chore: updates to aws cloud resources (#4996)

Co-authored-by: Piyush Gupta <piyushguptaa2z123@gmail.com>
Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>

.env.example

@@ -39,6 +39,7 @@ DATABASE_URL='postgresql://postgres:postgres@localhost:5432/formbricks?schema=pu
 # See optional configurations below if you want to disable these features.
 
 MAIL_FROM=noreply@example.com
+MAIL_FROM_NAME=Formbricks
 SMTP_HOST=localhost
 SMTP_PORT=1025
 # Enable SMTP_SECURE_ENABLED for TLS (port 465)
@@ -96,6 +97,9 @@ PASSWORD_RESET_DISABLED=1
 # Organization Invite. Disable the ability for invited users to create an account.
 # INVITE_DISABLED=1
 
+# Docker cron jobs. Disable the supercronic cron jobs in the Docker image (useful for cluster setups).
+# DOCKER_CRON_ENABLED=1
+
 ##########
 # Other  #
 ##########
@@ -184,11 +188,16 @@ ENTERPRISE_LICENSE_KEY=
 UNSPLASH_ACCESS_KEY=
 
 # The below is used for Next Caching (uses In-Memory from Next Cache if not provided)
-# REDIS_URL=redis://localhost:6379
+# You can also add more configuration to Redis using the redis.conf file in the root directory
+REDIS_URL=redis://localhost:6379
+REDIS_DEFAULT_TTL=86400 # 1 day 
 
 # The below is used for Rate Limiting (uses In-Memory LRU Cache if not provided) (You can use a service like Webdis for this)
 # REDIS_HTTP_URL:
 
+# The below is used for Rate Limiting for management API
+UNKEY_ROOT_KEY=
+
 # Disable custom cache handler if necessary (e.g. if deployed on Vercel)
 # CUSTOM_CACHE_DISABLED=1
 
@@ -198,5 +207,10 @@ UNSPLASH_ACCESS_KEY=
 # AI_AZURE_EMBEDDINGS_DEPLOYMENT_ID=
 # AI_AZURE_LLM_DEPLOYMENT_ID=
 
-# NEXT_PUBLIC_INTERCOM_APP_ID=
+# INTERCOM_APP_ID=
-# INTERCOM_SECRET_KEY=
+# INTERCOM_SECRET_KEY=
+
+# Enable Prometheus metrics
+# PROMETHEUS_ENABLED=
+# PROMETHEUS_EXPORTER_PORT=
+

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,6 +1,7 @@
 name: Bug report
 description: "Found a bug? Please fill out the sections below. \U0001F44D"
 type: bug
+labels: ["bug"]
 body:
   - type: textarea
     id: issue-summary

.github/workflows/apply-issue-labels-to-pr.yml

@@ -5,6 +5,9 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   label_on_pr:
     runs-on: ubuntu-latest
@@ -15,8 +18,13 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Apply labels from linked issue to PR
-        uses: actions/github-script@v5
+        uses: actions/github-script@211cb3fefb35a799baa5156f9321bb774fe56294 # v5.2.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/build-web.yml

@@ -12,7 +12,12 @@ jobs:
     timeout-minutes: 30
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - uses: ./.github/actions/dangerous-git-checkout
 
       - name: Build & Cache Web Binaries

.github/workflows/chromatic.yml

@@ -11,19 +11,24 @@ jobs:
     name: Run Chromatic
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 20
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
       - name: Install dependencies
         run: pnpm install --config.platform=linux --config.architecture=x64
       - name: Run Chromatic
-        uses: chromaui/action@latest
+        uses: chromaui/action@c93e0bc3a63aa176e14a75b61a31847cbfdd341c # latest
         with:
           # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}

.github/workflows/cron-surveyStatusUpdate.yml

@@ -18,6 +18,11 @@ jobs:
       CRON_SECRET: ${{ secrets.CRON_SECRET }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: cURL request
         if: ${{ env.APP_URL && env.CRON_SECRET }}
         run: |

.github/workflows/cron-weeklySummary.yml

@@ -7,6 +7,9 @@ on:
   schedule:
     # Runs “At 08:00 on Monday.” (see https://crontab.guru)
     - cron: "0 8 * * 1"
+permissions:
+  contents: read
+
 jobs:
   cron-weeklySummary:
     permissions:
@@ -16,6 +19,10 @@ jobs:
       CRON_SECRET: ${{ secrets.CRON_SECRET }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        with:
+          egress-policy: audit
       - name: cURL request
         if: ${{ env.APP_URL && env.CRON_SECRET }}
         run: |

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/e2e.yml

@@ -43,16 +43,21 @@ jobs:
           --health-timeout=5s
           --health-retries=5
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - uses: ./.github/actions/dangerous-git-checkout
 
       - name: Setup Node.js 20.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 20.x
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Install dependencies
         run: pnpm install --config.platform=linux --config.architecture=x64
@@ -84,7 +89,7 @@ jobs:
 
       - name: Run App
         run: |
-          NODE_ENV=test pnpm start --filter=@formbricks/web &
+          NODE_ENV=test pnpm start --filter=@formbricks/web | tee app.log 2>&1 &
           sleep 10  # Optional: gives some buffer for the app to start
           for attempt in {1..10}; do
             if [ $(curl -o /dev/null -s -w "%{http_code}" http://localhost:3000/health) -eq 200 ]; then
@@ -112,7 +117,7 @@ jobs:
 
       - name: Azure login
         if: env.AZURE_ENABLED == 'true'
-        uses: azure/login@v2
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -130,9 +135,19 @@ jobs:
         run: |
           pnpm test:e2e
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         if: always()
         with:
           name: playwright-report
           path: playwright-report/
           retention-days: 30
+
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        if: failure()
+        with:
+          name: app-logs
+          path: app.log
+
+      - name: Output App Logs
+        if: failure()
+        run: cat app.log

.github/workflows/labeler.yml

@@ -4,6 +4,9 @@ on:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   labeler:
     name: Pull Request Labeler
@@ -12,7 +15,12 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           # https://github.com/actions/labeler/issues/442#issuecomment-1297359481

.github/workflows/lint.yml

@@ -12,6 +12,11 @@ jobs:
     timeout-minutes: 15
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - uses: ./.github/actions/dangerous-git-checkout
 

.github/workflows/pr.yml

@@ -50,6 +50,10 @@ jobs:
       checks: write
       statuses: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481
+        with:
+          egress-policy: audit
       - name: fail if conditional jobs failed
         if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'skipped') || contains(needs.*.result, 'cancelled')
         run: exit 1

.github/workflows/prepare-release.yml

@@ -1,62 +0,0 @@
-name: Prepare release
-run-name: Prepare release ${{ inputs.next_version }}
-
-on:
-  workflow_dispatch:
-    inputs:
-      next_version:
-        required: true
-        type: string
-        description: "Version name"
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  prepare_release:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - uses: ./.github/actions/dangerous-git-checkout
-
-      - name: Configure git
-        run: |
-          git config --local user.email "github-actions@github.com"
-          git config --local user.name "GitHub Actions"
-
-      - name: Setup Node.js 20.x
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af
-        with:
-          node-version: 20.x
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2
-
-      - name: Install dependencies
-        run: pnpm install --config.platform=linux --config.architecture=x64
-
-      - name: Bump version
-        run: |
-          cd apps/web
-          pnpm version ${{ inputs.next_version }} --no-workspaces-update
-
-      - name: Commit changes and create a branch
-        run: |
-          branch_name="release-v${{ inputs.next_version }}"
-          git checkout -b "$branch_name"
-          git add .
-          git commit -m "chore: release v${{ inputs.next_version }}"
-          git push origin "$branch_name"
-
-      - name: Create pull request
-        run: |
-          gh pr create \
-            --base main \
-            --head "release-v${{ inputs.next_version }}" \
-            --title "chore: bump version to v${{ inputs.next_version }}" \
-            --body "This PR contains the changes for the v${{ inputs.next_version }} release."
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-changesets.yml

@@ -26,23 +26,28 @@ jobs:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Setup Node.js 18.x
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2
         with:
           node-version: 18.x
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v2.2.4
+        uses: pnpm/action-setup@c3b53f6a16e57305370b4ae5a540c2077a1d50dd # v2.2.4
 
       - name: Install Dependencies
         run: pnpm install --config.platform=linux --config.architecture=x64
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1.4.9
         with:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: pnpm release

.github/workflows/release-docker-github-experimental.yml

@@ -17,6 +17,9 @@ env:
   TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
   DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -28,23 +31,28 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3 # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -54,7 +62,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5 # v5.0.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -62,7 +70,7 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
         with:
           project: tw0fqmsx3c
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}

.github/workflows/release-docker-github.yml

@@ -20,6 +20,9 @@ env:
   TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
   DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -31,23 +34,40 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      - name: Get Release Tag
+        id: extract_release_tag
+        run: |
+          TAG=${{ github.ref }}
+          TAG=${TAG#refs/tags/v}
+          echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
+
+      - name: Update package.json version
+        run: |
+          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
+          cat ./apps/web/package.json | grep version
 
       - name: Set up Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3.5.0
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3 # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -57,7 +77,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5 # v5.0.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -65,7 +85,7 @@ jobs:
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
         with:
           project: tw0fqmsx3c
           token: ${{ secrets.DEPOT_PROJECT_TOKEN }}

.github/workflows/release-docker.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
 jobs:
   release-image-on-dockerhub:
     name: Release on Dockerhub
@@ -16,17 +19,13 @@ jobs:
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
       DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public"
     steps:
-      - name: Checkout Repo
+      - name: Harden the runner (Audit all outbound calls)
-        uses: actions/checkout@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
+          egress-policy: audit
-          password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Set up Docker Buildx
+      - name: Checkout Repo
-        uses: docker/setup-buildx-action@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Get Release Tag
         id: extract_release_tag
@@ -35,8 +34,22 @@ jobs:
           TAG=${TAG#refs/tags/v}
           echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
 
+      - name: Update package.json version
+        run: |
+          sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ env.RELEASE_TAG }}\"/" ./apps/web/package.json
+          cat ./apps/web/package.json | grep version
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
+
       - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
         with:
           context: .
           file: ./apps/web/Dockerfile

.github/workflows/release-helm-chart.yml

@@ -0,0 +1,51 @@
+name: Publish Helm Chart
+
+on:
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Extract release version
+        run: echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
+
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: latest
+
+      - name: Log in to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+
+      - name: Install YQ
+        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1
+
+      - name: Update Chart.yaml with new version
+        run: |
+          yq -i ".version = \"${VERSION#v}\"" helm-chart/Chart.yaml
+          yq -i ".appVersion = \"${VERSION}\"" helm-chart/Chart.yaml
+
+      - name: Package Helm chart
+        run: |
+          helm package ./helm-chart
+
+      - name: Push Helm chart to GitHub Container Registry
+        run: |
+          helm push formbricks-${VERSION#v}.tgz oci://ghcr.io/formbricks/helm-charts

.github/workflows/scorecard.yml

@@ -34,6 +34,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -71,6 +76,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif

.github/workflows/semantic-pull-requests.yml

@@ -16,7 +16,12 @@ jobs:
     name: PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -35,7 +40,7 @@ jobs:
             revert
             ossgg
 
-      - uses: marocchino/sticky-pull-request-comment@v2
+      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
         # When the previous steps fails, the workflow would stop. By adding this
         # condition you can continue the execution with the populated error message.
         if: always() && (steps.lint_pr_title.outputs.error_message != null)
@@ -54,7 +59,7 @@ jobs:
 
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
         with:
           header: pr-title-lint-error
           message: |

.github/workflows/sonarqube.yml

@@ -14,7 +14,12 @@ jobs:
     name: SonarQube
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 

.github/workflows/terrafrom-plan-and-apply.yml

@@ -0,0 +1,74 @@
+name: 'Terraform'
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: write
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
+          aws-region: "eu-central-1"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check -recursive
+        continue-on-error: true
+        working-directory: infra/terraform
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+        working-directory: infra/terraform
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate
+        working-directory: infra/terraform
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -out .planfile
+        working-directory: infra/terraform
+
+      - name: Post PR comment
+        uses: borchero/terraform-plan-comment@3399d8dbae8b05185e815e02361ede2949cd99c4 # v2.4.0
+        if: always() && github.ref != 'refs/heads/main' && (steps.validate.outcome == 'success' || steps.validate.outcome == 'failure')
+        with:
+          token: ${{ github.token }}
+          planfile: .planfile
+          working-directory: "infra/terraform"
+          skip-comment: true
+
+      - name: Terraform Apply
+        id: apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply .planfile
+        working-directory: "infra/terraform"
+

.github/workflows/test.yml

@@ -1,6 +1,9 @@
 name: Tests
 on:
   workflow_call:
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Unit Tests
@@ -10,16 +13,21 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - uses: ./.github/actions/dangerous-git-checkout
 
       - name: Setup Node.js 20.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
         with:
           node-version: 20.x
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Install dependencies
         run: pnpm install --config.platform=linux --config.architecture=x64

.github/workflows/tolgee-missing-key-check.yml

@@ -5,18 +5,30 @@ permissions:
 
 on:
   workflow_dispatch:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
 
 jobs:
   check-missing-translations:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+
+      - name: Checkout PR
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 18
 

.github/workflows/tolgee.yml

@@ -3,7 +3,7 @@ permissions:
   contents: read
 
 on:
-  pull_request:
+  pull_request_target:
     types: [closed]
     branches:
       - main
@@ -15,30 +15,33 @@ jobs:
     if: github.event.pull_request.merged == true
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # This ensures we get the full git history
 
       - name: Get source branch name
         id: branch-name
         run: |
-          # For PR merges, use the head ref from the pull request event
+          RAW_BRANCH="${{ github.head_ref }}"
-          SOURCE_BRANCH="${{ github.head_ref }}"
+          SOURCE_BRANCH=$(echo "$RAW_BRANCH" | sed 's/[^a-zA-Z0-9._\/-]//g')
 
-          # Only remove username prefix if needed
-          if [[ "$SOURCE_BRANCH" =~ ^[a-zA-Z0-9][a-zA-Z0-9-]+/ ]]; then
-            PREFIX=${SOURCE_BRANCH%%/*}
-            if [[ ! "$PREFIX" =~ ^(feature|fix|bugfix|hotfix|release|chore|docs|test|refactor|style|perf|build|ci|revert)$ ]]; then
-              SOURCE_BRANCH=${SOURCE_BRANCH#*/}
-            fi
-          fi
 
-          echo "SOURCE_BRANCH=$SOURCE_BRANCH" >> $GITHUB_ENV
+          # Safely add to environment variables using GitHub's recommended method
+          # This prevents environment variable injection attacks
+          echo "SOURCE_BRANCH<<EOF" >> $GITHUB_ENV
+          echo "$SOURCE_BRANCH" >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
+
           echo "Detected source branch: $SOURCE_BRANCH"
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version: 18 # Ensure compatibility with your project
 
@@ -77,7 +80,7 @@ jobs:
             --yes
 
       - name: Upload backup as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: tolgee-backup-${{ github.sha }}
           path: ./tolgee-backup

.github/workflows/welcome-new-contributors.yml

@@ -17,7 +17,12 @@ jobs:
     timeout-minutes: 10
     if: github.event.action == 'opened'
     steps:
-      - uses: actions/first-interaction@v1
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/first-interaction@3c71ce730280171fd1cfb57c00c774f8998586f7 # v1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           pr-message: |-

.gitignore

@@ -53,4 +53,22 @@ yarn-error.log*
 packages/lib/uploads
 apps/web/public/js
 packages/database/migrations
-branch.json
+branch.json
+.vercel
+
+# Terraform
+infra/terraform/.terraform/
+**/.terraform.lock.hcl
+**/terraform.tfstate
+**/terraform.tfstate.*
+**/crash.log
+**/override.tf
+**/override.tf.json
+**/*.tfvars
+**/*.tfvars.json
+**/.terraformrc
+**/terraform.rc
+
+# IntelliJ IDEA
+/.idea/
+/*.iml

.gitpod/init.bash

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-images=($(yq eval '.services.*.image' packages/database/docker-compose.yml))
+images=($(yq eval '.services.*.image' docker-compose.dev.yml))
 
 pull_image() {
   docker pull "$1"

.tolgeerc.json

@@ -27,6 +27,10 @@
       {
         "language": "zh-Hant-TW",
         "path": "./packages/lib/messages/zh-Hant-TW.json"
+      },
+      {
+        "language": "pt-PT",
+        "path": "./packages/lib/messages/pt-PT.json"
       }
     ],
     "forceMode": "OVERRIDE"

.vscode/extensions.json

@@ -6,6 +6,8 @@
     "dbaeumer.vscode-eslint", // eslint plugin
     "esbenp.prettier-vscode", // prettier plugin
     "Prisma.prisma", // syntax|format|completion for prisma
-    "yzhang.markdown-all-in-one" // nicer markdown support
+    "yzhang.markdown-all-in-one", // nicer markdown support
+    "vitest.explorer", // run tests directly from the code window
+    "sonarsource.sonarlint-vscode" // sonarqube linter for vscode
   ]
 }

LICENSE

@@ -3,7 +3,7 @@ Copyright (c) 2024 Formbricks GmbH
 Portions of this software are licensed as follows:
 
