ -8,6 +8,11 @@ import { responses } from "@/app/lib/api/response";
 import { withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
 import { SLACK_CLIENT_ID, SLACK_CLIENT_SECRET, SLACK_REDIRECT_URI, WEBAPP_URL } from "@/lib/constants";
 import { createOrUpdateIntegration, getIntegrationByType } from "@/lib/integration/service";
+import {
+  IntegrationOAuthStateError,
+  consumeIntegrationOAuthState,
+  getSafeOAuthCallbackError,
+} from "@/lib/oauth/integration-state";
 import { capturePostHogEvent } from "@/lib/posthog";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";
@@ -20,10 +25,28 @@ export const GET = withV1ApiWrapper({

    const url = req.url;
    const queryParams = new URLSearchParams(url.split("?")[1]); // Split the URL and get the query parameters
-    const workspaceId = queryParams.get("state"); // Get the value of the 'state' parameter
+    const state = queryParams.get("state");
    const code = queryParams.get("code");
    const error = queryParams.get("error");

+    let oauthState;
+    try {
+      oauthState = await consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: authentication.user.id,
+        state,
+      });
+    } catch (err) {
+      if (err instanceof IntegrationOAuthStateError) {
+        return {
+          response: responses.badRequestResponse("Invalid OAuth state"),
+        };
+      }
+
+      throw err;
+    }
+
+    const workspaceId = oauthState.workspaceId;
    if (!workspaceId) {
      return {
        response: responses.badRequestResponse("Invalid workspaceId"),
@@ -38,6 +61,8 @@ export const GET = withV1ApiWrapper({
    }

    const basePath = `/workspaces/${workspaceId}`;
+    const redirectUrl = new URL(`${basePath}/integrations/slack`, WEBAPP_URL);
+    const safeError = getSafeOAuthCallbackError(error);

    if (code && typeof code !== "string") {
      return {
@@ -45,6 +70,13 @@ export const GET = withV1ApiWrapper({
      };
    }

+    if (!code && safeError) {
+      redirectUrl.searchParams.set("error", safeError);
+      return {
+        response: Response.redirect(redirectUrl),
+      };
+    }
+
    if (!SLACK_CLIENT_ID)
      return {
        response: responses.internalServerErrorResponse("Slack client id is missing"),
@@ -125,13 +157,9 @@ export const GET = withV1ApiWrapper({
        }

        return {
-          response: Response.redirect(`${WEBAPP_URL}${basePath}/integrations/slack`),
+          response: Response.redirect(redirectUrl),
        };
      }
-    } else if (error) {
-      return {
-        response: Response.redirect(`${WEBAPP_URL}${basePath}/integrations/slack?error=${error}`),
-      };
    }

    return {
@@ -1,6 +1,7 @@
 import { responses } from "@/app/lib/api/response";
 import { withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
 import { SLACK_AUTH_URL, SLACK_CLIENT_ID, SLACK_CLIENT_SECRET } from "@/lib/constants";
+import { createIntegrationOAuthState } from "@/lib/oauth/integration-state";
 import { hasUserWorkspaceAccess } from "@/lib/workspace/auth";

 export const GET = withV1ApiWrapper({
@@ -37,9 +38,16 @@ export const GET = withV1ApiWrapper({
      return {
        response: responses.internalServerErrorResponse("Slack auth url is missing"),
      };
+    const state = await createIntegrationOAuthState({
+      provider: "slack",
+      userId: authentication.user.id,
+      workspaceId,
+    });
+    const authUrl = new URL(SLACK_AUTH_URL);
+    authUrl.searchParams.set("state", state);

    return {
-      response: responses.successResponse({ authUrl: `${SLACK_AUTH_URL}&state=${workspaceId}` }),
+      response: responses.successResponse({ authUrl: authUrl.toString() }),
    };
  },
 });
@@ -135,7 +135,7 @@ describe("withV3ApiWrapper", () => {
      apiKeyId: "key_1",
      organizationId: "org_1",
      organizationAccess: { accessControl: { read: true, write: true } },
-      workspacePermissions: [],
+      environmentPermissions: [],
    });

    const wrapped = withV3ApiWrapper({
@@ -3,7 +3,7 @@ import { beforeEach, describe, expect, test, vi } from "vitest";
 import { AuthorizationError } from "@formbricks/types/errors";
 import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
-import { getWorkspace } from "@/lib/workspace/service";
+import { findWorkspaceByIdOrLegacyEnvId } from "@/lib/utils/resolve-client-id";
 import { requireSessionWorkspaceAccess, requireV3WorkspaceAccess } from "./auth";

 vi.mock("@formbricks/logger", () => ({
@@ -19,8 +19,8 @@ vi.mock("@/lib/utils/helper", () => ({
  getOrganizationIdFromWorkspaceId: vi.fn(),
 }));

-vi.mock("@/lib/workspace/service", () => ({
-  getWorkspace: vi.fn(),
+vi.mock("@/lib/utils/resolve-client-id", () => ({
+  findWorkspaceByIdOrLegacyEnvId: vi.fn(),
 }));

 vi.mock("@/lib/utils/action-client/action-client-middleware", () => ({
@@ -39,7 +39,7 @@ describe("requireSessionWorkspaceAccess", () => {
    expect(body.requestId).toBe(requestId);
    expect(body.status).toBe(401);
    expect(body.code).toBe("not_authenticated");
-    expect(getWorkspace).not.toHaveBeenCalled();
+    expect(findWorkspaceByIdOrLegacyEnvId).not.toHaveBeenCalled();
    expect(checkAuthorizationUpdated).not.toHaveBeenCalled();
  });

@@ -55,11 +55,11 @@ describe("requireSessionWorkspaceAccess", () => {
    const body = await (result as Response).json();
    expect(body.requestId).toBe(requestId);
    expect(body.code).toBe("not_authenticated");
-    expect(getWorkspace).not.toHaveBeenCalled();
+    expect(findWorkspaceByIdOrLegacyEnvId).not.toHaveBeenCalled();
  });

  test("returns 403 when workspace is not found (avoid leaking existence)", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce(null);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce(null);
    const result = await requireSessionWorkspaceAccess(
      { user: { id: "user_1" }, expires: "" } as any,
      "ws_nonexistent",
@@ -72,12 +72,12 @@ describe("requireSessionWorkspaceAccess", () => {
    const body = await (result as Response).json();
    expect(body.requestId).toBe(requestId);
    expect(body.code).toBe("forbidden");
-    expect(getWorkspace).toHaveBeenCalledWith("ws_nonexistent");
+    expect(findWorkspaceByIdOrLegacyEnvId).toHaveBeenCalledWith("ws_nonexistent");
    expect(checkAuthorizationUpdated).not.toHaveBeenCalled();
  });

  test("returns 403 when user has no access to workspace", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce({ id: "proj_abc" } as any);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce({ id: "proj_abc" });
    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValueOnce("org_1");
    vi.mocked(checkAuthorizationUpdated).mockRejectedValueOnce(new AuthorizationError("Not authorized"));
    const result = await requireSessionWorkspaceAccess(
@@ -102,7 +102,7 @@ describe("requireSessionWorkspaceAccess", () => {
  });

  test("returns workspace context when session is valid and user has access", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce({ id: "proj_abc" } as any);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce({ id: "proj_abc" });
    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValueOnce("org_1");
    vi.mocked(checkAuthorizationUpdated).mockResolvedValueOnce(undefined as any);
    const result = await requireSessionWorkspaceAccess(
@@ -144,7 +144,7 @@ function wsPerm(workspaceId: string, permission: ApiKeyPermission = ApiKeyPermis

 describe("requireV3WorkspaceAccess", () => {
  beforeEach(() => {
-    vi.mocked(getWorkspace).mockResolvedValue({ id: "proj_k" } as any);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValue({ id: "proj_k" });
    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValue("org_k");
  });

@@ -154,7 +154,7 @@ describe("requireV3WorkspaceAccess", () => {
  });

  test("delegates to session flow when user is present", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce({ id: "proj_s" } as any);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce({ id: "proj_s" });
    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValueOnce("org_s");
    vi.mocked(checkAuthorizationUpdated).mockResolvedValueOnce(undefined as any);
    const r = await requireV3WorkspaceAccess(
@@ -179,7 +179,7 @@ describe("requireV3WorkspaceAccess", () => {
      workspaceId: "proj_k",
      organizationId: "org_k",
    });
-    expect(getWorkspace).toHaveBeenCalledWith("proj_k");
+    expect(findWorkspaceByIdOrLegacyEnvId).toHaveBeenCalledWith("proj_k");
  });

  test("returns context for API key with write on workspace", async () => {
@@ -239,7 +239,7 @@ describe("requireV3WorkspaceAccess", () => {
  });

  test("returns 403 when the workspace cannot be resolved for an API key", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce(null);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce(null);
    const auth = {
      ...keyBase,
      workspacePermissions: [wsPerm("proj_k", ApiKeyPermission.manage)],
@@ -1,7 +1,5 @@
 import { describe, expect, test } from "vitest";
 import {
-  createdResponse,
-  noContentResponse,
  problemBadRequest,
  problemForbidden,
  problemInternalError,
@@ -120,34 +118,3 @@ describe("successResponse", () => {
    expect(res.headers.get("Cache-Control")).toBe("private, max-age=60");
  });
 });
-
-describe("createdResponse", () => {
-  test("returns 201 with Location, request id, and data envelope", async () => {
-    const res = createdResponse(
-      { id: "survey_1" },
-      {
-        location: "/api/v3/surveys/survey_1",
-        requestId: "req-created",
-      }
-    );
-
-    expect(res.status).toBe(201);
-    expect(res.headers.get("Location")).toBe("/api/v3/surveys/survey_1");
-    expect(res.headers.get("X-Request-Id")).toBe("req-created");
-    expect(res.headers.get("Content-Type")).toBe("application/json");
-    expect(res.headers.get("Cache-Control")).toContain("no-store");
-    expect(await res.json()).toEqual({
-      data: { id: "survey_1" },
-    });
-  });
-});
-
-describe("noContentResponse", () => {
-  test("returns 204 without a body", async () => {
-    const res = noContentResponse({ requestId: "req-empty" });
-    expect(res.status).toBe(204);
-    expect(res.headers.get("X-Request-Id")).toBe("req-empty");
-    expect(res.headers.get("Cache-Control")).toContain("no-store");
-    expect(await res.text()).toBe("");
-  });
-});
@@ -171,43 +171,3 @@ export function successResponse<T>(
    }
  );
 }
-
-export function createdResponse<T>(
-  data: T,
-  options: { location: string; requestId?: string; cache?: string }
-): Response {
-  const headers: Record<string, string> = {
-    "Content-Type": "application/json",
-    "Cache-Control": options.cache ?? CACHE_NO_STORE,
-    Location: options.location,
-  };
-
-  if (options.requestId) {
-    headers["X-Request-Id"] = options.requestId;
-  }
-
-  return Response.json(
-    {
-      data,
-    },
-    {
-      status: 201,
-      headers,
-    }
-  );
-}
-
-export function noContentResponse(options?: { requestId?: string; cache?: string }): Response {
-  const headers: Record<string, string> = {
-    "Cache-Control": options?.cache ?? CACHE_NO_STORE,
-  };
-
-  if (options?.requestId) {
-    headers["X-Request-Id"] = options.requestId;
-  }
-
-  return new Response(null, {
-    status: 204,
-    headers,
-  });
-}
@@ -1,34 +1,45 @@
 import { describe, expect, test, vi } from "vitest";
 import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
-import { getWorkspace } from "@/lib/workspace/service";
+import { findWorkspaceByIdOrLegacyEnvId } from "@/lib/utils/resolve-client-id";
 import { resolveV3WorkspaceContext } from "./workspace-context";

-vi.mock("@/lib/workspace/service", () => ({
-  getWorkspace: vi.fn(),
-}));
-
 vi.mock("@/lib/utils/helper", () => ({
  getOrganizationIdFromWorkspaceId: vi.fn(),
 }));

+vi.mock("@/lib/utils/resolve-client-id", () => ({
+  findWorkspaceByIdOrLegacyEnvId: vi.fn(),
+}));
+
 describe("resolveV3WorkspaceContext", () => {
  test("returns workspaceId and organizationId when workspace exists", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce({ id: "ws_abc" });
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce({ id: "ws_abc" });
    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValueOnce("org_123");
    const result = await resolveV3WorkspaceContext("ws_abc");
    expect(result).toEqual({
      workspaceId: "ws_abc",
      organizationId: "org_123",
    });
-    expect(getWorkspace).toHaveBeenCalledWith("ws_abc");
+    expect(findWorkspaceByIdOrLegacyEnvId).toHaveBeenCalledWith("ws_abc");
    expect(getOrganizationIdFromWorkspaceId).toHaveBeenCalledWith("ws_abc");
  });

+  test("resolves legacy environmentId to canonical workspaceId", async () => {
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce({ id: "ws_canonical" });
+    vi.mocked(getOrganizationIdFromWorkspaceId).mockResolvedValueOnce("org_456");
+    const result = await resolveV3WorkspaceContext("env_legacy");
+    expect(result).toEqual({
+      workspaceId: "ws_canonical",
+      organizationId: "org_456",
+    });
+    expect(getOrganizationIdFromWorkspaceId).toHaveBeenCalledWith("ws_canonical");
+  });
+
  test("throws when workspace does not exist", async () => {
-    vi.mocked(getWorkspace).mockResolvedValueOnce(null);
+    vi.mocked(findWorkspaceByIdOrLegacyEnvId).mockResolvedValueOnce(null);
    await expect(resolveV3WorkspaceContext("ws_nonexistent")).rejects.toThrow(ResourceNotFoundError);
-    expect(getWorkspace).toHaveBeenCalledWith("ws_nonexistent");
+    expect(findWorkspaceByIdOrLegacyEnvId).toHaveBeenCalledWith("ws_nonexistent");
    expect(getOrganizationIdFromWorkspaceId).not.toHaveBeenCalled();
  });
 });
@@ -6,7 +6,7 @@
 */
 import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { getOrganizationIdFromWorkspaceId } from "@/lib/utils/helper";
-import { getWorkspace } from "@/lib/workspace/service";
+import { findWorkspaceByIdOrLegacyEnvId } from "@/lib/utils/resolve-client-id";

 /**
 * Internal IDs derived from a V3 workspace identifier.
@@ -19,20 +19,21 @@ export type V3WorkspaceContext = {
 };

 /**
- * Resolves a V3 API workspaceId to internal workspaceId and organizationId.
+ * Resolves a V3 API workspaceId (or legacy environmentId) to internal workspaceId and organizationId.
 *
 * @throws ResourceNotFoundError if the workspace does not exist.
 */
 export async function resolveV3WorkspaceContext(workspaceId: string): Promise<V3WorkspaceContext> {
-  const workspace = await getWorkspace(workspaceId);
+  const workspace = await findWorkspaceByIdOrLegacyEnvId(workspaceId);
  if (!workspace) {
    throw new ResourceNotFoundError("workspace", workspaceId);
  }

-  const organizationId = await getOrganizationIdFromWorkspaceId(workspace.id);
+  const canonicalId = workspace.id;
+  const organizationId = await getOrganizationIdFromWorkspaceId(canonicalId);

  return {
-    workspaceId: workspace.id,
+    workspaceId: canonicalId,
    organizationId,
  };
 }
@@ -0,0 +1,318 @@
+import { ApiKeyPermission } from "@prisma/client";
+import { NextRequest } from "next/server";
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
+import { getSurvey } from "@/lib/survey/service";
+import { deleteSurvey } from "@/modules/survey/lib/surveys";
+import { DELETE } from "./route";
+
+const { mockAuthenticateRequest } = vi.hoisted(() => ({
+  mockAuthenticateRequest: vi.fn(),
+}));
+
+const { mockQueueAuditEvent, mockBuildAuditLogBaseObject } = vi.hoisted(() => ({
+  mockQueueAuditEvent: vi.fn().mockImplementation(async () => undefined),
+  mockBuildAuditLogBaseObject: vi.fn((action: string, targetType: string, apiUrl: string) => ({
+    action,
+    targetType,
+    userId: "unknown",
+    targetId: "unknown",
+    organizationId: "unknown",
+    status: "failure",
+    oldObject: undefined,
+    newObject: undefined,
+    userType: "api",
+    apiUrl,
+  })),
+}));
+
+vi.mock("next-auth", () => ({
+  getServerSession: vi.fn(),
+}));
+
+vi.mock("@/app/api/v1/auth", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/app/api/v1/auth")>();
+  return { ...actual, authenticateRequest: mockAuthenticateRequest };
+});
+
+vi.mock("@/modules/core/rate-limit/helpers", () => ({
+  applyRateLimit: vi.fn().mockResolvedValue(undefined),
+  applyIPRateLimit: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("@/lib/constants", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/constants")>();
+  return { ...actual, AUDIT_LOG_ENABLED: false };
+});
+
+vi.mock("@/app/api/v3/lib/auth", () => ({
+  requireV3WorkspaceAccess: vi.fn(),
+}));
+
+vi.mock("@/lib/survey/service", () => ({
+  getSurvey: vi.fn(),
+}));
+
+vi.mock("@/modules/survey/lib/surveys", () => ({
+  deleteSurvey: vi.fn(),
+}));
+
+vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
+  queueAuditEvent: mockQueueAuditEvent,
+}));
+
+vi.mock("@/app/lib/api/with-api-logging", () => ({
+  buildAuditLogBaseObject: mockBuildAuditLogBaseObject,
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      warn: vi.fn(),
+      error: vi.fn(),
+    })),
+  },
+}));
+
+const getServerSession = vi.mocked((await import("next-auth")).getServerSession);
+const queueAuditEvent = vi.mocked((await import("@/modules/ee/audit-logs/lib/handler")).queueAuditEvent);
+
+const surveyId = "clxx1234567890123456789012";
+const workspaceId = "clzz9876543210987654321098";
+
+function createRequest(url: string, requestId?: string, extraHeaders?: Record<string, string>): NextRequest {
+  const headers: Record<string, string> = { ...extraHeaders };
+  if (requestId) {
+    headers["x-request-id"] = requestId;
+  }
+
+  return new NextRequest(url, {
+    method: "DELETE",
+    headers,
+  });
+}
+
+const apiKeyAuth = {
+  type: "apiKey" as const,
+  apiKeyId: "key_1",
+  organizationId: "org_1",
+  organizationAccess: {
+    accessControl: { read: true, write: true },
+  },
+  workspacePermissions: [
+    {
+      workspaceId,
+      workspaceName: "W",
+      permission: ApiKeyPermission.write,
+    },
+  ],
+};
+
+describe("DELETE /api/v3/surveys/[surveyId]", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+    getServerSession.mockResolvedValue({
+      user: { id: "user_1", name: "User", email: "u@example.com" },
+      expires: "2026-01-01",
+    } as any);
+    mockAuthenticateRequest.mockResolvedValue(null);
+    vi.mocked(getSurvey).mockResolvedValue({
+      id: surveyId,
+      name: "Delete me",
+      workspaceId: workspaceId,
+      type: "link",
+      status: "draft",
+      createdAt: new Date("2026-04-15T10:00:00.000Z"),
+      updatedAt: new Date("2026-04-15T10:00:00.000Z"),
+      responseCount: 0,
+      creator: { name: "User" },
+      singleUse: null,
+    } as any);
+    vi.mocked(deleteSurvey).mockResolvedValue({
+      id: surveyId,
+      workspaceId,
+      type: "link",
+      segment: null,
+      triggers: [],
+    } as any);
+    vi.mocked(requireV3WorkspaceAccess).mockResolvedValue({
+      workspaceId,
+      organizationId: "org_1",
+    });
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("returns 401 when no session and no API key", async () => {
+    getServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue(null);
+
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(401);
+    expect(vi.mocked(getSurvey)).not.toHaveBeenCalled();
+  });
+
+  test("returns 200 with session auth and deletes the survey", async () => {
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-delete"), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(200);
+    expect(requireV3WorkspaceAccess).toHaveBeenCalledWith(
+      expect.objectContaining({ user: expect.any(Object) }),
+      workspaceId,
+      "readWrite",
+      "req-delete",
+      `/api/v3/surveys/${surveyId}`
+    );
+    expect(deleteSurvey).toHaveBeenCalledWith(surveyId);
+    expect(await res.json()).toEqual({
+      data: {
+        id: surveyId,
+      },
+    });
+  });
+
+  test("returns 200 with x-api-key when the key can delete in the survey workspace", async () => {
+    getServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue(apiKeyAuth as any);
+
+    const res = await DELETE(
+      createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-api-key", {
+        "x-api-key": "fbk_test",
+      }),
+      {
+        params: Promise.resolve({ surveyId }),
+      } as never
+    );
+
+    expect(res.status).toBe(200);
+    expect(requireV3WorkspaceAccess).toHaveBeenCalledWith(
+      expect.objectContaining({ apiKeyId: "key_1" }),
+      workspaceId,
+      "readWrite",
+      "req-api-key",
+      `/api/v3/surveys/${surveyId}`
+    );
+  });
+
+  test("returns 400 when surveyId is invalid", async () => {
+    const res = await DELETE(createRequest("http://localhost/api/v3/surveys/not-a-cuid"), {
+      params: Promise.resolve({ surveyId: "not-a-cuid" }),
+    } as never);
+
+    expect(res.status).toBe(400);
+    expect(vi.mocked(getSurvey)).not.toHaveBeenCalled();
+  });
+
+  test("returns 403 when the survey does not exist", async () => {
+    vi.mocked(getSurvey).mockResolvedValueOnce(null);
+
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(403);
+    expect(deleteSurvey).not.toHaveBeenCalled();
+  });
+
+  test("returns 403 when the user lacks readWrite workspace access", async () => {
+    vi.mocked(requireV3WorkspaceAccess).mockResolvedValueOnce(
+      new Response(
+        JSON.stringify({
+          title: "Forbidden",
+          status: 403,
+          detail: "You are not authorized to access this resource",
+          requestId: "req-forbidden",
+        }),
+        { status: 403, headers: { "Content-Type": "application/problem+json" } }
+      )
+    );
+
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-forbidden"), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(403);
+    expect(deleteSurvey).not.toHaveBeenCalled();
+    expect(queueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "deleted",
+        targetType: "survey",
+        targetId: "unknown",
+        organizationId: "unknown",
+        userId: "user_1",
+        userType: "user",
+        status: "failure",
+        oldObject: undefined,
+      })
+    );
+  });
+
+  test("returns 500 when survey deletion fails", async () => {
+    vi.mocked(deleteSurvey).mockRejectedValueOnce(new DatabaseError("db down"));
+
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-db"), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.code).toBe("internal_server_error");
+  });
+
+  test("returns 403 when the survey is deleted after authorization succeeds", async () => {
+    vi.mocked(deleteSurvey).mockRejectedValueOnce(new ResourceNotFoundError("Survey", surveyId));
+
+    const res = await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-race"), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.code).toBe("forbidden");
+    expect(queueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "deleted",
+        targetType: "survey",
+        targetId: surveyId,
+        organizationId: "org_1",
+        userId: "user_1",
+        userType: "user",
+        status: "failure",
+        oldObject: expect.objectContaining({
+          id: surveyId,
+          workspaceId: workspaceId,
+        }),
+      })
+    );
+  });
+
+  test("queues an audit log with target, actor, organization, and old object", async () => {
+    await DELETE(createRequest(`http://localhost/api/v3/surveys/${surveyId}`, "req-audit"), {
+      params: Promise.resolve({ surveyId }),
+    } as never);
+
+    expect(queueAuditEvent).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "deleted",
+        targetType: "survey",
+        targetId: surveyId,
+        organizationId: "org_1",
+        userId: "user_1",
+        userType: "user",
+        status: "success",
+        oldObject: expect.objectContaining({
+          id: surveyId,
+          workspaceId: workspaceId,
+        }),
+      })
+    );
+  });
+});
@@ -2,140 +2,42 @@ import { z } from "zod";
 import { logger } from "@formbricks/logger";
 import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { withV3ApiWrapper } from "@/app/api/v3/lib/api-wrapper";
-import {
-  noContentResponse,
-  problemBadRequest,
-  problemForbidden,
-  problemInternalError,
-  successResponse,
-} from "@/app/api/v3/lib/response";
-import {
-  V3SurveyLanguageError,
-  V3SurveyUnsupportedShapeError,
-  serializeV3SurveyResource,
-} from "@/app/api/v3/surveys/serializers";
+import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
+import { problemForbidden, problemInternalError, successResponse } from "@/app/api/v3/lib/response";
+import { getSurvey } from "@/lib/survey/service";
 import { deleteSurvey } from "@/modules/survey/lib/surveys";
-import { getAuthorizedV3Survey } from "../authorization";
-import { parseV3SurveyLanguageQuery } from "../language";
-
-const surveyParamsSchema = z.object({
-  surveyId: z.cuid2(),
-});
-
-const surveyQuerySchema = z
-  .object({
-    lang: z
-      .union([z.string(), z.array(z.string())])
-      .transform((value, ctx) => {
-        const parsedLanguageQuery = parseV3SurveyLanguageQuery(value);
-
-        if (!parsedLanguageQuery.ok) {
-          ctx.addIssue({
-            code: "custom",
-            message: parsedLanguageQuery.message,
-          });
-          return z.NEVER;
-        }
-
-        return parsedLanguageQuery.languages;
-      })
-      .optional(),
-  })
-  .strict();
-
-export const GET = withV3ApiWrapper({
-  auth: "both",
-  schemas: {
-    params: surveyParamsSchema,
-    query: surveyQuerySchema,
-  },
-  handler: async ({ parsedInput, authentication, requestId, instance }) => {
-    const surveyId = parsedInput.params.surveyId;
-    const log = logger.withContext({ requestId, surveyId });
-
-    try {
-      const { survey, response } = await getAuthorizedV3Survey({
-        surveyId,
-        authentication,
-        access: "read",
-        requestId,
-        instance,
-      });
-
-      if (response) {
-        log.warn({ statusCode: response.status }, "Survey not found or not accessible");
-        return response;
-      }
-
-      try {
-        return successResponse(serializeV3SurveyResource(survey, { lang: parsedInput.query.lang }), {
-          requestId,
-          cache: "private, no-store",
-        });
-      } catch (error) {
-        if (error instanceof V3SurveyLanguageError) {
-          log.warn({ statusCode: 400, lang: parsedInput.query.lang }, "Invalid survey language selector");
-          return problemBadRequest(requestId, error.message, {
-            instance,
-            invalid_params: [
-              {
-                name: "lang",
-                reason: error.message,
-              },
-            ],
-          });
-        }
-
-        if (error instanceof V3SurveyUnsupportedShapeError) {
-          log.warn({ statusCode: 400 }, "Unsupported v3 survey shape");
-          return problemBadRequest(requestId, error.message, {
-            instance,
-            invalid_params: [
-              {
-                name: "survey",
-                reason: error.message,
-              },
-            ],
-          });
-        }
-
-        throw error;
-      }
-    } catch (error) {
-      if (error instanceof DatabaseError) {
-        log.error({ error, statusCode: 500 }, "Database error");
-        return problemInternalError(requestId, "An unexpected error occurred.", instance);
-      }
-
-      log.error({ error, statusCode: 500 }, "V3 survey get unexpected error");
-      return problemInternalError(requestId, "An unexpected error occurred.", instance);
-    }
-  },
-});

 export const DELETE = withV3ApiWrapper({
  auth: "both",
  action: "deleted",
  targetType: "survey",
  schemas: {
-    params: surveyParamsSchema,
+    params: z.object({
+      surveyId: z.cuid2(),
+    }),
  },
  handler: async ({ parsedInput, authentication, requestId, instance, auditLog }) => {
    const surveyId = parsedInput.params.surveyId;
    const log = logger.withContext({ requestId, surveyId });

    try {
-      const { survey, authResult, response } = await getAuthorizedV3Survey({
-        surveyId,
-        authentication,
-        access: "readWrite",
-        requestId,
-        instance,
-      });
+      const survey = await getSurvey(surveyId);

