fix: enable recall and render rich text default values in translation modal

Pass elementId, localSurvey, and selectedLanguageCode to the Editor so
the RecallPlugin activates. Render default text column as HTML for rich
text fields instead of showing raw markup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.codex/environments/environment.toml

@@ -0,0 +1,9 @@
+# THIS IS AUTOGENERATED. DO NOT EDIT MANUALLY
+version = 1
+name = "formbricks"
+
+[setup]
+script = '''
+pnpm install
+pnpm dev:setup
+'''

.env.example

@@ -94,6 +94,12 @@ EMAIL_VERIFICATION_DISABLED=1
 # Password Reset. If you enable Password Reset functionality you have to setup SMTP-Settings, too.
 PASSWORD_RESET_DISABLED=1
 
+# Password reset token lifetime in minutes. Must be between 5 and 120 if set.
+# PASSWORD_RESET_TOKEN_LIFETIME_MINUTES=30
+
+# Development-only helper: log the password reset link to the server console instead of sending reset emails.
+# DEBUG_SHOW_RESET_LINK=1
+
 # Email login. Disable the ability for users to login with email.
 # EMAIL_AUTH_DISABLED=1
 
@@ -132,6 +138,31 @@ AZUREAD_CLIENT_ID=
 AZUREAD_CLIENT_SECRET=
 AZUREAD_TENANT_ID=
 
+# Configure Formbricks AI at the instance level
+# Set the provider used for AI features on this instance.
+# Accepted values for AI_PROVIDER: aws, gcp, azure
+# Set AI_MODEL to the provider-specific model or deployment name and configure the matching credentials below.
+# AI_PROVIDER=gcp
+# AI_MODEL=gemini-2.5-flash
+
+# Google Vertex AI credentials
+# AI_GCP_PROJECT=
+# AI_GCP_LOCATION=
+# AI_GCP_CREDENTIALS_JSON=
+# AI_GCP_APPLICATION_CREDENTIALS=
+
+# Amazon Bedrock credentials
+# AI_AWS_REGION=
+# AI_AWS_ACCESS_KEY_ID=
+# AI_AWS_SECRET_ACCESS_KEY=
+# AI_AWS_SESSION_TOKEN=
+
+# Azure AI / Microsoft Foundry credentials
+# AI_AZURE_BASE_URL=
+# AI_AZURE_RESOURCE_NAME=
+# AI_AZURE_API_KEY=
+# AI_AZURE_API_VERSION=v1
+
 # OpenID Connect (OIDC) configuration
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
@@ -185,6 +216,14 @@ ENTERPRISE_LICENSE_KEY=
 # Ignore Rate Limiting across the Formbricks app
 # RATE_LIMITING_DISABLED=1
 
+# Disable telemetry reporting (usage stats sent to Formbricks). Ignored when an EE license is active.
+# TELEMETRY_DISABLED=1
+
+# Allow webhook URLs to point to internal/private network addresses (e.g. localhost, 192.168.x.x)
+# WARNING: Only enable this if you understand the SSRF risks. Useful for self-hosted instances
+# that need to send webhooks to internal services.
+# DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS=1
+
 # OpenTelemetry OTLP endpoint (base URL, exporters append /v1/traces and /v1/metrics)
 # OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
 # OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf
@@ -231,4 +270,4 @@ REDIS_URL=redis://localhost:6379
 
 
 # Lingo.dev API key for translation generation
-LINGODOTDEV_API_KEY=your_api_key_here
+LINGO_API_KEY=your_api_key_here

.gitignore

@@ -45,7 +45,7 @@ yarn-error.log*
 .direnv
 
 # Playwright
-/test-results/
+**/test-results/
 /playwright-report/
 /blob-report/
 /playwright/.cache/

AGENTS.md

@@ -52,6 +52,14 @@ We are using SonarQube to identify code smells and security hotspots.
 - Translations are in `apps/web/locales/`. Default is `en-US.json`.
 - Lingo.dev is automatically translating strings from en-US into other languages on commit. Run `pnpm i18n` to generate missing translations and validate keys.
 