 - All content that resides under the "apps/web/modules/ee" directory of this repository, if these directories exist, is licensed under the license defined in "apps/web/modules/ee/LICENSE".
-- All content that resides under the "packages/js/", "packages/react-native/" and "packages/api/" directories of this repository, if that directories exist, is licensed under the "MIT" license as defined in the "LICENSE" files of these packages.
+- All content that resides under the "packages/js/", "packages/react-native/", "packages/android/", "packages/ios/" and "packages/api/" directories of this repository, if that directories exist, is licensed under the "MIT" license as defined in the "LICENSE" files of these packages.
 - All third party components incorporated into the Formbricks Software are licensed under the original license provided by the owner of the applicable component.
 - Content outside of the above mentioned directories or restrictions above is available under the "AGPLv3" license as defined below.
 

apps/demo/pages/index.tsx

@@ -9,6 +9,12 @@ declare const window: Window;
 export default function AppPage(): React.JSX.Element {
   const [darkMode, setDarkMode] = useState(false);
   const router = useRouter();
+  const userId = "THIS-IS-A-VERY-LONG-USER-ID-FOR-TESTING";
+  const userAttributes = {
+    "Attribute 1": "one",
+    "Attribute 2": "two",
+    "Attribute 3": "three",
+  };
 
   useEffect(() => {
     if (darkMode) {
@@ -33,18 +39,9 @@ export default function AppPage(): React.JSX.Element {
       addFormbricksDebugParam();
 
       if (process.env.NEXT_PUBLIC_FORMBRICKS_ENVIRONMENT_ID && process.env.NEXT_PUBLIC_FORMBRICKS_API_HOST) {
-        const userId = "THIS-IS-A-VERY-LONG-USER-ID-FOR-TESTING";
+        void formbricks.setup({
-        const userInitAttributes = {
-          language: "de",
-          "Init Attribute 1": "eight",
-          "Init Attribute 2": "two",
-        };
-
-        void formbricks.init({
           environmentId: process.env.NEXT_PUBLIC_FORMBRICKS_ENVIRONMENT_ID,
-          apiHost: process.env.NEXT_PUBLIC_FORMBRICKS_API_HOST,
+          appUrl: process.env.NEXT_PUBLIC_FORMBRICKS_API_HOST,
-          userId,
-          attributes: userInitAttributes,
         });
       }
 
@@ -126,19 +123,19 @@ export default function AppPage(): React.JSX.Element {
         <div className="md:grid md:grid-cols-3">
           <div className="col-span-3 self-start rounded-lg border border-slate-300 bg-slate-100 p-6 dark:border-slate-600 dark:bg-slate-900">
             <h3 className="text-lg font-semibold dark:text-white">
-              Reset person / pull data from Formbricks app
+              Set a user ID / pull data from Formbricks app
             </h3>
             <p className="text-slate-700 dark:text-slate-300">
-              On formbricks.reset() the local state will <strong>be deleted</strong> and formbricks gets{" "}
+              On formbricks.setUserId() the user state will <strong>be fetched from Formbricks</strong> and
-              <strong>reinitialized</strong>.
+              the local state gets <strong>updated with the user state</strong>.
             </p>
             <button
               className="my-4 rounded-lg bg-slate-500 px-6 py-3 text-white hover:bg-slate-700 dark:bg-slate-700 dark:hover:bg-slate-600"
               type="button"
               onClick={() => {
-                void formbricks.reset();
+                void formbricks.setUserId(userId);
               }}>
-              Reset
+              Set user ID
             </button>
             <p className="text-xs text-slate-700 dark:text-slate-300">
               If you made a change in Formbricks app and it does not seem to work, hit &apos;Reset&apos; and
@@ -158,7 +155,7 @@ export default function AppPage(): React.JSX.Element {
               <p className="text-xs text-slate-700 dark:text-slate-300">
                 This button sends a{" "}
                 <a
-                  href="https://formbricks.com/docs/actions/no-code"
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/actions#setting-up-no-code-actions"
                   rel="noopener noreferrer"
                   className="underline dark:text-blue-500"
                   target="_blank">
@@ -166,7 +163,7 @@ export default function AppPage(): React.JSX.Element {
                 </a>{" "}
                 as long as you created it beforehand in the Formbricks App.{" "}
                 <a
-                  href="https://formbricks.com/docs/actions/no-code"
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/actions#setting-up-no-code-actions"
                   rel="noopener noreferrer"
                   target="_blank"
                   className="underline dark:text-blue-500">
@@ -175,6 +172,7 @@ export default function AppPage(): React.JSX.Element {
               </p>
             </div>
           </div>
+
           <div className="p-6">
             <div>
               <button
@@ -190,7 +188,7 @@ export default function AppPage(): React.JSX.Element {
               <p className="text-xs text-slate-700 dark:text-slate-300">
                 This button sets the{" "}
                 <a
-                  href="https://formbricks.com/docs/attributes/custom-attributes"
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/user-identification#setting-custom-user-attributes"
                   target="_blank"
                   rel="noopener noreferrer"
                   className="underline dark:text-blue-500">
@@ -215,7 +213,7 @@ export default function AppPage(): React.JSX.Element {
               <p className="text-xs text-slate-700 dark:text-slate-300">
                 This button sets the{" "}
                 <a
-                  href="https://formbricks.com/docs/attributes/custom-attributes"
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/user-identification#setting-custom-user-attributes"
                   target="_blank"
                   rel="noopener noreferrer"
                   className="underline dark:text-blue-500">
@@ -240,7 +238,7 @@ export default function AppPage(): React.JSX.Element {
               <p className="text-xs text-slate-700 dark:text-slate-300">
                 This button sets the{" "}
                 <a
-                  href="https://formbricks.com/docs/attributes/identify-users"
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/user-identification"
                   target="_blank"
                   rel="noopener noreferrer"
                   className="underline dark:text-blue-500">
@@ -250,6 +248,110 @@ export default function AppPage(): React.JSX.Element {
               </p>
             </div>
           </div>
+
+          <div className="p-6">
+            <div>
+              <button
+                type="button"
+                onClick={() => {
+                  void formbricks.setAttributes(userAttributes);
+                }}
+                className="mb-4 rounded-lg bg-slate-800 px-6 py-3 text-white hover:bg-slate-700 dark:bg-slate-700 dark:hover:bg-slate-600">
+                Set Multiple Attributes
+              </button>
+            </div>
+            <div>
+              <p className="text-xs text-slate-700 dark:text-slate-300">
+                This button sets the{" "}
+                <a
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/user-identification#setting-custom-user-attributes"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="underline dark:text-blue-500">
+                  user attributes
+                </a>{" "}
+                to &apos;one&apos;, &apos;two&apos;, &apos;three&apos;.
+              </p>
+            </div>
+          </div>
+
+          <div className="p-6">
+            <div>
+              <button
+                type="button"
+                onClick={() => {
+                  void formbricks.setLanguage("de");
+                }}
+                className="mb-4 rounded-lg bg-slate-800 px-6 py-3 text-white hover:bg-slate-700 dark:bg-slate-700 dark:hover:bg-slate-600">
+                Set Language to &apos;de&apos;
+              </button>
+            </div>
+            <div>
+              <p className="text-xs text-slate-700 dark:text-slate-300">
+                This button sets the{" "}
+                <a
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/general-features/multi-language-surveys"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  className="underline dark:text-blue-500">
+                  language
+                </a>{" "}
+                to &apos;de&apos;.
+              </p>
+            </div>
+          </div>
+
+          <div className="p-6">
+            <div>
+              <button
+                type="button"
+                className="mb-4 rounded-lg bg-slate-800 px-6 py-3 text-white hover:bg-slate-700 dark:bg-slate-700 dark:hover:bg-slate-600"
+                onClick={() => {
+                  void formbricks.track("code");
+                }}>
+                Code Action
+              </button>
+            </div>
+            <div>
+              <p className="text-xs text-slate-700 dark:text-slate-300">
+                This button sends a{" "}
+                <a
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/actions#setting-up-code-actions"
+                  rel="noopener noreferrer"
+                  className="underline dark:text-blue-500"
+                  target="_blank">
+                  Code Action
+                </a>{" "}
+                as long as you created it beforehand in the Formbricks App.{" "}
+                <a
+                  href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/actions#setting-up-code-actions"
+                  rel="noopener noreferrer"
+                  target="_blank"
+                  className="underline dark:text-blue-500">
+                  Here are instructions on how to do it.
+                </a>
+              </p>
+            </div>
+          </div>
+
+          <div className="p-6">
+            <div>
+              <button
+                type="button"
+                className="mb-4 rounded-lg bg-slate-800 px-6 py-3 text-white hover:bg-slate-700 dark:bg-slate-700 dark:hover:bg-slate-600"
+                onClick={() => {
+                  void formbricks.logout();
+                }}>
+                Logout
+              </button>
+            </div>
+            <div>
+              <p className="text-xs text-slate-700 dark:text-slate-300">
+                This button logs out the user and syncs the local state with Formbricks. (Only works if a
+                userId is set)
+              </p>
+            </div>
+          </div>
         </div>
       </div>
     </div>

apps/storybook/package.json

@@ -30,7 +30,7 @@
     "@typescript-eslint/eslint-plugin": "8.18.0",
     "@typescript-eslint/parser": "8.18.0",
     "@vitejs/plugin-react": "4.3.4",
-    "esbuild": "0.25.0",
+    "esbuild": "0.25.1",
     "eslint-plugin-storybook": "0.11.1",
     "prop-types": "15.8.1",
     "storybook": "8.4.7",

apps/web/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22-alpine3.20 AS base
+FROM node:22-alpine3.20@sha256:40be979442621049f40b1d51a26b55e281246b5de4e5f51a18da7beb6e17e3f9 AS base
 
 #
 ## step 1: Prune monorepo
@@ -111,7 +111,12 @@ VOLUME /home/nextjs/apps/web/uploads/
 RUN mkdir -p /home/nextjs/apps/web/saml-connection
 VOLUME /home/nextjs/apps/web/saml-connection
 
-CMD supercronic -quiet /app/docker/cronjobs & \
+CMD if [ "${DOCKER_CRON_ENABLED:-1}" = "1" ]; then \
+      echo "Starting cron jobs..."; \
+      supercronic -quiet /app/docker/cronjobs & \
+    else \
+      echo "Docker cron jobs are disabled via DOCKER_CRON_ENABLED=0"; \
+    fi; \
     (cd packages/database && npm run db:migrate:deploy) && \
     (cd packages/database && npm run db:create-saml-database:deploy) && \
     exec node apps/web/server.js

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/components/OnboardingSetupInstructions.tsx

@@ -34,10 +34,9 @@ export const OnboardingSetupInstructions = ({
   const htmlSnippetForAppSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-      var apiHost = "${webAppUrl}";
+      var appUrl = "${webAppUrl}";
       var environmentId = "${environmentId}";
-      var userId = "testUser";
+      var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e),setTimeout(function(){window.formbricks.setup({environmentId: environmentId, appUrl: appUrl})},500)}();
-      var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=apiHost+"/js/formbricks.umd.cjs";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e),setTimeout(function(){window.formbricks.init({environmentId: environmentId, apiHost: apiHost, userId: userId})},500)}();
   </script>
   <!-- END Formbricks Surveys -->
   `;
@@ -45,9 +44,9 @@ export const OnboardingSetupInstructions = ({
   const htmlSnippetForWebsiteSurveys = `<!-- START Formbricks Surveys -->
   <script type="text/javascript">
   !function(){
-    var apiHost = "${webAppUrl}";
+    var appUrl = "${webAppUrl}";
     var environmentId = "${environmentId}";
-      var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=apiHost+"/js/formbricks.umd.cjs";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e),setTimeout(function(){window.formbricks.init({environmentId: environmentId, apiHost: apiHost})},500)}();
+      var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=appUrl+"/js/formbricks.umd.cjs";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e),setTimeout(function(){window.formbricks.setup({environmentId: environmentId, appUrl: appUrl })},500)}();
   </script>
   <!-- END Formbricks Surveys -->
   `;
@@ -56,10 +55,9 @@ export const OnboardingSetupInstructions = ({
   import formbricks from "@formbricks/js";
   
   if (typeof window !== "undefined") {
-    formbricks.init({
+    formbricks.setup({
       environmentId: "${environmentId}",
-      apiHost: "${webAppUrl}",
+      appUrl: "${webAppUrl}",
-      userId: "testUser",
     });
   }
   
@@ -75,9 +73,9 @@ export const OnboardingSetupInstructions = ({
   import formbricks from "@formbricks/js";
   
   if (typeof window !== "undefined") {
-    formbricks.init({
+    formbricks.setup({
       environmentId: "${environmentId}",
-      apiHost: "${webAppUrl}",
+      appUrl: "${webAppUrl}",
     });
   }
   

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/projects/new/settings/components/ProjectSettings.tsx

@@ -231,6 +231,7 @@ export const ProjectSettings = ({
         <p className="text-sm text-slate-400">{t("common.preview")}</p>
         <div className="z-0 h-3/4 w-3/4">
           <SurveyInline
+            isPreviewMode={true}
             survey={previewSurvey(projectName || "my Product", t)}
             styling={{ brandColor: { light: brandColor } }}
             isBrandingEnabled={false}

apps/web/app/(app)/components/FormbricksClient.tsx

@@ -12,12 +12,12 @@ export const FormbricksClient = ({ userId, email }: { userId: string; email: str
 
   useEffect(() => {
     if (formbricksEnabled && userId) {
-      formbricks.init({
+      formbricks.setup({
         environmentId: env.NEXT_PUBLIC_FORMBRICKS_ENVIRONMENT_ID || "",
-        apiHost: env.NEXT_PUBLIC_FORMBRICKS_API_HOST || "",
+        appUrl: env.NEXT_PUBLIC_FORMBRICKS_API_HOST || "",
-        userId,
       });
 
+      formbricks.setUserId(userId);
       formbricks.setEmail(email);
     }
   }, [userId, email]);

apps/web/app/(app)/environments/[environmentId]/integrations/google-sheets/actions.ts

@@ -1,25 +1,41 @@
 "use server";
 
-import { authOptions } from "@/modules/auth/lib/authOptions";
+import { authenticatedActionClient } from "@/lib/utils/action-client";
-import { getServerSession } from "next-auth";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client-middleware";
-import { hasUserEnvironmentAccess } from "@formbricks/lib/environment/auth";
+import { getOrganizationIdFromEnvironmentId, getProjectIdFromEnvironmentId } from "@/lib/utils/helper";
+import { z } from "zod";
 import { getSpreadsheetNameById } from "@formbricks/lib/googleSheet/service";
-import { AuthorizationError } from "@formbricks/types/errors";
+import { ZIntegrationGoogleSheets } from "@formbricks/types/integration/google-sheet";
-import { TIntegrationGoogleSheets } from "@formbricks/types/integration/google-sheet";
 
-export async function getSpreadsheetNameByIdAction(
+const ZGetSpreadsheetNameByIdAction = z.object({
-  googleSheetIntegration: TIntegrationGoogleSheets,
+  googleSheetIntegration: ZIntegrationGoogleSheets,
-  environmentId: string,
+  environmentId: z.string(),
-  spreadsheetId: string
+  spreadsheetId: z.string(),
-) {
+});
-  const session = await getServerSession(authOptions);
-  if (!session) throw new AuthorizationError("Not authorized");
 
-  const isAuthorized = await hasUserEnvironmentAccess(session.user.id, environmentId);
+export const getSpreadsheetNameByIdAction = authenticatedActionClient
-  if (!isAuthorized) throw new AuthorizationError("Not authorized");
+  .schema(ZGetSpreadsheetNameByIdAction)
-  const integrationData = structuredClone(googleSheetIntegration);
+  .action(async ({ ctx, parsedInput }) => {
-  integrationData.config.data.forEach((data) => {
+    await checkAuthorizationUpdated({
-    data.createdAt = new Date(data.createdAt);
+      userId: ctx.user.id,
+      organizationId: await getOrganizationIdFromEnvironmentId(parsedInput.environmentId),
+      access: [
+        {
+          type: "organization",
+          roles: ["owner", "manager"],
+        },
+        {
+          type: "projectTeam",
+          projectId: await getProjectIdFromEnvironmentId(parsedInput.environmentId),
+          minPermission: "readWrite",
+        },
+      ],
+    });
+
+    const integrationData = structuredClone(parsedInput.googleSheetIntegration);
+    integrationData.config.data.forEach((data) => {
+      data.createdAt = new Date(data.createdAt);
+    });
+
+    return await getSpreadsheetNameById(integrationData, parsedInput.spreadsheetId);
   });
-  return await getSpreadsheetNameById(integrationData, spreadsheetId);
-}

apps/web/app/(app)/environments/[environmentId]/integrations/google-sheets/components/AddIntegrationModal.tsx