-      if (response) {
+      if (!survey) {
        log.warn({ statusCode: 403 }, "Survey not found or not accessible");
-        return response;
+        return problemForbidden(requestId, "You are not authorized to access this resource", instance);
+      }
+
+      const authResult = await requireV3WorkspaceAccess(
+        authentication,
+        survey.workspaceId,
+        "readWrite",
+        requestId,
+        instance
+      );
+
+      if (authResult instanceof Response) {
+        return authResult;
      }

      if (auditLog) {
@@ -144,9 +46,14 @@ export const DELETE = withV3ApiWrapper({
        auditLog.oldObject = survey;
      }

-      await deleteSurvey(surveyId);
+      const deletedSurvey = await deleteSurvey(surveyId);

-      return noContentResponse({ requestId });
+      return successResponse(
+        {
+          id: deletedSurvey.id,
+        },
+        { requestId }
+      );
    } catch (error) {
      if (error instanceof ResourceNotFoundError) {
        log.warn({ errorCode: error.name, statusCode: 403 }, "Survey not found or not accessible");
@@ -1,71 +0,0 @@
-import { describe, expect, test, vi } from "vitest";
-import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
-import { getSurvey } from "@/lib/survey/service";
-import { getAuthorizedV3Survey } from "./authorization";
-
-vi.mock("@/app/api/v3/lib/auth", () => ({
-  requireV3WorkspaceAccess: vi.fn(),
-}));
-
-vi.mock("@/lib/survey/service", () => ({
-  getSurvey: vi.fn(),
-}));
-
-const survey = {
-  id: "clsv1234567890123456789012",
-  workspaceId: "clxx1234567890123456789012",
-};
-const surveyRecord = survey as unknown as NonNullable<Awaited<ReturnType<typeof getSurvey>>>;
-
-describe("getAuthorizedV3Survey", () => {
-  test("returns a generic forbidden response when the survey does not exist", async () => {
-    vi.mocked(getSurvey).mockResolvedValue(null);
-
-    const result = await getAuthorizedV3Survey({
-      surveyId: survey.id,
-      authentication: null,
-      access: "read",
-      requestId: "req_1",
-      instance: "/api/v3/surveys/clsv1234567890123456789012",
-    });
-
-    expect(result.response?.status).toBe(403);
-    expect(requireV3WorkspaceAccess).not.toHaveBeenCalled();
-  });
-
-  test("returns the authorization response when workspace access is denied", async () => {
-    const forbiddenResponse = new Response(null, { status: 403 });
-    vi.mocked(getSurvey).mockResolvedValue(surveyRecord);
-    vi.mocked(requireV3WorkspaceAccess).mockResolvedValue(forbiddenResponse);
-
-    const result = await getAuthorizedV3Survey({
-      surveyId: survey.id,
-      authentication: null,
-      access: "readWrite",
-      requestId: "req_2",
-      instance: "/api/v3/surveys/clsv1234567890123456789012",
-    });
-
-    expect(result.response).toBe(forbiddenResponse);
-  });
-
-  test("returns the survey and authorization context when access is allowed", async () => {
-    const authResult = { workspaceId: survey.workspaceId, organizationId: "org_1" };
-    vi.mocked(getSurvey).mockResolvedValue(surveyRecord);
-    vi.mocked(requireV3WorkspaceAccess).mockResolvedValue(authResult);
-
-    const result = await getAuthorizedV3Survey({
-      surveyId: survey.id,
-      authentication: null,
-      access: "read",
-      requestId: "req_3",
-      instance: "/api/v3/surveys/clsv1234567890123456789012",
-    });
-
-    expect(result).toEqual({
-      survey,
-      authResult,
-      response: null,
-    });
-  });
-});
@@ -1,37 +0,0 @@
-import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
-import { problemForbidden } from "@/app/api/v3/lib/response";
-import type { TV3Authentication } from "@/app/api/v3/lib/types";
-import { getSurvey } from "@/lib/survey/service";
-
-export async function getAuthorizedV3Survey(params: {
-  surveyId: string;
-  authentication: TV3Authentication;
-  access: "read" | "readWrite";
-  requestId: string;
-  instance: string;
-}) {
-  const { surveyId, authentication, access, requestId, instance } = params;
-  const survey = await getSurvey(surveyId);
-
-  if (!survey) {
-    return {
-      survey: null,
-      authResult: null,
-      response: problemForbidden(requestId, "You are not authorized to access this resource", instance),
-    };
-  }
-
-  const authResult = await requireV3WorkspaceAccess(
-    authentication,
-    survey.workspaceId,
-    access,
-    requestId,
-    instance
-  );
-
-  if (authResult instanceof Response) {
-    return { survey: null, authResult: null, response: authResult };
-  }
-
-  return { survey, authResult, response: null };
-}
@@ -1,241 +0,0 @@
-import { beforeEach, describe, expect, test, vi } from "vitest";
-import { prisma } from "@formbricks/database";
-import type { TSurvey } from "@formbricks/types/surveys/types";
-import { getOrganizationByWorkspaceId } from "@/lib/organization/service";
-import { createSurvey } from "@/lib/survey/service";
-import { getExternalUrlsPermission } from "@/modules/survey/lib/permission";
-import { V3SurveyCreatePermissionError, createV3Survey } from "./create";
-import { ZV3CreateSurveyBody } from "./schemas";
-
-vi.mock("server-only", () => ({}));
-
-vi.mock("@formbricks/database", () => ({
-  prisma: {
-    language: {
-      upsert: vi.fn(),
-    },
-  },
-}));
-
-vi.mock("@/lib/survey/service", () => ({
-  createSurvey: vi.fn(),
-}));
-
-vi.mock("@/lib/organization/service", () => ({
-  getOrganizationByWorkspaceId: vi.fn(),
-}));
-
-vi.mock("@/modules/survey/lib/permission", () => ({
-  getExternalUrlsPermission: vi.fn(),
-}));
-
-vi.mock("@formbricks/logger", () => ({
-  logger: {
-    withContext: vi.fn(() => ({
-      error: vi.fn(),
-      warn: vi.fn(),
-    })),
-  },
-}));
-
-const workspaceId = "clxx1234567890123456789012";
-
-const rawCreateBody = {
-  workspaceId,
-  name: "Product Feedback",
-  defaultLanguage: "en-US",
-  metadata: {
-    cx_operation: "enterprise_onboarding",
-    title: { "en-US": "Product Feedback", "de-DE": "Produktfeedback" },
-  },
-  blocks: [
-    {
-      id: "clbk1234567890123456789012",
-      name: "Main Block",
-      elements: [
-        {
-          id: "satisfaction",
-          type: "openText",
-          headline: {
-            "en-US": "What should we improve?",
-            "de-DE": "Was sollen wir verbessern?",
-          },
-          required: true,
-        },
-      ],
-    },
-  ],
-};
-
-const createBody = ZV3CreateSurveyBody.parse(rawCreateBody);
-
-const createdSurvey = {
-  id: "clsv1234567890123456789012",
-  workspaceId,
-  createdAt: new Date("2026-04-21T10:00:00.000Z"),
-  updatedAt: new Date("2026-04-21T10:00:00.000Z"),
-  name: "Product Feedback",
-  type: "link",
-  status: "draft",
-  metadata: {},
-  languages: [],
-  questions: [],
-  welcomeCard: { enabled: false },
-  blocks: createBody.blocks,
-  endings: [],
-  hiddenFields: { enabled: false },
-  variables: [],
-} as unknown as TSurvey;
-
-type TLanguageUpsertArgs = Parameters<typeof prisma.language.upsert>[0];
-type TLanguageUpsertReturn = ReturnType<typeof prisma.language.upsert>;
-
-describe("createV3Survey", () => {
-  beforeEach(() => {
-    vi.resetAllMocks();
-    vi.mocked(prisma.language.upsert).mockImplementation(
-      (args: TLanguageUpsertArgs): TLanguageUpsertReturn => {
-        const workspaceIdCode = args.where.workspaceId_code;
-        if (!workspaceIdCode) {
-          throw new Error("Expected workspaceId_code upsert selector");
-        }
-
-        return Promise.resolve({
-          id: `cllang${workspaceIdCode.code.toLowerCase().replaceAll("-", "")}`,
-          code: workspaceIdCode.code,
-          alias: null,
-          workspaceId: workspaceIdCode.workspaceId,
-          createdAt: new Date("2026-04-21T10:00:00.000Z"),
-          updatedAt: new Date("2026-04-21T10:00:00.000Z"),
-        }) as TLanguageUpsertReturn;
-      }
-    );
-    vi.mocked(createSurvey).mockResolvedValue(createdSurvey);
-    vi.mocked(getOrganizationByWorkspaceId).mockResolvedValue({
-      id: "org_1",
-      name: "Organization",
-      createdAt: new Date(),
-      updatedAt: new Date(),
-      billing: {
-        limits: { monthly: { responses: 1000 }, workspaces: 1 },
-        stripeCustomerId: null,
-        usageCycleAnchor: null,
-      },
-      isAISmartToolsEnabled: false,
-      isAIDataAnalysisEnabled: false,
-      whitelabel: undefined,
-    });
-    vi.mocked(getExternalUrlsPermission).mockResolvedValue(true);
-  });
-
-  test("maps the public v3 body to the internal create payload", async () => {
-    await createV3Survey(
-      createBody,
-      {
-        user: { id: "user_1", email: "user@example.com", name: "User" },
-        expires: "2026-05-01",
-      },
-      "req_1"
-    );
-
-    expect(prisma.language.upsert).toHaveBeenCalledWith(
-      expect.objectContaining({
-        where: { workspaceId_code: { workspaceId, code: "en-US" } },
-        create: { workspaceId, code: "en-US", alias: null },
-      })
-    );
-    expect(prisma.language.upsert).toHaveBeenCalledWith(
-      expect.objectContaining({
-        where: { workspaceId_code: { workspaceId, code: "de-DE" } },
-        create: { workspaceId, code: "de-DE", alias: null },
-      })
-    );
-    expect(createSurvey).toHaveBeenCalledWith(
-      workspaceId,
-      expect.objectContaining({
-        name: "Product Feedback",
-        type: "link",
-        status: "draft",
-        createdBy: "user_1",
-        questions: [],
-        metadata: expect.objectContaining({
-          cx_operation: "enterprise_onboarding",
-          title: { default: "Product Feedback", "de-DE": "Produktfeedback" },
-        }),
-        blocks: [
-          expect.objectContaining({
-            elements: [
-              expect.objectContaining({
-                headline: {
-                  default: "What should we improve?",
-                  "de-DE": "Was sollen wir verbessern?",
-                },
-              }),
-            ],
-          }),
-        ],
-        languages: [
-          expect.objectContaining({ default: true, enabled: true }),
-          expect.objectContaining({ default: false, enabled: true }),
-        ],
-      })
-    );
-    expect(getOrganizationByWorkspaceId).not.toHaveBeenCalled();
-    expect(getExternalUrlsPermission).not.toHaveBeenCalled();
-  });
-
-  test("keeps createdBy null for API key calls and honors explicit disabled languages", async () => {
-    const body = ZV3CreateSurveyBody.parse({
-      ...rawCreateBody,
-      languages: [{ code: "fr-FR", enabled: false }],
-    });
-
-    await createV3Survey(
-      body,
-      {
-        type: "apiKey",
-        apiKeyId: "key_1",
-        organizationId: "org_1",
-        organizationAccess: { accessControl: { read: true, write: true } },
-        workspacePermissions: [],
-      },
-      "req_2"
-    );
-
-    expect(createSurvey).toHaveBeenCalledWith(
-      workspaceId,
-      expect.objectContaining({
-        createdBy: null,
-        languages: expect.arrayContaining([
-          expect.objectContaining({ language: expect.objectContaining({ code: "fr-FR" }), enabled: false }),
-        ]),
-      })
-    );
-  });
-
-  test("rejects external CTA buttons when the organization does not have external URL permission", async () => {
-    vi.mocked(getExternalUrlsPermission).mockResolvedValue(false);
-    const body = ZV3CreateSurveyBody.parse({
-      ...rawCreateBody,
-      blocks: [
-        {
-          ...rawCreateBody.blocks[0],
-          elements: [
-            {
-              id: "external_cta",
-              type: "cta",
-              headline: { "en-US": "Continue" },
-              required: false,
-              buttonExternal: true,
-              buttonUrl: "https://example.com",
-              ctaButtonLabel: { "en-US": "Open" },
-            },
-          ],
-        },
-      ],
-    });
-
-    await expect(createV3Survey(body, null, "req_3")).rejects.toThrow(V3SurveyCreatePermissionError);
-    expect(createSurvey).not.toHaveBeenCalled();
-  });
-});
@@ -1,106 +0,0 @@
-import "server-only";
-import type { TSurveyCreateInput } from "@formbricks/types/surveys/types";
-import type { TV3Authentication } from "@/app/api/v3/lib/types";
-import { getOrganizationByWorkspaceId } from "@/lib/organization/service";
-import { createSurvey } from "@/lib/survey/service";
-import { getElementsFromBlocks } from "@/lib/survey/utils";
-import { getExternalUrlsPermission } from "@/modules/survey/lib/permission";
-import { type TV3SurveyLanguageRequest, ensureV3WorkspaceLanguages } from "./languages";
-import { prepareV3SurveyCreate } from "./prepare";
-import { V3SurveyReferenceValidationError } from "./reference-validation";
-import type { TV3CreateSurveyBody } from "./schemas";
-
-export class V3SurveyCreatePermissionError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = "V3SurveyCreatePermissionError";
-  }
-}
-
-function getCreatedBy(authentication: TV3Authentication): string | null {
-  if (authentication && "user" in authentication && authentication.user?.id) {
-    return authentication.user.id;
-  }
-
-  return null;
-}
-
-function hasExternalUrlReferences(input: TV3CreateSurveyBody): boolean {
-  const hasExternalEndingLink = input.endings.some(
-    (ending) => ending.type === "endScreen" && Boolean(ending.buttonLink)
-  );
-  const hasExternalCtaButton = getElementsFromBlocks(input.blocks).some(
-    (element) => element.type === "cta" && element.buttonExternal
-  );
-
-  return hasExternalEndingLink || hasExternalCtaButton;
-}
-
-async function assertV3SurveyCreatePermissions(
-  input: TV3CreateSurveyBody,
-  organizationId?: string
-): Promise<void> {
-  if (!hasExternalUrlReferences(input)) {
-    return;
-  }
-
-  const resolvedOrganizationId =
-    organizationId ?? (await getOrganizationByWorkspaceId(input.workspaceId))?.id ?? null;
-  if (!resolvedOrganizationId) {
-    return;
-  }
-
-  const isExternalUrlsAllowed = await getExternalUrlsPermission(resolvedOrganizationId);
-  if (!isExternalUrlsAllowed) {
-    throw new V3SurveyCreatePermissionError(
-      "External URLs are not enabled for this organization. Upgrade to use external survey links."
-    );
-  }
-}
-
-export async function executeV3SurveyCreate(params: {
-  input: TV3CreateSurveyBody;
-  authentication: TV3Authentication;
-  languageRequests: TV3SurveyLanguageRequest[];
-  requestId?: string;
-}) {
-  const { input, authentication, languageRequests, requestId } = params;
-  const languages = await ensureV3WorkspaceLanguages(input.workspaceId, languageRequests, requestId);
-  const surveyCreateInput: TSurveyCreateInput = {
-    name: input.name,
-    type: "link",
-    status: input.status,
-    metadata: input.metadata,
-    welcomeCard: input.welcomeCard,
-    blocks: input.blocks,
-    endings: input.endings,
-    hiddenFields: input.hiddenFields,
-    variables: input.variables,
-    languages,
-    questions: [],
-    createdBy: getCreatedBy(authentication),
-  };
-
-  return await createSurvey(input.workspaceId, surveyCreateInput);
-}
-
-export async function createV3Survey(
-  input: TV3CreateSurveyBody,
-  authentication: TV3Authentication,
-  requestId?: string,
-  organizationId?: string
-) {
-  const preparation = prepareV3SurveyCreate(input);
-  if (!preparation.ok) {
-    throw new V3SurveyReferenceValidationError(preparation.validation.invalidParams);
-  }
-
-  await assertV3SurveyCreatePermissions(input, organizationId);
-
-  return await executeV3SurveyCreate({
-    input: preparation.document,
-    authentication,
-    languageRequests: preparation.languageRequests,
-    requestId,
-  });
-}
@@ -1,106 +0,0 @@
-import { describe, expect, test } from "vitest";
-import {
-  normalizeV3SurveyLanguageTag,
-  parseV3SurveyLanguageQuery,
-  resolveV3SurveyLanguageCode,
-} from "./language";
-
-const languages = [
-  { code: "en-US", enabled: true },
-  { code: "de-DE", enabled: true },
-  { code: "fr-FR", enabled: false },
-];
-
-describe("normalizeV3SurveyLanguageTag", () => {
-  test.each([
-    ["EN_us", "en-US"],
-    ["en-us", "en-US"],
-    ["de", "de"],
-    ["zh_hans_cn", "zh-Hans-CN"],
-  ])("normalizes %s to %s", (input, expected) => {
-    expect(normalizeV3SurveyLanguageTag(input)).toBe(expected);
-  });
-
-  test("returns null for invalid language tags", () => {
-    expect(normalizeV3SurveyLanguageTag("not a locale")).toBeNull();
-  });
-});
-
-describe("parseV3SurveyLanguageQuery", () => {
-  test("parses comma-separated language selectors", () => {
-    expect(parseV3SurveyLanguageQuery("de-DE, pt_PT, EN_us")).toEqual({
-      ok: true,
-      languages: ["de-DE", "pt-PT", "en-US"],
-    });
-  });
-
-  test("parses repeated language selectors", () => {
-    expect(parseV3SurveyLanguageQuery(["de-DE", "pt_PT,en_us"])).toEqual({
-      ok: true,
-      languages: ["de-DE", "pt-PT", "en-US"],
-    });
-  });
-
-  test("deduplicates language selectors case-insensitively", () => {
-    expect(parseV3SurveyLanguageQuery("de-DE,DE_de")).toEqual({
-      ok: true,
-      languages: ["de-DE"],
-    });
-  });
-
-  test("rejects empty language selectors", () => {
-    expect(parseV3SurveyLanguageQuery("de-DE,")).toEqual({
-      ok: false,
-      message: "Language selector must contain valid comma-separated locale codes",
-    });
-  });
-
-  test("rejects invalid language selectors", () => {
-    expect(parseV3SurveyLanguageQuery("not a locale")).toEqual({
-      ok: false,
-      message: "Language 'not a locale' is not a valid locale code",
-    });
-  });
-});
-
-describe("resolveV3SurveyLanguageCode", () => {
-  test("matches configured languages case-insensitively and normalizes underscores", () => {
-    expect(resolveV3SurveyLanguageCode("DE_de", languages)).toEqual({ ok: true, code: "de-DE" });
-  });
-
-  test("resolves language-only tags when exactly one configured language matches", () => {
-    expect(resolveV3SurveyLanguageCode("de", languages)).toEqual({ ok: true, code: "de-DE" });
-  });
-
-  test("resolves disabled configured languages for management reads", () => {
-    expect(resolveV3SurveyLanguageCode("fr", languages)).toEqual({ ok: true, code: "fr-FR" });
-  });
-
-  test("returns ambiguous when language-only tags match multiple configured languages", () => {
-    expect(
-      resolveV3SurveyLanguageCode("pt", [
-        { code: "pt-BR", enabled: true },
-        { code: "pt-PT", enabled: true },
-      ])
-    ).toEqual({
-      ok: false,
-      reason: "ambiguous",
-      message: "Language 'pt' is ambiguous for this survey; use one of pt-BR, pt-PT",
-    });
-  });
-
-  test("returns unknown for languages not configured on the survey", () => {
-    expect(resolveV3SurveyLanguageCode("es-ES", languages)).toEqual({
-      ok: false,
-      reason: "unknown",
-      message: "Language 'es-ES' is not configured for this survey",
-    });
-  });
-
-  test("resolves the implicit default language for surveys without configured languages", () => {
-    expect(resolveV3SurveyLanguageCode("en", [{ code: "en-US", enabled: true }])).toEqual({
-      ok: true,
-      code: "en-US",
-    });
-  });
-});
@@ -1,149 +0,0 @@
-import type { TSurvey as TInternalSurvey } from "@formbricks/types/surveys/types";
-
-type TV3SurveyLanguageInput = {
-  code: string;
-  enabled: boolean;
-};
-
-export type TV3SurveyLanguage = {
-  code: string;
-  default: boolean;
-  enabled: boolean;
-};
-
-type TV3SurveyLanguageQueryInput = string | string[];
-
-type TResolveV3SurveyLanguageCodeResult =
-  | { ok: true; code: string }
-  | { ok: false; reason: "invalid" | "unknown" | "ambiguous"; message: string };
-
-type TParseV3SurveyLanguageQueryResult = { ok: true; languages: string[] } | { ok: false; message: string };
-
-export function normalizeV3SurveyLanguageTag(value: string): string | null {
-  const normalizedSeparators = value.trim().replaceAll("_", "-");
-
-  try {
-    return Intl.getCanonicalLocales(normalizedSeparators)[0] ?? null;
-  } catch {
-    return null;
-  }
-}
-
-export function parseV3SurveyLanguageQuery(
-  value: TV3SurveyLanguageQueryInput
-): TParseV3SurveyLanguageQueryResult {
-  const requestedLanguages = (Array.isArray(value) ? value : [value])
-    .flatMap((entry) => entry.split(","))
-    .map((entry) => entry.trim());
-
-  if (requestedLanguages.some((entry) => entry.length === 0)) {
-    return {
-      ok: false,
-      message: "Language selector must contain valid comma-separated locale codes",
-    };
-  }
-
-  const normalizedLanguages: string[] = [];
-
-  for (const language of requestedLanguages) {
-    const normalizedLanguage = normalizeV3SurveyLanguageTag(language);
-
-    if (!normalizedLanguage) {
-      return {
-        ok: false,
-        message: `Language '${language}' is not a valid locale code`,
-      };
-    }
-
-    if (!normalizedLanguages.some((entry) => entry.toLowerCase() === normalizedLanguage.toLowerCase())) {
-      normalizedLanguages.push(normalizedLanguage);
-    }
-  }
-
-  return { ok: true, languages: normalizedLanguages };
-}
-
-function getLanguageSubtag(languageTag: string): string {
-  return languageTag.split("-")[0]?.toLowerCase() ?? languageTag.toLowerCase();
-}
-
-export function resolveV3SurveyLanguageCode(
-  requestedLanguage: string,
-  languages: TV3SurveyLanguageInput[]
-): TResolveV3SurveyLanguageCodeResult {
-  const normalizedRequestedLanguage = normalizeV3SurveyLanguageTag(requestedLanguage);
-
-  if (!normalizedRequestedLanguage) {
-    return {
-      ok: false,
-      reason: "invalid",
-      message: `Language '${requestedLanguage}' is not a valid locale code`,
-    };
-  }
-
-  const normalizedLanguages = languages.map((language) => ({
-    ...language,
-    code: normalizeV3SurveyLanguageTag(language.code) ?? language.code,
-  }));
-  const exactMatch = normalizedLanguages.find(
-    (language) => language.code.toLowerCase() === normalizedRequestedLanguage.toLowerCase()
-  );
-
-  if (exactMatch) {
-    return { ok: true, code: exactMatch.code };
-  }
-
-  const requestedSubtag = getLanguageSubtag(normalizedRequestedLanguage);
-  const hasRegionOrScript = normalizedRequestedLanguage.includes("-");
-  const matchingLanguages = hasRegionOrScript
-    ? []
-    : normalizedLanguages.filter((language) => getLanguageSubtag(language.code) === requestedSubtag);
-
-  if (matchingLanguages.length > 1) {
-    return {
-      ok: false,
-      reason: "ambiguous",
-      message: `Language '${normalizedRequestedLanguage}' is ambiguous for this survey; use one of ${matchingLanguages.map((language) => language.code).join(", ")}`,
-    };
-  }
-
-  const languageMatch = matchingLanguages[0];
-  if (languageMatch) {
-    return { ok: true, code: languageMatch.code };
-  }
-
-  return {
-    ok: false,
-    reason: "unknown",
-    message: `Language '${normalizedRequestedLanguage}' is not configured for this survey`,
-  };
-}
-
-export function getV3SurveyLanguages(
-  survey: Pick<TInternalSurvey, "languages">,
-  fallbackLanguage: string
-): TV3SurveyLanguage[] {
-  const languages = (survey.languages ?? []).map((surveyLanguage) => ({
-    code: normalizeV3SurveyLanguageTag(surveyLanguage.language.code) ?? surveyLanguage.language.code,
-    default: surveyLanguage.default,
-    enabled: surveyLanguage.enabled,
-  }));
-
-  if (languages.length === 0) {
-    return [{ code: fallbackLanguage, default: true, enabled: true }];
-  }
-
-  return languages;
-}
-
-export function getV3SurveyDefaultLanguage(
-  survey: Pick<TInternalSurvey, "languages">,
-  fallbackLanguage: string
-): string {
-  const defaultLanguageCode = survey.languages?.find((surveyLanguage) => surveyLanguage.default)?.language
-    .code;
-
-  return defaultLanguageCode
-    ? (normalizeV3SurveyLanguageTag(defaultLanguageCode) ?? defaultLanguageCode)
-    : fallbackLanguage;
-}
@@ -1,150 +0,0 @@
-import "server-only";
-import { Prisma } from "@prisma/client";
-import { prisma } from "@formbricks/database";
-import { logger } from "@formbricks/logger";
-import { DatabaseError } from "@formbricks/types/errors";
-import type { TI18nString } from "@formbricks/types/i18n";
-import type { TSurveyLanguage } from "@formbricks/types/surveys/types";
-import type { TLanguage } from "@formbricks/types/workspace";
-import { normalizeV3SurveyLanguageTag } from "./language";
-import type { TV3SurveyDocument } from "./schemas";
-
-export type TV3SurveyLanguageRequest = {
-  code: string;
-  default: boolean;
-  enabled: boolean;
-};
-
-const languageSelect = {
-  id: true,
-  code: true,
-  alias: true,
-  workspaceId: true,
-  createdAt: true,
-  updatedAt: true,
-} satisfies Prisma.LanguageSelect;
-
-function isPlainObject(value: unknown): value is Record<string, unknown> {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
-function isInternalI18nString(value: unknown): value is TI18nString {
-  return (
-    isPlainObject(value) &&
-    typeof value.default === "string" &&
-    Object.values(value).every((entry) => typeof entry === "string")
-  );
-}
-
-function collectI18nLanguageCodes(value: unknown, languageCodes: Set<string>): void {
-  if (Array.isArray(value)) {
-    value.forEach((entry) => collectI18nLanguageCodes(entry, languageCodes));
-    return;
-  }
-
-  if (!isPlainObject(value)) {
-    return;
-  }
-
-  if (isInternalI18nString(value)) {
-    Object.keys(value).forEach((languageCode) => {
-      if (languageCode !== "default") {
-        const normalizedLanguageCode = normalizeV3SurveyLanguageTag(languageCode);
-        if (normalizedLanguageCode) {
-          languageCodes.add(normalizedLanguageCode);
-        }
-      }
-    });
-    return;
-  }
-
-  Object.values(value).forEach((entry) => collectI18nLanguageCodes(entry, languageCodes));
-}
-
-export function deriveV3SurveyLanguageRequests(input: TV3SurveyDocument): TV3SurveyLanguageRequest[] {
-  const requestedLanguages = new Map<string, TV3SurveyLanguageRequest>();
-  const addLanguage = (code: string, enabled = true): void => {
-    requestedLanguages.set(code, {
-      code,
-      default: code.toLowerCase() === input.defaultLanguage.toLowerCase(),
-      enabled: code.toLowerCase() === input.defaultLanguage.toLowerCase() ? true : enabled,
-    });
-  };
-
-  addLanguage(input.defaultLanguage);
-
-  input.languages.forEach((language) => {
-    addLanguage(language.code, language.enabled);
-  });
-
-  const contentLanguageCodes = new Set<string>();
-  collectI18nLanguageCodes(input.welcomeCard, contentLanguageCodes);
-  collectI18nLanguageCodes(input.blocks, contentLanguageCodes);
-  collectI18nLanguageCodes(input.endings, contentLanguageCodes);
-  collectI18nLanguageCodes(input.metadata, contentLanguageCodes);
-  contentLanguageCodes.forEach((languageCode) => {
-    if (!requestedLanguages.has(languageCode)) {
-      addLanguage(languageCode);
-    }
-  });
-
-  return Array.from(requestedLanguages.values()).sort((left, right) => {
-    if (left.default) return -1;
-    if (right.default) return 1;
-    return left.code.localeCompare(right.code);
-  });
-}
-
-export async function ensureV3WorkspaceLanguages(
-  workspaceId: string,
-  languageRequests: TV3SurveyLanguageRequest[],
-  requestId?: string
-): Promise<TSurveyLanguage[]> {
-  const log = logger.withContext({ requestId, workspaceId });
-
-  try {
-    const languages = await Promise.all(
-      languageRequests.map((languageRequest) =>
-        prisma.language.upsert({
-          where: {
-            workspaceId_code: {
-              workspaceId,
-              code: languageRequest.code,
-            },
-          },
-          update: {},
-          create: {
-            workspaceId,
-            code: languageRequest.code,
-            alias: null,
-          },
-          select: languageSelect,
-        })
-      )
-    );
-    const languageByCode = new Map(
-      languages.map((language) => [language.code.toLowerCase(), language as TLanguage])
-    );
-
-    return languageRequests.map((languageRequest) => {
-      const language = languageByCode.get(languageRequest.code.toLowerCase());
-
-      if (!language) {
-        throw new DatabaseError(`Failed to resolve language '${languageRequest.code}'`);
-      }
-
-      return {
-        language,
-        default: languageRequest.default,
-        enabled: languageRequest.enabled,
-      };
-    });
-  } catch (error) {
-    if (error instanceof Prisma.PrismaClientKnownRequestError) {
-      log.error({ error }, "Error creating workspace languages for v3 survey write");
-      throw new DatabaseError(error.message);
-    }
-
-    throw error;
-  }
-}
@@ -1,165 +0,0 @@
-import { describe, expect, test, vi } from "vitest";
-import type { TSurvey } from "@formbricks/types/surveys/types";
-import { prepareV3SurveyCreate, prepareV3SurveyCreateInput, prepareV3SurveyPatchInput } from "./prepare";
-import { ZV3CreateSurveyBody } from "./schemas";
-
-vi.mock("server-only", () => ({}));
-