+## Date and Time Rendering
+
+- All user-facing dates and times must use shared formatting helpers instead of ad hoc `date-fns`, `Intl`, or `toLocale*` calls in components.
+- Locale for display must come from the app language source of truth (`user.locale`, `getLocale()`, or `i18n.resolvedLanguage`), not browser defaults or implicit `undefined` locale behavior.
+- Locale and time zone are different concerns: locale controls formatting, time zone controls the represented clock/calendar moment.
+- Never infer a time zone from locale. If a product-level time zone source of truth exists, use it explicitly; otherwise preserve the existing semantic meaning of the stored value and avoid introducing browser-dependent conversions.
+- Machine-facing values for storage, APIs, exports, integrations, and logs must remain stable and non-localized (`ISO 8601` / UTC where applicable).
+
 ## Database & Prisma Performance
 
 - Multi-tenancy: All data must be scoped by Organization or Environment.

README.md

@@ -127,34 +127,10 @@ Formbricks has a hosted cloud offering with a generous free plan to get you up a
 
 Formbricks is available Open-Source under AGPLv3 license. You can host Formbricks on your own servers using Docker without a subscription.
 
-If you opt for self-hosting Formbricks, here are a few options to consider:
-
 #### Docker
 
 To get started with self-hosting with Docker, take a look at our [self-hosting docs](https://formbricks.com/docs/self-hosting/deployment).
 
-#### Community-managed One Click Hosting
-
-##### Railway
-
-You can deploy Formbricks on [Railway](https://railway.app) using the button below.
-
-[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template/PPDzCd)
-
-##### RepoCloud
-
-Or you can also deploy Formbricks on [RepoCloud](https://repocloud.io) using the button below.
-
-[![Deploy on RepoCloud](https://d16t0pc4846x52.cloudfront.net/deploy.png)](https://repocloud.io/details/?app_id=254)
-
-##### Zeabur
-
-Or you can also deploy Formbricks on [Zeabur](https://zeabur.com) using the button below.
-
-[![Deploy to Zeabur](https://zeabur.com/button.svg)](https://zeabur.com/templates/G4TUJL)
-
-<a id="development"></a>
-
 ## 👨‍💻 Development
 
 ### Prerequisites
@@ -247,4 +223,4 @@ We currently do not offer Formbricks white-labeled. That means that we don't sel
 
 The Enterprise Edition allows us to fund the development of Formbricks sustainably. It guarantees that the free and open-source surveying infrastructure we're building will be around for decades to come.
 
-<p align="right"><a href="#top">🔼 Back to top</a></p>
+<a id="readme-de"></a>

apps/web/app/(app)/(onboarding)/environments/[environmentId]/connect/page.tsx

@@ -1,5 +1,6 @@
 import { XIcon } from "lucide-react";
 import Link from "next/link";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { ConnectWithFormbricks } from "@/app/(app)/(onboarding)/environments/[environmentId]/connect/components/ConnectWithFormbricks";
 import { getEnvironment } from "@/lib/environment/service";
 import { getPublicDomain } from "@/lib/getPublicUrl";
@@ -20,12 +21,12 @@ const Page = async (props: ConnectPageProps) => {
   const environment = await getEnvironment(params.environmentId);
 
   if (!environment) {
-    throw new Error(t("common.environment_not_found"));
+    throw new ResourceNotFoundError(t("common.environment"), params.environmentId);
   }
 
   const project = await getProjectByEnvironmentId(environment.id);
   if (!project) {
-    throw new Error(t("common.workspace_not_found"));
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   const channel = project.config.channel || null;

apps/web/app/(app)/(onboarding)/environments/[environmentId]/xm-templates/page.tsx

@@ -1,6 +1,7 @@
 import { XIcon } from "lucide-react";
 import { getServerSession } from "next-auth";
 import Link from "next/link";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { XMTemplateList } from "@/app/(app)/(onboarding)/environments/[environmentId]/xm-templates/components/XMTemplateList";
 import { getEnvironment } from "@/lib/environment/service";
 import { getProjectByEnvironmentId, getUserProjects } from "@/lib/project/service";
@@ -23,22 +24,22 @@ const Page = async (props: XMTemplatePageProps) => {
   const environment = await getEnvironment(params.environmentId);
   const t = await getTranslate();
   if (!session) {
-    throw new Error(t("common.session_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   const user = await getUser(session.user.id);
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
   if (!environment) {
-    throw new Error(t("common.environment_not_found"));
+    throw new ResourceNotFoundError(t("common.environment"), params.environmentId);
   }
 
   const organizationId = await getOrganizationIdFromEnvironmentId(environment.id);
 
   const project = await getProjectByEnvironmentId(environment.id);
   if (!project) {
-    throw new Error(t("common.workspace_not_found"));
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   const projects = await getUserProjects(session.user.id, organizationId);