@@ -8,6 +8,7 @@ import {
   isValidGoogleSheetsUrl,
 } from "@/app/(app)/environments/[environmentId]/integrations/google-sheets/lib/util";
 import GoogleSheetLogo from "@/images/googleSheetsLogo.png";
+import { getFormattedErrorMessage } from "@/lib/utils/helper";
 import { AdditionalIntegrationSettings } from "@/modules/ui/components/additional-integration-settings";
 import { Button } from "@/modules/ui/components/button";
 import { Checkbox } from "@/modules/ui/components/checkbox";
@@ -115,11 +116,18 @@ export const AddIntegrationModal = ({
         throw new Error(t("environments.integrations.select_at_least_one_question_error"));
       }
       const spreadsheetId = extractSpreadsheetIdFromUrl(spreadsheetUrl);
-      const spreadsheetName = await getSpreadsheetNameByIdAction(
+      const spreadsheetNameResponse = await getSpreadsheetNameByIdAction({
         googleSheetIntegration,
         environmentId,
-        spreadsheetId
+        spreadsheetId,
-      );
+      });
+
+      if (!spreadsheetNameResponse?.data) {
+        const errorMessage = getFormattedErrorMessage(spreadsheetNameResponse);
+        throw new Error(errorMessage);
+      }
+
+      const spreadsheetName = spreadsheetNameResponse.data;
 
       setIsLinkingSheet(true);
       integrationData.spreadsheetId = spreadsheetId;

apps/web/app/(app)/environments/[environmentId]/settings/(account)/notifications/components/EditAlerts.tsx

@@ -27,7 +27,7 @@ export const EditAlerts = ({
   return (
     <>
       {memberships.map((membership) => (
-        <>
+        <div key={membership.organization.id}>
           <div className="mb-5 grid grid-cols-6 items-center space-x-3">
             <div className="col-span-3 flex items-center space-x-3">
               <UsersIcon className="h-6 w-7 text-slate-600" />
@@ -110,7 +110,7 @@ export const EditAlerts = ({
               </Link>
             </p>
           </div>
-        </>
+        </div>
       ))}
     </>
   );

apps/web/app/(app)/environments/[environmentId]/settings/(account)/notifications/components/EditWeeklySummary.tsx

@@ -18,7 +18,7 @@ export const EditWeeklySummary = ({ memberships, user, environmentId }: EditAler
   return (
     <>
       {memberships.map((membership) => (
-        <>
+        <div key={membership.organization.id}>
           <div className="mb-5 flex items-center space-x-3 text-sm font-medium">
             <UsersIcon className="h-6 w-7 text-slate-600" />
 
@@ -52,7 +52,7 @@ export const EditWeeklySummary = ({ memberships, user, environmentId }: EditAler
               </Link>
             </p>
           </div>
-        </>
+        </div>
       ))}
     </>
   );

apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/page.tsx

@@ -9,8 +9,10 @@ import { UpgradePrompt } from "@/modules/ui/components/upgrade-prompt";
 import { getTranslate } from "@/tolgee/server";
 import { getServerSession } from "next-auth";
 import { IS_FORMBRICKS_CLOUD } from "@formbricks/lib/constants";
-import { getOrganizationsWhereUserIsSingleOwner } from "@formbricks/lib/organization/service";
+import {
-import { getOrganizationByEnvironmentId } from "@formbricks/lib/organization/service";
+  getOrganizationByEnvironmentId,
+  getOrganizationsWhereUserIsSingleOwner,
+} from "@formbricks/lib/organization/service";
 import { getUser } from "@formbricks/lib/user/service";
 import { SettingsCard } from "../../components/SettingsCard";
 import { DeleteAccount } from "./components/DeleteAccount";
@@ -71,7 +73,9 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
                   description={t("environments.settings.profile.two_factor_authentication_description")}
                   buttons={[
                     {
-                      text: t("common.start_free_trial"),
+                      text: IS_FORMBRICKS_CLOUD
+                        ? t("common.start_free_trial")
+                        : t("common.request_trial_license"),
                       href: IS_FORMBRICKS_CLOUD
                         ? `/environments/${params.environmentId}/settings/billing`
                         : "https://formbricks.com/upgrade-self-hosting-license",

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/page.test.tsx

@@ -0,0 +1,133 @@
+import {
+  getIsMultiOrgEnabled,
+  getIsOrganizationAIReady,
+  getWhiteLabelPermission,
+} from "@/modules/ee/license-check/lib/utils";
+import { getTranslate } from "@/tolgee/server";
+import { getServerSession } from "next-auth";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { getMembershipByUserIdOrganizationId } from "@formbricks/lib/membership/service";
+import { getAccessFlags } from "@formbricks/lib/membership/utils";
+import { getOrganizationByEnvironmentId } from "@formbricks/lib/organization/service";
+import { getUser } from "@formbricks/lib/user/service";
+import { TMembership } from "@formbricks/types/memberships";
+import { TOrganization } from "@formbricks/types/organizations";
+import { TUser } from "@formbricks/types/user";
+import Page from "./page";
+
+vi.mock("@formbricks/lib/constants", () => ({
+  IS_FORMBRICKS_CLOUD: false,
+  IS_PRODUCTION: false,
+  FB_LOGO_URL: "https://example.com/mock-logo.png",
+  ENCRYPTION_KEY: "mock-encryption-key",
+  ENTERPRISE_LICENSE_KEY: "mock-enterprise-license-key",
+  GITHUB_ID: "mock-github-id",
+  GITHUB_SECRET: "mock-github-secret",
+  GOOGLE_CLIENT_ID: "mock-google-client-id",
+  GOOGLE_CLIENT_SECRET: "mock-google-client-secret",
+  AZUREAD_CLIENT_ID: "mock-azuread-client-id",
+  AZUREAD_CLIENT_SECRET: "mock-azure-client-secret",
+  AZUREAD_TENANT_ID: "mock-azuread-tenant-id",
+  OIDC_CLIENT_ID: "mock-oidc-client-id",
+  OIDC_CLIENT_SECRET: "mock-oidc-client-secret",
+  OIDC_ISSUER: "mock-oidc-issuer",
+  OIDC_DISPLAY_NAME: "mock-oidc-display-name",
+  OIDC_SIGNING_ALGORITHM: "mock-oidc-signing-algorithm",
+  SAML_DATABASE_URL: "mock-saml-database-url",
+  WEBAPP_URL: "mock-webapp-url",
+  SMTP_HOST: "mock-smtp-host",
+  SMTP_PORT: "mock-smtp-port",
+}));
+
+vi.mock("next-auth", () => ({
+  getServerSession: vi.fn(),
+}));
+
+vi.mock("@/tolgee/server", () => ({
+  getTranslate: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/user/service", () => ({
+  getUser: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/organization/service", () => ({
+  getOrganizationByEnvironmentId: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/membership/service", () => ({
+  getMembershipByUserIdOrganizationId: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/membership/utils", () => ({
+  getAccessFlags: vi.fn(),
+}));
+
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({
+  getIsMultiOrgEnabled: vi.fn(),
+  getIsOrganizationAIReady: vi.fn(),
+  getWhiteLabelPermission: vi.fn(),
+}));
+
+describe("Page", () => {
+  const mockParams = { environmentId: "test-environment-id" };
+  const mockSession = { user: { id: "test-user-id" } };
+  const mockUser = { id: "test-user-id" } as TUser;
+  const mockOrganization = { id: "test-organization-id", billing: { plan: "free" } } as TOrganization;
+  const mockMembership = { role: "owner" } as TMembership;
+  const mockTranslate = vi.fn((key) => key);
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.mocked(getServerSession).mockResolvedValue(mockSession);
+    vi.mocked(getTranslate).mockResolvedValue(mockTranslate);
+    vi.mocked(getUser).mockResolvedValue(mockUser);
+    vi.mocked(getOrganizationByEnvironmentId).mockResolvedValue(mockOrganization);
+    vi.mocked(getMembershipByUserIdOrganizationId).mockResolvedValue(mockMembership);
+    vi.mocked(getAccessFlags).mockReturnValue({
+      isOwner: true,
+      isManager: false,
+      isBilling: false,
+      isMember: false,
+    });
+    vi.mocked(getIsMultiOrgEnabled).mockResolvedValue(true);
+    vi.mocked(getIsOrganizationAIReady).mockResolvedValue(true);
+    vi.mocked(getWhiteLabelPermission).mockResolvedValue(true);
+  });
+
+  it("renders the page with organization settings", async () => {
+    const props = {
+      params: Promise.resolve({ environmentId: "env-123" }),
+    };
+
+    const result = await Page(props);
+
+    expect(result).toBeTruthy();
+  });
+
+  it("renders if session user id is null", async () => {
+    vi.mocked(getServerSession).mockResolvedValue({ user: { id: null } });
+
+    const props = {
+      params: Promise.resolve({ environmentId: "env-123" }),
+    };
+
+    const result = await Page(props);
+
+    expect(result).toBeTruthy();
+  });
+
+  it("throws an error if the session is not found", async () => {
+    vi.mocked(getServerSession).mockResolvedValue(null);
+
+    await expect(Page({ params: Promise.resolve(mockParams) })).rejects.toThrow("common.session_not_found");
+  });
+
+  it("throws an error if the organization is not found", async () => {
+    vi.mocked(getOrganizationByEnvironmentId).mockResolvedValue(null);
+
+    await expect(Page({ params: Promise.resolve(mockParams) })).rejects.toThrow(
+      "common.organization_not_found"
+    );
+  });
+});

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/page.tsx

@@ -12,7 +12,7 @@ import { PageHeader } from "@/modules/ui/components/page-header";
 import { SettingsId } from "@/modules/ui/components/settings-id";
 import { getTranslate } from "@/tolgee/server";
 import { getServerSession } from "next-auth";
-import { IS_FORMBRICKS_CLOUD } from "@formbricks/lib/constants";
+import { FB_LOGO_URL, IS_FORMBRICKS_CLOUD } from "@formbricks/lib/constants";
 import { getMembershipByUserIdOrganizationId } from "@formbricks/lib/membership/service";
 import { getAccessFlags } from "@formbricks/lib/membership/utils";
 import { getOrganizationByEnvironmentId } from "@formbricks/lib/organization/service";
@@ -84,6 +84,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
         environmentId={params.environmentId}
         isReadOnly={!isOwnerOrManager}
         isFormbricksCloud={IS_FORMBRICKS_CLOUD}
+        fbLogoUrl={FB_LOGO_URL}
         user={user}
       />
       {isMultiOrgEnabled && (

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponseTableColumns.tsx

@@ -200,13 +200,6 @@ export const generateResponseTableColumns = (
             </TooltipTrigger>
             <TooltipContent side="bottom" className="font-normal">
               {t("environments.surveys.responses.how_to_identify_users")}
-              <Link
-                className="underline underline-offset-2 hover:text-slate-900"
-                href="https://formbricks.com/docs/link-surveys/user-identification"
-                target="_blank">
-                {t("common.link_surveys")}
-              </Link>{" "}
-              or{" "}
               <Link
                 className="underline underline-offset-2 hover:text-slate-900"
                 href="https://formbricks.com/docs/app-surveys/user-identification"

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/AppTab.tsx

@@ -1,11 +1,12 @@
 "use client";
 
+import { MobileAppTab } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/MobileAppTab";
+import { WebAppTab } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/WebAppTab";
 import { OptionsSwitch } from "@/modules/ui/components/options-switch";
 import { useTranslate } from "@tolgee/react";
-import Link from "next/link";
 import { useState } from "react";
 
-export const AppTab = ({ environmentId }) => {
+export const AppTab = () => {
   const { t } = useTranslate();
   const [selectedTab, setSelectedTab] = useState("webapp");
 
@@ -20,79 +21,7 @@ export const AppTab = ({ environmentId }) => {
         handleOptionChange={(value) => setSelectedTab(value)}
       />
 
-      <div className="mt-4">
+      <div className="mt-4">{selectedTab === "webapp" ? <WebAppTab /> : <MobileAppTab />}</div>
-        {selectedTab === "webapp" ? <WebAppTab environmentId={environmentId} /> : <MobileAppTab />}
-      </div>
-    </div>
-  );
-};
-
-const MobileAppTab = () => {
-  const { t } = useTranslate();
-  return (
-    <div>
-      <p className="text-lg font-semibold text-slate-800">
-        {t("environments.surveys.summary.how_to_embed_a_survey_on_your_react_native_app")}
-      </p>
-      <ol className="mt-4 list-decimal space-y-2 pl-5 text-sm text-slate-700">
-        <li>
-          {t("common.follow_these")}{" "}
-          <Link
-            href="https://formbricks.com/docs/developer-docs/react-native-in-app-surveys"
-            target="_blank"
-            className="decoration-brand-dark font-medium underline underline-offset-2">
-            {t("environments.surveys.summary.setup_instructions_for_react_native_apps")}
-          </Link>{" "}
-          {t("environments.surveys.summary.to_connect_your_app_with_formbricks")}
-        </li>
-      </ol>
-      <div className="mt-2 text-sm italic text-slate-700">
-        {t("environments.surveys.summary.were_working_on_sdks_for_flutter_swift_and_kotlin")}
-      </div>
-    </div>
-  );
-};
-
-const WebAppTab = ({ environmentId }) => {
-  const { t } = useTranslate();
-  return (
-    <div>
-      <p className="text-lg font-semibold text-slate-800">
-        {t("environments.surveys.summary.how_to_embed_a_survey_on_your_web_app")}
-      </p>
-      <ol className="mt-4 list-decimal space-y-2 pl-5 text-sm text-slate-700">
-        <li>
-          {t("common.follow_these")}{" "}
-          <Link
-            href={`/environments/${environmentId}/project/app-connection`}
-            target="_blank"
-            className="decoration-brand-dark font-medium underline underline-offset-2">
-            {t("environments.surveys.summary.setup_instructions")}
-          </Link>{" "}
-          {t("environments.surveys.summary.to_connect_your_web_app_with_formbricks")}
-        </li>
-        <li>
-          {t("environments.surveys.summary.learn_how_to")}{" "}
-          <Link
-            href="https://formbricks.com/docs/app-surveys/user-identification"
-            target="_blank"
-            className="decoration-brand-dark font-medium underline underline-offset-2">
-            {t("environments.surveys.summary.identify_users_and_set_attributes")}
-          </Link>{" "}
-          {t("environments.surveys.summary.to_run_highly_targeted_surveys")}.
-        </li>
-        <li>
-          {t("environments.surveys.summary.make_sure_the_survey_type_is_set_to")}{" "}
-          <b>{t("common.app_survey")}</b>
-        </li>
-        <li>{t("environments.surveys.summary.define_when_and_where_the_survey_should_pop_up")}</li>
-      </ol>
-      <div className="mt-4">
-        <video autoPlay loop muted className="w-full rounded-xl border border-slate-200">
-          <source src="/video/tooltips/change-survey-type-app.mp4" type="video/mp4" />
-          {t("environments.surveys.summary.unsupported_video_tag_warning")}
-        </video>
-      </div>
     </div>
   );
 };

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/EmbedView.tsx

@@ -88,7 +88,7 @@ export const EmbedView = ({
               locale={locale}
             />
           ) : activeId === "app" ? (
-            <AppTab environmentId={environmentId} />
+            <AppTab />
           ) : null}
           <div className="mt-2 rounded-md p-3 text-center lg:hidden">
             {tabs.slice(0, 2).map((tab) => (

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/LinkTab.tsx

@@ -16,12 +16,8 @@ interface LinkTabProps {
 
 export const LinkTab = ({ survey, webAppUrl, surveyUrl, setSurveyUrl, locale }: LinkTabProps) => {
   const { t } = useTranslate();
+
   const docsLinks = [
-    {
-      title: t("environments.surveys.summary.identify_users"),
-      description: t("environments.surveys.summary.identify_users_description"),
-      link: "https://formbricks.com/docs/link-surveys/user-identification",
-    },
     {
       title: t("environments.surveys.summary.data_prefilling"),
       description: t("environments.surveys.summary.data_prefilling_description"),
@@ -53,6 +49,7 @@ export const LinkTab = ({ survey, webAppUrl, surveyUrl, setSurveyUrl, locale }:
           locale={locale}
         />
       </div>
+
       <div className="flex flex-wrap justify-between gap-2">
         <p className="pt-2 font-semibold text-slate-700">
           {t("environments.surveys.summary.you_can_do_a_lot_more_with_links_surveys")} 💡

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/MobileAppTab.tsx

@@ -0,0 +1,25 @@
+"use client";
+
+import { Alert, AlertDescription, AlertTitle } from "@/modules/ui/components/alert";
+import { Button } from "@/modules/ui/components/button";
+import { useTranslate } from "@tolgee/react";
+import Link from "next/link";
+
+export const MobileAppTab = () => {
+  const { t } = useTranslate();
+  return (
+    <Alert>
+      <AlertTitle>{t("environments.surveys.summary.quickstart_mobile_apps")}</AlertTitle>
+      <AlertDescription>
+        {t("environments.surveys.summary.quickstart_mobile_apps_description")}
+        <Button asChild className="w-fit" size="sm" variant="link">
+          <Link
+            href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/framework-guides"
+            target="_blank">
+            {t("common.learn_more")}
+          </Link>
+        </Button>
+      </AlertDescription>
+    </Alert>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/PanelInfoView.tsx

@@ -85,8 +85,10 @@ export const PanelInfoView = ({ disableBack, handleInitialPageButton }: PanelInf
             </p>
           </div>
           <Button className="justify-center" asChild>
-            <Link href="https://formbricks.com/docs/link-surveys/market-research-panel" target="_blank">
+            <Link
-              {t("common.get_started")}
+              href="https://formbricks.com/docs/xm-and-surveys/surveys/link-surveys/market-research-panel"
+              target="_blank">
+              {t("common.learn_more")}
             </Link>
           </Button>
         </div>