-const workspaceId = "clxx1234567890123456789012";
-
-const rawCreateBody = {
-  workspaceId,
-  name: "Product Feedback",
-  defaultLanguage: "en-US",
-  blocks: [
-    {
-      id: "clbk1234567890123456789012",
-      name: "Main Block",
-      elements: [
-        {
-          id: "satisfaction",
-          type: "openText",
-          headline: { "en-US": "What should we improve?", "de-DE": "Was sollen wir verbessern?" },
-          required: true,
-        },
-      ],
-    },
-  ],
-};
-
-const createBody = ZV3CreateSurveyBody.parse(rawCreateBody);
-
-const survey = {
-  id: "clsv1234567890123456789012",
-  workspaceId,
-  createdAt: new Date("2026-04-21T10:00:00.000Z"),
-  updatedAt: new Date("2026-04-21T10:00:00.000Z"),
-  name: "Product Feedback",
-  type: "link",
-  status: "draft",
-  metadata: {},
-  languages: [
-    {
-      language: {
-        id: "cllangenus000000000000000",
-        code: "en-US",
-        alias: null,
-        workspaceId,
-        createdAt: new Date("2026-04-21T10:00:00.000Z"),
-        updatedAt: new Date("2026-04-21T10:00:00.000Z"),
-      },
-      default: true,
-      enabled: true,
-    },
-  ],
-  questions: [],
-  welcomeCard: { enabled: false },
-  blocks: createBody.blocks,
-  endings: [],
-  hiddenFields: { enabled: false },
-  variables: [],
-} as unknown as TSurvey;
-
-describe("v3 survey preparation", () => {
-  test("prepares a valid create document and derives language side effects", () => {
-    const preparation = prepareV3SurveyCreate(createBody);
-
-    expect(preparation.ok).toBe(true);
-    if (!preparation.ok) {
-      throw new Error("Expected create preparation to succeed");
-    }
-    expect(preparation.languageRequests).toEqual([
-      { code: "en-US", default: true, enabled: true },
-      { code: "de-DE", default: false, enabled: true },
-    ]);
-  });
-
-  test("returns validation results instead of throwing for invalid create input", () => {
-    const preparation = prepareV3SurveyCreateInput({
-      ...rawCreateBody,
-      blocks: [
-        {
-          ...rawCreateBody.blocks[0],
-          elements: [
-            {
-              ...rawCreateBody.blocks[0].elements[0],
-              buttonUrl: "https://example.com",
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(preparation.ok).toBe(false);
-    if (!preparation.ok) {
-      expect(preparation.validation.invalidParams).toEqual(
-        expect.arrayContaining([expect.objectContaining({ name: "blocks.0.elements.0.buttonUrl" })])
-      );
-    }
-  });
-
-  test("applies a patch over the current document before validating references", () => {
-    const preparation = prepareV3SurveyPatchInput(survey, {
-      blocks: [
-        {
-          ...rawCreateBody.blocks[0],
-          logicFallback: "clmiss12345678901234567890",
-        },
-      ],
-    });
-
-    expect(preparation.ok).toBe(false);
-    if (!preparation.ok) {
-      expect(preparation.validation.invalidParams).toEqual(
-        expect.arrayContaining([expect.objectContaining({ name: "blocks.0.logicFallback" })])
-      );
-    }
-  });
-
-  test("rejects patch input with immutable fields as validation results", () => {
-    const preparation = prepareV3SurveyPatchInput(survey, {
-      workspaceId,
-    });
-
-    expect(preparation.ok).toBe(false);
-    if (!preparation.ok) {
-      expect(preparation.validation.invalidParams).toEqual(
-        expect.arrayContaining([expect.objectContaining({ name: "workspaceId" })])
-      );
-    }
-  });
-
-  test("rejects non-draft element id changes on non-draft surveys", () => {
-    const preparation = prepareV3SurveyPatchInput(
-      {
-        ...survey,
-        status: "inProgress",
-      } as TSurvey,
-      {
-        blocks: [
-          {
-            ...rawCreateBody.blocks[0],
-            elements: [
-              {
-                ...rawCreateBody.blocks[0].elements[0],
-                id: "renamed_satisfaction",
-              },
-            ],
-          },
-        ],
-      }
-    );
-
-    expect(preparation.ok).toBe(false);
-    if (!preparation.ok) {
-      expect(preparation.validation.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            name: "blocks.0.elements.0.id",
-            reason: expect.stringContaining("cannot be changed"),
-          }),
-        ])
-      );
-    }
-  });
-});
@@ -1,178 +0,0 @@
-import type { TSurvey as TInternalSurvey } from "@formbricks/types/surveys/types";
-import type { InvalidParam } from "@/app/api/v3/lib/response";
-import { getV3SurveyDefaultLanguage, getV3SurveyLanguages } from "./language";
-import { type TV3SurveyLanguageRequest, deriveV3SurveyLanguageRequests } from "./languages";
-import {
-  DEFAULT_V3_SURVEY_LANGUAGE,
-  type TV3CreateSurveyBody,
-  type TV3PatchSurveyBody,
-  type TV3SurveyDocument,
-  ZV3CreateSurveyBody,
-  ZV3SurveyDocumentBase,
-  createZV3PatchSurveyBodySchema,
-  formatV3ZodInvalidParams,
-} from "./schemas";
-import { type TV3SurveyDocumentValidationResult, validateV3SurveyDocument } from "./validation";
-
-type TV3SurveyPrepareSuccess<TDocument> = {
-  ok: true;
-  document: TDocument;
-  validation: Extract<TV3SurveyDocumentValidationResult, { valid: true }>;
-  languageRequests: TV3SurveyLanguageRequest[];
-};
-
-type TV3SurveyPrepareFailure = {
-  ok: false;
-  validation: Extract<TV3SurveyDocumentValidationResult, { valid: false }>;
-};
-
-export type TV3SurveyPrepareResult<TDocument> = TV3SurveyPrepareSuccess<TDocument> | TV3SurveyPrepareFailure;
-
-function invalidPreparation(invalidParams: InvalidParam[]): TV3SurveyPrepareFailure {
-  return {
-    ok: false,
-    validation: {
-      valid: false,
-      invalidParams,
-    },
-  };
-}
-
-function validPreparation<TDocument extends TV3SurveyDocument>(
-  document: TDocument
-): TV3SurveyPrepareResult<TDocument> {
-  const validation = validateV3SurveyDocument(document);
-
-  if (!validation.valid) {
-    return invalidPreparation(validation.invalidParams);
-  }
-
-  return {
-    ok: true,
-    document,
-    validation,
-    languageRequests: deriveV3SurveyLanguageRequests(document),
-  };
-}
-
-function buildDocumentFromSurvey(survey: TInternalSurvey): TV3SurveyPrepareResult<TV3SurveyDocument> {
-  if (Array.isArray(survey.questions) && survey.questions.length > 0) {
-    return invalidPreparation([
-      {
-        name: "survey",
-        reason: "Legacy question-based surveys are not supported by the v3 survey management API",
-      },
-    ]);
-  }
-
-  const documentResult = ZV3SurveyDocumentBase.safeParse({
-    name: survey.name,
-    status: survey.status,
-    metadata: survey.metadata ?? {},
-    defaultLanguage: getV3SurveyDefaultLanguage(survey, DEFAULT_V3_SURVEY_LANGUAGE),
-    languages: getV3SurveyLanguages(survey, DEFAULT_V3_SURVEY_LANGUAGE),
-    welcomeCard: survey.welcomeCard,
-    blocks: survey.blocks,
-    endings: survey.endings,
-    hiddenFields: survey.hiddenFields,
-    variables: survey.variables,
-  });
-
-  if (!documentResult.success) {
-    return invalidPreparation(formatV3ZodInvalidParams(documentResult.error, "survey"));
-  }
-
-  return validPreparation(documentResult.data);
-}
-
-function mergeV3SurveyPatch(document: TV3SurveyDocument, patch: TV3PatchSurveyBody): TV3SurveyDocument {
-  return {
-    ...document,
-    ...Object.fromEntries(Object.entries(patch).filter(([, value]) => value !== undefined)),
-  };
-}
-
-function getElementIds(document: TV3SurveyDocument): Set<string> {
-  return new Set(document.blocks.flatMap((block) => block.elements.map((element) => element.id)));
-}
-
-function getImmutableElementIdIssues(
-  currentDocument: TV3SurveyDocument,
-  patchedDocument: TV3SurveyDocument
-): InvalidParam[] {
-  if (currentDocument.status === "draft") {
-    return [];
-  }
-
-  const patchedElementIds = getElementIds(patchedDocument);
-  const issues: InvalidParam[] = [];
-
-  currentDocument.blocks.forEach((currentBlock) => {
-    const patchedBlockIndex = patchedDocument.blocks.findIndex((block) => block.id === currentBlock.id);
-    if (patchedBlockIndex === -1) {
-      return;
-    }
-
-    const patchedBlock = patchedDocument.blocks[patchedBlockIndex];
-    currentBlock.elements.forEach((currentElement, elementIndex) => {
-      if (currentElement.isDraft || patchedElementIds.has(currentElement.id)) {
-        return;
-      }
-
-      const patchedElement = patchedBlock.elements[elementIndex];
-      if (!patchedElement || patchedElement.id === currentElement.id) {
-        return;
-      }
-
-      issues.push({
-        name: `blocks.${patchedBlockIndex}.elements.${elementIndex}.id`,
-        reason: `Element id '${currentElement.id}' cannot be changed because the survey and element are no longer drafts`,
-      });
-    });
-  });
-
-  return issues;
-}
-
-export function prepareV3SurveyCreate(
-  document: TV3CreateSurveyBody
-): TV3SurveyPrepareResult<TV3CreateSurveyBody> {
-  return validPreparation(document);
-}
-
-export function prepareV3SurveyCreateInput(input: unknown): TV3SurveyPrepareResult<TV3CreateSurveyBody> {
-  const parsed = ZV3CreateSurveyBody.safeParse(input);
-
-  if (!parsed.success) {
-    return invalidPreparation(formatV3ZodInvalidParams(parsed.error, "data"));
-  }
-
-  return prepareV3SurveyCreate(parsed.data);
-}
-
-export function prepareV3SurveyPatchInput(
-  survey: TInternalSurvey,
-  input: unknown
-): TV3SurveyPrepareResult<TV3SurveyDocument> {
-  const currentDocument = buildDocumentFromSurvey(survey);
-
-  if (!currentDocument.ok) {
-    return currentDocument;
-  }
-
-  const parsedPatch = createZV3PatchSurveyBodySchema(currentDocument.document.defaultLanguage).safeParse(
-    input
-  );
-
-  if (!parsedPatch.success) {
-    return invalidPreparation(formatV3ZodInvalidParams(parsedPatch.error, "data"));
-  }
-
-  const patchedDocument = mergeV3SurveyPatch(currentDocument.document, parsedPatch.data);
-  const immutableElementIdIssues = getImmutableElementIdIssues(currentDocument.document, patchedDocument);
-  if (immutableElementIdIssues.length > 0) {
-    return invalidPreparation(immutableElementIdIssues);
-  }
-
-  return validPreparation(patchedDocument);
-}
@@ -1,269 +0,0 @@
-import { describe, expect, test } from "vitest";
-import { validateV3SurveyReferences } from "./reference-validation";
-import { ZV3CreateSurveyBody } from "./schemas";
-
-const validSurvey = ZV3CreateSurveyBody.parse({
-  workspaceId: "clxx1234567890123456789012",
-  name: "Product Feedback",
-  hiddenFields: {
-    enabled: true,
-    fieldIds: ["account_id"],
-  },
-  variables: [
-    {
-      id: "clvar123456789012345678901",
-      name: "score",
-      type: "number",
-      value: 0,
-    },
-  ],
-  endings: [
-    {
-      id: "clend123456789012345678901",
-      type: "endScreen",
-      headline: { "en-US": "Thanks" },
-    },
-  ],
-  blocks: [
-    {
-      id: "clbk1234567890123456789012",
-      name: "Main Block",
-      logicFallback: "clend123456789012345678901",
-      elements: [
-        {
-          id: "satisfaction",
-          type: "openText",
-          headline: { "en-US": "What should we improve?" },
-          required: true,
-        },
-      ],
-      logic: [
-        {
-          id: "cllog123456789012345678901",
-          conditions: {
-            id: "clgrp123456789012345678901",
-            connector: "and",
-            conditions: [
-              {
-                id: "clcon123456789012345678901",
-                leftOperand: { type: "element", value: "satisfaction" },
-                operator: "isSubmitted",
-              },
-            ],
-          },
-          actions: [
-            {
-              id: "clact123456789012345678901",
-              objective: "calculate",
-              variableId: "clvar123456789012345678901",
-              operator: "add",
-              value: { type: "static", value: 1 },
-            },
-          ],
-        },
-      ],
-    },
-  ],
-});
-
-describe("validateV3SurveyReferences", () => {
-  test("accepts a survey with consistent stable identifiers", () => {
-    expect(
-      validateV3SurveyReferences({
-        blocks: validSurvey.blocks,
-        endings: validSurvey.endings,
-        hiddenFields: validSurvey.hiddenFields,
-        variables: validSurvey.variables,
-      })
-    ).toEqual({ ok: true, invalidParams: [] });
-  });
-
-  test("rejects duplicate block, element, variable, and hidden field identifiers", () => {
-    const survey = {
-      ...validSurvey,
-      hiddenFields: { enabled: true, fieldIds: ["account_id", "account_id"] },
-      variables: [
-        ...validSurvey.variables,
-        {
-          id: "clvar123456789012345678901",
-          name: "score",
-          type: "number" as const,
-          value: 0,
-        },
-      ],
-      blocks: [
-        ...validSurvey.blocks,
-        {
-          ...validSurvey.blocks[0],
-          elements: [{ ...validSurvey.blocks[0].elements[0] }],
-        },
-      ],
-    };
-
-    const result = validateV3SurveyReferences({
-      blocks: survey.blocks,
-      endings: survey.endings,
-      hiddenFields: survey.hiddenFields,
-      variables: survey.variables,
-    });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ name: "blocks.1.id" }),
-          expect.objectContaining({ name: "blocks.1.elements.0.id" }),
-          expect.objectContaining({ name: "variables.1.id" }),
-          expect.objectContaining({ name: "hiddenFields.fieldIds.1" }),
-        ])
-      );
-    }
-  });
-
-  test("rejects cross-namespace identifier collisions", () => {
-    const result = validateV3SurveyReferences({
-      blocks: validSurvey.blocks,
-      endings: validSurvey.endings,
-      hiddenFields: { enabled: true, fieldIds: ["account_id", "satisfaction"] },
-      variables: [
-        {
-          id: "satisfaction",
-          name: "account_id",
-          type: "number",
-          value: 0,
-        },
-      ],
-    });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ name: "hiddenFields.fieldIds.1" }),
-          expect.objectContaining({ name: "variables.0.id" }),
-          expect.objectContaining({ name: "variables.0.name" }),
-        ])
-      );
-    }
-  });
-
-  test("reports dangling logic references with actionable paths", () => {
-    const survey = {
-      ...validSurvey,
-      blocks: [
-        {
-          ...validSurvey.blocks[0],
-          logicFallback: "clmiss12345678901234567890",
-          logic: [
-            {
-              ...validSurvey.blocks[0].logic![0],
-              actions: [
-                {
-                  ...validSurvey.blocks[0].logic![0].actions[0],
-                  variableId: "clmiss12345678901234567890",
-                },
-                {
-                  id: "cljmp123456789012345678901",
-                  objective: "jumpToBlock" as const,
-                  target: "clmiss12345678901234567890",
-                },
-              ],
-            },
-          ],
-        },
-      ],
-    };
-
-    const result = validateV3SurveyReferences({
-      blocks: survey.blocks,
-      endings: survey.endings,
-      hiddenFields: survey.hiddenFields,
-      variables: survey.variables,
-    });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ name: "blocks.0.logicFallback" }),
-          expect.objectContaining({ name: "blocks.0.logic.0.actions.0.variableId" }),
-          expect.objectContaining({ name: "blocks.0.logic.0.actions.1.target" }),
-        ])
-      );
-    }
-  });
-
-  test("reports dangling recall references with actionable paths", () => {
-    const survey = {
-      ...validSurvey,
-      blocks: [
-        {
-          ...validSurvey.blocks[0],
-          elements: [
-            {
-              ...validSurvey.blocks[0].elements[0],
-              headline: {
-                default: "Please explain #recall:missing_id/fallback:your answer#",
-              },
-            },
-          ],
-        },
-      ],
-    };
-
-    const result = validateV3SurveyReferences({
-      blocks: survey.blocks,
-      endings: survey.endings,
-      hiddenFields: survey.hiddenFields,
-      variables: survey.variables,
-    });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            name: "blocks.0.elements.0.headline.default",
-            reason: expect.stringContaining("missing_id"),
-          }),
-        ])
-      );
-    }
-  });
-
-  test("reports dangling recall references in survey-level translatable fields", () => {
-    const result = validateV3SurveyReferences({
-      blocks: validSurvey.blocks,
-      endings: validSurvey.endings,
-      hiddenFields: validSurvey.hiddenFields,
-      metadata: {
-        title: {
-          default: "Metadata #recall:missing_metadata_reference/fallback:value#",
-        },
-      },
-      variables: validSurvey.variables,
-      welcomeCard: {
-        enabled: true,
-        headline: {
-          default: "Welcome #recall:missing_welcome_reference/fallback:there#",
-        },
-      },
-    });
-
-    expect(result.ok).toBe(false);
-    if (!result.ok) {
-      expect(result.invalidParams).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            name: "welcomeCard.headline.default",
-            reason: expect.stringContaining("missing_welcome_reference"),
-          }),
-          expect.objectContaining({
-            name: "metadata.title.default",
-            reason: expect.stringContaining("missing_metadata_reference"),
-          }),
-        ])
-      );
-    }
-  });
-});
@@ -1,342 +0,0 @@
-import type { TSurveyBlocks } from "@formbricks/types/surveys/blocks";
-import type { TConditionGroup, TDynamicLogicFieldValue } from "@formbricks/types/surveys/logic";
-import type { TSurveyEndings, TSurveyHiddenFields, TSurveyVariables } from "@formbricks/types/surveys/types";
-import type { InvalidParam } from "@/app/api/v3/lib/response";
-
-type TReferenceValidationInput = {
-  blocks: TSurveyBlocks;
-  endings: TSurveyEndings;
-  hiddenFields: TSurveyHiddenFields;
-  metadata?: unknown;
-  variables: TSurveyVariables;
-  welcomeCard?: unknown;
-};
-
-type TNamedReference = {
-  id: string;
-  path: string;
-  namespace: "block" | "element" | "ending" | "hiddenField" | "variable" | "variableName";
-};
-
-export class V3SurveyReferenceValidationError extends Error {
-  invalidParams: InvalidParam[];
-
-  constructor(invalidParams: InvalidParam[]) {
-    super("Survey contains invalid references");
-    this.name = "V3SurveyReferenceValidationError";
-    this.invalidParams = invalidParams;
-  }
-}
-
-export type TV3SurveyReferenceValidationResult =
-  | { ok: true; invalidParams: [] }
-  | { ok: false; invalidParams: InvalidParam[] };
-
-function addDuplicateIdIssues(
-  entries: { id: string; path: string }[],
-  label: string,
-  issues: InvalidParam[]
-): void {
-  const firstPathById = new Map<string, string>();
-
-  entries.forEach(({ id, path }) => {
-    const firstPath = firstPathById.get(id);
-    if (firstPath !== undefined) {
-      issues.push({
-        name: path,
-        reason: `${label} id '${id}' is duplicated; first used at ${firstPath}`,
-      });
-      return;
-    }
-
-    firstPathById.set(id, path);
-  });
-}
-
-function addDuplicateValueIssues(
-  values: string[],
-  pathForIndex: (index: number) => string,
-  label: string,
-  issues: InvalidParam[]
-): void {
-  const firstIndexByValue = new Map<string, number>();
-
-  values.forEach((value, index) => {
-    const firstIndex = firstIndexByValue.get(value);
-    if (firstIndex !== undefined) {
-      issues.push({
-        name: pathForIndex(index),
-        reason: `${label} '${value}' is duplicated; first used at ${pathForIndex(firstIndex)}`,
-      });
-      return;
-    }
-
-    firstIndexByValue.set(value, index);
-  });
-}
-
-function addCrossNamespaceCollisionIssues(entries: TNamedReference[], issues: InvalidParam[]): void {
-  const firstEntryById = new Map<string, TNamedReference>();
-
-  entries.forEach((entry) => {
-    const lookupId = entry.id.toLowerCase();
-    const firstEntry = firstEntryById.get(lookupId);
-
-    if (!firstEntry) {
-      firstEntryById.set(lookupId, entry);
-      return;
-    }
-
-    if (firstEntry.namespace === entry.namespace) {
-      return;
-    }
-
-    issues.push({
-      name: entry.path,
-      reason: `${entry.namespace} identifier '${entry.id}' conflicts with ${firstEntry.namespace} identifier at ${firstEntry.path}`,
-    });
-  });
-}
-
-function isPlainObject(value: unknown): value is Record<string, unknown> {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
-function addRecallReferenceIssues(
-  value: unknown,
-  path: string,
-  references: {
-    elementIds: Set<string>;
-    variableIds: Set<string>;
-    hiddenFieldIds: Set<string>;
-  },
-  issues: InvalidParam[]
-): void {
-  if (typeof value === "string") {
-    const recallPattern = /#recall:([A-Za-z0-9_-]+)/g;
-
-    for (const match of value.matchAll(recallPattern)) {
-      const recallId = match[1];
-      const isKnownReference =
-        references.elementIds.has(recallId) ||
-        references.variableIds.has(recallId) ||
-        references.hiddenFieldIds.has(recallId);
-
-      if (!isKnownReference) {
-        issues.push({
-          name: path,
-          reason: `Recall reference '${recallId}' is not defined in blocks, variables, or hiddenFields.fieldIds`,
-        });
-      }
-    }
-
-    return;
-  }
-
-  if (Array.isArray(value)) {
-    value.forEach((entry, index) => addRecallReferenceIssues(entry, `${path}.${index}`, references, issues));
-    return;
-  }
-
-  if (!isPlainObject(value)) {
-    return;
-  }
-
-  Object.entries(value).forEach(([key, entry]) => {
-    addRecallReferenceIssues(entry, path ? `${path}.${key}` : key, references, issues);
-  });
-}
-
-function validateDynamicOperand(
-  operand: TDynamicLogicFieldValue,
-  path: string,
-  references: {
-    elementIds: Set<string>;
-    variableIds: Set<string>;
-    hiddenFieldIds: Set<string>;
-  },
-  issues: InvalidParam[]
-): void {
-  if (operand.type === "element" && !references.elementIds.has(operand.value)) {
-    issues.push({
-      name: `${path}.value`,
-      reason: `Element id '${operand.value}' is not defined in blocks`,
-    });
-  }
-
-  if (operand.type === "variable" && !references.variableIds.has(operand.value)) {
-    issues.push({
-      name: `${path}.value`,
-      reason: `Variable id '${operand.value}' is not defined in variables`,
-    });
-  }
-
-  if (operand.type === "hiddenField" && !references.hiddenFieldIds.has(operand.value)) {
-    issues.push({
-      name: `${path}.value`,
-      reason: `Hidden field id '${operand.value}' is not defined in hiddenFields.fieldIds`,
-    });
-  }
-}
-
-function validateConditionGroup(
-  conditionGroup: TConditionGroup,
-  path: string,
-  references: {
-    elementIds: Set<string>;
-    variableIds: Set<string>;
-    hiddenFieldIds: Set<string>;
-  },
-  issues: InvalidParam[]
-): void {
-  conditionGroup.conditions.forEach((condition, index) => {
-    const conditionPath = `${path}.conditions.${index}`;
-
-    if ("conditions" in condition) {
-      validateConditionGroup(condition, conditionPath, references, issues);
-      return;
-    }
-
-    validateDynamicOperand(condition.leftOperand, `${conditionPath}.leftOperand`, references, issues);
-
-    if (condition.rightOperand?.type && condition.rightOperand.type !== "static") {
-      validateDynamicOperand(condition.rightOperand, `${conditionPath}.rightOperand`, references, issues);
-    }
-  });
-}
-
-export function getV3SurveyReferenceInvalidParams(input: TReferenceValidationInput): InvalidParam[] {
-  const issues: InvalidParam[] = [];
-  const blockIds = input.blocks.map((block) => block.id);
-  const blockEntries = input.blocks.map((block, index) => ({
-    id: block.id,
-    path: `blocks.${index}.id`,
-  }));
-  const endingIds = input.endings.map((ending) => ending.id);
-  const endingEntries = input.endings.map((ending, index) => ({
-    id: ending.id,
-    path: `endings.${index}.id`,
-  }));
-  const elementEntries = input.blocks.flatMap((block, blockIndex) =>
-    block.elements.map((element, elementIndex) => ({
-      id: element.id,
-      path: `blocks.${blockIndex}.elements.${elementIndex}.id`,
-    }))
-  );
-  const elementIds = elementEntries.map((element) => element.id);
-  const hiddenFieldIds = input.hiddenFields.fieldIds ?? [];
-  const hiddenFieldEntries = hiddenFieldIds.map((id, index) => ({
-    id,
-    path: `hiddenFields.fieldIds.${index}`,
-  }));
-  const variableIds = input.variables.map((variable) => variable.id);
-  const variableIdEntries = variableIds.map((id, index) => ({
-    id,
-    path: `variables.${index}.id`,
-  }));
-  const variableNames = input.variables.map((variable) => variable.name);
-  const variableNameEntries = variableNames.map((id, index) => ({
-    id,
-    path: `variables.${index}.name`,
-  }));
-  const navigationTargetIds = new Set([...blockIds, ...endingIds]);
-  const references = {
-    elementIds: new Set(elementIds),
-    variableIds: new Set(variableIds),
-    hiddenFieldIds: new Set(hiddenFieldIds),
-  };
-
-  addDuplicateIdIssues(blockEntries, "Block", issues);
-  addDuplicateIdIssues(elementEntries, "Element", issues);
-  addDuplicateIdIssues(variableIdEntries, "Variable", issues);
-  addDuplicateValueIssues(
-    hiddenFieldIds,
-    (index) => `hiddenFields.fieldIds.${index}`,
-    "Hidden field id",
-    issues
-  );
-  addDuplicateValueIssues(variableNames, (index) => `variables.${index}.name`, "Variable name", issues);
-  addCrossNamespaceCollisionIssues(
-    [
-      ...blockEntries.map((entry) => ({ ...entry, namespace: "block" as const })),
-      ...elementEntries.map((entry) => ({ ...entry, namespace: "element" as const })),
-      ...endingEntries.map((entry) => ({ ...entry, namespace: "ending" as const })),
-      ...hiddenFieldEntries.map((entry) => ({ ...entry, namespace: "hiddenField" as const })),
-      ...variableIdEntries.map((entry) => ({ ...entry, namespace: "variable" as const })),
-      ...variableNameEntries.map((entry) => ({ ...entry, namespace: "variableName" as const })),
-    ],
-    issues
-  );
-
-  input.blocks.forEach((block, blockIndex) => {
-    if (block.logicFallback && !navigationTargetIds.has(block.logicFallback)) {
-      issues.push({
-        name: `blocks.${blockIndex}.logicFallback`,
-        reason: `Logic fallback target '${block.logicFallback}' is not defined in blocks or endings`,
-      });
-    }
-
-    block.logic?.forEach((logic, logicIndex) => {
-      const logicPath = `blocks.${blockIndex}.logic.${logicIndex}`;
-      validateConditionGroup(logic.conditions, `${logicPath}.conditions`, references, issues);
-
-      logic.actions.forEach((action, actionIndex) => {
-        const actionPath = `${logicPath}.actions.${actionIndex}`;
-
-        if (action.objective === "calculate") {
-          if (!references.variableIds.has(action.variableId)) {
-            issues.push({
-              name: `${actionPath}.variableId`,
-              reason: `Variable id '${action.variableId}' is not defined in variables`,
-            });
-          }
-
-          if (action.value.type !== "static") {
-            validateDynamicOperand(action.value, `${actionPath}.value`, references, issues);
-          }
-        }
-
-        if (action.objective === "requireAnswer" && !references.elementIds.has(action.target)) {
-          issues.push({
-            name: `${actionPath}.target`,
-            reason: `Element id '${action.target}' is not defined in blocks`,
-          });
-        }
-
-        if (action.objective === "jumpToBlock" && !navigationTargetIds.has(action.target)) {
-          issues.push({
-            name: `${actionPath}.target`,
-            reason: `Jump target '${action.target}' is not defined in blocks or endings`,
-          });
-        }
-      });
-    });
-  });
-
-  addRecallReferenceIssues(input.blocks, "blocks", references, issues);
-  addRecallReferenceIssues(input.endings, "endings", references, issues);
-  addRecallReferenceIssues(input.welcomeCard, "welcomeCard", references, issues);
-  addRecallReferenceIssues(input.metadata, "metadata", references, issues);
-
-  return issues;
-}
-
-export function validateV3SurveyReferences(
-  input: TReferenceValidationInput
-): TV3SurveyReferenceValidationResult {
-  const invalidParams = getV3SurveyReferenceInvalidParams(input);
-
-  if (invalidParams.length > 0) {
-    return { ok: false, invalidParams };
-  }
-
-  return { ok: true, invalidParams: [] };
-}
-
-export function assertValidV3SurveyReferences(input: TReferenceValidationInput): void {
-  const result = validateV3SurveyReferences(input);
-
-  if (!result.ok) {
-    throw new V3SurveyReferenceValidationError(result.invalidParams);
-  }
-}
@@ -50,10 +50,6 @@ vi.mock("@/modules/survey/list/lib/survey", async (importOriginal) => {
  };
 });