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/layout.tsx

@@ -1,6 +1,6 @@
 import { getServerSession } from "next-auth";
 import { redirect } from "next/navigation";
-import { AuthorizationError } from "@formbricks/types/errors";
+import { AuthenticationError, AuthorizationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { canUserAccessOrganization } from "@/lib/organization/auth";
 import { getOrganization } from "@/lib/organization/service";
 import { getUser } from "@/lib/user/service";
@@ -25,7 +25,7 @@ const ProjectOnboardingLayout = async (props: {
 
   const user = await getUser(session.user.id);
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   const isAuthorized = await canUserAccessOrganization(session.user.id, params.organizationId);
@@ -36,7 +36,7 @@ const ProjectOnboardingLayout = async (props: {
 
   const organization = await getOrganization(params.organizationId);
   if (!organization) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), params.organizationId);
   }
 
   return (

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/workspaces/new/layout.tsx

@@ -1,5 +1,6 @@
 import { getServerSession } from "next-auth";
 import { notFound, redirect } from "next/navigation";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { getMembershipByUserIdOrganizationId } from "@/lib/membership/service";
 import { getAccessFlags } from "@/lib/membership/utils";
 import { getOrganization } from "@/lib/organization/service";
@@ -28,7 +29,7 @@ const OnboardingLayout = async (props: {
 
   const organization = await getOrganization(params.organizationId);
   if (!organization) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), params.organizationId);
   }
 
   const [organizationProjectsLimit, organizationProjectsCount] = await Promise.all([

apps/web/app/(app)/(onboarding)/organizations/[organizationId]/workspaces/new/settings/page.tsx

@@ -1,6 +1,7 @@
 import { XIcon } from "lucide-react";
 import Link from "next/link";
 import { redirect } from "next/navigation";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { TProjectConfigChannel, TProjectConfigIndustry, TProjectMode } from "@formbricks/types/project";
 import { getTeamsByOrganizationId } from "@/app/(app)/(onboarding)/lib/onboarding";
 import { ProjectSettings } from "@/app/(app)/(onboarding)/organizations/[organizationId]/workspaces/new/settings/components/ProjectSettings";
@@ -45,7 +46,7 @@ const Page = async (props: ProjectSettingsPageProps) => {
   const isAccessControlAllowed = await getAccessControlPermission(organization.id);
 
   if (!organizationTeams) {
-    throw new Error(t("common.organization_teams_not_found"));
+    throw new ResourceNotFoundError(t("common.team"), null);
   }
 
   const publicDomain = getPublicDomain();

apps/web/app/(app)/(survey-editor)/environments/[environmentId]/layout.tsx

@@ -1,4 +1,5 @@
 import { redirect } from "next/navigation";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { getEnvironment } from "@/lib/environment/service";
 import { environmentIdLayoutChecks } from "@/modules/environments/lib/utils";
 
@@ -17,13 +18,13 @@ const SurveyEditorEnvironmentLayout = async (props: {
   }
 
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   const environment = await getEnvironment(params.environmentId);
 
   if (!environment) {
-    throw new Error(t("common.environment_not_found"));
+    throw new ResourceNotFoundError(t("common.environment"), params.environmentId);
   }
 
   return (

apps/web/app/(app)/environments/[environmentId]/actions.ts

@@ -2,7 +2,11 @@
 
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
-import { AuthorizationError, OperationNotAllowedError } from "@formbricks/types/errors";
+import {
+  AuthorizationError,
+  OperationNotAllowedError,
+  ResourceNotFoundError,
+} from "@formbricks/types/errors";
 import { ZProjectUpdateInput } from "@formbricks/types/project";
 import { getMembershipByUserIdOrganizationId } from "@/lib/membership/service";
 import { getOrganization } from "@/lib/organization/service";
@@ -46,7 +50,7 @@ export const createProjectAction = authenticatedActionClient.inputSchema(ZCreate
     const organization = await getOrganization(organizationId);
 
     if (!organization) {
-      throw new Error("Organization not found");
+      throw new ResourceNotFoundError("Organization", organizationId);
     }
 
     const organizationProjectsLimit = await getOrganizationProjectsLimit(organization.id);

apps/web/app/(app)/environments/[environmentId]/components/EnvironmentLayout.tsx

@@ -1,3 +1,4 @@
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { MainNavigation } from "@/app/(app)/environments/[environmentId]/components/MainNavigation";
 import { TopControlBar } from "@/app/(app)/environments/[environmentId]/components/TopControlBar";
 import { IS_DEVELOPMENT, IS_FORMBRICKS_CLOUD } from "@/lib/constants";
@@ -42,7 +43,7 @@ export const EnvironmentLayout = async ({ layoutData, children }: EnvironmentLay
 