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/shareEmbedModal/WebAppTab.tsx

@@ -0,0 +1,25 @@
+"use client";
+
+import { Alert, AlertDescription, AlertTitle } from "@/modules/ui/components/alert";
+import { Button } from "@/modules/ui/components/button";
+import { useTranslate } from "@tolgee/react";
+import Link from "next/link";
+
+export const WebAppTab = () => {
+  const { t } = useTranslate();
+  return (
+    <Alert>
+      <AlertTitle>{t("environments.surveys.summary.quickstart_web_apps")}</AlertTitle>
+      <AlertDescription>
+        {t("environments.surveys.summary.quickstart_web_apps_description")}
+        <Button asChild className="w-fit" size="sm" variant="link">
+          <Link
+            href="https://formbricks.com/docs/xm-and-surveys/surveys/website-app-surveys/quickstart"
+            target="_blank">
+            {t("common.learn_more")}
+          </Link>
+        </Button>
+      </AlertDescription>
+    </Alert>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/get-qr-code-options.ts

@@ -0,0 +1,36 @@
+import { Options } from "qr-code-styling";
+
+export const getQRCodeOptions = (width: number, height: number): Options => ({
+  width,
+  height,
+  type: "svg",
+  data: "",
+  margin: 0,
+  qrOptions: {
+    typeNumber: 0,
+    mode: "Byte",
+    errorCorrectionLevel: "L",
+  },
+  imageOptions: {
+    saveAsBlob: true,
+    hideBackgroundDots: false,
+    imageSize: 0,
+    margin: 0,
+  },
+  dotsOptions: {
+    type: "extra-rounded",
+    color: "#000000",
+    roundSize: true,
+  },
+  backgroundOptions: {
+    color: "#ffffff",
+  },
+  cornersSquareOptions: {
+    type: "dot",
+    color: "#000000",
+  },
+  cornersDotOptions: {
+    type: "dot",
+    color: "#000000",
+  },
+});

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/survey-qr-code.tsx

@@ -0,0 +1,44 @@
+"use client";
+
+import { getQRCodeOptions } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/get-qr-code-options";
+import { useTranslate } from "@tolgee/react";
+import QRCodeStyling from "qr-code-styling";
+import { useEffect, useRef } from "react";
+import { toast } from "react-hot-toast";
+
+export const useSurveyQRCode = (surveyUrl: string) => {
+  const qrCodeRef = useRef<HTMLDivElement>(null);
+  const qrInstance = useRef<QRCodeStyling | null>(null);
+  const { t } = useTranslate();
+
+  useEffect(() => {
+    try {
+      if (!qrInstance.current) {
+        qrInstance.current = new QRCodeStyling(getQRCodeOptions(70, 70));
+      }
+
+      if (surveyUrl && qrInstance.current) {
+        qrInstance.current.update({ data: surveyUrl });
+
+        if (qrCodeRef.current) {
+          qrCodeRef.current.innerHTML = "";
+          qrInstance.current.append(qrCodeRef.current);
+        }
+      }
+    } catch (error) {
+      toast.error(t("environments.surveys.summary.failed_to_generate_qr_code"));
+    }
+  }, [surveyUrl]);
+
+  const downloadQRCode = () => {
+    try {
+      const downloadInstance = new QRCodeStyling(getQRCodeOptions(500, 500));
+      downloadInstance.update({ data: surveyUrl });
+      downloadInstance.download({ name: "survey-qr", extension: "png" });
+    } catch (error) {
+      toast.error(t("environments.surveys.summary.failed_to_generate_qr_code"));
+    }
+  };
+
+  return { qrCodeRef, downloadQRCode };
+};

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/surveySummary.ts

@@ -380,7 +380,7 @@ export const getQuestionSummary = async (
 
           let hasValidAnswer = false;
 
-          if (Array.isArray(answer)) {
+          if (Array.isArray(answer) && question.type === TSurveyQuestionTypeEnum.MultipleChoiceMulti) {
             answer.forEach((value) => {
               if (value) {
                 totalSelectionCount++;
@@ -396,7 +396,10 @@ export const getQuestionSummary = async (
                 hasValidAnswer = true;
               }
             });
-          } else if (typeof answer === "string") {
+          } else if (
+            typeof answer === "string" &&
+            question.type === TSurveyQuestionTypeEnum.MultipleChoiceSingle
+          ) {
             if (answer) {
               totalSelectionCount++;
               if (questionChoices.includes(answer)) {

apps/web/app/(app)/layout.test.tsx

@@ -0,0 +1,92 @@
+import "@testing-library/jest-dom/vitest";
+import { cleanup, render, screen } from "@testing-library/react";
+import { getServerSession } from "next-auth";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { getUser } from "@formbricks/lib/user/service";
+import { TUser } from "@formbricks/types/user";
+import AppLayout from "./layout";
+
+vi.mock("next-auth", () => ({
+  getServerSession: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/user/service", () => ({
+  getUser: vi.fn(),
+}));
+
+vi.mock("@formbricks/lib/constants", () => ({
+  INTERCOM_SECRET_KEY: "test-secret-key",
+  IS_INTERCOM_CONFIGURED: true,
+  INTERCOM_APP_ID: "test-app-id",
+  ENCRYPTION_KEY: "test-encryption-key",
+  ENTERPRISE_LICENSE_KEY: "test-enterprise-license-key",
+  GITHUB_ID: "test-github-id",
+  GITHUB_SECRET: "test-githubID",
+  GOOGLE_CLIENT_ID: "test-google-client-id",
+  GOOGLE_CLIENT_SECRET: "test-google-client-secret",
+  AZUREAD_CLIENT_ID: "test-azuread-client-id",
+  AZUREAD_CLIENT_SECRET: "test-azure",
+  AZUREAD_TENANT_ID: "test-azuread-tenant-id",
+  OIDC_DISPLAY_NAME: "test-oidc-display-name",
+  OIDC_CLIENT_ID: "test-oidc-client-id",
+  OIDC_ISSUER: "test-oidc-issuer",
+  OIDC_CLIENT_SECRET: "test-oidc-client-secret",
+  OIDC_SIGNING_ALGORITHM: "test-oidc-signing-algorithm",
+  WEBAPP_URL: "test-webapp-url",
+}));
+
+vi.mock("@/app/(app)/components/FormbricksClient", () => ({
+  FormbricksClient: () => <div data-testid="formbricks-client" />,
+}));
+vi.mock("@/app/intercom/IntercomClientWrapper", () => ({
+  IntercomClientWrapper: () => <div data-testid="mock-intercom-wrapper" />,
+}));
+vi.mock("@/modules/ui/components/no-mobile-overlay", () => ({
+  NoMobileOverlay: () => <div data-testid="no-mobile-overlay" />,
+}));
+vi.mock("@/modules/ui/components/post-hog-client", () => ({
+  PHProvider: ({ children }: { children: React.ReactNode }) => (
+    <div data-testid="ph-provider">{children}</div>
+  ),
+  PostHogPageview: () => <div data-testid="ph-pageview" />,
+}));
+vi.mock("@/modules/ui/components/toaster-client", () => ({
+  ToasterClient: () => <div data-testid="toaster-client" />,
+}));
+
+describe("(app) AppLayout", () => {
+  afterEach(() => {
+    cleanup();
+  });
+
+  it("renders child content and all sub-components when user exists", async () => {
+    vi.mocked(getServerSession).mockResolvedValueOnce({ user: { id: "user-123" } });
+    vi.mocked(getUser).mockResolvedValueOnce({ id: "user-123", email: "test@example.com" } as TUser);
+
+    // Because AppLayout is async, call it like a function
+    const element = await AppLayout({
+      children: <div data-testid="child-content">Hello from children</div>,
+    });
+
+    render(element);
+
+    expect(screen.getByTestId("no-mobile-overlay")).toBeInTheDocument();
+    expect(screen.getByTestId("ph-pageview")).toBeInTheDocument();
+    expect(screen.getByTestId("ph-provider")).toBeInTheDocument();
+    expect(screen.getByTestId("mock-intercom-wrapper")).toBeInTheDocument();
+    expect(screen.getByTestId("toaster-client")).toBeInTheDocument();
+    expect(screen.getByTestId("child-content")).toHaveTextContent("Hello from children");
+    expect(screen.getByTestId("formbricks-client")).toBeInTheDocument();
+  });
+
+  it("skips FormbricksClient if no user is present", async () => {
+    vi.mocked(getServerSession).mockResolvedValueOnce(null);
+
+    const element = await AppLayout({
+      children: <div data-testid="child-content">Hello from children</div>,
+    });
+    render(element);
+
+    expect(screen.queryByTestId("formbricks-client")).not.toBeInTheDocument();
+  });
+});

apps/web/app/(app)/layout.tsx

@@ -1,12 +1,11 @@
 import { FormbricksClient } from "@/app/(app)/components/FormbricksClient";
-import { IntercomClient } from "@/app/IntercomClient";
+import { IntercomClientWrapper } from "@/app/intercom/IntercomClientWrapper";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { NoMobileOverlay } from "@/modules/ui/components/no-mobile-overlay";
 import { PHProvider, PostHogPageview } from "@/modules/ui/components/post-hog-client";
 import { ToasterClient } from "@/modules/ui/components/toaster-client";
 import { getServerSession } from "next-auth";
 import { Suspense } from "react";
-import { INTERCOM_SECRET_KEY, IS_INTERCOM_CONFIGURED } from "@formbricks/lib/constants";
 import { getUser } from "@formbricks/lib/user/service";
 
 const AppLayout = async ({ children }) => {
@@ -22,11 +21,7 @@ const AppLayout = async ({ children }) => {
       <PHProvider>
         <>
           {user ? <FormbricksClient userId={user.id} email={user.email} /> : null}
-          <IntercomClient
+          <IntercomClientWrapper user={user} />
-            isIntercomConfigured={IS_INTERCOM_CONFIGURED}
-            intercomSecretKey={INTERCOM_SECRET_KEY}
-            user={user}
-          />
           <ToasterClient />
           {children}
         </>

apps/web/app/(auth)/layout.test.tsx

@@ -0,0 +1,34 @@
+import "@testing-library/jest-dom/vitest";
+import { render, screen } from "@testing-library/react";
+import { describe, expect, it, vi } from "vitest";
+import AppLayout from "../(auth)/layout";
+
+vi.mock("@formbricks/lib/constants", () => ({
+  IS_FORMBRICKS_CLOUD: false,
+  IS_INTERCOM_CONFIGURED: true,
+  INTERCOM_SECRET_KEY: "mock-intercom-secret-key",
+  INTERCOM_APP_ID: "mock-intercom-app-id",
+}));
+
+vi.mock("@/app/intercom/IntercomClientWrapper", () => ({
+  IntercomClientWrapper: () => <div data-testid="mock-intercom-wrapper" />,
+}));
+vi.mock("@/modules/ui/components/no-mobile-overlay", () => ({
+  NoMobileOverlay: () => <div data-testid="mock-no-mobile-overlay" />,
+}));
+
+describe("(auth) AppLayout", () => {
+  it("renders the NoMobileOverlay and IntercomClient, plus children", async () => {
+    const appLayoutElement = await AppLayout({
+      children: <div data-testid="child-content">Hello from children!</div>,
+    });
+
+    const childContentText = "Hello from children!";
+
+    render(appLayoutElement);
+
+    expect(screen.getByTestId("mock-no-mobile-overlay")).toBeInTheDocument();
+    expect(screen.getByTestId("mock-intercom-wrapper")).toBeInTheDocument();
+    expect(screen.getByTestId("child-content")).toHaveTextContent(childContentText);
+  });
+});

apps/web/app/(auth)/layout.tsx

@@ -1,12 +1,11 @@
-import { IntercomClient } from "@/app/IntercomClient";
+import { IntercomClientWrapper } from "@/app/intercom/IntercomClientWrapper";
 import { NoMobileOverlay } from "@/modules/ui/components/no-mobile-overlay";
-import { INTERCOM_SECRET_KEY, IS_INTERCOM_CONFIGURED } from "@formbricks/lib/constants";
 
 const AppLayout = async ({ children }) => {
   return (
     <>
       <NoMobileOverlay />
-      <IntercomClient isIntercomConfigured={IS_INTERCOM_CONFIGURED} intercomSecretKey={INTERCOM_SECRET_KEY} />
+      <IntercomClientWrapper />
       {children}
     </>
   );

apps/web/app/(redirects)/organizations/[organizationId]/route.ts

@@ -1,8 +1,8 @@
-import { hasOrganizationAccess } from "@/app/lib/api/apiHelper";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { getServerSession } from "next-auth";
 import { redirect } from "next/navigation";
 import { notFound } from "next/navigation";
+import { hasOrganizationAccess } from "@formbricks/lib/auth";
 import { getEnvironments } from "@formbricks/lib/environment/service";
 import { getMembershipByUserIdOrganizationId } from "@formbricks/lib/membership/service";
 import { getAccessFlags } from "@formbricks/lib/membership/utils";
@@ -16,7 +16,7 @@ export const GET = async (_: Request, context: { params: Promise<{ organizationI
   // check auth
   const session = await getServerSession(authOptions);
   if (!session) throw new AuthenticationError("Not authenticated");
-  const hasAccess = await hasOrganizationAccess(session.user, organizationId);
+  const hasAccess = await hasOrganizationAccess(session.user.id, organizationId);
   if (!hasAccess) throw new AuthorizationError("Unauthorized");
 
   const currentUserMembership = await getMembershipByUserIdOrganizationId(session?.user.id, organizationId);

apps/web/app/(redirects)/projects/[projectId]/route.ts

@@ -1,7 +1,7 @@
-import { hasOrganizationAccess } from "@/app/lib/api/apiHelper";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { getServerSession } from "next-auth";
 import { notFound, redirect } from "next/navigation";
+import { hasOrganizationAccess } from "@formbricks/lib/auth";
 import { getEnvironments } from "@formbricks/lib/environment/service";
 import { getProject } from "@formbricks/lib/project/service";
 import { AuthenticationError, AuthorizationError } from "@formbricks/types/errors";
@@ -15,7 +15,7 @@ export const GET = async (_: Request, context: { params: Promise<{ projectId: st
   if (!session) throw new AuthenticationError("Not authenticated");
   const project = await getProject(projectId);
   if (!project) return notFound();
-  const hasAccess = await hasOrganizationAccess(session.user, project.organizationId);
+  const hasAccess = await hasOrganizationAccess(session.user.id, project.organizationId);
   if (!hasAccess) throw new AuthorizationError("Unauthorized");
   // redirect to project's production environment
   const environments = await getEnvironments(project.id);

apps/web/app/api/v1/auth.ts

@@ -1,16 +1,19 @@
+import { getEnvironmentIdFromApiKey } from "@/app/api/v1/lib/api-key";
 import { responses } from "@/app/lib/api/response";
+import { hashApiKey } from "@/modules/api/v2/management/lib/utils";
 import { TAuthenticationApiKey } from "@formbricks/types/auth";
 import { DatabaseError, InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
-import { getEnvironmentIdFromApiKey } from "./lib/api-key";
 
 export const authenticateRequest = async (request: Request): Promise<TAuthenticationApiKey | null> => {
   const apiKey = request.headers.get("x-api-key");
   if (apiKey) {
     const environmentId = await getEnvironmentIdFromApiKey(apiKey);
     if (environmentId) {
+      const hashedApiKey = hashApiKey(apiKey);
       const authentication: TAuthenticationApiKey = {
         type: "apiKey",
         environmentId,
+        hashedApiKey,
       };
       return authentication;
     }

apps/web/app/api/v1/lib/api-key.ts

@@ -6,8 +6,7 @@ import { cache } from "@formbricks/lib/cache";
 import { getHash } from "@formbricks/lib/crypto";
 import { validateInputs } from "@formbricks/lib/utils/validate";
 import { ZString } from "@formbricks/types/common";
-import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { DatabaseError, InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
-import { InvalidInputError } from "@formbricks/types/errors";
 
 export const getEnvironmentIdFromApiKey = reactCache(async (apiKey: string): Promise<string | null> => {
   const hashedKey = getHash(apiKey);
@@ -42,7 +41,7 @@ export const getEnvironmentIdFromApiKey = reactCache(async (apiKey: string): Pro
         throw error;
       }
     },
-    [`getEnvironmentIdFromApiKey-${apiKey}`],
+    [`management-api-getEnvironmentIdFromApiKey-${apiKey}`],
     {
       tags: [apiKeyCache.tag.byHashedKey(hashedKey)],
     }

apps/web/app/api/v1/management/me/lib/utils.ts

@@ -0,0 +1,15 @@
+import { authOptions } from "@/modules/auth/lib/authOptions";
+import { NextApiRequest, NextApiResponse } from "next";
+import type { Session } from "next-auth";
+import { getServerSession } from "next-auth";
+
+export const getSessionUser = async (req?: NextApiRequest, res?: NextApiResponse) => {
+  // check for session (browser usage)
+  let session: Session | null;
+  if (req && res) {
+    session = await getServerSession(req, res, authOptions);
+  } else {
+    session = await getServerSession(authOptions);
+  }
+  if (session && "user" in session) return session.user;
+};