-vi.mock("./create", () => ({
-  createV3Survey: vi.fn(),
-}));
-
 vi.mock("@formbricks/logger", () => ({
  logger: {
    withContext: vi.fn(() => ({
@@ -1,5 +1,5 @@
 /**
- * /api/v3/surveys — list and create block-based survey management resources.
+ * GET /api/v3/surveys — list surveys for a workspace.
 * Session cookie or x-api-key; scope by workspaceId only.
 */
 import { logger } from "@formbricks/logger";
@@ -7,7 +7,6 @@ import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { withV3ApiWrapper } from "@/app/api/v3/lib/api-wrapper";
 import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
 import {
-  createdResponse,
  problemBadRequest,
  problemForbidden,
  problemInternalError,
@@ -15,15 +14,8 @@ import {
 } from "@/app/api/v3/lib/response";
 import { getSurveyCount } from "@/modules/survey/list/lib/survey";
 import { getSurveyListPage } from "@/modules/survey/list/lib/survey-page";
-import { V3SurveyCreatePermissionError, createV3Survey } from "./create";
 import { parseV3SurveysListQuery } from "./parse-v3-surveys-list-query";
-import { V3SurveyReferenceValidationError } from "./reference-validation";
-import { ZV3CreateSurveyBody } from "./schemas";
-import {
-  V3SurveyUnsupportedShapeError,
-  serializeV3SurveyListItem,
-  serializeV3SurveyResource,
-} from "./serializers";
+import { serializeV3SurveyListItem } from "./serializers";

 export const GET = withV3ApiWrapper({
  auth: "both",
@@ -88,81 +80,3 @@ export const GET = withV3ApiWrapper({
    }
  },
 });
-
-export const POST = withV3ApiWrapper({
-  auth: "both",
-  schemas: {
-    body: ZV3CreateSurveyBody,
-  },
-  action: "created",
-  targetType: "survey",
-  handler: async ({ authentication, auditLog, parsedInput, requestId, instance }) => {
-    const { body } = parsedInput;
-    const log = logger.withContext({ requestId, workspaceId: body.workspaceId });
-
-    try {
-      const authResult = await requireV3WorkspaceAccess(
-        authentication,
-        body.workspaceId,
-        "readWrite",
-        requestId,
-        instance
-      );
-      if (authResult instanceof Response) {
-        return authResult;
-      }
-
-      const survey = await createV3Survey(
-        {
-          ...body,
-          workspaceId: authResult.workspaceId,
-        },
-        authentication,
-        requestId,
-        authResult.organizationId
-      );
-      const resource = serializeV3SurveyResource(survey);
-
-      if (auditLog) {
-        auditLog.organizationId = authResult.organizationId;
-        auditLog.targetId = survey.id;
-        auditLog.newObject = resource;
-      }
-
-      return createdResponse(resource, {
-        requestId,
-        location: `/api/v3/surveys/${survey.id}`,
-      });
-    } catch (err) {
-      if (err instanceof V3SurveyReferenceValidationError) {
-        log.warn({ statusCode: 400, invalidParams: err.invalidParams }, "Survey reference validation failed");
-        return problemBadRequest(requestId, "Invalid survey references", {
-          invalid_params: err.invalidParams,
-          instance,
-        });
-      }
-      if (err instanceof V3SurveyUnsupportedShapeError) {
-        log.warn({ statusCode: 400, errorCode: err.name }, "Unsupported survey shape");
-        return problemBadRequest(requestId, err.message, {
-          invalid_params: [{ name: "body", reason: err.message }],
-          instance,
-        });
-      }
-      if (err instanceof V3SurveyCreatePermissionError) {
-        log.warn({ statusCode: 403, errorCode: err.name }, "Survey create permission check failed");
-        return problemForbidden(requestId, err.message, instance);
-      }
-      if (err instanceof ResourceNotFoundError) {
-        log.warn({ statusCode: 403, errorCode: err.name }, "Resource not found");
-        return problemForbidden(requestId, "You are not authorized to access this resource", instance);
-      }
-      if (err instanceof DatabaseError) {
-        log.error({ error: err, statusCode: 500 }, "Database error");
-        return problemInternalError(requestId, "An unexpected error occurred.", instance);
-      }
-
-      log.error({ error: err, statusCode: 500 }, "V3 survey create unexpected error");
-      return problemInternalError(requestId, "An unexpected error occurred.", instance);
-    }
-  },
-});
@@ -1,403 +0,0 @@
-import { describe, expect, test } from "vitest";
-import { ZV3CreateSurveyBody, ZV3PatchSurveyBody, createZV3PatchSurveyBodySchema } from "./schemas";
-
-const validCreateBody = {
-  workspaceId: "clxx1234567890123456789012",
-  name: "Product Feedback",
-  blocks: [
-    {
-      id: "clbk1234567890123456789012",
-      name: "Main Block",
-      elements: [
-        {
-          id: "satisfaction",
-          type: "openText",
-          headline: { "en-US": "What should we improve?" },
-          required: true,
-        },
-      ],
-    },
-  ],
-};
-
-describe("ZV3CreateSurveyBody", () => {
-  test("accepts a valid block-based create body and applies public defaults", () => {
-    const parsed = ZV3CreateSurveyBody.parse(validCreateBody);
-
-    expect(parsed).toMatchObject({
-      workspaceId: validCreateBody.workspaceId,
-      name: "Product Feedback",
-      type: "link",
-      status: "draft",
-      metadata: {},
-      defaultLanguage: "en-US",
-      languages: [],
-      welcomeCard: { enabled: false },
-      endings: [],
-      hiddenFields: { enabled: false },
-      variables: [],
-    });
-    expect(parsed.blocks[0].elements[0]).toMatchObject({
-      headline: { default: "What should we improve?" },
-    });
-  });
-
-  test("normalizes locale maps and language codes before shared survey validation", () => {
-    const parsed = ZV3CreateSurveyBody.parse({
-      ...validCreateBody,
-      defaultLanguage: "en_us",
-      languages: [{ code: "de_de" }],
-      welcomeCard: {
-        enabled: true,
-        headline: { en_us: "Welcome", de_de: "Willkommen" },
-      },
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              headline: { en_us: "Hello", de_de: "Hallo" },
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(parsed.defaultLanguage).toBe("en-US");
-    expect(parsed.languages).toEqual([{ code: "de-DE", enabled: true }]);
-    expect(parsed.welcomeCard).toMatchObject({
-      headline: { default: "Welcome", "de-DE": "Willkommen" },
-    });
-    expect(parsed.blocks[0].elements[0]).toMatchObject({
-      headline: { default: "Hello", "de-DE": "Hallo" },
-    });
-  });
-
-  test("rejects an invalid defaultLanguage instead of silently defaulting", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      defaultLanguage: "not a locale",
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toContain("defaultLanguage");
-  });
-
-  test("rejects duplicate locale keys after normalization", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              headline: { "en-US": "Hello", en_us: "Duplicate" },
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toContain(
-      "blocks.0.elements.0.headline.en_us"
-    );
-  });
-
-  test("rejects unsupported top-level fields instead of silently ignoring them", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      questions: [],
-      styling: {},
-      createdBy: "user_1",
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toEqual(
-      expect.arrayContaining(["questions", "styling", "createdBy"])
-    );
-  });
-
-  test("rejects unsupported nested fields instead of stripping them", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          targeting: {},
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              analytics: {},
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toEqual(
-      expect.arrayContaining(["blocks.0.targeting", "blocks.0.elements.0.analytics"])
-    );
-  });
-
-  test("rejects element fields that do not belong to the selected element type", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              buttonUrl: "https://example.com",
-              scale: "star",
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toContain(
-      "blocks.0.elements.0.buttonUrl"
-    );
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toContain("blocks.0.elements.0.scale");
-    expect(
-      result.error?.issues.find((issue) => issue.path.join(".") === "blocks.0.elements.0.buttonUrl")
-    ).toMatchObject({
-      message: expect.stringContaining("element type 'openText'"),
-    });
-  });
-
-  test("rejects choice fields that do not belong to the selected element type", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              id: "choices",
-              type: "multipleChoiceSingle",
-              headline: { "en-US": "Pick one" },
-              required: true,
-              choices: [
-                { id: "choice_1", label: { "en-US": "A" }, imageUrl: "https://example.com/a.png" },
-                { id: "choice_2", label: { "en-US": "B" } },
-              ],
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toContain(
-      "blocks.0.elements.0.choices.0.imageUrl"
-    );
-    expect(
-      result.error?.issues.find((issue) => issue.path.join(".") === "blocks.0.elements.0.choices.0.imageUrl")
-    ).toMatchObject({
-      message: expect.stringContaining("Allowed fields: id, label"),
-    });
-  });
-
-  test("does not rewrite locale-shaped objects in logic metadata", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-            },
-          ],
-          logic: [
-            {
-              id: "cllog123456789012345678901",
-              conditions: {
-                id: "clgrp123456789012345678901",
-                connector: "and",
-                conditions: [
-                  {
-                    id: "clcon123456789012345678901",
-                    leftOperand: {
-                      type: "element",
-                      value: "satisfaction",
-                      meta: { "en-US": "metadata" },
-                    },
-                    operator: "isSubmitted",
-                  },
-                ],
-              },
-              actions: [
-                {
-                  id: "clact123456789012345678901",
-                  objective: "requireAnswer",
-                  target: "satisfaction",
-                },
-              ],
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(true);
-    if (!result.success) {
-      throw new Error("Expected schema validation to pass");
-    }
-    expect(result.data.blocks[0].logic?.[0].conditions.conditions[0]).toMatchObject({
-      leftOperand: {
-        meta: { "en-US": "metadata" },
-      },
-    });
-  });
-
-  test("rejects the internal default translation key in public v3 input", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              headline: { default: "Internal key should not be public" },
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues[0].path.join(".")).toBe("blocks.0.elements.0.headline.default");
-  });
-
-  test("preserves arbitrary metadata while normalizing known translatable metadata fields", () => {
-    const parsed = ZV3CreateSurveyBody.parse({
-      ...validCreateBody,
-      metadata: {
-        cx_context: {
-          "de-DE": "This is arbitrary customer metadata, not translation content",
-        },
-        title: {
-          "en-US": "Feedback Survey",
-          "de-DE": "Feedback-Umfrage",
-        },
-      },
-    });
-
-    expect(parsed.metadata).toMatchObject({
-      cx_context: {
-        "de-DE": "This is arbitrary customer metadata, not translation content",
-      },
-      title: {
-        default: "Feedback Survey",
-        "de-DE": "Feedback-Umfrage",
-      },
-    });
-  });
-
-  test("rejects non-link survey types for this survey-template endpoint", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      type: "app",
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues[0].path).toEqual(["type"]);
-  });
-
-  test("rejects malformed locale maps that do not include the default language", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      blocks: [
-        {
-          ...validCreateBody.blocks[0],
-          elements: [
-            {
-              ...validCreateBody.blocks[0].elements[0],
-              headline: { "not a locale": "Hello" },
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(result.success).toBe(false);
-  });
-
-  test("rejects duplicate language entries and disabled default language", () => {
-    const result = ZV3CreateSurveyBody.safeParse({
-      ...validCreateBody,
-      languages: [{ code: "en-US", enabled: false }, { code: "en_us" }],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toEqual(
-      expect.arrayContaining(["languages.0.enabled", "languages.1.code"])
-    );
-  });
-});
-
-describe("ZV3PatchSurveyBody", () => {
-  test("accepts a strict top-level partial and preserves omitted defaults", () => {
-    const parsed = ZV3PatchSurveyBody.parse({
-      name: "Updated survey",
-    });
-
-    expect(parsed).toEqual({ name: "Updated survey" });
-  });
-
-  test("rejects an empty patch body", () => {
-    const result = ZV3PatchSurveyBody.safeParse({});
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues[0]).toMatchObject({
-      message: "Request body must include at least one updatable field",
-    });
-  });
-
-  test("rejects immutable and out-of-scope fields", () => {
-    const result = ZV3PatchSurveyBody.safeParse({
-      id: "clsv1234567890123456789012",
-      workspaceId: "clxx1234567890123456789012",
-      type: "link",
-      questions: [],
-    });
-
-    expect(result.success).toBe(false);
-    expect(result.error?.issues.map((issue) => issue.path.join("."))).toEqual(
-      expect.arrayContaining(["id", "workspaceId", "type", "questions"])
-    );
-  });
-
-  test("normalizes patch translation maps using the current default language", () => {
-    const parsed = createZV3PatchSurveyBodySchema("de-DE").parse({
-      blocks: [
-        {
-          id: "clbk1234567890123456789012",
-          name: "Main Block",
-          elements: [
-            {
-              id: "satisfaction",
-              type: "openText",
-              headline: { de_de: "Hallo", en_us: "Hello" },
-              required: true,
-            },
-          ],
-        },
-      ],
-    });
-
-    expect(parsed.blocks?.[0].elements[0]).toMatchObject({
-      headline: { default: "Hallo", "en-US": "Hello" },
-    });
-    expect(parsed).not.toHaveProperty("defaultLanguage");
-  });
-});
@@ -1,274 +0,0 @@
-import { describe, expect, test } from "vitest";
-import type { TSurvey } from "@formbricks/types/surveys/types";
-import { V3SurveyUnsupportedShapeError, serializeV3SurveyResource } from "./serializers";
-
-const baseSurvey = {
-  id: "survey_1",
-  workspaceId: "workspace_1",
-  createdAt: new Date("2026-04-21T10:00:00.000Z"),
-  updatedAt: new Date("2026-04-21T11:00:00.000Z"),
-  name: "Product Feedback",
-  type: "link",
-  status: "draft",
-  metadata: { cx: "enterprise" },
-  languages: [
-    {
-      default: true,
-      enabled: true,
-      language: { id: "lang_1", code: "en-US", alias: "en", createdAt: new Date(), updatedAt: new Date() },
-    },
-    {
-      default: false,
-      enabled: true,
-      language: { id: "lang_2", code: "de-DE", alias: "de", createdAt: new Date(), updatedAt: new Date() },
-    },
-    {
-      default: false,
-      enabled: false,
-      language: { id: "lang_3", code: "fr-FR", alias: "fr", createdAt: new Date(), updatedAt: new Date() },
-    },
-  ],
-  questions: [],
-  welcomeCard: {
-    enabled: true,
-    headline: { default: "Welcome", "de-DE": "Willkommen", "fr-FR": "Bienvenue" },
-  },
-  blocks: [
-    {
-      id: "block_1",
-      name: "Intro",
-      elements: [
-        {
-          id: "satisfaction",
-          type: "openText",
-          headline: { default: "What should we improve?", "de-DE": "Was sollen wir verbessern?" },
-          subheader: { default: "Tell us more" },
-          required: true,
-        },
-      ],
-    },
-  ],
-  endings: [],
-  hiddenFields: { enabled: false, fieldIds: [] },
-  variables: [],
-} as unknown as TSurvey;
-
-describe("serializeV3SurveyResource", () => {
-  test("returns canonical multilingual fields using real locale codes", () => {
-    const resource = serializeV3SurveyResource(baseSurvey);
-
-    expect(resource.defaultLanguage).toBe("en-US");
-    expect(resource).not.toHaveProperty("language");
-    expect(resource.languages).toEqual([
-      { code: "en-US", default: true, enabled: true },
-      { code: "de-DE", default: false, enabled: true },
-      { code: "fr-FR", default: false, enabled: false },
-    ]);
-    expect(resource).toMatchObject({
-      welcomeCard: {
-        headline: {
-          "en-US": "Welcome",
-          "de-DE": "Willkommen",
-          "fr-FR": "Bienvenue",
-        },
-      },
-    });
-    expect(resource).toMatchObject({
-      blocks: [
-        {
-          elements: [
-            {
-              headline: {
-                "en-US": "What should we improve?",
-                "de-DE": "Was sollen wir verbessern?",
-              },
-            },
-          ],
-        },
-      ],
-    });
-  });
-
-  test("does not expose the internal default pseudo-locale for surveys without configured languages", () => {
-    const survey = {
-      ...baseSurvey,
-      languages: [],
-      welcomeCard: {
-        enabled: true,
-        headline: { default: "Welcome" },
-      },
-      blocks: [
-        {
-          id: "block_1",
-          name: "Intro",
-          elements: [
-            {
-              id: "satisfaction",
-              type: "openText",
-              headline: { default: "What should we improve?" },
-              required: true,
-            },
-          ],
-        },
-      ],
-    } as unknown as TSurvey;
-
-    const resource = serializeV3SurveyResource(survey);
-
-    expect(resource.defaultLanguage).toBe("en-US");
-    expect(resource.languages).toEqual([{ code: "en-US", default: true, enabled: true }]);
-    expect(resource).toMatchObject({
-      welcomeCard: { headline: { "en-US": "Welcome" } },
-      blocks: [
-        {
-          elements: [
-            {
-              headline: { "en-US": "What should we improve?" },
-            },
-          ],
-        },
-      ],
-    });
-  });
-
-  test("filters the implicit default language for surveys without configured languages", () => {
-    const survey = {
-      ...baseSurvey,
-      languages: [],
-      welcomeCard: {
-        enabled: true,
-        headline: { default: "Welcome" },
-      },
-    } as unknown as TSurvey;
-
-    const resource = serializeV3SurveyResource(survey, { lang: ["en"] });
-
-    expect(resource).not.toHaveProperty("language");
-    expect(resource).toMatchObject({ welcomeCard: { headline: { "en-US": "Welcome" } } });
-  });
-
-  test("preserves stored locale variants when their keys use non-canonical casing or separators", () => {
-    const survey = {
-      ...baseSurvey,
-      welcomeCard: {
-        enabled: true,
-        headline: { default: "Welcome", de_de: "Willkommen" },
-      },
-    } as unknown as TSurvey;
-
-    const resource = serializeV3SurveyResource(survey);
-
-    expect(resource).toMatchObject({
-      welcomeCard: {
-        headline: {
-          "en-US": "Welcome",
-          "de-DE": "Willkommen",
-        },
-      },
-    });
-  });
-
-  test("filters fields for case-insensitive underscore language selectors while preserving maps", () => {
-    const resource = serializeV3SurveyResource(baseSurvey, { lang: ["DE_de"] });
-
-    expect(resource).not.toHaveProperty("language");
-    expect(resource).toMatchObject({
-      welcomeCard: { headline: { "de-DE": "Willkommen" } },
-      blocks: [
-        {
-          elements: [
-            {
-              headline: { "de-DE": "Was sollen wir verbessern?" },
-              subheader: { "de-DE": "Tell us more" },
-            },
-          ],
-        },
-      ],
-    });
-  });
-
-  test("resolves language-only selectors against configured survey languages", () => {
-    const resource = serializeV3SurveyResource(baseSurvey, { lang: ["de"] });
-
-    expect(resource).toMatchObject({ welcomeCard: { headline: { "de-DE": "Willkommen" } } });
-  });
-
-  test("filters disabled configured languages for management reads", () => {
-    const resource = serializeV3SurveyResource(baseSurvey, { lang: ["fr"] });
-
-    expect(resource).toMatchObject({ welcomeCard: { headline: { "fr-FR": "Bienvenue" } } });
-  });
-
-  test("filters multiple requested languages while preserving maps", () => {
-    const resource = serializeV3SurveyResource(baseSurvey, { lang: ["en-US", "de"] });
-
-    expect(resource).not.toHaveProperty("language");
-    expect(resource).toMatchObject({
-      welcomeCard: {
-        headline: {
-          "en-US": "Welcome",
-          "de-DE": "Willkommen",
-        },
-      },
-      blocks: [
-        {
-          elements: [
-            {
-              headline: {
-                "en-US": "What should we improve?",
-                "de-DE": "Was sollen wir verbessern?",
-              },
-            },
-          ],
-        },
-      ],
-    });
-  });
-
-  test("rejects ambiguous language-only selectors", () => {
-    const survey = {
-      ...baseSurvey,
-      languages: [
-        {
-          default: true,
-          enabled: true,
-          language: {
-            id: "lang_1",
-            code: "pt-BR",
-            alias: "br",
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        },
-        {
-          default: false,
-          enabled: true,
-          language: {
-            id: "lang_2",
-            code: "pt-PT",
-            alias: "pt",
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          },
-        },
-      ],
-    } as unknown as TSurvey;
-
-    expect(() => serializeV3SurveyResource(survey, { lang: ["pt"] })).toThrow(
-      "Language 'pt' is ambiguous for this survey; use one of pt-BR, pt-PT"
-    );
-  });
-
-  test("rejects legacy question-based survey shapes instead of returning an incomplete block resource", () => {
-    const survey = {
-      ...baseSurvey,
-      questions: [{ id: "legacy_question", type: "openText", headline: { default: "Legacy question" } }],
-      blocks: [],
-    } as unknown as TSurvey;
-
-    expect(() => serializeV3SurveyResource(survey)).toThrow(V3SurveyUnsupportedShapeError);
-    expect(() => serializeV3SurveyResource(survey)).toThrow(
-      "Legacy question-based surveys are not supported by the v3 survey management API"
-    );
-  });
-});
@@ -1,170 +1,13 @@
-import type { TSurvey as TInternalSurvey } from "@formbricks/types/surveys/types";
-import type { TSurvey as TSurveyListRecord } from "@/modules/survey/list/types/surveys";
-import {
-  type TV3SurveyLanguage,
-  getV3SurveyDefaultLanguage,
-  getV3SurveyLanguages,
-  normalizeV3SurveyLanguageTag,
-  resolveV3SurveyLanguageCode,
-} from "./language";
+import type { TSurvey } from "@/modules/survey/list/types/surveys";