   // Validate that project permission exists for members
   if (isMember && !projectPermission) {
-    throw new Error(t("common.workspace_permission_not_found"));
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   return (

apps/web/app/(app)/environments/[environmentId]/components/MainNavigation.tsx

@@ -11,7 +11,6 @@ import {
   RocketIcon,
   UserCircleIcon,
   UserIcon,
-  WorkflowIcon,
 } from "lucide-react";
 import Image from "next/image";
 import Link from "next/link";
@@ -116,13 +115,6 @@ export const MainNavigation = ({
           pathname?.includes("/segments") ||
           pathname?.includes("/attributes"),
       },
-      {
-        name: t("common.workflows"),
-        href: `/environments/${environment.id}/workflows`,
-        icon: WorkflowIcon,
-        isActive: pathname?.includes("/workflows"),
-        isHidden: !isFormbricksCloud,
-      },
       {
         name: t("common.configuration"),
         href: `/environments/${environment.id}/workspace/general`,
@@ -130,7 +122,7 @@ export const MainNavigation = ({
         isActive: pathname?.includes("/workspace"),
       },
     ],
-    [t, environment.id, pathname, isFormbricksCloud]
+    [t, environment.id, pathname]
   );
 
   const dropdownNavigation = [

apps/web/app/(app)/environments/[environmentId]/settings/(account)/layout.tsx

@@ -1,4 +1,5 @@
 import { getServerSession } from "next-auth";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getTranslate } from "@/lingodotdev/server";
@@ -20,15 +21,15 @@ const AccountSettingsLayout = async (props: {
   ]);
 
   if (!organization) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), null);
   }
 
   if (!project) {
-    throw new Error(t("common.workspace_not_found"));
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   if (!session) {
-    throw new Error(t("common.session_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   return <>{children}</>;

apps/web/app/(app)/environments/[environmentId]/settings/(account)/notifications/page.tsx

@@ -1,5 +1,6 @@
 import { getServerSession } from "next-auth";
 import { prisma } from "@formbricks/database";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { TUserNotificationSettings } from "@formbricks/types/user";
 import { AccountSettingsNavbar } from "@/app/(app)/environments/[environmentId]/settings/(account)/components/AccountSettingsNavbar";
 import { SettingsCard } from "@/app/(app)/environments/[environmentId]/settings/components/SettingsCard";
@@ -146,18 +147,18 @@ const Page = async (props: {
   const t = await getTranslate();
   const session = await getServerSession(authOptions);
   if (!session) {
-    throw new Error(t("common.session_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
   const autoDisableNotificationType = searchParams["type"];
   const autoDisableNotificationElementId = searchParams["elementId"];
 
   const [user, memberships] = await Promise.all([getUser(session.user.id), getMemberships(session.user.id)]);
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   if (!memberships) {
-    throw new Error(t("common.membership_not_found"));
+    throw new ResourceNotFoundError(t("common.membership"), null);
   }
 
   if (user?.notificationSettings) {

apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/actions.ts

@@ -10,15 +10,16 @@ import {
   getIsEmailUnique,
   verifyUserPassword,
 } from "@/app/(app)/environments/[environmentId]/settings/(account)/profile/lib/user";
-import { EMAIL_VERIFICATION_DISABLED } from "@/lib/constants";
+import { EMAIL_VERIFICATION_DISABLED, PASSWORD_RESET_DISABLED } from "@/lib/constants";
 import { getUser, updateUser } from "@/lib/user/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
 import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { requestPasswordReset } from "@/modules/auth/forgot-password/lib/password-reset-service";
 import { updateBrevoCustomer } from "@/modules/auth/lib/brevo";
 import { applyRateLimit } from "@/modules/core/rate-limit/helpers";
 import { rateLimitConfigs } from "@/modules/core/rate-limit/rate-limit-configs";
 import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
-import { sendForgotPasswordEmail, sendVerificationNewEmail } from "@/modules/email";
+import { sendVerificationNewEmail } from "@/modules/email";
 
 function buildUserUpdatePayload(parsedInput: TUserPersonalInfoUpdateInput): TUserUpdateInput {
   return {
@@ -85,11 +86,15 @@ export const updateUserAction = authenticatedActionClient.inputSchema(ZUserPerso
 
 export const resetPasswordAction = authenticatedActionClient.action(
   withAuditLogging("passwordReset", "user", async ({ ctx }) => {
+    if (PASSWORD_RESET_DISABLED) {
+      throw new OperationNotAllowedError("Password reset is disabled");
+    }
+
     if (ctx.user.identityProvider !== "email") {
       throw new OperationNotAllowedError("Password reset is not allowed for this user.");
     }
 