apps/web/app/api/v1/management/me/route.ts

@@ -1,4 +1,5 @@
-import { getSessionUser, hashApiKey } from "@/app/lib/api/apiHelper";
+import { getSessionUser } from "@/app/api/v1/management/me/lib/utils";
+import { hashApiKey } from "@/modules/api/v2/management/lib/utils";
 import { headers } from "next/headers";
 import { prisma } from "@formbricks/database";
 

apps/web/app/api/v2/client/[environmentId]/contacts/[userId]/attributes/route.ts

@@ -0,0 +1,6 @@
+import {
+  OPTIONS,
+  PUT,
+} from "@/modules/ee/contacts/api/client/[environmentId]/contacts/[userId]/attributes/route";
+
+export { OPTIONS, PUT };

apps/web/app/api/v2/client/[environmentId]/displays/lib/contact.ts

@@ -0,0 +1,26 @@
+import { contactCache } from "@/lib/cache/contact";
+import { cache as reactCache } from "react";
+import { prisma } from "@formbricks/database";
+import { cache } from "@formbricks/lib/cache";
+
+export const doesContactExist = reactCache(
+  (id: string): Promise<boolean> =>
+    cache(
+      async () => {
+        const contact = await prisma.contact.findFirst({
+          where: {
+            id,
+          },
+          select: {
+            id: true,
+          },
+        });
+
+        return !!contact;
+      },
+      [`doesContactExistDisplaysApiV2-${id}`],
+      {
+        tags: [contactCache.tag.byId(id)],
+      }
+    )()
+);

apps/web/app/api/v2/client/[environmentId]/displays/lib/display.ts

@@ -0,0 +1,54 @@
+import {
+  TDisplayCreateInputV2,
+  ZDisplayCreateInputV2,
+} from "@/app/api/v2/client/[environmentId]/displays/types/display";
+import { Prisma } from "@prisma/client";
+import { prisma } from "@formbricks/database";
+import { displayCache } from "@formbricks/lib/display/cache";
+import { validateInputs } from "@formbricks/lib/utils/validate";
+import { DatabaseError } from "@formbricks/types/errors";
+import { doesContactExist } from "./contact";
+
+export const createDisplay = async (displayInput: TDisplayCreateInputV2): Promise<{ id: string }> => {
+  validateInputs([displayInput, ZDisplayCreateInputV2]);
+
+  const { environmentId, contactId, surveyId } = displayInput;
+
+  try {
+    const contactExists = contactId ? await doesContactExist(contactId) : false;
+
+    const display = await prisma.display.create({
+      data: {
+        survey: {
+          connect: {
+            id: surveyId,
+          },
+        },
+
+        ...(contactExists && {
+          contact: {
+            connect: {
+              id: contactId,
+            },
+          },
+        }),
+      },
+      select: { id: true, contactId: true, surveyId: true },
+    });
+
+    displayCache.revalidate({
+      id: display.id,
+      contactId: display.contactId,
+      surveyId: display.surveyId,
+      environmentId,
+    });
+
+    return display;
+  } catch (error) {
+    if (error instanceof Prisma.PrismaClientKnownRequestError) {
+      throw new DatabaseError(error.message);
+    }
+
+    throw error;
+  }
+};

apps/web/app/api/v2/client/[environmentId]/displays/route.ts

@@ -0,0 +1,55 @@
+import { ZDisplayCreateInputV2 } from "@/app/api/v2/client/[environmentId]/displays/types/display";
+import { responses } from "@/app/lib/api/response";
+import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { getIsContactsEnabled } from "@/modules/ee/license-check/lib/utils";
+import { capturePosthogEnvironmentEvent } from "@formbricks/lib/posthogServer";
+import { InvalidInputError } from "@formbricks/types/errors";
+import { createDisplay } from "./lib/display";
+
+interface Context {
+  params: Promise<{
+    environmentId: string;
+  }>;
+}
+
+export const OPTIONS = async (): Promise<Response> => {
+  return responses.successResponse({}, true);
+};
+
+export const POST = async (request: Request, context: Context): Promise<Response> => {
+  const params = await context.params;
+  const jsonInput = await request.json();
+  const inputValidation = ZDisplayCreateInputV2.safeParse({
+    ...jsonInput,
+    environmentId: params.environmentId,
+  });
+
+  if (!inputValidation.success) {
+    return responses.badRequestResponse(
+      "Fields are missing or incorrectly formatted",
+      transformErrorToDetails(inputValidation.error),
+      true
+    );
+  }
+
+  if (inputValidation.data.contactId) {
+    const isContactsEnabled = await getIsContactsEnabled();
+    if (!isContactsEnabled) {
+      return responses.forbiddenResponse("User identification is only available for enterprise users.", true);
+    }
+  }
+
+  try {
+    const response = await createDisplay(inputValidation.data);
+
+    await capturePosthogEnvironmentEvent(inputValidation.data.environmentId, "display created");
+    return responses.successResponse(response, true);
+  } catch (error) {
+    if (error instanceof InvalidInputError) {
+      return responses.badRequestResponse(error.message);
+    } else {
+      console.error(error);
+      return responses.internalServerErrorResponse(error.message);
+    }
+  }
+};

apps/web/app/api/v2/client/[environmentId]/displays/types/display.ts

@@ -0,0 +1,9 @@
+import { z } from "zod";
+import { ZId } from "@formbricks/types/common";
+import { ZDisplayCreateInput } from "@formbricks/types/displays";
+
+export const ZDisplayCreateInputV2 = ZDisplayCreateInput.omit({ userId: true }).extend({
+  contactId: ZId.optional(),
+});
+
+export type TDisplayCreateInputV2 = z.infer<typeof ZDisplayCreateInputV2>;

apps/web/app/api/v2/client/[environmentId]/environment/route.ts

@@ -0,0 +1,3 @@
+import { GET, OPTIONS } from "@/app/api/v1/client/[environmentId]/environment/route";
+
+export { OPTIONS, GET };

apps/web/app/api/v2/client/[environmentId]/identify/contacts/[userId]/route.ts

@@ -0,0 +1,6 @@
+import {
+  GET,
+  OPTIONS,
+} from "@/modules/ee/contacts/api/client/[environmentId]/identify/contacts/[userId]/route";
+
+export { GET, OPTIONS };

apps/web/app/api/v2/client/[environmentId]/responses/[responseId]/route.ts

@@ -0,0 +1,3 @@
+import { OPTIONS, PUT } from "@/app/api/v1/client/[environmentId]/responses/[responseId]/route";
+
+export { OPTIONS, PUT };

apps/web/app/api/v2/client/[environmentId]/responses/lib/contact.ts

@@ -0,0 +1,42 @@
+import { contactCache } from "@/lib/cache/contact";
+import { cache as reactCache } from "react";
+import { prisma } from "@formbricks/database";
+import { cache } from "@formbricks/lib/cache";
+import { TContactAttributes } from "@formbricks/types/contact-attribute";
+
+export const getContact = reactCache((contactId: string) =>
+  cache(
+    async () => {
+      const contact = await prisma.contact.findUnique({
+        where: { id: contactId },
+        select: {
+          id: true,
+          attributes: {
+            select: {
+              attributeKey: { select: { key: true } },
+              value: true,
+            },
+          },
+        },
+      });
+
+      if (!contact) {
+        return null;
+      }
+
+      const contactAttributes = contact.attributes.reduce((acc, attr) => {
+        acc[attr.attributeKey.key] = attr.value;
+        return acc;
+      }, {}) as TContactAttributes;
+
+      return {
+        id: contact.id,
+        attributes: contactAttributes,
+      };
+    },
+    [`getContact-responses-api-${contactId}`],
+    {
+      tags: [contactCache.tag.byId(contactId)],
+    }
+  )()
+);

apps/web/app/api/v2/client/[environmentId]/responses/lib/response.ts

@@ -0,0 +1,145 @@
+import "server-only";
+import { responseSelection } from "@/app/api/v1/client/[environmentId]/responses/lib/response";
+import { TResponseInputV2 } from "@/app/api/v2/client/[environmentId]/responses/types/response";
+import { Prisma } from "@prisma/client";
+import { prisma } from "@formbricks/database";
+import { IS_FORMBRICKS_CLOUD } from "@formbricks/lib/constants";
+import {
+  getMonthlyOrganizationResponseCount,
+  getOrganizationByEnvironmentId,
+} from "@formbricks/lib/organization/service";
+import { sendPlanLimitsReachedEventToPosthogWeekly } from "@formbricks/lib/posthogServer";
+import { responseCache } from "@formbricks/lib/response/cache";
+import { calculateTtcTotal } from "@formbricks/lib/response/utils";
+import { responseNoteCache } from "@formbricks/lib/responseNote/cache";
+import { captureTelemetry } from "@formbricks/lib/telemetry";
+import { validateInputs } from "@formbricks/lib/utils/validate";
+import { TContactAttributes } from "@formbricks/types/contact-attribute";
+import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { TResponse, ZResponseInput } from "@formbricks/types/responses";
+import { TTag } from "@formbricks/types/tags";
+import { getContact } from "./contact";
+
+export const createResponse = async (responseInput: TResponseInputV2): Promise<TResponse> => {
+  validateInputs([responseInput, ZResponseInput]);
+  captureTelemetry("response created");
+
+  const {
+    environmentId,
+    language,
+    contactId,
+    surveyId,
+    displayId,
+    finished,
+    data,
+    meta,
+    singleUseId,
+    variables,
+    ttc: initialTtc,
+    createdAt,
+    updatedAt,
+  } = responseInput;
+
+  try {
+    let contact: { id: string; attributes: TContactAttributes } | null = null;
+    let userId: string | undefined = undefined;
+
+    const organization = await getOrganizationByEnvironmentId(environmentId);
+    if (!organization) {
+      throw new ResourceNotFoundError("Organization", environmentId);
+    }
+
+    if (contactId) {
+      contact = await getContact(contactId);
+      userId = contact?.attributes.userId;
+    }
+
+    const ttc = initialTtc ? (finished ? calculateTtcTotal(initialTtc) : initialTtc) : {};
+
+    const prismaData: Prisma.ResponseCreateInput = {
+      survey: {
+        connect: {
+          id: surveyId,
+        },
+      },
+      display: displayId ? { connect: { id: displayId } } : undefined,
+      finished: finished,
+      data: data,
+      language: language,
+      ...(contact?.id && {
+        contact: {
+          connect: {
+            id: contact.id,
+          },
+        },
+        contactAttributes: contact.attributes,
+      }),
+      ...(meta && ({ meta } as Prisma.JsonObject)),
+      singleUseId,
+      ...(variables && { variables }),
+      ttc: ttc,
+      createdAt,
+      updatedAt,
+    };
+
+    const responsePrisma = await prisma.response.create({
+      data: prismaData,
+      select: responseSelection,
+    });
+
+    const response: TResponse = {
+      ...responsePrisma,
+      contact: contact
+        ? {
+            id: contact.id,
+            userId: contact.attributes.userId,
+          }
+        : null,
+      tags: responsePrisma.tags.map((tagPrisma: { tag: TTag }) => tagPrisma.tag),
+    };
+
+    responseCache.revalidate({
+      environmentId,
+      id: response.id,
+      contactId: contact?.id,
+      ...(singleUseId && { singleUseId }),
+      userId,
+      surveyId,
+    });
+
+    responseNoteCache.revalidate({
+      responseId: response.id,
+    });
+
+    if (IS_FORMBRICKS_CLOUD) {
+      const responsesCount = await getMonthlyOrganizationResponseCount(organization.id);
+      const responsesLimit = organization.billing.limits.monthly.responses;
+
+      if (responsesLimit && responsesCount >= responsesLimit) {
+        try {
+          await sendPlanLimitsReachedEventToPosthogWeekly(environmentId, {
+            plan: organization.billing.plan,
+            limits: {
+              projects: null,
+              monthly: {
+                responses: responsesLimit,
+                miu: null,
+              },
+            },
+          });
+        } catch (err) {
+          // Log error but do not throw
+          console.error(`Error sending plan limits reached event to Posthog: ${err}`);
+        }
+      }
+    }
+
+    return response;
+  } catch (error) {
+    if (error instanceof Prisma.PrismaClientKnownRequestError) {
+      throw new DatabaseError(error.message);
+    }
+
+    throw error;
+  }
+};

apps/web/app/api/v2/client/[environmentId]/responses/route.ts

@@ -0,0 +1,138 @@
+import { responses } from "@/app/lib/api/response";
+import { transformErrorToDetails } from "@/app/lib/api/validator";
+import { sendToPipeline } from "@/app/lib/pipelines";
+import { getIsContactsEnabled } from "@/modules/ee/license-check/lib/utils";
+import { headers } from "next/headers";
+import { UAParser } from "ua-parser-js";
+import { capturePosthogEnvironmentEvent } from "@formbricks/lib/posthogServer";
+import { getSurvey } from "@formbricks/lib/survey/service";
+import { ZId } from "@formbricks/types/common";
+import { InvalidInputError } from "@formbricks/types/errors";
+import { TResponse } from "@formbricks/types/responses";
+import { createResponse } from "./lib/response";
+import { TResponseInputV2, ZResponseInputV2 } from "./types/response";
+
+interface Context {
+  params: Promise<{
+    environmentId: string;
+  }>;
+}
+
+export const OPTIONS = async (): Promise<Response> => {
+  return responses.successResponse({}, true);
+};
+
+export const POST = async (request: Request, context: Context): Promise<Response> => {
+  const params = await context.params;
+  const requestHeaders = await headers();
+  let responseInput;
+  try {
+    responseInput = await request.json();
+  } catch (error) {
+    return responses.badRequestResponse("Invalid JSON in request body", { error: error.message }, true);
+  }
+
+  const { environmentId } = params;
+  const environmentIdValidation = ZId.safeParse(environmentId);
+  const responseInputValidation = ZResponseInputV2.safeParse({ ...responseInput, environmentId });
+
+  if (!environmentIdValidation.success) {
+    return responses.badRequestResponse(
+      "Fields are missing or incorrectly formatted",
+      transformErrorToDetails(environmentIdValidation.error),
+      true
+    );
+  }
+
+  if (!responseInputValidation.success) {
+    return responses.badRequestResponse(
+      "Fields are missing or incorrectly formatted",
+      transformErrorToDetails(responseInputValidation.error),
+      true
+    );
+  }
+
+  const userAgent = request.headers.get("user-agent") || undefined;
+  const agent = new UAParser(userAgent);
+
+  const country =
+    requestHeaders.get("CF-IPCountry") ||
+    requestHeaders.get("X-Vercel-IP-Country") ||
+    requestHeaders.get("CloudFront-Viewer-Country") ||
+    undefined;
+
+  const responseInputData = responseInputValidation.data;
+
+  if (responseInputData.contactId) {
+    const isContactsEnabled = await getIsContactsEnabled();
+    if (!isContactsEnabled) {
+      return responses.forbiddenResponse("User identification is only available for enterprise users.", true);
+    }
+  }
+
+  // get and check survey
+  const survey = await getSurvey(responseInputData.surveyId);
+  if (!survey) {
+    return responses.notFoundResponse("Survey", responseInputData.surveyId, true);
+  }
+  if (survey.environmentId !== environmentId) {
+    return responses.badRequestResponse(
+      "Survey is part of another environment",
+      {
+        "survey.environmentId": survey.environmentId,
+        environmentId,
+      },
+      true
+    );
+  }
+
+  let response: TResponse;
+  try {
+    const meta: TResponseInputV2["meta"] = {
+      source: responseInputData?.meta?.source,
+      url: responseInputData?.meta?.url,
+      userAgent: {
+        browser: agent.getBrowser().name,
+        device: agent.getDevice().type || "desktop",
+        os: agent.getOS().name,
+      },
+      country: country,
+      action: responseInputData?.meta?.action,
+    };
+
+    response = await createResponse({
+      ...responseInputData,
+      meta,
+    });
+  } catch (error) {
+    if (error instanceof InvalidInputError) {
+      return responses.badRequestResponse(error.message);
+    } else {
+      console.error(error);
+      return responses.internalServerErrorResponse(error.message);
+    }
+  }
+
+  sendToPipeline({
+    event: "responseCreated",
+    environmentId: survey.environmentId,
+    surveyId: response.surveyId,
+    response: response,
+  });
+
+  if (responseInput.finished) {
+    sendToPipeline({
+      event: "responseFinished",
+      environmentId: survey.environmentId,
+      surveyId: response.surveyId,
+      response: response,
+    });
+  }
+
+  await capturePosthogEnvironmentEvent(survey.environmentId, "response created", {
+    surveyId: response.surveyId,
+    surveyType: survey.type,
+  });
+
+  return responses.successResponse({ id: response.id }, true);
+};

apps/web/app/api/v2/client/[environmentId]/responses/types/response.ts

@@ -0,0 +1,6 @@
+import { z } from "zod";
+import { ZId } from "@formbricks/types/common";
+import { ZResponseInput } from "@formbricks/types/responses";
+
+export const ZResponseInputV2 = ZResponseInput.omit({ userId: true }).extend({ contactId: ZId.nullish() });
+export type TResponseInputV2 = z.infer<typeof ZResponseInputV2>;

apps/web/app/api/v2/client/[environmentId]/storage/local/route.ts

@@ -0,0 +1,3 @@
+import { OPTIONS, POST } from "@/app/api/v1/client/[environmentId]/storage/local/route";
+
+export { OPTIONS, POST };