-export type TV3SurveyListItem = Omit<TSurveyListRecord, "singleUse">;
-const DEFAULT_V3_SURVEY_LANGUAGE = "en-US";
-
-type TSerializedValue =
-  | string
-  | number
-  | boolean
-  | null
-  | TSerializedValue[]
-  | { [key: string]: TSerializedValue };
-
-export class V3SurveyLanguageError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = "V3SurveyLanguageError";
-  }
-}
-
-export class V3SurveyUnsupportedShapeError extends Error {
-  constructor(message: string) {
-    super(message);
-    this.name = "V3SurveyUnsupportedShapeError";
-  }
-}
+export type TV3SurveyListItem = Omit<TSurvey, "singleUse">;

 /**
 * Keep the v3 API contract isolated from internal persistence naming.
 * Surveys are scoped by workspaceId.
 */
-export function serializeV3SurveyListItem(survey: TSurveyListRecord): TV3SurveyListItem {
+export function serializeV3SurveyListItem(survey: TSurvey): TV3SurveyListItem {
  const { singleUse: _omitSingleUse, ...rest } = survey;

  return rest;
 }
-
-function toIsoString(value: Date | string): string {
-  return value instanceof Date ? value.toISOString() : new Date(value).toISOString();
-}
-
-function isPlainObject(value: unknown): value is Record<string, unknown> {
-  return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-
-function isI18nString(value: unknown): value is Record<string, string> {
-  return (
-    isPlainObject(value) &&
-    typeof value.default === "string" &&
-    Object.values(value).every((entry) => typeof entry === "string")
-  );
-}
-
-function getI18nValueForLanguage(value: Record<string, string>, languageCode: string): string | undefined {
-  if (typeof value[languageCode] === "string") {
-    return value[languageCode];
-  }
-
-  const matchingKey = Object.keys(value).find(
-    (key) => normalizeV3SurveyLanguageTag(key)?.toLowerCase() === languageCode.toLowerCase()
-  );
-  return matchingKey ? value[matchingKey] : undefined;
-}
-
-function serializeCanonicalValue(
-  value: unknown,
-  defaultLanguage: string,
-  languageCodes: Set<string>,
-  options?: { fallbackMissingTranslations?: boolean }
-): TSerializedValue {
-  if (isI18nString(value)) {
-    const result: Record<string, string> = {
-      [defaultLanguage]: value.default,
-    };
-
-    for (const languageCode of languageCodes) {
-      const translatedValue = getI18nValueForLanguage(value, languageCode);
-      if (languageCode !== defaultLanguage) {
-        if (translatedValue !== undefined) {
-          result[languageCode] = translatedValue;
-        } else if (options?.fallbackMissingTranslations) {
-          result[languageCode] = value.default;
-        }
-      }
-    }
-
-    if (!languageCodes.has(defaultLanguage)) {
-      delete result[defaultLanguage];
-    }
-
-    return result;
-  }
-
-  if (Array.isArray(value)) {
-    return value.map((entry) => serializeCanonicalValue(entry, defaultLanguage, languageCodes, options));
-  }
-
-  if (isPlainObject(value)) {
-    return Object.fromEntries(
-      Object.entries(value).map(([key, entry]) => [
-        key,
-        serializeCanonicalValue(entry, defaultLanguage, languageCodes, options),
-      ])
-    );
-  }
-
-  return value as TSerializedValue;
-}
-
-function resolveRequestedLanguage(languages: TV3SurveyLanguage[], language: string): string {
-  const result = resolveV3SurveyLanguageCode(language, languages);
-
-  if (!result.ok) {
-    throw new V3SurveyLanguageError(result.message);
-  }
-
-  return result.code;
-}
-
-function resolveRequestedLanguages(languages: TV3SurveyLanguage[], requestedLanguages?: string[]): string[] {
-  if (!requestedLanguages) {
-    return [];
-  }
-
-  return requestedLanguages.map((language) => resolveRequestedLanguage(languages, language));
-}
-
-export function serializeV3SurveyResource(survey: TInternalSurvey, options?: { lang?: string[] }) {
-  if (Array.isArray(survey.questions) && survey.questions.length > 0) {
-    throw new V3SurveyUnsupportedShapeError(
-      "Legacy question-based surveys are not supported by the v3 survey management API"
-    );
-  }
-
-  const defaultLanguage = getV3SurveyDefaultLanguage(survey, DEFAULT_V3_SURVEY_LANGUAGE);
-  const languages = getV3SurveyLanguages(survey, DEFAULT_V3_SURVEY_LANGUAGE);
-  const configuredLanguageCodes = new Set(languages.map((language) => language.code));
-  const requestedLanguages = resolveRequestedLanguages(languages, options?.lang);
-  const languageCodes = requestedLanguages.length > 0 ? new Set(requestedLanguages) : configuredLanguageCodes;
-  const serializeValue = (value: unknown) =>
-    serializeCanonicalValue(value, defaultLanguage, languageCodes, {
-      fallbackMissingTranslations: requestedLanguages.length > 0,
-    });
-
-  return {
-    id: survey.id,
-    workspaceId: survey.workspaceId,
-    createdAt: toIsoString(survey.createdAt),
-    updatedAt: toIsoString(survey.updatedAt),
-    name: survey.name,
-    type: survey.type,
-    status: survey.status,
-    metadata: survey.metadata,
-    defaultLanguage,
-    languages,
-    welcomeCard: serializeValue(survey.welcomeCard),
-    blocks: serializeValue(survey.blocks),
-    endings: serializeValue(survey.endings),
-    hiddenFields: survey.hiddenFields,
-    variables: survey.variables,
-  };
-}
@@ -1,108 +0,0 @@
-import { z } from "zod";
-import { logger } from "@formbricks/logger";
-import { DatabaseError } from "@formbricks/types/errors";
-import { withV3ApiWrapper } from "@/app/api/v3/lib/api-wrapper";
-import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
-import { problemInternalError, successResponse } from "@/app/api/v3/lib/response";
-import { getAuthorizedV3Survey } from "../authorization";
-import {
-  type TV3SurveyPrepareResult,
-  prepareV3SurveyCreateInput,
-  prepareV3SurveyPatchInput,
-} from "../prepare";
-import { type TV3SurveyDocument, ZV3EmptyQuery, ZV3SurveyValidationRequestBody } from "../schemas";
-
-const createWorkspaceSchema = z.object({
-  workspaceId: z.cuid2(),
-});
-
-function serializeValidationResult<TDocument extends TV3SurveyDocument>(
-  operation: "create" | "patch",
-  preparation: TV3SurveyPrepareResult<TDocument>
-) {
-  if (!preparation.ok) {
-    return {
-      valid: false,
-      operation,
-      invalid_params: preparation.validation.invalidParams,
-    };
-  }
-
-  return {
-    valid: true,
-    operation,
-    invalid_params: [],
-    languages: preparation.languageRequests.map((languageRequest) => ({
-      ...languageRequest,
-      writeBehavior: "connect_or_create" as const,
-    })),
-  };
-}
-
-export const POST = withV3ApiWrapper({
-  auth: "both",
-  schemas: {
-    body: ZV3SurveyValidationRequestBody,
-    query: ZV3EmptyQuery,
-  },
-  handler: async ({ parsedInput, authentication, requestId, instance }) => {
-    const { body } = parsedInput;
-    const log = logger.withContext({ requestId, operation: body.operation });
-
-    try {
-      if (body.operation === "create") {
-        const workspaceResult = createWorkspaceSchema.safeParse(body.data);
-        if (workspaceResult.success) {
-          const authResult = await requireV3WorkspaceAccess(
-            authentication,
-            workspaceResult.data.workspaceId,
-            "readWrite",
-            requestId,
-            instance
-          );
-
-          if (authResult instanceof Response) {
-            return authResult;
-          }
-        }
-
-        return successResponse(serializeValidationResult("create", prepareV3SurveyCreateInput(body.data)), {
-          requestId,
-          cache: "private, no-store",
-        });
-      }
-
-      const { survey, response } = await getAuthorizedV3Survey({
-        surveyId: body.surveyId,
-        authentication,
-        access: "readWrite",
-        requestId,
-        instance,
-      });
-
-      if (response) {
-        log.warn(
-          { statusCode: response.status, surveyId: body.surveyId },
-          "Survey not found or not accessible"
-        );
-        return response;
-      }
-
-      return successResponse(
-        serializeValidationResult("patch", prepareV3SurveyPatchInput(survey, body.data)),
-        {
-          requestId,
-          cache: "private, no-store",
-        }
-      );
-    } catch (error) {
-      if (error instanceof DatabaseError) {
-        log.error({ error, statusCode: 500 }, "Database error");
-        return problemInternalError(requestId, "An unexpected error occurred.", instance);
-      }
-
-      log.error({ error, statusCode: 500 }, "V3 survey validation unexpected error");
-      return problemInternalError(requestId, "An unexpected error occurred.", instance);
-    }
-  },
-});
@@ -1,27 +0,0 @@
-import type { InvalidParam } from "@/app/api/v3/lib/response";
-import { validateV3SurveyReferences } from "./reference-validation";
-import type { TV3SurveyDocument } from "./schemas";
-
-export type TV3SurveyDocumentValidationResult =
-  | { valid: true; invalidParams: [] }
-  | { valid: false; invalidParams: InvalidParam[] };
-
-export function validateV3SurveyDocument(document: TV3SurveyDocument): TV3SurveyDocumentValidationResult {
-  const referenceValidation = validateV3SurveyReferences({
-    blocks: document.blocks,
-    endings: document.endings,
-    hiddenFields: document.hiddenFields,
-    metadata: document.metadata,
-    variables: document.variables,
-    welcomeCard: document.welcomeCard,
-  });
-
-  if (!referenceValidation.ok) {
-    return {
-      valid: false,
-      invalidParams: referenceValidation.invalidParams,
-    };
-  }
-
-  return { valid: true, invalidParams: [] };
-}
@@ -0,0 +1,254 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { ErrorCode } from "@formbricks/cache";
+import { logger } from "@formbricks/logger";
+import { cache } from "@/lib/cache";
+import {
+  IntegrationOAuthStateError,
+  consumeIntegrationOAuthState,
+  createIntegrationOAuthState,
+  generatePkcePair,
+  getSafeOAuthCallbackError,
+} from "./integration-state";
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    error: vi.fn(),
+    warn: vi.fn(),
+  },
+}));
+
+vi.mock("@/lib/cache", () => ({
+  cache: {
+    getRedisClient: vi.fn(),
+    set: vi.fn(),
+  },
+}));
+
+const mockCache = vi.mocked(cache);
+
+const oauthStatePayload = {
+  createdAt: Date.now(),
+  provider: "slack",
+  userId: "user-1",
+  workspaceId: "workspace-1",
+} as const;
+
+const mockRedisConsume = (value: unknown) => {
+  const evalMock = vi.fn().mockResolvedValue(value === null ? null : JSON.stringify(value));
+  mockCache.getRedisClient.mockResolvedValueOnce({ eval: evalMock } as any);
+  return evalMock;
+};
+
+describe("integration OAuth state", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+    mockCache.set.mockResolvedValue({ ok: true, data: undefined });
+  });
+
+  test("creates an opaque cached state that does not expose the workspace id", async () => {
+    const state = await createIntegrationOAuthState({
+      provider: "slack",
+      userId: oauthStatePayload.userId,
+      workspaceId: oauthStatePayload.workspaceId,
+    });
+
+    expect(state).toMatch(/^[A-Za-z0-9_-]{43,128}$/);
+    expect(state).not.toContain(oauthStatePayload.workspaceId);
+    expect(mockCache.set).toHaveBeenCalledWith(
+      "fb:oauth:state:fake-hash",
+      expect.objectContaining({
+        provider: oauthStatePayload.provider,
+        userId: oauthStatePayload.userId,
+        workspaceId: oauthStatePayload.workspaceId,
+      }),
+      10 * 60 * 1000
+    );
+  });
+
+  test("stores the PKCE verifier with Airtable OAuth state", async () => {
+    const pkceCodeVerifier = "E".repeat(43);
+
+    await createIntegrationOAuthState({
+      pkceCodeVerifier,
+      provider: "airtable",
+      userId: oauthStatePayload.userId,
+      workspaceId: oauthStatePayload.workspaceId,
+    });
+
+    expect(mockCache.set).toHaveBeenCalledWith(
+      "fb:oauth:state:fake-hash",
+      expect.objectContaining({ pkceCodeVerifier }),
+      10 * 60 * 1000
+    );
+  });
+
+  test("consumes a valid state atomically and returns the stored workspace", async () => {
+    const state = await createIntegrationOAuthState({
+      provider: "slack",
+      userId: oauthStatePayload.userId,
+      workspaceId: oauthStatePayload.workspaceId,
+    });
+    const redisEval = mockRedisConsume(oauthStatePayload);
+
+    const consumedState = await consumeIntegrationOAuthState({
+      provider: "slack",
+      userId: oauthStatePayload.userId,
+      state,
+    });
+
+    expect(consumedState).toEqual(oauthStatePayload);
+    expect(redisEval).toHaveBeenCalledWith(expect.stringContaining('redis.call("GET", KEYS[1])'), {
+      arguments: [],
+      keys: ["fb:oauth:state:fake-hash"],
+    });
+  });
+
+  test("rejects reused or unknown states", async () => {
+    mockRedisConsume(null);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "A".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+  });
+
+  test("rejects malformed callback state before reading Redis", async () => {
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "too-short",
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(mockCache.getRedisClient).not.toHaveBeenCalled();
+    expect(logger.warn).toHaveBeenCalled();
+  });
+
+  test("rejects wrong provider and wrong user states", async () => {
+    mockRedisConsume(oauthStatePayload);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "notion",
+        userId: oauthStatePayload.userId,
+        state: "B".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    mockRedisConsume(oauthStatePayload);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: "user-2",
+        state: "C".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+  });
+
+  test("fails closed when cache storage or Redis is unavailable", async () => {
+    mockCache.set.mockResolvedValueOnce({ ok: false, error: { code: ErrorCode.RedisConnectionError } });
+
+    await expect(
+      createIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        workspaceId: oauthStatePayload.workspaceId,
+      })
+    ).rejects.toThrow("Unable to start OAuth flow");
+
+    mockCache.getRedisClient.mockResolvedValueOnce(null);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "D".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(logger.error).toHaveBeenCalled();
+  });
+
+  test("fails closed when Redis client resolution throws", async () => {
+    mockCache.getRedisClient.mockRejectedValueOnce(new Error("Redis unavailable"));
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "I".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(logger.error).toHaveBeenCalled();
+  });
+
+  test("rejects malformed cached state values", async () => {
+    mockRedisConsume({
+      createdAt: Date.now(),
+      provider: "slack",
+      userId: oauthStatePayload.userId,
+    });
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "F".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(logger.error).toHaveBeenCalled();
+  });
+
+  test("rejects unexpected cached value types", async () => {
+    mockCache.getRedisClient.mockResolvedValueOnce({
+      eval: vi.fn().mockResolvedValue(42),
+    } as any);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "G".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(logger.error).toHaveBeenCalled();
+  });
+
+  test("fails closed when atomic cache consumption fails", async () => {
+    mockCache.getRedisClient.mockResolvedValueOnce({
+      eval: vi.fn().mockRejectedValue(new Error("Redis failed")),
+    } as any);
+
+    await expect(
+      consumeIntegrationOAuthState({
+        provider: "slack",
+        userId: oauthStatePayload.userId,
+        state: "H".repeat(43),
+      })
+    ).rejects.toThrow(IntegrationOAuthStateError);
+
+    expect(logger.error).toHaveBeenCalled();
+  });
+
+  test("generates an RFC 7636 S256 PKCE pair", () => {
+    const { codeChallenge, codeChallengeMethod, codeVerifier } = generatePkcePair();
+
+    expect(codeVerifier).toMatch(/^[A-Za-z0-9_-]{43,128}$/);
+    expect(codeChallenge).toBe("fake-hash");
+    expect(codeChallengeMethod).toBe("S256");
+  });
+
+  test("sanitizes provider callback errors", () => {
+    expect(getSafeOAuthCallbackError("access_denied")).toBe("access_denied");
+    expect(getSafeOAuthCallbackError("https://evil.example")).toBe("oauth_error");
+    expect(getSafeOAuthCallbackError(null)).toBeNull();
+  });
+});
@@ -0,0 +1,215 @@
+import "server-only";
+import crypto from "node:crypto";
+import { createCacheKey } from "@formbricks/cache";
+import { logger } from "@formbricks/logger";
+import { cache } from "@/lib/cache";
+
+const INTEGRATION_OAUTH_STATE_TTL_MS = 10 * 60 * 1000;
+const OAUTH_STATE_ENTROPY_BYTES = 32;
+const BASE64URL_TOKEN_REGEX = /^[A-Za-z0-9_-]{43,128}$/;
+const SAFE_OAUTH_CALLBACK_ERRORS = new Set([
+  "access_denied",
+  "invalid_request",
+  "invalid_scope",
+  "server_error",
+  "temporarily_unavailable",
+]);
+
+export type TIntegrationOAuthProvider = "googleSheets" | "slack" | "notion" | "airtable";
+
+type TStoredIntegrationOAuthState = {
+  provider: TIntegrationOAuthProvider;
+  userId: string;
+  workspaceId: string;
+  pkceCodeVerifier?: string;
+  createdAt: number;
+};
+
+type TCreateIntegrationOAuthStateInput = {
+  provider: TIntegrationOAuthProvider;
+  userId: string;
+  workspaceId: string;
+  pkceCodeVerifier?: string;
+};
+
+type TConsumeIntegrationOAuthStateInput = {
+  provider: TIntegrationOAuthProvider;
+  userId: string;
+  state: string | null;
+};
+
+export class IntegrationOAuthStateError extends Error {
+  constructor(message = "Invalid OAuth state") {
+    super(message);
+    this.name = "IntegrationOAuthStateError";
+  }
+}
+
+const toBase64Url = (buffer: Buffer) =>
+  buffer.toString("base64").replaceAll("=", "").replaceAll("+", "-").replaceAll("/", "_");
+
+const generateRandomToken = () => toBase64Url(crypto.randomBytes(OAUTH_STATE_ENTROPY_BYTES));
+
+const hashState = (state: string) => crypto.createHash("sha256").update(state).digest("hex");
+
+const getIntegrationOAuthStateCacheKey = (stateHash: string) =>
+  createCacheKey.custom("oauth", "state", stateHash);
+
+const getValidToken = (token: string | undefined, label: string) => {
+  if (!token || !BASE64URL_TOKEN_REGEX.test(token)) {
+    throw new IntegrationOAuthStateError(`Invalid OAuth ${label}`);
+  }
+
+  return token;
+};
+
+const parseStoredIntegrationOAuthState = (serializedValue: string): TStoredIntegrationOAuthState => {
+  try {
+    const parsedValue = JSON.parse(serializedValue) as Partial<TStoredIntegrationOAuthState>;
+
+    if (
+      !parsedValue ||
+      typeof parsedValue.provider !== "string" ||
+      typeof parsedValue.userId !== "string" ||
+      typeof parsedValue.workspaceId !== "string" ||
+      typeof parsedValue.createdAt !== "number" ||
+      (parsedValue.pkceCodeVerifier !== undefined && typeof parsedValue.pkceCodeVerifier !== "string")
+    ) {
+      throw new Error("Invalid stored OAuth state shape");
+    }
+
+    return parsedValue as TStoredIntegrationOAuthState;
+  } catch (error) {
+    logger.error({ error }, "Failed to parse stored integration OAuth state");
+    throw new IntegrationOAuthStateError();
+  }
+};
+
+const consumeCachedIntegrationOAuthState = async (
+  cacheKey: string,
+  logContext: Record<string, unknown>
+): Promise<TStoredIntegrationOAuthState | null> => {
+  let redis;
+
+  try {
+    redis = await cache.getRedisClient();
+  } catch (error) {
+    logger.error({ ...logContext, error }, "Failed to resolve Redis client for integration OAuth state");
+    throw new IntegrationOAuthStateError("Unable to validate OAuth state");
+  }
+
+  if (!redis) {
+    logger.error({ ...logContext }, "Redis is required to validate integration OAuth state");
+    throw new IntegrationOAuthStateError("Unable to validate OAuth state");
+  }
+
+  try {
+    const serializedValue = await redis.eval(
+      `
+        local value = redis.call("GET", KEYS[1])
+        if value then
+          redis.call("DEL", KEYS[1])
+        end
+        return value
+      `,
+      {
+        arguments: [],
+        keys: [cacheKey],
+      }
+    );
+
+    if (serializedValue === null) {
+      return null;
+    }
+
+    if (typeof serializedValue !== "string") {
+      logger.error({ ...logContext }, "Unexpected cached integration OAuth state value");
+      throw new IntegrationOAuthStateError();
+    }
+
+    return parseStoredIntegrationOAuthState(serializedValue);
+  } catch (error) {
+    if (error instanceof IntegrationOAuthStateError) {
+      throw error;
+    }
+
+    logger.error({ ...logContext, error }, "Failed to consume integration OAuth state");
+    throw new IntegrationOAuthStateError("Unable to validate OAuth state");
+  }
+};
+
+export const createIntegrationOAuthState = async ({
+  provider,
+  userId,
+  workspaceId,
+  pkceCodeVerifier,
+}: TCreateIntegrationOAuthStateInput): Promise<string> => {
+  if (pkceCodeVerifier !== undefined) {
+    getValidToken(pkceCodeVerifier, "PKCE verifier");
+  }
+
+  const state = generateRandomToken();
+  const stateHash = hashState(state);
+  const cacheKey = getIntegrationOAuthStateCacheKey(stateHash);
+  const storedState: TStoredIntegrationOAuthState = {
+    provider,
+    userId,
+    workspaceId,
+    pkceCodeVerifier,
+    createdAt: Date.now(),
+  };
+
+  const result = await cache.set(cacheKey, storedState, INTEGRATION_OAUTH_STATE_TTL_MS);
+
+  if (!result.ok) {
+    logger.error({ error: result.error, provider, userId, workspaceId }, "Failed to store OAuth state");
+    throw new Error("Unable to start OAuth flow");
+  }
+
+  return state;
+};
+
+export const consumeIntegrationOAuthState = async ({
+  provider,
+  userId,
+  state,
+}: TConsumeIntegrationOAuthStateInput): Promise<TStoredIntegrationOAuthState> => {
+  let providedState;
+
+  try {
+    providedState = getValidToken(state ?? undefined, "state");
+  } catch (error) {
+    logger.warn({ provider, userId }, "Integration OAuth callback rejected due to malformed state");
+    throw error;
+  }
+
+  const stateHash = hashState(providedState);
+  const cacheKey = getIntegrationOAuthStateCacheKey(stateHash);
+  const storedState = await consumeCachedIntegrationOAuthState(cacheKey, { provider, stateHash, userId });
+
+  if (storedState?.provider !== provider || storedState?.userId !== userId) {
+    logger.warn({ provider, stateHash, userId }, "Integration OAuth callback rejected due to invalid state");
+    throw new IntegrationOAuthStateError();
+  }
+
+  return storedState;
+};
+
+export const getSafeOAuthCallbackError = (error: string | null): string | null => {
+  if (!error) {
+    return null;
+  }
+
+  return SAFE_OAUTH_CALLBACK_ERRORS.has(error) ? error : "oauth_error";
+};
+
+export const generatePkcePair = () => {
+  const verifier = generateRandomToken();
+  const challenge = toBase64Url(crypto.createHash("sha256").update(verifier).digest());
+
+  return {
+    codeChallenge: challenge,
+    codeChallengeMethod: "S256" as const,
+    codeVerifier: verifier,
+  };
+};
@@ -733,85 +733,6 @@ describe("Tests for createSurvey", () => {
        })
      );
    });
-
-    test("creates survey languages from validated language inputs", async () => {
-      vi.mocked(getOrganizationByWorkspaceId).mockResolvedValueOnce(mockOrganizationOutput);
-      prisma.survey.create.mockResolvedValueOnce({
-        ...mockSurveyOutput,
-      });
-
-      await createSurvey(mockWorkspaceId, {
-        ...mockCreateSurveyInput,
-        languages: [
-          {
-            default: true,
-            enabled: true,
-            language: {
-              id: "cllang12345678901234567890",
-              code: "en-US",
-              alias: null,
-              workspaceId: mockWorkspaceId,
-              createdAt: new Date(),
-              updatedAt: new Date(),
-            },
-          },
-        ],
-      });
-
-      expect(prisma.survey.create).toHaveBeenCalledWith(
-        expect.objectContaining({
-          data: expect.objectContaining({
-            languages: {
-              create: [
-                {
-                  language: {
-                    connect: {
-                      id: "cllang12345678901234567890",
-                    },
-                  },
-                  default: true,
-                  enabled: true,
-                },
-              ],
-            },
-          }),
-        })
-      );
-    });
-
-    test("preserves an explicitly provided segment relation for existing callers", async () => {
-      vi.mocked(getOrganizationByWorkspaceId).mockResolvedValueOnce(mockOrganizationOutput);
-      prisma.survey.create.mockResolvedValueOnce({
-        ...mockSurveyOutput,
-      });
-
-      await createSurvey(mockWorkspaceId, {
-        ...mockCreateSurveyInput,
-        segment: {
-          id: "clseg123456789012345678901",
-          title: "Segment",
-          description: null,
-          isPrivate: false,
-          filters: [],
-          workspaceId: mockWorkspaceId,
-          surveys: [],
-          createdAt: new Date(),
-          updatedAt: new Date(),
-        },
-      });
-
-      expect(prisma.survey.create).toHaveBeenCalledWith(
-        expect.objectContaining({
-          data: expect.objectContaining({
-            segment: {
-              connect: {
-                id: "clseg123456789012345678901",
-              },
-            },
-          }),
-        })
-      );
-    });
  });

  describe("Sad Path", () => {
@@ -628,23 +628,9 @@ export const createSurvey = async (workspaceId: string, surveyBody: TSurveyCreat
  );

  try {
-    const { createdBy, languages, segment, followUps, ...restSurveyBody } = parsedSurveyBody;
+    const { createdBy, languages, ...restSurveyBody } = parsedSurveyBody;
    const normalizedCloseOn = restSurveyBody.closeOn instanceof Date ? restSurveyBody.closeOn : null;
    const normalizedPublishOn = restSurveyBody.publishOn instanceof Date ? restSurveyBody.publishOn : null;
-    const surveyLanguagesCreateData: Prisma.SurveyLanguageCreateNestedManyWithoutSurveyInput | undefined =
-      languages?.length
-        ? {
-            create: languages.map((surveyLanguage) => ({
-              language: {
-                connect: {
-                  id: surveyLanguage.language.id,
-                },
-              },
-              default: surveyLanguage.default,
-              enabled: surveyLanguage.enabled,
-            })),
-          }
-        : undefined;

    const actionClasses = await getActionClasses(parsedWorkspaceId);

@@ -655,15 +641,18 @@ export const createSurvey = async (workspaceId: string, surveyBody: TSurveyCreat
        publishOn: normalizedPublishOn,
        status: restSurveyBody.status ?? "draft",
      }),
-      languages: surveyLanguagesCreateData,
-      segment: segment?.id ? { connect: { id: segment.id } } : undefined,
+      // @ts-expect-error - languages would be undefined in case of empty array
+      languages: languages?.length ? languages : undefined,
      triggers: restSurveyBody.triggers
        ? handleTriggerUpdates(restSurveyBody.triggers, [], actionClasses)
        : undefined,
      attributeFilters: undefined,
    };
    const data = validateSurveyCreateDataMedia(
-      attachSurveyFollowUpsToCreateData(attachSurveyCreatorToCreateData(baseData, createdBy), followUps)
+      attachSurveyFollowUpsToCreateData(
+        attachSurveyCreatorToCreateData(baseData, createdBy),
+        restSurveyBody.followUps
+      )
    );

    const organization = await getOrganizationByWorkspaceId(parsedWorkspaceId);
@@ -5,6 +5,7 @@ import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
 import {
  AuthenticationError,
  AuthorizationError,
+  ConfigurationError,
  EXPECTED_ERROR_NAMES,
  INVALID_PASSWORD_RESET_TOKEN_ERROR_CODE,
  InvalidInputError,
@@ -74,6 +75,7 @@ describe("isExpectedError (shared helper)", () => {
      "ValidationError",
      "AuthenticationError",
      "OperationNotAllowedError",
+      "ConfigurationError",
      "QueryExecutionError",
      "TooManyRequestsError",
      "InvalidPasswordResetTokenError",
@@ -94,6 +96,7 @@ describe("isExpectedError (shared helper)", () => {
    { ErrorClass: InvalidInputError, args: ["Invalid input"] },
    { ErrorClass: ValidationError, args: ["Invalid data"] },
    { ErrorClass: OperationNotAllowedError, args: ["Not allowed"] },
+    { ErrorClass: ConfigurationError, args: ["Cube is not configured"] },
    { ErrorClass: QueryExecutionError, args: ["Cube query failed. Details: connect ECONNREFUSED"] },
    { ErrorClass: InvalidPasswordResetTokenError, args: [INVALID_PASSWORD_RESET_TOKEN_ERROR_CODE] },
    { ErrorClass: UniqueConstraintError, args: ["Already exists"] },
@@ -185,6 +188,12 @@ describe("actionClient handleServerError", () => {
      expect(Sentry.captureException).not.toHaveBeenCalled();
    });

+    test("ConfigurationError returns its message and is not sent to Sentry", async () => {
+      const result = await executeThrowingAction(new ConfigurationError("Cube is not configured"));
+      expect(result?.serverError).toBe("Cube is not configured");
+      expect(Sentry.captureException).not.toHaveBeenCalled();
+    });
+
    test("QueryExecutionError returns its message and is not sent to Sentry", async () => {
      const result = await executeThrowingAction(
        new QueryExecutionError("Cube query failed. Details: connect ECONNREFUSED")
@@ -2710,8 +2710,6 @@
        "save_the_following_backup_codes_in_a_safe_place": "Speichere die folgenden Backup-Codes an einem sicheren Ort.",
        "scan_the_qr_code_below_with_your_authenticator_app": "Scanne den QR-Code unten mit deiner Authenticator-App.",
        "security_description": "Verwalte dein Passwort und andere Sicherheitseinstellungen wie die Zwei-Faktor-Authentifizierung (2FA).",
-        "sso_identity_confirmation_failed": "SSO-Identitätsbestätigung fehlgeschlagen. Bitte versuche erneut, dein Konto zu löschen.",
-        "sso_identity_confirmation_may_be_required_for_deletion": "Bei SSO-Konten kann dich die Auswahl von Löschen zu deinem Identitätsanbieter weiterleiten, um dieses Konto zu bestätigen. Wenn dasselbe Konto bestätigt wird, wird die Löschung automatisch fortgesetzt.",
        "two_factor_authentication": "Zwei-Faktor-Authentifizierung",
        "two_factor_authentication_description": "Füge deinem Konto eine zusätzliche Sicherheitsebene hinzu, falls dein Passwort gestohlen wird.",
        "two_factor_authentication_enabled_please_enter_the_six_digit_code_from_your_authenticator_app": "Zwei-Faktor-Authentifizierung aktiviert. Bitte gib den sechsstelligen Code aus deiner Authenticator-App ein.",
@@ -2720,7 +2718,9 @@
        "update_personal_info": "Aktualisiere deine persönlichen Informationen",
        "warning_cannot_delete_account": "Du bist der einzige Inhaber dieser Organisation. Bitte übertrage zuerst die Inhaberschaft auf ein anderes Mitglied.",
        "warning_cannot_undo": "Dies kann nicht rückgängig gemacht werden",
-        "wrong_password": "Falsches Passwort"
+        "wrong_password": "Falsches Passwort",
+        "sso_identity_confirmation_failed": "SSO-Identitätsbestätigung fehlgeschlagen. Bitte versuche erneut, dein Konto zu löschen.",
+        "sso_identity_confirmation_may_be_required_for_deletion": "Bei SSO-Konten kann dich die Auswahl von Löschen zu deinem Identitätsanbieter weiterleiten, um dieses Konto zu bestätigen. Wenn dasselbe Konto bestätigt wird, wird die Löschung automatisch fortgesetzt."
      },
      "teams": {
        "add_members_description": "Füge Mitglieder zum Team hinzu und lege ihre Rolle fest.",
@@ -2710,8 +2710,6 @@
        "save_the_following_backup_codes_in_a_safe_place": "Aşağıdaki yedekleme kodlarını güvenli bir yerde sakla.",
        "scan_the_qr_code_below_with_your_authenticator_app": "Aşağıdaki QR kodunu kimlik doğrulayıcı uygulamanla tara.",
        "security_description": "Şifreni ve iki faktörlü kimlik doğrulama (2FA) gibi diğer güvenlik ayarlarını yönet.",
-        "sso_identity_confirmation_failed": "SSO kimlik doğrulaması başarısız oldu. Lütfen hesabınızı silmeyi tekrar deneyin.",
-        "sso_identity_confirmation_may_be_required_for_deletion": "SSO hesaplarında Sil'i seçmek, bu hesabı onaylamanız için sizi kimlik sağlayıcınıza yönlendirebilir. Aynı hesap onaylanırsa silme işlemi otomatik olarak devam eder.",
        "two_factor_authentication": "İki faktörlü kimlik doğrulama",
        "two_factor_authentication_description": "Şifren çalınması durumunda hesabına ekstra bir güvenlik katmanı ekle.",
        "two_factor_authentication_enabled_please_enter_the_six_digit_code_from_your_authenticator_app": "İki faktörlü kimlik doğrulama etkinleştirildi. Lütfen kimlik doğrulayıcı uygulamandaki altı haneli kodu gir.",
@@ -2720,7 +2718,9 @@
        "update_personal_info": "Kişisel bilgilerini güncelle",
        "warning_cannot_delete_account": "Bu organizasyonun tek sahibi sensin. Lütfen önce sahipliği başka bir üyeye aktar.",
        "warning_cannot_undo": "Bu geri alınamaz",
-        "wrong_password": "Yanlış şifre"
+        "wrong_password": "Yanlış şifre",
+        "sso_identity_confirmation_failed": "SSO kimlik doğrulaması başarısız oldu. Lütfen hesabınızı silmeyi tekrar deneyin.",
+        "sso_identity_confirmation_may_be_required_for_deletion": "SSO hesaplarında Sil'i seçmek, bu hesabı onaylamanız için sizi kimlik sağlayıcınıza yönlendirebilir. Aynı hesap onaylanırsa silme işlemi otomatik olarak devam eder."
      },
      "teams": {
        "add_members_description": "Ekibe üye ekle ve rollerini belirle.",
@@ -112,12 +112,4 @@ describe("cube-config", () => {

    await expect(import("./cube-config")).rejects.toThrow("Invalid environment variables");
  });
-
-  test("fails at env validation when CUBEJS_API_SECRET is an empty string", async () => {
-    setTestEnv({
-      CUBEJS_API_SECRET: "",
-    });
-
-    await expect(import("./cube-config")).rejects.toThrow("Invalid environment variables");
-  });
 });
@@ -1,8 +1,11 @@
 import "server-only";
 import jwt from "jsonwebtoken";
 import { randomUUID } from "node:crypto";
+import { ConfigurationError } from "@formbricks/types/errors";
 import { env } from "@/lib/env";

+export const CUBE_CONFIGURATION_ERROR_MESSAGE =
+  "Cube is not configured on this instance. Set CUBEJS_API_URL and CUBEJS_API_SECRET.";
 export const CUBE_API_TOKEN_TTL_SECONDS = 5 * 60;
 export const CUBE_QUERY_SCOPE = "xm:cube:query";
 export const DEFAULT_CUBE_JWT_AUDIENCE = "formbricks-cube";
@@ -36,12 +39,18 @@ export const normalizeCubeApiUrl = (baseUrl: string): string => {
  return `${normalizedBaseUrl}/cubejs-api/v1`;
 };

-export const getCubeApiCredentials = () => ({
-  apiUrl: normalizeCubeApiUrl(env.CUBEJS_API_URL),
-  apiSecret: env.CUBEJS_API_SECRET,
-  audience: env.CUBEJS_JWT_AUDIENCE ?? DEFAULT_CUBE_JWT_AUDIENCE,
-  issuer: env.CUBEJS_JWT_ISSUER ?? DEFAULT_CUBE_JWT_ISSUER,
-});
+export const getCubeApiCredentials = () => {
+  if (!env.CUBEJS_API_URL || !env.CUBEJS_API_SECRET) {
+    throw new ConfigurationError(CUBE_CONFIGURATION_ERROR_MESSAGE);
+  }
+
+  return {
+    apiUrl: normalizeCubeApiUrl(env.CUBEJS_API_URL),
+    apiSecret: env.CUBEJS_API_SECRET,
+    audience: env.CUBEJS_JWT_AUDIENCE ?? DEFAULT_CUBE_JWT_AUDIENCE,
+    issuer: env.CUBEJS_JWT_ISSUER ?? DEFAULT_CUBE_JWT_ISSUER,
+  };
+};

 export const createCubeApiToken = (
  apiSecret: string,
@@ -2,7 +2,6 @@ import { beforeEach, describe, expect, test, vi } from "vitest";
 import { StorageErrorCode } from "@formbricks/storage";
 import { TResponseData } from "@formbricks/types/responses";
 import { ZAllowedFileExtension } from "@formbricks/types/storage";
-import { TSurveyBlock } from "@formbricks/types/surveys/blocks";
 import { TSurveyQuestion } from "@formbricks/types/surveys/types";
 import {
  isAllowedFileExtension,
@@ -13,7 +12,6 @@ import {
  sanitizeFileName,
  validateFileUploads,
  validateSingleFile,
-  validateSurveyAllowsFileUpload,
 } from "@/modules/storage/utils";

 // Mock the getOriginalFileNameFromUrl function
@@ -353,148 +351,6 @@ describe("storage utils", () => {
    });
  });

-  describe("validateSurveyAllowsFileUpload", () => {
-    test("should allow a matching extension from a modern file upload block element", () => {
-      const blocks = [
-        {
-          id: "block1",
-          name: "Block 1",
-          elements: [
-            {
-              id: "element1",
-              type: "fileUpload" as const,
-              allowedFileExtensions: ["pdf"],
-            },
-          ],
-        },
-      ] as unknown as TSurveyBlock[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report.pdf", blocks })).toEqual({ ok: true });
-    });
-
-    test("should allow a matching extension from a legacy file upload question", () => {
-      const questions = [
-        {
-          id: "question1",
-          type: "fileUpload" as const,
-          allowedFileExtensions: ["png"],
-        },
-      ] as TSurveyQuestion[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "image.png", questions })).toEqual({ ok: true });
-    });
-
-    test("should allow any globally safe extension when a file upload has no survey restriction", () => {
-      const blocks = [
-        {
-          id: "block1",
-          name: "Block 1",
-          elements: [
-            {
-              id: "element1",
-              type: "fileUpload" as const,
-            },
-          ],
-        },
-      ] as unknown as TSurveyBlock[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report.pdf", blocks })).toEqual({ ok: true });
-    });
-
-    test("should reject surveys without file upload blocks or questions", () => {
-      const blocks = [
-        {
-          id: "block1",
-          name: "Block 1",
-          elements: [
-            {
-              id: "element1",
-              type: "openText" as const,
-            },
-          ],
-        },
-      ] as unknown as TSurveyBlock[];
-      const questions = [
-        {
-          id: "question1",
-          type: "openText" as const,
-        },
-      ] as TSurveyQuestion[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report.pdf", blocks, questions })).toEqual({
-        ok: false,
-        reason: "no_file_upload_question",
-      });
-    });
-
-    test("should reject when no file upload entry allows the requested extension", () => {
-      const blocks = [
-        {
-          id: "block1",
-          name: "Block 1",
-          elements: [
-            {
-              id: "element1",
-              type: "fileUpload" as const,
-              allowedFileExtensions: ["jpg"],
-            },
-            {
-              id: "element2",
-              type: "fileUpload" as const,
-              allowedFileExtensions: ["png"],
-            },
-          ],
-        },
-      ] as unknown as TSurveyBlock[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report.pdf", blocks })).toEqual({
-        ok: false,
-        reason: "file_extension_not_allowed",
-      });
-    });
-
-    test("should allow when any file upload entry permits the requested extension", () => {
-      const blocks = [
-        {
-          id: "block1",
-          name: "Block 1",
-          elements: [
-            {
-              id: "element1",
-              type: "fileUpload" as const,
-              allowedFileExtensions: ["jpg"],
-            },
-            {
-              id: "element2",
-              type: "fileUpload" as const,
-              allowedFileExtensions: ["pdf"],
-            },
-          ],
-        },
-      ] as unknown as TSurveyBlock[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report.pdf", blocks })).toEqual({ ok: true });
-    });
-
-    test("should reject files without a globally safe extension even when the survey has an unrestricted upload", () => {
-      const questions = [
-        {
-          id: "question1",
-          type: "fileUpload" as const,
-        },
-      ] as TSurveyQuestion[];
-
-      expect(validateSurveyAllowsFileUpload({ fileName: "report", questions })).toEqual({
-        ok: false,
-        reason: "file_extension_not_allowed",
-      });
-      expect(validateSurveyAllowsFileUpload({ fileName: "malware.exe", questions })).toEqual({
-        ok: false,
-        reason: "file_extension_not_allowed",
-      });
-    });
-  });
-
  describe("isValidImageFile", () => {
    test("should return true for valid image file extensions", () => {
      expect(isValidImageFile("https://example.com/image.jpg")).toBe(true);
@@ -2,8 +2,6 @@ import "server-only";
 import { type StorageError, StorageErrorCode } from "@formbricks/storage";
 import { TResponseData } from "@formbricks/types/responses";
 import { TAllowedFileExtension, ZAllowedFileExtension } from "@formbricks/types/storage";
-import { TSurveyBlock } from "@formbricks/types/surveys/blocks";
-import { TSurveyElementTypeEnum, TSurveyFileUploadElement } from "@formbricks/types/surveys/elements";
 import { TSurveyQuestion, TSurveyQuestionTypeEnum } from "@formbricks/types/surveys/types";
 import { responses } from "@/app/lib/api/response";
 import { WEBAPP_URL } from "@/lib/constants";
@@ -59,27 +57,15 @@ export const sanitizeFileName = (rawFileName: string): string => {
  return result;
 };