apps/web/app/api/v2/client/[environmentId]/storage/route.ts

@@ -0,0 +1,3 @@
+import { OPTIONS, POST } from "@/app/api/v1/client/[environmentId]/storage/route";
+
+export { OPTIONS, POST };

apps/web/app/api/v2/client/[environmentId]/user/route.ts

@@ -0,0 +1,3 @@
+import { OPTIONS, POST } from "@/modules/ee/contacts/api/client/[environmentId]/user/route";
+
+export { POST, OPTIONS };

apps/web/app/api/v2/management/responses/[responseId]/route.ts

@@ -0,0 +1,3 @@
+import { DELETE, GET, PUT } from "@/modules/api/v2/management/responses/[responseId]/route";
+
+export { GET, PUT, DELETE };

apps/web/app/api/v2/management/responses/route.ts

@@ -0,0 +1,3 @@
+import { GET, POST } from "@/modules/api/v2/management/responses/route";
+
+export { GET, POST };

apps/web/app/intercom/IntercomClient.test.tsx

@@ -0,0 +1,186 @@
+import Intercom from "@intercom/messenger-js-sdk";
+import "@testing-library/jest-dom/vitest";
+import { cleanup, render } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { TUser } from "@formbricks/types/user";
+import { IntercomClient } from "./IntercomClient";
+
+// Mock the Intercom package
+vi.mock("@intercom/messenger-js-sdk", () => ({
+  default: vi.fn(),
+}));
+
+describe("IntercomClient", () => {
+  let originalWindowIntercom: any;
+  let mockWindowIntercom = vi.fn();
+
+  beforeEach(() => {
+    // Save original window.Intercom so we can restore it later
+    originalWindowIntercom = global.window?.Intercom;
+    // Mock window.Intercom so we can verify the shutdown call on unmount
+    global.window.Intercom = mockWindowIntercom;
+  });
+
+  afterEach(() => {
+    cleanup();
+    // Restore the original window.Intercom
+    global.window.Intercom = originalWindowIntercom;
+  });
+
+  it("calls Intercom with user data when isIntercomConfigured is true and user is provided", () => {
+    const testUser = {
+      id: "test-id",
+      name: "Test User",
+      email: "test@example.com",
+      createdAt: new Date("2020-01-01T00:00:00Z"),
+    } as TUser;
+
+    render(
+      <IntercomClient
+        isIntercomConfigured={true}
+        intercomUserHash="my-user-hash"
+        intercomAppId="my-app-id"
+        user={testUser}
+      />
+    );
+
+    // Verify Intercom was called with the expected params
+    expect(Intercom).toHaveBeenCalledTimes(1);
+    expect(Intercom).toHaveBeenCalledWith({
+      app_id: "my-app-id",
+      user_id: "test-id",
+      user_hash: "my-user-hash",
+      name: "Test User",
+      email: "test@example.com",
+      created_at: 1577836800, // Epoch for 2020-01-01T00:00:00Z
+    });
+  });
+
+  it("calls Intercom with user data without createdAt", () => {
+    const testUser = {
+      id: "test-id",
+      name: "Test User",
+      email: "test@example.com",
+    } as TUser;
+
+    render(
+      <IntercomClient
+        isIntercomConfigured={true}
+        intercomUserHash="my-user-hash"
+        intercomAppId="my-app-id"
+        user={testUser}
+      />
+    );
+
+    // Verify Intercom was called with the expected params
+    expect(Intercom).toHaveBeenCalledTimes(1);
+    expect(Intercom).toHaveBeenCalledWith({
+      app_id: "my-app-id",
+      user_id: "test-id",
+      user_hash: "my-user-hash",
+      name: "Test User",
+      email: "test@example.com",
+      created_at: undefined,
+    });
+  });
+
+  it("calls Intercom with minimal params if user is not provided", () => {
+    render(
+      <IntercomClient isIntercomConfigured={true} intercomAppId="my-app-id" intercomUserHash="my-user-hash" />
+    );
+
+    expect(Intercom).toHaveBeenCalledTimes(1);
+    expect(Intercom).toHaveBeenCalledWith({
+      app_id: "my-app-id",
+    });
+  });
+
+  it("does not call Intercom if isIntercomConfigured is false", () => {
+    render(
+      <IntercomClient
+        isIntercomConfigured={false}
+        intercomAppId="my-app-id"
+        user={{ id: "whatever" } as TUser}
+      />
+    );
+
+    expect(Intercom).not.toHaveBeenCalled();
+  });
+
+  it("shuts down Intercom on unmount", () => {
+    const { unmount } = render(
+      <IntercomClient isIntercomConfigured={true} intercomAppId="my-app-id" intercomUserHash="my-user-hash" />
+    );
+
+    // Reset call count; we only care about the shutdown after unmount
+    mockWindowIntercom.mockClear();
+
+    unmount();
+
+    // Intercom should be shut down on unmount
+    expect(mockWindowIntercom).toHaveBeenCalledWith("shutdown");
+  });
+
+  it("logs an error if Intercom initialization fails", () => {
+    // Spy on console.error
+    const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+    // Force Intercom to throw an error on invocation
+    vi.mocked(Intercom).mockImplementationOnce(() => {
+      throw new Error("Intercom test error");
+    });
+
+    // Render the component with isIntercomConfigured=true so it tries to initialize
+    render(
+      <IntercomClient isIntercomConfigured={true} intercomAppId="my-app-id" intercomUserHash="my-user-hash" />
+    );
+
+    // Verify that console.error was called with the correct message
+    expect(consoleErrorSpy).toHaveBeenCalledWith("Failed to initialize Intercom:", expect.any(Error));
+
+    // Clean up the spy
+    consoleErrorSpy.mockRestore();
+  });
+
+  it("logs an error if isIntercomConfigured is true but no intercomAppId is provided", () => {
+    const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+    render(
+      <IntercomClient
+        isIntercomConfigured={true}
+        // missing intercomAppId
+        intercomUserHash="my-user-hash"
+      />
+    );
+
+    // We expect a caught error: "Intercom app ID is required"
+    expect(consoleErrorSpy).toHaveBeenCalledWith("Failed to initialize Intercom:", expect.any(Error));
+    const [, caughtError] = consoleErrorSpy.mock.calls[0];
+    expect((caughtError as Error).message).toBe("Intercom app ID is required");
+    consoleErrorSpy.mockRestore();
+  });
+
+  it("logs an error if isIntercomConfigured is true but no intercomUserHash is provided", () => {
+    const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+    const testUser = {
+      id: "test-id",
+      name: "Test User",
+      email: "test@example.com",
+    } as TUser;
+
+    render(
+      <IntercomClient
+        isIntercomConfigured={true}
+        intercomAppId="some-app-id"
+        user={testUser}
+        // missing intercomUserHash
+      />
+    );
+
+    // We expect a caught error: "Intercom user hash is required"
+    expect(consoleErrorSpy).toHaveBeenCalledWith("Failed to initialize Intercom:", expect.any(Error));
+    const [, caughtError] = consoleErrorSpy.mock.calls[0];
+    expect((caughtError as Error).message).toBe("Intercom user hash is required");
+    consoleErrorSpy.mockRestore();
+  });
+});

apps/web/app/intercom/IntercomClient.tsx

@@ -1,30 +1,31 @@
 "use client";
 
 import Intercom from "@intercom/messenger-js-sdk";
-import { createHmac } from "crypto";
 import { useCallback, useEffect } from "react";
-import { env } from "@formbricks/lib/env";
 import { TUser } from "@formbricks/types/user";
 
-const intercomAppId = env.NEXT_PUBLIC_INTERCOM_APP_ID;
-
 interface IntercomClientProps {
   isIntercomConfigured: boolean;
-  intercomSecretKey?: string;
+  intercomUserHash?: string;
   user?: TUser | null;
+  intercomAppId?: string;
 }
 
-export const IntercomClient = ({ user, intercomSecretKey, isIntercomConfigured }: IntercomClientProps) => {
+export const IntercomClient = ({
+  user,
+  intercomUserHash,
+  isIntercomConfigured,
+  intercomAppId,
+}: IntercomClientProps) => {
   const initializeIntercom = useCallback(() => {
     let initParams = {};
 
-    if (user) {
+    if (user && intercomUserHash) {
       const { id, name, email, createdAt } = user;
-      const hash = createHmac("sha256", intercomSecretKey!).update(user?.id).digest("hex");
 
       initParams = {
         user_id: id,
-        user_hash: hash,
+        user_hash: intercomUserHash,
         name,
         email,
         created_at: createdAt ? Math.floor(createdAt.getTime() / 1000) : undefined,
@@ -35,11 +36,21 @@ export const IntercomClient = ({ user, intercomSecretKey, isIntercomConfigured }
       app_id: intercomAppId!,
       ...initParams,
     });
-  }, [user, intercomSecretKey]);
+  }, [user, intercomUserHash, intercomAppId]);
 
   useEffect(() => {
     try {
-      if (isIntercomConfigured) initializeIntercom();
+      if (isIntercomConfigured) {
+        if (!intercomAppId) {
+          throw new Error("Intercom app ID is required");
+        }
+
+        if (user && !intercomUserHash) {
+          throw new Error("Intercom user hash is required");
+        }
+
+        initializeIntercom();
+      }
 
       return () => {
         // Shutdown Intercom when component unmounts
@@ -50,7 +61,7 @@ export const IntercomClient = ({ user, intercomSecretKey, isIntercomConfigured }
     } catch (error) {
       console.error("Failed to initialize Intercom:", error);
     }
-  }, [isIntercomConfigured, initializeIntercom]);
+  }, [isIntercomConfigured, initializeIntercom, intercomAppId, intercomUserHash, user]);
 
   return null;
 };

apps/web/app/intercom/IntercomClientWrapper.test.tsx

@@ -0,0 +1,64 @@
+import { cleanup, render, screen } from "@testing-library/react";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { TUser } from "@formbricks/types/user";
+import { IntercomClientWrapper } from "./IntercomClientWrapper";
+
+vi.mock("@formbricks/lib/constants", () => ({
+  IS_INTERCOM_CONFIGURED: true,
+  INTERCOM_APP_ID: "mock-intercom-app-id",
+  INTERCOM_SECRET_KEY: "mock-intercom-secret-key",
+}));
+
+// Mock the crypto createHmac function to return a fake hash.
+// Vite global setup doesn't work here due to Intercom probably using crypto themselves.
+vi.mock("crypto", () => ({
+  default: {
+    createHmac: vi.fn(() => ({
+      update: vi.fn().mockReturnThis(),
+      digest: vi.fn().mockReturnValue("fake-hash"),
+    })),
+  },
+}));
+
+vi.mock("./IntercomClient", () => ({
+  IntercomClient: (props: any) => (
+    <div data-testid="mock-intercom-client" data-props={JSON.stringify(props)} />
+  ),
+}));
+
+describe("IntercomClientWrapper", () => {
+  afterEach(() => {
+    cleanup();
+  });
+
+  it("renders IntercomClient with computed user hash when user is provided", () => {
+    const testUser = { id: "user-123", name: "Test User", email: "test@example.com" } as TUser;
+
+    render(<IntercomClientWrapper user={testUser} />);
+
+    const intercomClientEl = screen.getByTestId("mock-intercom-client");
+    expect(intercomClientEl).toBeInTheDocument();
+
+    const props = JSON.parse(intercomClientEl.getAttribute("data-props") ?? "{}");
+
+    // Check that the computed hash equals "fake-hash" (as per our crypto mock)
+    expect(props.intercomUserHash).toBe("fake-hash");
+    expect(props.intercomAppId).toBe("mock-intercom-app-id");
+    expect(props.isIntercomConfigured).toBe(true);
+    expect(props.user).toEqual(testUser);
+  });
+
+  it("renders IntercomClient without computing a hash when no user is provided", () => {
+    render(<IntercomClientWrapper user={null} />);
+
+    const intercomClientEl = screen.getByTestId("mock-intercom-client");
+    expect(intercomClientEl).toBeInTheDocument();
+
+    const props = JSON.parse(intercomClientEl.getAttribute("data-props") ?? "{}");
+
+    expect(props.intercomUserHash).toBeUndefined();
+    expect(props.intercomAppId).toBe("mock-intercom-app-id");
+    expect(props.isIntercomConfigured).toBe(true);
+    expect(props.user).toBeNull();
+  });
+});

apps/web/app/intercom/IntercomClientWrapper.tsx

@@ -0,0 +1,26 @@
+import { createHmac } from "crypto";
+import { INTERCOM_APP_ID, INTERCOM_SECRET_KEY, IS_INTERCOM_CONFIGURED } from "@formbricks/lib/constants";
+import type { TUser } from "@formbricks/types/user";
+import { IntercomClient } from "./IntercomClient";
+
+interface IntercomClientWrapperProps {
+  user?: TUser | null;
+}
+
+export const IntercomClientWrapper = ({ user }: IntercomClientWrapperProps) => {
+  let intercomUserHash: string | undefined;
+  if (user) {
+    const secretKey = INTERCOM_SECRET_KEY;
+    if (secretKey) {
+      intercomUserHash = createHmac("sha256", secretKey).update(user.id).digest("hex");
+    }
+  }
+  return (
+    <IntercomClient
+      isIntercomConfigured={IS_INTERCOM_CONFIGURED}
+      user={user}
+      intercomAppId={INTERCOM_APP_ID}
+      intercomUserHash={intercomUserHash}
+    />
+  );
+};

apps/web/app/lib/api/apiHelper.ts

@@ -1,75 +0,0 @@
-import { authOptions } from "@/modules/auth/lib/authOptions";
-import { createHash } from "crypto";
-import { NextApiRequest, NextApiResponse } from "next";
-import type { Session } from "next-auth";
-import { getServerSession } from "next-auth";
-import { prisma } from "@formbricks/database";
-import { hasUserEnvironmentAccess } from "@formbricks/lib/environment/auth";
-
-export const hashApiKey = (key: string): string => createHash("sha256").update(key).digest("hex");
-
-export const hasEnvironmentAccess = async (
-  req: NextApiRequest,
-  res: NextApiResponse,
-  environmentId: string
-) => {
-  if (req.headers["x-api-key"]) {
-    const ownership = await hasApiEnvironmentAccess(req.headers["x-api-key"].toString(), environmentId);
-    if (!ownership) {
-      return false;
-    }
-  } else {
-    const user = await getSessionUser(req, res);
-    if (!user) {
-      return false;
-    }
-    const ownership = await hasUserEnvironmentAccess(user.id, environmentId);
-    if (!ownership) {
-      return false;
-    }
-  }
-  return true;
-};
-
-export const hasApiEnvironmentAccess = async (apiKey, environmentId) => {
-  // write function to check if the API Key has access to the environment
-  const apiKeyData = await prisma.apiKey.findUnique({
-    where: {
-      hashedKey: hashApiKey(apiKey),
-    },
-    select: {
-      environmentId: true,
-    },
-  });
-
-  if (apiKeyData?.environmentId === environmentId) {
-    return true;
-  }
-  return false;
-};
-
-export const hasOrganizationAccess = async (user, organizationId) => {
-  const membership = await prisma.membership.findUnique({
-    where: {
-      userId_organizationId: {
-        userId: user.id,
-        organizationId: organizationId,
-      },
-    },
-  });
-  if (membership) {
-    return true;
-  }
-  return false;
-};
-
-export const getSessionUser = async (req?: NextApiRequest, res?: NextApiResponse) => {
-  // check for session (browser usage)
-  let session: Session | null;
-  if (req && res) {
-    session = await getServerSession(req, res, authOptions);
-  } else {
-    session = await getServerSession(authOptions);
-  }
-  if (session && "user" in session) return session.user;
-};

apps/web/app/lib/api/response.ts

@@ -15,7 +15,8 @@ interface ApiErrorResponse {
     | "unauthorized"
     | "method_not_allowed"
     | "not_authenticated"
-    | "forbidden";
+    | "forbidden"
+    | "too_many_requests";
   message: string;
   details: {
     [key: string]: string | string[] | number | number[] | boolean | boolean[];
@@ -247,7 +248,7 @@ const tooManyRequestsResponse = (
 
   return Response.json(
     {
-      code: "internal_server_error",
+      code: "too_many_requests",
       message,
       details: {},
     } as ApiErrorResponse,

apps/web/app/middleware/endpoint-validator.ts

@@ -14,6 +14,11 @@ export const isClientSideApiRoute = (url: string): boolean => {
   return regex.test(url);
 };
 
+export const isManagementApiRoute = (url: string): boolean => {
+  const regex = /^\/api\/v\d+\/management\//;
+  return regex.test(url);
+};
+
 export const isShareUrlRoute = (url: string): boolean => {
   const regex = /\/share\/[A-Za-z0-9]+\/(?:summary|responses)/;
   return regex.test(url);

apps/web/cache-handler.mjs

@@ -11,7 +11,7 @@ const createTimeoutPromise = (ms, rejectReason) => {
 CacheHandler.onCreation(async () => {
   let client;
 
-  if (process.env.REDIS_URL && process.env.ENTERPRISE_LICENSE_KEY) {
+  if (process.env.REDIS_URL) {
     try {
       // Create a Redis client.
       client = createClient({
@@ -45,20 +45,22 @@ CacheHandler.onCreation(async () => {
           });
       }
     }
-  } else if (process.env.REDIS_URL) {
-    console.log("Redis clustering requires an Enterprise License. Falling back to LRU cache.");
   }
 