-/**
- * Extracts the lowercase file extension from a file name
- * @param fileName The name of the file
- * @returns {string | null} The lowercase extension, or null when no extension exists
- */
-const extractFileExtension = (fileName: string): string | null => {
-  const extension = fileName.split(".").pop()?.toLowerCase();
-
-  if (!extension || extension === fileName.toLowerCase()) return null;
-
-  return extension;
-};
-
 /**
 * Validates if the file extension is allowed
 * @param fileName The name of the file to validate
 * @returns {boolean} True if the file extension is allowed, false otherwise
 */
 export const isAllowedFileExtension = (fileName: string): boolean => {
-  const extension = extractFileExtension(fileName);
-  if (!extension) return false;
+  // Extract the file extension
+  const extension = fileName.split(".").pop()?.toLowerCase();
+  if (!extension || extension === fileName.toLowerCase()) return false;

  // Check if the extension is in the allowed list
  return Object.values(ZAllowedFileExtension.enum).includes(extension as TAllowedFileExtension);
@@ -91,7 +77,7 @@ export const validateSingleFile = (
 ): boolean => {
  const fileName = getOriginalFileNameFromUrl(fileUrl);
  if (!fileName) return false;
-  const extension = extractFileExtension(fileName);
+  const extension = fileName.split(".").pop()?.toLowerCase();
  if (!extension) return false;
  return !allowedFileExtensions || allowedFileExtensions.includes(extension as TAllowedFileExtension);
 };
@@ -114,70 +100,6 @@ export const validateFileUploads = (data?: TResponseData, questions?: TSurveyQue
  return true;
 };

-export type TSurveyFileUploadPermissionResult =
-  | {
-      ok: true;
-    }
-  | {
-      ok: false;
-      reason: "no_file_upload_question" | "file_extension_not_allowed";
-    };
-
-const getAllowedFileExtensionFromFileName = (fileName: string): TAllowedFileExtension | null => {
-  const extension = extractFileExtension(fileName);
-  if (!extension) return null;
-
-  const extensionValidation = ZAllowedFileExtension.safeParse(extension);
-
-  return extensionValidation.success ? extensionValidation.data : null;
-};
-
-export const validateSurveyAllowsFileUpload = ({
-  fileName,
-  blocks,
-  questions,
-}: {
-  fileName: string;
-  blocks?: TSurveyBlock[] | null;
-  questions?: TSurveyQuestion[] | null;
-}): TSurveyFileUploadPermissionResult => {
-  const fileUploadConfigs = [
-    ...(blocks ?? [])
-      .flatMap((block) => block.elements)
-      .filter((element) => element.type === TSurveyElementTypeEnum.FileUpload),
-    ...(questions ?? []).filter((question) => question.type === TSurveyQuestionTypeEnum.FileUpload),
-  ] as TSurveyFileUploadElement[];
-
-  if (fileUploadConfigs.length === 0) {
-    return {
-      ok: false,
-      reason: "no_file_upload_question",
-    };
-  }
-
-  const fileExtension = getAllowedFileExtensionFromFileName(fileName);
-
-  if (!fileExtension) {
-    return {
-      ok: false,
-      reason: "file_extension_not_allowed",
-    };
-  }
-
-  const isFileExtensionAllowed = fileUploadConfigs.some((fileUploadConfig) => {
-    const { allowedFileExtensions } = fileUploadConfig;
-
-    return allowedFileExtensions === undefined || allowedFileExtensions.includes(fileExtension);
-  });
-
-  return isFileExtensionAllowed
-    ? { ok: true }
-    : {
-        ok: false,
-        reason: "file_extension_not_allowed",
-      };
-};
-
 export const isValidImageFile = (fileUrl: string): boolean => {
  const fileName = getOriginalFileNameFromUrl(fileUrl);
  if (!fileName || fileName.endsWith(".")) return false;
@@ -3,7 +3,6 @@
 import { Workspace } from "@prisma/client";
 import { useSearchParams } from "next/navigation";
 import { useCallback, useEffect, useMemo, useState } from "react";
-import { useTranslation } from "react-i18next";
 import { TResponseData } from "@formbricks/types/responses";
 import { TSurvey, TSurveyStyling } from "@formbricks/types/surveys/types";
 import { TWorkspaceStyling } from "@formbricks/types/workspace";
@@ -14,7 +13,7 @@ import { LinkSurveyWrapper } from "@/modules/survey/link/components/link-survey-
 import { OfflineAlert } from "@/modules/survey/link/components/offline-alert";
 import { getPrefillValue } from "@/modules/survey/link/lib/prefill";
 import { getUserIdFromSearchParams } from "@/modules/survey/link/lib/user-id";
-import { getWebAppLocale, isRTLLanguage } from "@/modules/survey/link/lib/utils";
+import { isRTLLanguage } from "@/modules/survey/link/lib/utils";
 import { SurveyInline } from "@/modules/ui/components/survey";

 interface SurveyClientWrapperProps {
@@ -64,17 +63,6 @@ export const SurveyClientWrapper = ({
  IS_FORMBRICKS_CLOUD,
 }: SurveyClientWrapperProps) => {
  const searchParams = useSearchParams();
-  const { i18n } = useTranslation();
-
-  useEffect(() => {
-    const webAppLocale = getWebAppLocale(languageCode, survey);
-    if (i18n.language !== webAppLocale) {
-      i18n.changeLanguage(webAppLocale).catch(() => {
-        i18n.changeLanguage("en-US");
-      });
-    }
-  }, [languageCode, survey, i18n]);
-
  const skipPrefilled = searchParams.get("skipPrefilled") === "true";
  const offlineSupport = searchParams.get("offlineSupport") === "true";
  const userId = canReadUserIdFromUrl ? getUserIdFromSearchParams(searchParams) : undefined;
@@ -99,7 +99,12 @@ describe("useDeleteSurvey", () => {
      0
    );

-    resolveFetch?.(new Response(null, { status: 204 }));
+    resolveFetch?.(
+      new Response(JSON.stringify({ data: { id: "survey_1" } }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      })
+    );

    await waitFor(() => expect(result.current.isSuccess).toBe(true));
    expect(invalidateQueriesSpy).toHaveBeenCalledWith({ queryKey: surveyKeys.lists() });
@@ -1,10 +1,5 @@
-import { afterEach, describe, expect, test, vi } from "vitest";
-import type { V3ApiError } from "@/modules/api/lib/v3-client";
-import { buildSurveyListSearchParams, deleteSurvey } from "./v3-surveys-client";
-
-afterEach(() => {
-  vi.unstubAllGlobals();
-});
+import { describe, expect, test } from "vitest";
+import { buildSurveyListSearchParams } from "./v3-surveys-client";

 describe("buildSurveyListSearchParams", () => {
  test("emits only supported v3 params using normalized filter values", () => {
@@ -44,39 +39,3 @@ describe("buildSurveyListSearchParams", () => {
    );
  });
 });
-
-describe("deleteSurvey", () => {
-  test("treats 204 No Content as a successful delete", async () => {
-    const fetchMock = vi.fn().mockResolvedValue(new Response(null, { status: 204 }));
-    vi.stubGlobal("fetch", fetchMock);
-
-    await expect(deleteSurvey("survey_1")).resolves.toBeUndefined();
-
-    expect(fetchMock).toHaveBeenCalledWith("/api/v3/surveys/survey_1", {
-      method: "DELETE",
-      cache: "no-store",
-    });
-  });
-
-  test("maps v3 problem responses to V3ApiError", async () => {
-    vi.stubGlobal(
-      "fetch",
-      vi.fn().mockResolvedValue(
-        Response.json(
-          {
-            status: 403,
-            detail: "You are not authorized to access this resource",
-            code: "forbidden",
-          },
-          { status: 403 }
-        )
-      )
-    );
-
-    await expect(deleteSurvey("survey_1")).rejects.toMatchObject<V3ApiError>({
-      status: 403,
-      detail: "You are not authorized to access this resource",
-      code: "forbidden",
-    });
-  });
-});
@@ -13,6 +13,12 @@ type TV3SurveyListResponse = {
  meta: TSurveyListPage["meta"];
 };

+type TV3DeleteSurveyResponse = {
+  data: {
+    id: string;
+  };
+};
+
 export type TSurveyListPage = {
  data: TSurveyListItem[];
  meta: {
@@ -116,7 +122,7 @@ export async function listSurveys({
  };
 }

-export async function deleteSurvey(surveyId: string): Promise<void> {
+export async function deleteSurvey(surveyId: string): Promise<{ id: string }> {
  const response = await fetch(`/api/v3/surveys/${surveyId}`, {
    method: "DELETE",
    cache: "no-store",
@@ -125,4 +131,7 @@ export async function deleteSurvey(surveyId: string): Promise<void> {
  if (!response.ok) {
    throw await parseV3ApiError(response);
  }
+
+  const body = (await response.json()) as TV3DeleteSurveyResponse;
+  return body.data;
 }
@@ -46,15 +46,14 @@ The intended defaults are:
 - self-hosted / single-tenant clusters: bundled controller mode
 - shared clusters with an existing platform controller: external-controller mode

-## Cube
+## Cube.js for XM Suite v5

-Cube is part of the baseline Formbricks v5 stack and is deployed by this chart by default
-(`cube.enabled: true`).
+XM Suite v5 dashboard and analysis features require Cube.js. Set `cube.enabled=true` to deploy an
+internal Cube service from this chart, or provide an external Cube endpoint.

- For the chart-managed Cube, `deployment.env.CUBEJS_API_URL` should point at `http://formbricks-cube:4000`
+- For chart-managed Cube, set `deployment.env.CUBEJS_API_URL` to `http://formbricks-cube:4000`
  when using the default release name.
- For an external Cube, set `cube.enabled: false` and point `deployment.env.CUBEJS_API_URL` at your
-  endpoint.
+- For external Cube, set `deployment.env.CUBEJS_API_URL` to your Cube endpoint.
 - Provide `CUBEJS_API_SECRET` through your existing secret management flow, such as the generated app secret override or `deployment.envFrom`.
 - Provide `CUBEJS_DB_*` connection variables to the Cube deployment through `cube.envFrom` or `cube.env`.
 - Keep `cube.replicas=1` while `cube.env.CUBEJS_CACHE_AND_QUEUE_DRIVER` is `memory`. Configure Cube Store before running multiple Cube replicas.
@@ -96,8 +96,8 @@ deployment:
    #   nameSuffix: app-secrets

  # Environment variables passed to the app container.
-  # Cube is bundled by default (see the `cube` section below). To use an external Cube cluster instead,
-  # set `cube.enabled: false` and provide CUBEJS_API_URL / CUBEJS_API_SECRET here via deployment.env or envFrom.
+  # XM Suite v5 analytics requires an external Cube endpoint when using Helm:
+  # set deployment.env.CUBEJS_API_URL and provide CUBEJS_API_SECRET through a Secret referenced by envFrom/existingSecret.
  env: {}

  # Tolerations for scheduling pods on tainted nodes
@@ -561,10 +561,8 @@ serviceMonitor:
 # Cube.js Analytics Configuration
 ##########################################################
 cube:
-  # Cube semantic-layer service used by Formbricks analytics. Bundled by default.
-  # Set to false only if you want to point the app at an external Cube cluster
-  # via deployment.env.CUBEJS_API_URL (CUBEJS_API_SECRET must still be provided).
-  enabled: true
+  # Optional internal Cube.js service for XM Suite v5 analytics.
+  enabled: false
  replicas: 1

  image:
@@ -902,6 +900,10 @@ hub:
    affinity: {}
    topologySpreadConstraints: []

+  # XM Suite v5 analytics also requires Cube. Use cube.enabled=true to deploy
+  # the internal chart-managed Cube service, or set deployment.env.CUBEJS_API_URL
+  # to an operator-managed Cube endpoint.
+
  # Upgrade migration job runs goose + river before Helm upgrades Hub resources.
  # Fresh installs run the same migrations through the Hub deployment init container.
  migration:
@@ -155,6 +155,7 @@ services:
      <<: *hub-runtime-environment

  cube:
+    profiles: ["xm"]
    image: cubejs/cube:v1.6.6
    env_file:
      - apps/web/.env
@@ -30,13 +30,13 @@ That's it! After running the command and providing the required information, vis

 ## Formbricks Hub and Cube

-The stack includes the [Formbricks Hub](https://github.com/formbricks/hub) API (`ghcr.io/formbricks/hub`) and the bundled Cube service. Hub and Cube share the same database as Formbricks by default and both start as part of the baseline `docker compose up`.
+The stack includes the [Formbricks Hub](https://github.com/formbricks/hub) API (`ghcr.io/formbricks/hub`) and can also run a bundled Cube.js service for XM Suite v5 analytics. Hub and Cube share the same database as Formbricks by default, and Cube is enabled through the optional Docker Compose `xm` profile.

 - **Migrations**: A `hub-migrate` service runs Hub's database migrations (goose + river) before the Hub API starts. It runs on every `docker compose up` and is idempotent.
- **Production** (`docker/docker-compose.yml`): Set `HUB_API_KEY` and `CUBEJS_API_SECRET` (both required). `HUB_API_URL` defaults to `http://hub:8080` and `CUBEJS_API_URL` defaults to `http://cube:4000` so the Formbricks app reaches Hub and Cube inside the compose network. Cube JWT issuer/audience default to `formbricks-web` and `formbricks-cube`, and the bundled Cube service exposes only `meta,data` API scopes. Override `HUB_DATABASE_URL` and `CUBEJS_DB_*` only if Hub or Cube should use a separate database. The Hub image tracks `:latest` by default so `formbricks.sh update` advances Hub in lockstep with the app. `hub` and `hub-migrate` always resolve to the same image. To pin to an immutable reference, set `HUB_IMAGE_REF` in `docker/.env` to either a tag (e.g. `:0.3.0`) or a digest (e.g. `@sha256:14db7b3d...`).
- **Development** (`docker-compose.dev.yml`): Hub uses a dedicated local `hub` database and `HUB_API_KEY` defaults to `dev-api-key`. The dev stack starts `hub` plus `hub-worker`; set `EMBEDDING_PROVIDER`, `EMBEDDING_MODEL`, and any provider credentials in the repo root `.env` to enable Hub embeddings locally. See the [Hub embeddings environment reference](https://hub.formbricks.com/reference/environment-variables/#embeddings) for provider-specific values. Cube starts with the dev stack, `CUBEJS_API_URL` defaults to `http://localhost:4000`, and `pnpm dev:setup` generates `CUBEJS_API_SECRET` in the repo root `.env`. The Hub image is pinned to a semver tag (`hub`, `hub-worker`, and `hub-migrate` share the same value); override `HUB_IMAGE_TAG` in the repo root `.env` to test a specific Hub release.
+- **Production** (`docker/docker-compose.yml`): Set `HUB_API_KEY` (required). `HUB_API_URL` defaults to `http://hub:8080` so the Formbricks app can reach Hub inside the compose network. To enable XM Suite v5 analytics, set `COMPOSE_PROFILES=xm` and `CUBEJS_API_SECRET`; `CUBEJS_API_URL` defaults to `http://cube:4000`. Cube JWT issuer/audience default to `formbricks-web` and `formbricks-cube`, and the bundled Cube service exposes only `meta,data` API scopes. Override `HUB_DATABASE_URL` and `CUBEJS_DB_*` only if Hub or Cube should use a separate database. The Hub image tracks `:latest` by default so `formbricks.sh update` advances Hub in lockstep with the app. `hub` and `hub-migrate` always resolve to the same image. To pin to an immutable reference, set `HUB_IMAGE_REF` in `docker/.env` to either a tag (e.g. `:0.3.0`) or a digest (e.g. `@sha256:14db7b3d...`).
+- **Development** (`docker-compose.dev.yml`): Hub uses a dedicated local `hub` database and `HUB_API_KEY` defaults to `dev-api-key`. The dev stack starts `hub` plus `hub-worker`; set `EMBEDDING_PROVIDER`, `EMBEDDING_MODEL`, and any provider credentials in the repo root `.env` to enable Hub embeddings locally. See the [Hub embeddings environment reference](https://hub.formbricks.com/reference/environment-variables/#embeddings) for provider-specific values. Cube is behind the `xm` profile, `CUBEJS_API_URL` defaults to `http://localhost:4000`, and `pnpm dev:setup` generates `CUBEJS_API_SECRET` in the repo root `.env`. The Hub image is pinned to a semver tag (`hub`, `hub-worker`, and `hub-migrate` share the same value); override `HUB_IMAGE_TAG` in the repo root `.env` to test a specific Hub release.

-In development, Hub is exposed locally on port **8080** and Cube on **4000** (with the Cube playground on **4001**). In production Docker Compose, both stay internal to the compose network at `http://hub:8080` and `http://cube:4000`.
+In development, Hub is exposed locally on port **8080**. When the `xm` profile is enabled, Cube is exposed on **4000** (with the Cube playground on **4001**). In production Docker Compose, Hub stays internal to the compose network at `http://hub:8080`; Cube also stays internal at `http://cube:4000` when enabled.

 The one-click Traefik installer exposes Hub-backed FeedbackRecords on the Formbricks origin at
 `/api/v3/feedbackRecords` and `/v1/feedback-records`. Traefik uses Formbricks gateway auth, rewrites the v3
@@ -38,7 +38,7 @@ x-environment: &environment
    # Hub database URL (optional). Default: same Postgres as Formbricks. Set only if Hub uses a separate DB.
    # HUB_DATABASE_URL:

-    # Cube semantic-layer API used by Formbricks analytics. Required.
+    # Cube.js analytics for XM Suite v5. Enable the optional xm profile and set CUBEJS_API_SECRET to run Cube.
    CUBEJS_API_URL: ${CUBEJS_API_URL:-http://cube:4000}
    CUBEJS_API_SECRET: ${CUBEJS_API_SECRET:-}
    CUBEJS_JWT_ISSUER: ${CUBEJS_JWT_ISSUER:-formbricks-web}
@@ -257,8 +257,6 @@ services:
        condition: service_healthy
      redis:
        condition: service_healthy
-      cube:
-        condition: service_healthy
    ports:
      - 3000:3000
    volumes:
@@ -296,8 +294,9 @@ services:
      API_KEY: ${HUB_API_KEY:?HUB_API_KEY is required to run Hub}
      DATABASE_URL: ${HUB_DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/formbricks?sslmode=disable}

-  # Cube semantic-layer API used by Formbricks analytics dashboards.
+  # Optional Cube.js analytics service for XM Suite v5. Enable with COMPOSE_PROFILES=xm and set CUBEJS_API_SECRET.
  cube:
+    profiles: ["xm"]
    restart: always
    image: cubejs/cube:v1.6.6
    depends_on:
@@ -320,12 +319,6 @@ services:
    volumes:
      - ./cube/cube.js:/cube/conf/cube.js:ro
      - ./cube/schema:/cube/conf/model:ro
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:4000/readyz"]
-      interval: 10s
-      timeout: 5s
-      retries: 12
-      start_period: 30s

 volumes:
  postgres:
@@ -527,6 +527,7 @@ EOT
  hub_api_key=$(openssl rand -hex 32)
  cubejs_api_secret=$(openssl rand -hex 32)
 cat <<EOF > .env
+COMPOSE_PROFILES=xm
 HUB_API_KEY=$hub_api_key
 CUBEJS_API_SECRET=$cubejs_api_secret
 CUBEJS_JWT_ISSUER=formbricks-web
@@ -12,12 +12,11 @@ deployment, review this section before starting the new version.
 ### What Changes In v5

 - **Formbricks Hub is now mandatory** for self-hosted Formbricks v5 deployments.
- **Cube is now part of the baseline stack** alongside Hub. Docker, one-click, and Helm all bundle Cube by
-  default; `CUBEJS_API_SECRET` is required. Operators can disable the bundled Cube deployment in Helm to use
-  an external cluster instead.
 - **Edge rate limiting is now required** for specific public and API-key routes. Those routes are no longer
  throttled inside the application server.
 - **AI features are configured at the instance level** via `AI_*` environment variables.
+- **XM Suite v5 analytics depends on Cube.js**. The Docker and one-click stack bundle it, while Helm
+  deployments still need a separate reachable Cube.js instance and `CUBEJS_API_SECRET`.

 <Warning>
  Formbricks v5 removes application-level rate limiting for several routes that are now expected to be
@@ -33,8 +32,7 @@ Before you restart your instance on Formbricks v5:
 - identify your current deployment type: one-click, manual Docker Compose, or Kubernetes/Helm
 - confirm Redis/Valkey and your file storage setup are already healthy from your v4 baseline
 - identify whether file uploads use external S3-compatible storage or a legacy bundled MinIO service
- budget approximately ~500 MB additional RAM headroom for the bundled Cube container (dashboards and analysis are part of the baseline now)
- decide whether this instance needs optional AI features
+- decide whether this instance needs AI features, dashboards/analysis, or only core survey flows
 - verify whether you already run Envoy Gateway or another equivalent edge rate limiter for the covered routes

 ### Required Config And Infrastructure Changes
@@ -77,15 +75,13 @@ enterprise functionality.
 - `AI_PROVIDER=azure` requires `AI_AZURE_API_KEY` and either `AI_AZURE_BASE_URL` or
  `AI_AZURE_RESOURCE_NAME`

-#### Cube
+#### Cube.js Analytics

-Cube is part of the baseline Formbricks v5 stack.
+XM Suite v5 dashboard and analysis features require Cube.js.