   /** @type {import("@neshca/cache-handler").Handler | null} */
   let handler;
 
   if (client?.isReady) {
-    // Create the `redis-stack` Handler if the client is available and connected.
+    const redisHandlerOptions = {
-    handler = await createRedisHandler({
       client,
       keyPrefix: "fb:",
       timeoutMs: 1000,
-    });
+    };
+
+    redisHandlerOptions.ttl =  Number(process.env.REDIS_DEFAULT_TTL) || 86400; // 1 day
+
+    // Create the `redis-stack` Handler if the client is available and connected.
+    handler = await createRedisHandler(redisHandlerOptions);
   } else {
     // Fallback to LRU handler if Redis client is not available.
     // The application will still work, but the cache will be in memory only and not shared.

apps/web/instrumentation-node.ts

@@ -0,0 +1,58 @@
+// instrumentation-node.ts
+import { PrometheusExporter } from "@opentelemetry/exporter-prometheus";
+import { HostMetrics } from "@opentelemetry/host-metrics";
+import { registerInstrumentations } from "@opentelemetry/instrumentation";
+import { HttpInstrumentation } from "@opentelemetry/instrumentation-http";
+import { RuntimeNodeInstrumentation } from "@opentelemetry/instrumentation-runtime-node";
+import {
+  Resource,
+  detectResourcesSync,
+  envDetector,
+  hostDetector,
+  processDetector,
+} from "@opentelemetry/resources";
+import { MeterProvider } from "@opentelemetry/sdk-metrics";
+import { env } from "@formbricks/lib/env";
+
+const exporter = new PrometheusExporter({
+  port: env.PROMETHEUS_EXPORTER_PORT ? parseInt(env.PROMETHEUS_EXPORTER_PORT) : 9464,
+  endpoint: "/metrics",
+  host: "0.0.0.0", // Listen on all network interfaces
+});
+
+const detectedResources = detectResourcesSync({
+  detectors: [envDetector, processDetector, hostDetector],
+});
+
+const customResources = new Resource({});
+
+const resources = detectedResources.merge(customResources);
+
+const meterProvider = new MeterProvider({
+  readers: [exporter],
+  resource: resources,
+});
+
+const hostMetrics = new HostMetrics({
+  name: `otel-metrics`,
+  meterProvider,
+});
+
+registerInstrumentations({
+  meterProvider,
+  instrumentations: [new HttpInstrumentation(), new RuntimeNodeInstrumentation()],
+});
+
+hostMetrics.start();
+
+process.on("SIGTERM", async () => {
+  try {
+    // Stop collecting metrics or flush them if needed
+    await meterProvider.shutdown();
+    // Possibly close other instrumentation resources
+  } catch (e) {
+    console.error("Error during graceful shutdown:", e);
+  } finally {
+    process.exit(0);
+  }
+});

apps/web/instrumentation.ts

@@ -1,25 +1,8 @@
-import { registerOTel } from "@vercel/otel";
-import { LangfuseExporter } from "langfuse-vercel";
 import { env } from "@formbricks/lib/env";
 
-export async function register() {
+// instrumentation.ts
-  if (env.LANGFUSE_SECRET_KEY && env.LANGFUSE_PUBLIC_KEY && env.LANGFUSE_BASEURL) {
+export const register = async () => {
-    registerOTel({
+  if (process.env.NEXT_RUNTIME === "nodejs" && env.PROMETHEUS_ENABLED) {
-      serviceName: "formbricks-cloud-dev",
+    await import("./instrumentation-node");
-      traceExporter: new LangfuseExporter({
-        debug: false,
-        secretKey: env.LANGFUSE_SECRET_KEY,
-        publicKey: env.LANGFUSE_PUBLIC_KEY,
-        baseUrl: env.LANGFUSE_BASEURL,
-      }),
-    });
   }
-
+};
-  if (process.env.NEXT_RUNTIME === "nodejs") {
-    await import("./sentry.server.config");
-  }
-
-  if (process.env.NEXT_RUNTIME === "edge") {
-    await import("./sentry.edge.config");
-  }
-}

apps/web/middleware.ts

@@ -12,22 +12,36 @@ import {
   isClientSideApiRoute,
   isForgotPasswordRoute,
   isLoginRoute,
+  isManagementApiRoute,
   isShareUrlRoute,
   isSignupRoute,
   isSyncWithUserIdentificationEndpoint,
   isVerifyEmailRoute,
 } from "@/app/middleware/endpoint-validator";
+import { logApiError } from "@/modules/api/v2/lib/utils";
+import { ApiErrorResponseV2 } from "@/modules/api/v2/types/api-error";
 import { ipAddress } from "@vercel/functions";
 import { getToken } from "next-auth/jwt";
-import type { NextRequest } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
-import { NextResponse } from "next/server";
+import { v4 as uuidv4 } from "uuid";
-import { RATE_LIMITING_DISABLED, WEBAPP_URL } from "@formbricks/lib/constants";
+import { E2E_TESTING, IS_PRODUCTION, RATE_LIMITING_DISABLED, WEBAPP_URL } from "@formbricks/lib/constants";
 import { isValidCallbackUrl } from "@formbricks/lib/utils/url";
 
-export const middleware = async (request: NextRequest) => {
+const enforceHttps = (request: NextRequest): Response | null => {
-  // issue with next auth types; let's review when new fixes are available
+  const forwardedProto = request.headers.get("x-forwarded-proto") ?? "http";
-  const token = await getToken({ req: request as any });
+  if (IS_PRODUCTION && !E2E_TESTING && forwardedProto !== "https") {
+    const apiError: ApiErrorResponseV2 = {
+      type: "forbidden",
+      details: [{ field: "", issue: "Only HTTPS connections are allowed on the management endpoint." }],
+    };
+    logApiError(request, apiError);
+    return NextResponse.json(apiError, { status: 403 });
+  }
+  return null;
+};
 
+const handleAuth = async (request: NextRequest): Promise<Response | null> => {
+  const token = await getToken({ req: request as any });
   if (isAuthProtectedRoute(request.nextUrl.pathname) && !token) {
     const loginUrl = `${WEBAPP_URL}/auth/login?callbackUrl=${encodeURIComponent(WEBAPP_URL + request.nextUrl.pathname + request.nextUrl.search)}`;
     return NextResponse.redirect(loginUrl);
@@ -35,13 +49,62 @@ export const middleware = async (request: NextRequest) => {
 
   const callbackUrl = request.nextUrl.searchParams.get("callbackUrl");
   if (callbackUrl && !isValidCallbackUrl(callbackUrl, WEBAPP_URL)) {
-    return NextResponse.json({ error: "Invalid callback URL" });
+    return NextResponse.json({ error: "Invalid callback URL" }, { status: 400 });
   }
   if (token && callbackUrl) {
     return NextResponse.redirect(WEBAPP_URL + callbackUrl);
   }
-  if (process.env.NODE_ENV !== "production" || RATE_LIMITING_DISABLED) {
+  return null;
-    return NextResponse.next();
+};
+
+const applyRateLimiting = (request: NextRequest, ip: string) => {
+  if (isLoginRoute(request.nextUrl.pathname)) {
+    loginLimiter(`login-${ip}`);
+  } else if (isSignupRoute(request.nextUrl.pathname)) {
+    signupLimiter(`signup-${ip}`);
+  } else if (isVerifyEmailRoute(request.nextUrl.pathname)) {
+    verifyEmailLimiter(`verify-email-${ip}`);
+  } else if (isForgotPasswordRoute(request.nextUrl.pathname)) {
+    forgotPasswordLimiter(`forgot-password-${ip}`);
+  } else if (isClientSideApiRoute(request.nextUrl.pathname)) {
+    clientSideApiEndpointsLimiter(`client-side-api-${ip}`);
+    const envIdAndUserId = isSyncWithUserIdentificationEndpoint(request.nextUrl.pathname);
+    if (envIdAndUserId) {
+      const { environmentId, userId } = envIdAndUserId;
+      syncUserIdentificationLimiter(`sync-${environmentId}-${userId}`);
+    }
+  } else if (isShareUrlRoute(request.nextUrl.pathname)) {
+    shareUrlLimiter(`share-${ip}`);
+  }
+};
+
+export const middleware = async (originalRequest: NextRequest) => {
+  // Create a new Request object to override headers and add a unique request ID header
+  const request = new NextRequest(originalRequest, {
+    headers: new Headers(originalRequest.headers),
+  });
+
+  request.headers.set("x-request-id", uuidv4());
+
+  // Create a new NextResponse object to forward the new request with headers
+  const nextResponseWithCustomHeader = NextResponse.next({
+    request: {
+      headers: request.headers,
+    },
+  });
+
+  // Enforce HTTPS for management endpoints
+  if (isManagementApiRoute(request.nextUrl.pathname)) {
+    const httpsResponse = enforceHttps(request);
+    if (httpsResponse) return httpsResponse;
+  }
+
+  // Handle authentication
+  const authResponse = await handleAuth(request);
+  if (authResponse) return authResponse;
+
+  if (!IS_PRODUCTION || RATE_LIMITING_DISABLED) {
+    return nextResponseWithCustomHeader;
   }
 
   let ip =
@@ -51,32 +114,19 @@ export const middleware = async (request: NextRequest) => {
 
   if (ip) {
     try {
-      if (isLoginRoute(request.nextUrl.pathname)) {
+      applyRateLimiting(request, ip);
-        await loginLimiter(`login-${ip}`);
+      return nextResponseWithCustomHeader;
-      } else if (isSignupRoute(request.nextUrl.pathname)) {
-        await signupLimiter(`signup-${ip}`);
-      } else if (isVerifyEmailRoute(request.nextUrl.pathname)) {
-        await verifyEmailLimiter(`verify-email-${ip}`);
-      } else if (isForgotPasswordRoute(request.nextUrl.pathname)) {
-        await forgotPasswordLimiter(`forgot-password-${ip}`);
-      } else if (isClientSideApiRoute(request.nextUrl.pathname)) {
-        await clientSideApiEndpointsLimiter(`client-side-api-${ip}`);
-
-        const envIdAndUserId = isSyncWithUserIdentificationEndpoint(request.nextUrl.pathname);
-        if (envIdAndUserId) {
-          const { environmentId, userId } = envIdAndUserId;
-          await syncUserIdentificationLimiter(`sync-${environmentId}-${userId}`);
-        }
-      } else if (isShareUrlRoute(request.nextUrl.pathname)) {
-        await shareUrlLimiter(`share-${ip}`);
-      }
-      return NextResponse.next();
     } catch (e) {
-      console.log(`Rate Limiting IP: ${ip}`);
+      const apiError: ApiErrorResponseV2 = {
-      return NextResponse.json({ error: "Too many requests, Please try after a while!" }, { status: 429 });
+        type: "too_many_requests",
+        details: [{ field: "", issue: "Too many requests. Please try again later." }],
+      };
+      logApiError(request, apiError);
+      return NextResponse.json(apiError, { status: 429 });
     }
   }
-  return NextResponse.next();
+
+  return nextResponseWithCustomHeader;
 };
 
 export const config = {
@@ -94,5 +144,7 @@ export const config = {
     "/api/packages/:path*",
     "/auth/verification-requested",
     "/auth/forgot-password",
+    "/api/v1/management/:path*",
+    "/api/v2/management/:path*",
   ],
 };

apps/web/modules/analysis/components/ShareSurveyLink/components/SurveyLinkDisplay.tsx

@@ -8,7 +8,7 @@ export const SurveyLinkDisplay = ({ surveyUrl }: SurveyLinkDisplayProps) => {
   return (
     <Input
       autoFocus={true}
-      className="mt-2 w-full min-w-96 text-ellipsis rounded-lg border bg-white px-4 py-2 text-center text-slate-800 caret-transparent"
+      className="mt-2 w-full min-w-96 text-ellipsis rounded-lg border bg-white px-4 py-2 text-slate-800 caret-transparent"
       defaultValue={surveyUrl}
     />
   );

apps/web/modules/analysis/components/ShareSurveyLink/index.tsx

@@ -1,10 +1,11 @@
 "use client";
 
+import { useSurveyQRCode } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/survey-qr-code";
 import { getFormattedErrorMessage } from "@/lib/utils/helper";
 import { generateSingleUseIdAction } from "@/modules/survey/list/actions";
 import { Button } from "@/modules/ui/components/button";
 import { useTranslate } from "@tolgee/react";
-import { Copy, RefreshCcw, SquareArrowOutUpRight } from "lucide-react";
+import { Copy, QrCode, RefreshCcw, SquareArrowOutUpRight } from "lucide-react";
 import { useCallback, useEffect, useState } from "react";
 import { toast } from "react-hot-toast";
 import { TSurvey } from "@formbricks/types/surveys/types";
@@ -68,10 +69,12 @@ export const ShareSurveyLink = ({
     getUrl();
   }, [survey, getUrl, language]);
 
+  const { downloadQRCode } = useSurveyQRCode(surveyUrl);
+
   return (
     <div
       className={`flex max-w-full flex-col items-center justify-center space-x-2 ${survey.singleUse?.enabled ? "flex-col" : "lg:flex-row"}`}>
-      <SurveyLinkDisplay surveyUrl={surveyUrl} />
+      <SurveyLinkDisplay surveyUrl={surveyUrl} key={surveyUrl} />
       <div className="mt-2 flex items-center justify-center space-x-2">
         <LanguageDropdown survey={survey} setLanguage={setLanguage} locale={locale} />
         <Button
@@ -100,6 +103,14 @@ export const ShareSurveyLink = ({
           {t("common.copy")}
           <Copy />
         </Button>
+        <Button
+          variant="secondary"
+          title={t("environments.surveys.summary.download_qr_code")}
+          aria-label={t("environments.surveys.summary.download_qr_code")}
+          size={"icon"}
+          onClick={downloadQRCode}>
+          <QrCode style={{ width: "24px", height: "24px" }} />
+        </Button>
         {survey.singleUse?.enabled && (
           <Button
             title="Regenerate single use survey link"

apps/web/modules/api/v2/lib/rate-limit.ts

@@ -0,0 +1,70 @@
+import { ApiErrorResponseV2 } from "@/modules/api/v2/types/api-error";
+import { type LimitOptions, Ratelimit, type RatelimitResponse } from "@unkey/ratelimit";
+import { MANAGEMENT_API_RATE_LIMIT, RATE_LIMITING_DISABLED, UNKEY_ROOT_KEY } from "@formbricks/lib/constants";
+import { Result, err, okVoid } from "@formbricks/types/error-handlers";
+
+export type RateLimitHelper = {
+  identifier: string;
+  opts?: LimitOptions;
+  /**
+   * Using a callback instead of a regular return to provide headers even
+   * when the rate limit is reached and an error is thrown.
+   **/
+  onRateLimiterResponse?: (response: RatelimitResponse) => void;
+};
+
+let warningDisplayed = false;
+
+/** Prevent flooding the logs while testing/building */
+function logOnce(message: string) {
+  if (warningDisplayed) return;
+  console.warn(message);
+  warningDisplayed = true;
+}
+
+export function rateLimiter() {
+  if (RATE_LIMITING_DISABLED) {
+    logOnce("Rate limiting disabled");
+    return () => ({ success: true, limit: 10, remaining: 999, reset: 0 }) as RatelimitResponse;
+  }
+
+  if (!UNKEY_ROOT_KEY) {
+    logOnce("Disabled due to not finding UNKEY_ROOT_KEY env variable");
+    return () => ({ success: true, limit: 10, remaining: 999, reset: 0 }) as RatelimitResponse;
+  }
+  const timeout = {
+    fallback: { success: true, limit: 10, remaining: 999, reset: 0 },
+    ms: 5000,
+  };
+
+  const limiter = {
+    api: new Ratelimit({
+      rootKey: UNKEY_ROOT_KEY,
+      namespace: "api",
+      limit: MANAGEMENT_API_RATE_LIMIT.allowedPerInterval,
+      duration: MANAGEMENT_API_RATE_LIMIT.interval * 1000,
+      timeout,
+    }),
+  };
+
+  async function rateLimit({ identifier, opts }: RateLimitHelper) {
+    return await limiter.api.limit(identifier, opts);
+  }
+
+  return rateLimit;
+}
+
+export const checkRateLimitAndThrowError = async ({
+  identifier,
+  opts,
+}: RateLimitHelper): Promise<Result<void, ApiErrorResponseV2>> => {
+  const response = await rateLimiter()({ identifier, opts });
+  const { success } = response;
+
+  if (!success) {
+    return err({
+      type: "too_many_requests",
+    });
+  }
+  return okVoid();
+};