- the Docker, one-click, and Helm deployments all bundle the `cube` service by default
- the Formbricks app requires `CUBEJS_API_URL` and `CUBEJS_API_SECRET`; the install/dev-setup scripts
-  generate the secret automatically for new installs
- Helm operators who want to run an external Cube cluster can set `cube.enabled: false` and provide their
-  own endpoint via `deployment.env.CUBEJS_API_URL`
+- the Docker and one-click stack bundle the `cube` service and expect `CUBEJS_API_SECRET`
+- Helm deployments still need a separate reachable Cube.js instance
+- the Formbricks app expects `CUBEJS_API_URL` and `CUBEJS_API_SECRET`
 - if you run Cube yourself, you may also need to override `CUBEJS_DB_*` values for the Cube service

 ### Upgrade Steps By Deployment Type
@@ -146,15 +142,15 @@ Cube is part of the baseline Formbricks v5 stack.
    - add a non-empty `HUB_API_KEY` and reuse the same value wherever your deployment resolves Hub auth
    - keep `HUB_API_URL` at `http://hub:8080` unless Hub runs elsewhere
    - include the bundled `hub-migrate` and `hub` services
-    - sync `formbricks/cube/cube.js` and `formbricks/cube/schema/FeedbackRecords.js` from the current
-      release and ensure `formbricks/.env` contains `CUBEJS_API_SECRET` (Cube is part of the baseline stack
-      in v5)
+    - if you use the bundled XM Suite v5 analytics stack, sync `formbricks/cube/cube.js` and
+      `formbricks/cube/schema/FeedbackRecords.js` from the current release and ensure
+      `formbricks/.env` contains `CUBEJS_API_SECRET`
    - if your older setup still uses bundled MinIO for uploads, review that storage path separately before the
      first v5 restart; newer self-hosting updates move the bundled object-storage path to RustFS, while
      external S3-compatible storage keeps the same `S3_*` app contract
    - add any `AI_*` variables you need
-    - if you prefer to run an external Cube instance, point `CUBEJS_API_URL` at it and provide the matching
-      `CUBEJS_API_SECRET`; otherwise the bundled `cube` service runs against the local Postgres
+    - if you do not run the bundled Docker analytics path, point `CUBEJS_API_URL` at your external Cube.js
+      instance and provide the matching `CUBEJS_API_SECRET`

    After the compose file is updated and your edge rate limiter is in place:

@@ -175,14 +171,15 @@ Cube is part of the baseline Formbricks v5 stack.
    - `HUB_API_KEY` is configured and the same value is available wherever your deployment resolves Hub auth
    - `HUB_API_URL` points to the Hub service the app can reach
    - the compose stack includes `hub-migrate` and `hub`
-    - the v5 stack also includes `cube`, `cube/cube.js`, and `cube/schema/FeedbackRecords.js`, with
-      `CUBEJS_API_SECRET` available through your `.env` or shell environment
+    - the XM Suite v5 Docker stack also includes `cube`, `cube/cube.js`, and
+      `cube/schema/FeedbackRecords.js`, with `CUBEJS_API_SECRET` available through your `.env` or shell
+      environment
    - if your legacy Compose file still includes bundled MinIO for uploads, treat that as a separate storage
      review when comparing files; newer bundled storage guidance uses RustFS, while external S3-compatible
      storage keeps the same `S3_*` app contract
    - any `AI_*` variables you need are set
-    - if you prefer to run an external Cube instance, point `CUBEJS_API_URL` at it and supply the matching
-      `CUBEJS_API_SECRET`; otherwise the bundled `cube` service runs against the local Postgres
+    - if you override the bundled analytics path, point `CUBEJS_API_URL` at your external Cube.js instance and
+      supply the matching `CUBEJS_API_SECRET`

    Then restart the stack:

@@ -193,8 +190,8 @@ Cube is part of the baseline Formbricks v5 stack.
    ```

    <Info>
-      The v5 Docker Compose stack bundles Hub and Cube. Keep the bundled `cube/` config files in sync with
-      `docker-compose.yml` when you update this path.
+      The XM Suite v5 Docker Compose stack bundles Hub and Cube.js. Keep the bundled `cube/` config files in
+      sync with `docker-compose.yml` when you update this path.
    </Info>
  </Tab>
  <Tab title="Kubernetes">
@@ -214,8 +211,8 @@ Cube is part of the baseline Formbricks v5 stack.
      - `envoy.controller.enabled=false` when the cluster already has a compatible Envoy Gateway controller
    - if you use bundled Envoy rate limiting, enable a dedicated backend with `envoyRedis.enabled=true`
    - if you already have an equivalent edge rate limiter outside the chart, keep that protection in place
-    - `CUBEJS_API_SECRET` is provided (Cube is bundled by default at `cube.enabled: true`; set to `false`
-      and point `CUBEJS_API_URL` at your own endpoint if you prefer an external Cube cluster)
+    - if the instance needs XM Suite v5 analytics or dashboards, provide `CUBEJS_API_URL` and
+      `CUBEJS_API_SECRET` for the external Cube.js deployment
  </Tab>
 </Tabs>

@@ -228,7 +225,8 @@ After the upgrade:
 - verify any Hub-backed connector or feedback flows you use
 - verify covered routes are rate-limited at the edge layer
 - verify AI features only if you configured the required `AI_*` variables
- verify dashboards and analysis flows against the bundled (or external) Cube endpoint
+- verify dashboards and analysis flows only if your deployment path includes Cube.js or points to an external
+  Cube.js instance

 ### Troubleshooting And Rollback

@@ -240,9 +238,7 @@ Common upgrade issues:
  protected by the legacy in-app limiter
 - **Missing AI credentials**: AI features remain unavailable until `AI_PROVIDER`, `AI_MODEL`, and the matching
  provider credentials are set correctly
- **Missing `CUBEJS_API_SECRET`** (or unreachable Cube endpoint): the Formbricks app fails env validation
-  at boot, or — if env vars are present but Cube is unreachable — dashboards and analysis queries fail
-  while the rest of the app stays healthy
+- **Cube not configured**: dashboards or analysis queries fail even though the core Formbricks app is healthy

 If you need to roll back:

@@ -119,30 +119,30 @@ bundled Docker Compose or Helm assets, the following variables apply:
 | HUB_API_URL      | Base URL the Formbricks app uses to call Hub. With the bundled Docker stack, keep this at `http://hub:8080` unless Hub runs elsewhere.             | required | `http://hub:8080` (bundled Docker), `http://localhost:8080` (local dev) |
 | HUB_DATABASE_URL | PostgreSQL connection URL for Hub. Omit to use the same database as Formbricks.    | optional | Same as Formbricks `DATABASE_URL` (shared database) |

-#### Cube Analytics
+#### Cube.js Analytics for XM Suite v5

-Cube is part of the baseline Formbricks v5 stack and is required. Formbricks generates the backend
+XM Suite v5 dashboard and analysis features require a reachable Cube.js instance. Formbricks generates the backend
 Cube JWT from `CUBEJS_API_SECRET`, so `CUBEJS_API_TOKEN` is not part of the supported setup contract.
+If you do not use XM Suite v5 analytics, omit the Cube variables and leave the bundled Docker `xm` profile disabled.

-| Variable                  | Description                                                                                            | Required | Default                              |
-| ------------------------- | ------------------------------------------------------------------------------------------------------ | -------- | ------------------------------------ |
-| CUBEJS_API_URL            | Base URL the Formbricks app uses to call Cube. Local dev (app on host): `http://localhost:4000`. Docker/container: `http://cube:4000` (service name). | required | |
-| CUBEJS_API_SECRET         | Shared secret Formbricks uses to sign Cube API JWTs. Generate with `openssl rand -hex 32`.             | required |                                      |
-| CUBEJS_JWT_ISSUER         | JWT issuer expected by Cube and used by Formbricks when signing per-request Cube tokens.               | optional | `formbricks-web`                     |
-| CUBEJS_JWT_AUDIENCE       | JWT audience expected by Cube and used by Formbricks when signing per-request Cube tokens.             | optional | `formbricks-cube`                    |
-| CUBEJS_DB_HOST            | Database host for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional | Depends on your Cube deployment      |
-| CUBEJS_DB_PORT            | Database port for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional | Depends on your Cube deployment      |
-| CUBEJS_DB_NAME            | Database name for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional | Depends on your Cube deployment      |
-| CUBEJS_DB_USER            | Database user for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional | Depends on your Cube deployment      |
-| CUBEJS_DB_PASS            | Database password for the Cube service. Only needed when you run Cube yourself and override defaults.  | optional | Depends on your Cube deployment      |
+| Variable                  | Description                                                                                            | Required                           | Default                              |
+| ------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------------------- | ------------------------------------ |
+| CUBEJS_API_URL            | Base URL the Formbricks app uses to call Cube. Use `http://localhost:4000` locally.                    | required for XM Suite v5 analytics | `http://localhost:4000` in local dev |
+| CUBEJS_API_SECRET         | Shared secret Formbricks uses to sign Cube API JWTs. Generate with `openssl rand -hex 32`.             | required for XM Suite v5 analytics |                                      |
+| CUBEJS_JWT_ISSUER         | JWT issuer expected by Cube and used by Formbricks when signing per-request Cube tokens.               | optional                           | `formbricks-web`                     |
+| CUBEJS_JWT_AUDIENCE       | JWT audience expected by Cube and used by Formbricks when signing per-request Cube tokens.             | optional                           | `formbricks-cube`                    |
+| CUBEJS_DB_HOST            | Database host for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional                           | Depends on your Cube deployment      |
+| CUBEJS_DB_PORT            | Database port for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional                           | Depends on your Cube deployment      |
+| CUBEJS_DB_NAME            | Database name for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional                           | Depends on your Cube deployment      |
+| CUBEJS_DB_USER            | Database user for the Cube service. Only needed when you run Cube yourself and override defaults.      | optional                           | Depends on your Cube deployment      |
+| CUBEJS_DB_PASS            | Database password for the Cube service. Only needed when you run Cube yourself and override defaults.  | optional                           | Depends on your Cube deployment      |

 The bundled Docker Compose Cube service sets `CUBEJS_DEFAULT_API_SCOPES=meta,data` directly on the Cube
 container. If you run Cube outside the bundled Compose stack, configure the equivalent Cube service environment
 there rather than adding it to the Formbricks app environment.

-For Helm deployments, the chart deploys Cube by default (`cube.enabled: true`). To use an external Cube
-cluster instead, set `cube.enabled: false`, point `CUBEJS_API_URL` at your endpoint, and supply
-`CUBEJS_API_SECRET` through your existing secret management setup.
+For Helm deployments, Formbricks does not deploy Cube for you in this chart. Provide an external Cube endpoint with
+`CUBEJS_API_URL` and supply `CUBEJS_API_SECRET` through your existing secret management setup.

 <!-- prettier-ignore-end -->

@@ -16,8 +16,8 @@ Make sure Docker and Docker Compose are installed on your system. These are usua
 </Note>

 <Info>
-  Starting with Formbricks v5, the production Docker Compose stack includes Formbricks Hub and Cube as part of
-  the baseline. Generate `HUB_API_KEY` and `CUBEJS_API_SECRET` during setup, keep `HUB_API_URL` at its
+  Starting with Formbricks v5, the production Docker Compose stack includes Formbricks Hub and the XM Suite v5
+  Cube.js services. Generate `HUB_API_KEY` and `CUBEJS_API_SECRET` during setup, keep `HUB_API_URL` at its
  internal default unless Hub runs elsewhere, and use the [migration guide](/self-hosting/advanced/migration#v5)
  when upgrading an existing 4.x instance.
 </Info>
@@ -34,7 +34,7 @@ Make sure Docker and Docker Compose are installed on your system. These are usua

 1. **Download the Docker Files**

-   Get the Docker Compose file plus the Cube configuration shipped with the baseline stack:
+   Get the Docker Compose file plus the Cube.js configuration shipped with the XM Suite v5 stack:

   ```bash
   mkdir -p cube/schema
@@ -43,12 +43,15 @@ Make sure Docker and Docker Compose are installed on your system. These are usua
   curl -o cube/schema/FeedbackRecords.js https://raw.githubusercontent.com/formbricks/formbricks/stable/docker/cube/schema/FeedbackRecords.js
   ```

-1. **Generate Hub and Cube Secrets**
+1. **Generate Hub Secret and Optional Cube Secret**

-   Formbricks Hub and Cube each require a shared secret. Create `.env` with both:
+   Formbricks Hub requires an API key. XM Suite v5 analytics also requires Cube.js; set the optional `xm`
+   Compose profile and Cube secret when you want to run the bundled Cube service. For a Hub-only stack, create
+   `.env` with just `HUB_API_KEY` and omit `COMPOSE_PROFILES` and `CUBEJS_API_SECRET`.

   ```bash
   cat <<EOF > .env
+   COMPOSE_PROFILES=xm
   HUB_API_KEY=$(openssl rand -hex 32)
   CUBEJS_API_SECRET=$(openssl rand -hex 32)
   CUBEJS_JWT_ISSUER=formbricks-web
@@ -130,7 +133,8 @@ Make sure Docker and Docker Compose are installed on your system. These are usua
 1. **Start the Docker Setup**

   Now, you're ready to run Formbricks with Docker. Use the command below to start Formbricks together with
-   PostgreSQL, Redis, Formbricks Hub, and Cube.
+   PostgreSQL, Redis, and Formbricks Hub. If the `xm` profile is set in `.env`, Docker Compose also starts Cube.js
+   for XM Suite v5 analytics.

   ```bash
   docker compose up -d
@@ -143,8 +147,8 @@ Make sure Docker and Docker Compose are installed on your system. These are usua
   Once the setup is running, open [**http://localhost:3000**](http://localhost:3000) in your browser to access Formbricks. The first time you visit, you'll see a setup wizard. Follow the steps to create your first user and start using Formbricks.

 <Note>
-  The bundled Docker stack keeps Formbricks Hub and Cube internal to the compose network. The app reaches
-  them through `http://hub:8080` and `http://cube:4000`.
+  The bundled Docker stack keeps Formbricks Hub internal to the compose network. When the `xm` profile is
+  enabled, Cube.js is internal too. The app reaches them through `http://hub:8080` and `http://cube:4000`.
 </Note>

 <Info>
@@ -160,8 +164,8 @@ Please take a look at our [migration guide](/self-hosting/advanced/migration) fo

 <Info>
  For a major migration such as Formbricks 4.x to 5.0, update your compose structure and configuration first.
-  Pulling images alone is not enough if your stack does not yet include Hub (`HUB_API_KEY`), Cube (`cube/`
-  config files plus `CUBEJS_API_SECRET`), or the new edge rate-limiting setup.
+  Pulling images alone is not enough if your stack does not yet include Hub, `HUB_API_KEY`, the bundled
+  `cube/` config files plus `CUBEJS_API_SECRET`, or the new edge rate-limiting setup.
 </Info>

 1. Pull the latest Formbricks image
@@ -109,14 +109,13 @@ envoyRedis:

 This keeps Envoy rate-limiting state separate from the application's own Redis traffic.

-### Cube
+### Cube Is Optional

-Cube is part of the baseline Formbricks v5 stack and is bundled with the chart by default
-(`cube.enabled: true`). To run an external Cube cluster instead:
+Cube is only needed for analytics dashboards or other analysis flows that depend on Cube queries.

- set `cube.enabled: false` to skip the bundled Cube deployment
- point the app at your external endpoint via `deployment.env.CUBEJS_API_URL`
- supply `CUBEJS_API_SECRET` via `deployment.env` or `deployment.envFrom`
+- deploy Cube separately when you need it
+- configure `CUBEJS_API_URL` and `CUBEJS_API_SECRET` for the Formbricks app
+- do not expect the main Formbricks chart to provision Cube automatically

 ## 4. Upgrade The Deployment

@@ -134,8 +133,7 @@ For a Formbricks 4.x to 5.0 migration, confirm the following before running the
 - `HUB_API_KEY` is present
 - your edge rate-limiting plan is in place
 - any required `AI_*` variables are added
- `CUBEJS_API_SECRET` is configured (Cube is bundled by default; provide an external endpoint if you set
-  `cube.enabled: false`)
+- Cube is configured only if this instance needs analytics dashboards or analysis queries

 ## 5. Key Values

@@ -53,8 +53,8 @@ curl -fsSL https://raw.githubusercontent.com/formbricks/formbricks/stable/docker
 ```

 <Info>
-  The current v5 one-click stack is based on the production Docker Compose file and includes Formbricks Hub
-  and Cube as part of the baseline (Cube configuration lives under `formbricks/cube/`). Ensure your generated
+  The current v5 one-click stack is based on the production Docker Compose file and includes Formbricks Hub plus
+  the bundled XM Suite v5 Cube.js files under `formbricks/cube/`. Ensure your generated
  `formbricks/docker-compose.yml` contains a non-empty `HUB_API_KEY` and that `formbricks/.env` contains
  `CUBEJS_API_SECRET` before treating the v5 stack as ready. If either value is missing after the script
  finishes, add it manually. `HUB_API_URL` should normally stay at `http://hub:8080`.
@@ -91,14 +91,17 @@ describe("@formbricks/cache types/keys", () => {
  });

  describe("CustomCacheNamespace type", () => {
-    test("should include expected namespaces", () => {
+    test("should support known custom namespaces in parsed cache keys", () => {
      // Type test - this will fail at compile time if types don't match
-      const accountDeletionNamespace: CustomCacheNamespace = "account_deletion";
-      const analyticsNamespace: CustomCacheNamespace = "analytics";
-      const billingNamespace: CustomCacheNamespace = "billing";
-      expect(accountDeletionNamespace).toBe("account_deletion");
-      expect(analyticsNamespace).toBe("analytics");
-      expect(billingNamespace).toBe("billing");
+      const namespaces: CustomCacheNamespace[] = ["account_deletion", "analytics", "billing", "oauth"];
+      const cacheKeys = namespaces.map((namespace) => ZCacheKey.parse(`${namespace}:test:123`));
+
+      expect(cacheKeys).toEqual([
+        "account_deletion:test:123",
+        "analytics:test:123",
+        "billing:test:123",
+        "oauth:test:123",
+      ]);
    });

    test("should be usable in cache key construction", () => {
@@ -16,4 +16,4 @@ export type CacheKey = z.infer<typeof ZCacheKey>;
 * Possible namespaces for custom cache keys
 * Add new namespaces here as they are introduced
 */
-export type CustomCacheNamespace = "account_deletion" | "analytics" | "billing";
+export type CustomCacheNamespace = "account_deletion" | "analytics" | "billing" | "oauth";
@@ -31,6 +31,14 @@ class ValidationError extends Error {
  }
 }

+class ConfigurationError extends Error {
+  statusCode = 503;
+  constructor(message: string) {
+    super(message);
+    this.name = "ConfigurationError";
+  }
+}
+
 class QueryExecutionError extends Error {
  statusCode = 500;
  constructor(message: string) {
@@ -143,6 +151,7 @@ export {
  ResourceNotFoundError,
  InvalidInputError,
  ValidationError,
+  ConfigurationError,
  QueryExecutionError,
  DatabaseError,
  UniqueConstraintError,
@@ -172,6 +181,7 @@ export const EXPECTED_ERROR_NAMES = new Set([
  "AuthorizationError",
  "InvalidInputError",
  "ValidationError",
+  "ConfigurationError",
  "QueryExecutionError",
  "AuthenticationError",
  "OperationNotAllowedError",
@@ -278,13 +278,11 @@ export const ZSurveyRecaptcha = z

 export type TSurveyRecaptcha = z.infer<typeof ZSurveyRecaptcha>;

-export const ZSurveyMetadata = z
-  .object({
-    title: ZI18nString.optional(),
-    description: ZI18nString.optional(),
-    ogImage: ZStorageUrl.optional(),
-  })
-  .catchall(z.unknown());
+export const ZSurveyMetadata = z.object({
+  title: ZI18nString.optional(),
+  description: ZI18nString.optional(),
+  ogImage: ZStorageUrl.optional(),
+});

 export type TSurveyMetadata = z.infer<typeof ZSurveyMetadata>;

@@ -1,135 +1,237 @@
 {
  "$schema": "https://turborepo.org/schema.json",
-  "globalEnv": [],
  "tasks": {
    "@formbricks/ai#build": {
-      "dependsOn": ["@formbricks/logger#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/ai#lint": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/ai#test": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/ai#test:coverage": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/cache#build": {
-      "dependsOn": ["@formbricks/logger#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/cache#go": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/cache#lint": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/cache#test": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/cache#test:coverage": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/database#build": {
-      "dependsOn": ["^build"],
-      "outputs": ["dist/**", "../../node_modules/.prisma/client/**"]
+      "dependsOn": [
+        "^build"
+      ],
+      "outputs": [
+        "dist/**",
+        "../../node_modules/.prisma/client/**"
+      ]
    },
    "@formbricks/database#lint": {
-      "dependsOn": ["@formbricks/logger#build", "@formbricks/database#build"]
+      "dependsOn": [
+        "@formbricks/logger#build",
+        "@formbricks/database#build"
+      ]
    },
    "@formbricks/email#build": {
-      "dependsOn": ["^build"],
+      "dependsOn": [
+        "^build"
+      ],
      "outputs": []
    },
    "@formbricks/i18n-utils#build": {
-      "dependsOn": ["^build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/i18n-utils#lint": {
-      "dependsOn": ["^lint"]
+      "dependsOn": [
+        "^lint"
+      ]
    },
    "@formbricks/i18n-utils#test": {
-      "dependsOn": ["@formbricks/i18n-utils#build"]
+      "dependsOn": [
+        "@formbricks/i18n-utils#build"
+      ]
    },
    "@formbricks/jobs#build": {
-      "dependsOn": ["@formbricks/logger#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/jobs#lint": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/jobs#test": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/jobs#test:coverage": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/js-core#build": {
-      "dependsOn": ["^build", "@formbricks/database#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build",
+        "@formbricks/database#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/js-core#go": {
      "cache": false,
-      "dependsOn": ["@formbricks/database#db:setup"],
+      "dependsOn": [
+        "@formbricks/database#db:setup"
+      ],
      "persistent": true
    },
    "@formbricks/js-core#lint": {
-      "dependsOn": ["@formbricks/database#build"]
+      "dependsOn": [
+        "@formbricks/database#build"
+      ]
    },
    "@formbricks/logger#build": {
-      "dependsOn": ["^build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/storage#build": {
-      "dependsOn": ["@formbricks/logger#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/storage#go": {
      "cache": false,
-      "dependsOn": ["@formbricks/storage#build"],
+      "dependsOn": [
+        "@formbricks/storage#build"
+      ],
      "persistent": true
    },
    "@formbricks/storage#lint": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/storage#test": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/storage#test:coverage": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "@formbricks/survey-ui#build": {
-      "dependsOn": ["^build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/survey-ui#build:dev": {
-      "dependsOn": ["^build:dev"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build:dev"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/survey-ui#go": {
      "cache": false,
-      "dependsOn": ["@formbricks/survey-ui#build"],
+      "dependsOn": [
+        "@formbricks/survey-ui#build"
+      ],
      "persistent": true
    },
    "@formbricks/surveys#build": {
-      "dependsOn": ["^build", "@formbricks/survey-ui#build"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build",
+        "@formbricks/survey-ui#build"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/surveys#build:dev": {
-      "dependsOn": ["^build:dev", "@formbricks/i18n-utils#build", "@formbricks/survey-ui#build:dev"],
-      "outputs": ["dist/**"]
+      "dependsOn": [
+        "^build:dev",
+        "@formbricks/i18n-utils#build",
+        "@formbricks/survey-ui#build:dev"
+      ],
+      "outputs": [
+        "dist/**"
+      ]
    },
    "@formbricks/surveys#go": {
      "cache": false,
-      "dependsOn": ["@formbricks/survey-ui#build", "@formbricks/surveys#build"],
+      "dependsOn": [
+        "@formbricks/survey-ui#build",
+        "@formbricks/surveys#build"
+      ],
      "persistent": true
    },
    "@formbricks/surveys#test": {
-      "dependsOn": ["@formbricks/survey-ui#build"]
+      "dependsOn": [
+        "@formbricks/survey-ui#build"
+      ]
    },
    "@formbricks/surveys#test:coverage": {
-      "dependsOn": ["@formbricks/survey-ui#build"]
+      "dependsOn": [
+        "@formbricks/survey-ui#build"
+      ]
    },
    "@formbricks/web#dev": {
      "cache": false,
@@ -179,7 +281,9 @@
      ]
    },
    "build": {
-      "dependsOn": ["^build"],
+      "dependsOn": [
+        "^build"
+      ],
      "env": [
        "AUDIT_LOG_ENABLED",
        "AUDIT_LOG_GET_USER_IP",
@@ -324,11 +428,19 @@
        "PROMETHEUS_EXPORTER_PORT",
        "USER_MANAGEMENT_MINIMUM_ROLE"
      ],
-      "outputs": ["dist/**", ".next/**"]
+      "outputs": [
+        "dist/**",
+        ".next/**"
+      ]
    },
    "build:dev": {
-      "dependsOn": ["^build:dev"],
-      "outputs": ["dist/**", ".next/**"]
+      "dependsOn": [
+        "^build:dev"
+      ],
+      "outputs": [
+        "dist/**",
+        ".next/**"
+      ]
    },
    "clean": {
      "cache": false,
@@ -350,12 +462,17 @@
      "outputs": []
    },
    "db:seed": {
-      "env": ["ALLOW_SEED"],
+      "env": [
+        "ALLOW_SEED"
+      ],
      "outputs": []
    },
    "db:setup": {
      "cache": false,
-      "dependsOn": ["@formbricks/logger#build", "@formbricks/database#build"],
+      "dependsOn": [
+        "@formbricks/logger#build",
+        "@formbricks/database#build"
+      ],
      "outputs": []
    },
    "db:start": {
@@ -370,7 +487,9 @@
      "persistent": true
    },
    "generate": {
-      "dependsOn": ["^generate"]
+      "dependsOn": [
+        "^generate"
+      ]
    },
    "go": {
      "cache": false,
@@ -387,7 +506,9 @@
      "persistent": true
    },
    "storybook#storybook": {
-      "dependsOn": ["@formbricks/logger#build"]
+      "dependsOn": [
+        "@formbricks/logger#build"
+      ]
    },
    "test": {
      "outputs": []
@@ -396,5 +517,6 @@
      "outputs": []
    }
  },
-  "ui": "stream"
+  "ui": "stream",
+  "globalEnv": []
 }
Author	SHA1	Message	Date
Tiago Farto	1fb59f4b60	chore: improved test coverage	2026-05-18 12:09:01 +00:00
Tiago Farto	ebf8fc017c	chore: improve test coverage	2026-05-18 11:57:56 +00:00
Tiago Farto	5c4f5eb0d6	chore: increased test coverage	2026-05-18 11:41:30 +00:00
Tiago Farto	fe4b7d9962	chore: linting fixes	2026-05-18 11:20:53 +00:00
Tiago Farto	a9939c65c4	fix: add CSRF protection to integration OAuth flows	2026-05-18 10:28:38 +00:00