apps/web/modules/api/v2/lib/response.ts

@@ -0,0 +1,270 @@
+import { ApiErrorDetails, ApiErrorResponseV2 } from "@/modules/api/v2/types/api-error";
+import { ApiSuccessResponse } from "@/modules/api/v2/types/api-success";
+
+export type ApiResponse<T> = ApiSuccessResponse<T> | ApiErrorResponseV2;
+
+const corsHeaders = {
+  "Access-Control-Allow-Origin": "*",
+  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+  "Access-Control-Allow-Headers": "Content-Type, Authorization",
+};
+
+const badRequestResponse = ({
+  details = [],
+  cors = false,
+  cache = "private, no-store",
+}: {
+  details?: ApiErrorDetails;
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 400,
+        message: "Bad Request",
+        details,
+      },
+    },
+    {
+      status: 400,
+      headers,
+    }
+  );
+};
+
+const unauthorizedResponse = ({
+  cors = false,
+  cache = "private, no-store",
+}: {
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 401,
+        message: "Unauthorized",
+      },
+    },
+    {
+      status: 401,
+      headers,
+    }
+  );
+};
+
+const forbiddenResponse = ({
+  cors = false,
+  cache = "private, no-store",
+}: {
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 403,
+        message: "Forbidden",
+      },
+    },
+    {
+      status: 403,
+      headers,
+    }
+  );
+};
+
+const notFoundResponse = ({
+  details = [],
+  cors = false,
+  cache = "private, no-store",
+}: {
+  details?: ApiErrorDetails;
+  cors?: boolean;
+  cache?: string;
+}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 404,
+        message: "Not Found",
+        details,
+      },
+    },
+    {
+      status: 404,
+      headers,
+    }
+  );
+};
+
+const conflictResponse = ({
+  cors = false,
+  cache = "private, no-store",
+}: {
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 409,
+        message: "Conflict",
+      },
+    },
+    {
+      status: 409,
+      headers,
+    }
+  );
+};
+
+const unprocessableEntityResponse = ({
+  details = [],
+  cors = false,
+  cache = "private, no-store",
+}: {
+  details: ApiErrorDetails;
+  cors?: boolean;
+  cache?: string;
+}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 422,
+        message: "Unprocessable Entity",
+        details,
+      },
+    },
+    {
+      status: 422,
+      headers,
+    }
+  );
+};
+
+const tooManyRequestsResponse = ({
+  cors = false,
+  cache = "private, no-store",
+}: {
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 429,
+        message: "Too Many Requests",
+      },
+    },
+    {
+      status: 429,
+      headers,
+    }
+  );
+};
+
+const internalServerErrorResponse = ({
+  details = [],
+  cors = false,
+  cache = "private, no-store",
+}: {
+  details?: ApiErrorDetails;
+  cors?: boolean;
+  cache?: string;
+} = {}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      error: {
+        code: 500,
+        message: "Internal Server Error",
+        details,
+      },
+    },
+    {
+      status: 500,
+      headers,
+    }
+  );
+};
+
+const successResponse = ({
+  data,
+  meta,
+  cors = false,
+  cache = "private, no-store",
+}: {
+  data: Object;
+  meta?: Record<string, unknown>;
+  cors?: boolean;
+  cache?: string;
+}) => {
+  const headers = {
+    ...(cors && corsHeaders),
+    "Cache-Control": cache,
+  };
+
+  return Response.json(
+    {
+      data,
+      meta,
+    } as ApiSuccessResponse,
+    {
+      status: 200,
+      headers,
+    }
+  );
+};
+
+export const responses = {
+  badRequestResponse,
+  unauthorizedResponse,
+  forbiddenResponse,
+  notFoundResponse,
+  conflictResponse,
+  unprocessableEntityResponse,
+  tooManyRequestsResponse,
+  internalServerErrorResponse,
+  successResponse,
+};

apps/web/modules/api/v2/lib/tests/rate-limit.test.ts

@@ -0,0 +1,107 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+vi.mock("@unkey/ratelimit", () => ({
+  Ratelimit: vi.fn(),
+}));
+
+describe("when rate limiting is disabled", () => {
+  beforeEach(async () => {
+    vi.resetModules();
+    const constants = await vi.importActual("@formbricks/lib/constants");
+    vi.doMock("@formbricks/lib/constants", () => ({
+      ...constants,
+      MANAGEMENT_API_RATE_LIMIT: { allowedPerInterval: 5, interval: 60 },
+      RATE_LIMITING_DISABLED: true,
+    }));
+  });
+
+  test("should log a warning once and return a stubbed response", async () => {
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const { rateLimiter } = await import("@/modules/api/v2/lib/rate-limit");
+
+    const res1 = await rateLimiter()({ identifier: "test-id" });
+    expect(res1).toEqual({ success: true, limit: 10, remaining: 999, reset: 0 });
+    expect(warnSpy).toHaveBeenCalledWith("Rate limiting disabled");
+
+    // Subsequent calls won't log again.
+    await rateLimiter()({ identifier: "another-id" });
+
+    expect(warnSpy).toHaveBeenCalledTimes(1);
+    warnSpy.mockRestore();
+  });
+});
+
+describe("when UNKEY_ROOT_KEY is missing", () => {
+  beforeEach(async () => {
+    vi.resetModules();
+    const constants = await vi.importActual("@formbricks/lib/constants");
+    vi.doMock("@formbricks/lib/constants", () => ({
+      ...constants,
+      MANAGEMENT_API_RATE_LIMIT: { allowedPerInterval: 5, interval: 60 },
+      RATE_LIMITING_DISABLED: false,
+      UNKEY_ROOT_KEY: "",
+    }));
+  });
+
+  test("should log a warning about missing UNKEY_ROOT_KEY and return stub response", async () => {
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    const { rateLimiter } = await import("@/modules/api/v2/lib/rate-limit");
+    const limiterFunc = rateLimiter();
+
+    const res = await limiterFunc({ identifier: "test-id" });
+    expect(res).toEqual({ success: true, limit: 10, remaining: 999, reset: 0 });
+    expect(warnSpy).toHaveBeenCalledWith("Disabled due to not finding UNKEY_ROOT_KEY env variable");
+    warnSpy.mockRestore();
+  });
+});
+
+describe("when rate limiting is active (enabled)", () => {
+  const mockResponse = { success: true, limit: 5, remaining: 2, reset: 1000 };
+  let limitMock: ReturnType<typeof vi.fn>;
+
+  beforeEach(async () => {
+    vi.resetModules();
+    const constants = await vi.importActual("@formbricks/lib/constants");
+    vi.doMock("@formbricks/lib/constants", () => ({
+      ...constants,
+      MANAGEMENT_API_RATE_LIMIT: { allowedPerInterval: 5, interval: 60 },
+      RATE_LIMITING_DISABLED: false,
+      UNKEY_ROOT_KEY: "valid-key",
+    }));
+
+    limitMock = vi.fn().mockResolvedValue(mockResponse);
+    const RatelimitMock = vi.fn().mockImplementation(() => {
+      return { limit: limitMock };
+    });
+    vi.doMock("@unkey/ratelimit", () => ({
+      Ratelimit: RatelimitMock,
+    }));
+  });
+
+  test("should create a rate limiter that calls the limit method with the proper arguments", async () => {
+    const { rateLimiter } = await import("../rate-limit");
+    const limiterFunc = rateLimiter();
+    const res = await limiterFunc({ identifier: "abc", opts: { cost: 1 } });
+    expect(limitMock).toHaveBeenCalledWith("abc", { cost: 1 });
+    expect(res).toEqual(mockResponse);
+  });
+
+  test("checkRateLimitAndThrowError returns okVoid when rate limit is not exceeded", async () => {
+    limitMock.mockResolvedValueOnce({ success: true, limit: 5, remaining: 3, reset: 1000 });
+
+    const { checkRateLimitAndThrowError } = await import("../rate-limit");
+    const result = await checkRateLimitAndThrowError({ identifier: "abc" });
+    expect(result.ok).toBe(true);
+  });
+
+  test("checkRateLimitAndThrowError returns an error when the rate limit is exceeded", async () => {
+    limitMock.mockResolvedValueOnce({ success: false, limit: 5, remaining: 0, reset: 1000 });
+
+    const { checkRateLimitAndThrowError } = await import("../rate-limit");
+    const result = await checkRateLimitAndThrowError({ identifier: "abc" });
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toEqual({ type: "too_many_requests" });
+    }
+  });
+});

apps/web/modules/api/v2/lib/tests/response.test.ts

@@ -0,0 +1,183 @@
+import { describe, expect, test } from "vitest";
+import { responses } from "../response";
+
+describe("API Responses", () => {
+  describe("badRequestResponse", () => {
+    test("return a 400 response with error details", async () => {
+      const details = [{ field: "param", issue: "invalid" }];
+      const res = responses.badRequestResponse({ details });
+      expect(res.status).toBe(400);
+      expect(res.headers.get("Cache-Control")).toBe("private, no-store");
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 400,
+          message: "Bad Request",
+          details,
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.badRequestResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("unauthorizedResponse", () => {
+    test("return a 401 response with the proper error message", async () => {
+      const res = responses.unauthorizedResponse();
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 401,
+          message: "Unauthorized",
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.unauthorizedResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("forbiddenResponse", () => {
+    test("return a 403 response", async () => {
+      const res = responses.forbiddenResponse();
+      expect(res.status).toBe(403);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 403,
+          message: "Forbidden",
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.forbiddenResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("notFoundResponse", () => {
+    test("return a 404 response with error details", async () => {
+      const details = [{ field: "resource", issue: "not found" }];
+      const res = responses.notFoundResponse({ details });
+      expect(res.status).toBe(404);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 404,
+          message: "Not Found",
+          details,
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.notFoundResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("conflictResponse", () => {
+    test("return a 409 response", async () => {
+      const res = responses.conflictResponse();
+      expect(res.status).toBe(409);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 409,
+          message: "Conflict",
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.conflictResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("unprocessableEntityResponse", () => {
+    test("return a 422 response with error details", async () => {
+      const details = [{ field: "data", issue: "malformed" }];
+      const res = responses.unprocessableEntityResponse({ details });
+      expect(res.status).toBe(422);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 422,
+          message: "Unprocessable Entity",
+          details,
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.unprocessableEntityResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("tooManyRequestsResponse", () => {
+    test("return a 429 response", async () => {
+      const res = responses.tooManyRequestsResponse();
+      expect(res.status).toBe(429);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 429,
+          message: "Too Many Requests",
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.tooManyRequestsResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("internalServerErrorResponse", () => {
+    test("return a 500 response with error details", async () => {
+      const details = [{ field: "server", issue: "crashed" }];
+      const res = responses.internalServerErrorResponse({ details });
+      expect(res.status).toBe(500);
+      const body = await res.json();
+      expect(body).toEqual({
+        error: {
+          code: 500,
+          message: "Internal Server Error",
+          details,
+        },
+      });
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const res = responses.internalServerErrorResponse({ cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+
+  describe("successResponse", () => {
+    test("return a success response with the provided data", async () => {
+      const data = { foo: "bar" };
+      const meta = { page: 1 };
+      const res = responses.successResponse({ data, meta });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.data).toEqual(data);
+      expect(body.meta).toEqual(meta);
+    });
+
+    test("include CORS headers when cors is true", () => {
+      const data = { foo: "bar" };
+      const res = responses.successResponse({ data, cors: true });
+      expect(res.headers.get("Access-Control-Allow-Origin")).toBe("*");
+    });
+  });
+});

apps/web/modules/api/v2/lib/tests/utils.test.ts

@@ -0,0 +1,201 @@
+import { ApiErrorResponseV2 } from "@/modules/api/v2/types/api-error";
+import { describe, expect, test, vi } from "vitest";
+import { ZodError } from "zod";
+import { formatZodError, handleApiError, logApiError, logApiRequest } from "../utils";
+
+const mockRequest = new Request("http://localhost");
+
+// Add the request id header
+mockRequest.headers.set("x-request-id", "123");
+
+describe("utils", () => {
+  describe("handleApiError", () => {
+    test('return bad request response for "bad_request" error', async () => {
+      const details = [{ field: "param", issue: "invalid" }];
+      const error: ApiErrorResponseV2 = { type: "bad_request", details };
+
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(400);
+      const body = await response.json();
+      expect(body.error.code).toBe(400);
+      expect(body.error.message).toBe("Bad Request");
+      expect(body.error.details).toEqual(details);
+    });
+
+    test('return unauthorized response for "unauthorized" error', async () => {
+      const error: ApiErrorResponseV2 = { type: "unauthorized" };
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(401);
+      const body = await response.json();
+      expect(body.error.code).toBe(401);
+      expect(body.error.message).toBe("Unauthorized");
+    });
+
+    test('return forbidden response for "forbidden" error', async () => {
+      const error: ApiErrorResponseV2 = { type: "forbidden" };
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(403);
+      const body = await response.json();
+      expect(body.error.code).toBe(403);
+      expect(body.error.message).toBe("Forbidden");
+    });
+
+    test('return not found response for "not_found" error', async () => {
+      const details = [{ field: "resource", issue: "not found" }];
+      const error: ApiErrorResponseV2 = { type: "not_found", details };
+
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(404);
+      const body = await response.json();
+      expect(body.error.code).toBe(404);
+      expect(body.error.message).toBe("Not Found");
+      expect(body.error.details).toEqual(details);
+    });
+
+    test('return conflict response for "conflict" error', async () => {
+      const error: ApiErrorResponseV2 = { type: "conflict" };
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(409);
+      const body = await response.json();
+      expect(body.error.code).toBe(409);
+      expect(body.error.message).toBe("Conflict");
+    });
+
+    test('return unprocessable entity response for "unprocessable_entity" error', async () => {
+      const details = [{ field: "data", issue: "malformed" }];
+      const error: ApiErrorResponseV2 = { type: "unprocessable_entity", details };
+
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(422);
+      const body = await response.json();
+      expect(body.error.code).toBe(422);
+      expect(body.error.message).toBe("Unprocessable Entity");
+      expect(body.error.details).toEqual(details);
+    });
+
+    test('return too many requests response for "too_many_requests" error', async () => {
+      const error: ApiErrorResponseV2 = { type: "too_many_requests" };
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(429);
+      const body = await response.json();
+      expect(body.error.code).toBe(429);
+      expect(body.error.message).toBe("Too Many Requests");
+    });
+
+    test('return internal server error response for "internal_server_error" error with default message', async () => {
+      const details = [{ field: "server", issue: "error occurred" }];
+      const error: ApiErrorResponseV2 = { type: "internal_server_error", details };
+
+      const response = handleApiError(mockRequest, error);
+      expect(response.status).toBe(500);
+      const body = await response.json();
+      expect(body.error.code).toBe(500);
+      expect(body.error.message).toBe("Internal Server Error");
+      expect(body.error.details).toEqual([
+        { field: "error", issue: "An error occurred while processing your request. Please try again later." },
+      ]);
+    });
+  });
+
+  describe("formatZodError", () => {
+    test("correctly format a Zod error", () => {
+      const zodError = {
+        issues: [
+          {
+            path: ["field1"],
+            message: "Invalid value for field1",
+          },
+          {
+            path: ["field2", "subfield"],
+            message: "Field2 subfield is required",
+          },
+        ],
+      } as ZodError;
+
+      const formatted = formatZodError(zodError);
+      expect(formatted).toEqual([
+        { field: "field1", issue: "Invalid value for field1" },
+        { field: "field2.subfield", issue: "Field2 subfield is required" },
+      ]);
+    });
+
+    test("return an empty array if there are no issues", () => {
+      const zodError = { issues: [] } as unknown as ZodError;
+      const formatted = formatZodError(zodError);
+      expect(formatted).toEqual([]);
+    });
+  });
+
+  describe("logApiRequest", () => {
+    test("logs API request details", () => {
+      const consoleLogSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+
+      const mockRequest = new Request("http://localhost/api/test?apikey=123&token=abc&safeParam=value");
+      mockRequest.headers.set("x-request-id", "123");
+
+      logApiRequest(mockRequest, 200, 100);
+
+      expect(consoleLogSpy).toHaveBeenCalledWith(
+        `[API REQUEST DETAILS] GET /api/test - 200 - 100ms\n correlationId: 123\n queryParams: {"safeParam":"value"}`
+      );
+
+      consoleLogSpy.mockRestore();
+    });
+
+    test("logs API request details without correlationId and without safe query params", () => {
+      const consoleLogSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+
+      const mockRequest = new Request("http://localhost/api/test?apikey=123&token=abc");
+      mockRequest.headers.delete("x-request-id");
+
+      logApiRequest(mockRequest, 200, 100);
+      expect(consoleLogSpy).toHaveBeenCalledWith(
+        `[API REQUEST DETAILS] GET /api/test - 200 - 100ms\n queryParams: {}`
+      );
+
+      consoleLogSpy.mockRestore();
+    });
+  });
+
+  describe("logApiError", () => {
+    test("logs API error details", () => {
+      const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+      const mockRequest = new Request("http://localhost/api/test");
+      mockRequest.headers.set("x-request-id", "123");
+
+      const error: ApiErrorResponseV2 = {
+        type: "internal_server_error",
+        details: [{ field: "server", issue: "error occurred" }],
+      };
+
+      logApiError(mockRequest, error);
+
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        `[API ERROR DETAILS]\n correlationId: 123\n error: ${JSON.stringify(error, null, 2)}`
+      );
+
+      consoleErrorSpy.mockRestore();
+    });
+
+    test("logs API error details without correlationId", () => {
+      const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+
+      const mockRequest = new Request("http://localhost/api/test");
+      mockRequest.headers.delete("x-request-id");
+
+      const error: ApiErrorResponseV2 = {
+        type: "internal_server_error",
+        details: [{ field: "server", issue: "error occurred" }],
+      };
+
+      logApiError(mockRequest, error);
+
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        `[API ERROR DETAILS]\n error: ${JSON.stringify(error, null, 2)}`
+      );
+
+      consoleErrorSpy.mockRestore();
+    });
+  });
+});