-    await sendForgotPasswordEmail(ctx.user);
+    await requestPasswordReset(ctx.user, "profile");
 
     ctx.auditLoggingCtx.userId = ctx.user.id;
 

apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/page.tsx

@@ -1,3 +1,4 @@
+import { AuthenticationError } from "@formbricks/types/errors";
 import { AccountSettingsNavbar } from "@/app/(app)/environments/[environmentId]/settings/(account)/components/AccountSettingsNavbar";
 import { AccountSecurity } from "@/app/(app)/environments/[environmentId]/settings/(account)/profile/components/AccountSecurity";
 import { EMAIL_VERIFICATION_DISABLED, IS_FORMBRICKS_CLOUD, PASSWORD_RESET_DISABLED } from "@/lib/constants";
@@ -28,7 +29,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
   const user = session?.user ? await getUser(session.user.id) : null;
 
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   const isPasswordResetEnabled = !PASSWORD_RESET_DISABLED && user.identityProvider === "email";

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/domain/page.tsx

@@ -1,4 +1,5 @@
 import { notFound } from "next/navigation";
+import { AuthenticationError } from "@formbricks/types/errors";
 import { IS_FORMBRICKS_CLOUD, IS_STORAGE_CONFIGURED } from "@/lib/constants";
 import { getTranslate } from "@/lingodotdev/server";
 import { getWhiteLabelPermission } from "@/modules/ee/license-check/lib/utils";
@@ -25,7 +26,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
   );
 
   if (!session) {
-    throw new Error(t("common.session_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   const hasWhiteLabelPermission = await getWhiteLabelPermission(organization.id);

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/enterprise/components/EnterpriseLicenseStatus.tsx

@@ -6,6 +6,7 @@ import { useRouter } from "next/navigation";
 import { useState } from "react";
 import toast from "react-hot-toast";
 import { useTranslation } from "react-i18next";
+import { formatDateForDisplay, formatDateTimeForDisplay } from "@/lib/utils/datetime";
 import { recheckLicenseAction } from "@/modules/ee/license-check/actions";
 import type { TLicenseStatus } from "@/modules/ee/license-check/types/enterprise-license";
 import { Alert, AlertDescription } from "@/modules/ui/components/alert";
@@ -49,7 +50,8 @@ export const EnterpriseLicenseStatus = ({
   gracePeriodEnd,
   environmentId,
 }: EnterpriseLicenseStatusProps) => {
-  const { t } = useTranslation();
+  const { t, i18n } = useTranslation();
+  const locale = i18n.resolvedLanguage ?? i18n.language ?? "en-US";
   const router = useRouter();
   const [isRechecking, setIsRechecking] = useState(false);
 
@@ -97,14 +99,7 @@ export const EnterpriseLicenseStatus = ({
             <div className="flex flex-wrap items-center gap-3">
               <Badge type={badgeConfig.type} text={badgeConfig.label} size="normal" className="w-fit" />
               <span className="text-sm text-slate-500">
-                {t("common.updated_at")}{" "}
-                {new Date(lastChecked).toLocaleString(undefined, {
-                  year: "numeric",
-                  month: "short",
-                  day: "numeric",
-                  hour: "numeric",
-                  minute: "2-digit",
-                })}
+                {t("common.updated_at")} {formatDateTimeForDisplay(new Date(lastChecked), locale)}
               </span>
             </div>
           </div>
@@ -132,7 +127,7 @@ export const EnterpriseLicenseStatus = ({
           <Alert variant="warning" size="small">
             <AlertDescription className="overflow-visible whitespace-normal">
               {t("environments.settings.enterprise.license_unreachable_grace_period", {
-                gracePeriodEnd: new Date(gracePeriodEnd).toLocaleDateString(undefined, {
+                gracePeriodEnd: formatDateForDisplay(new Date(gracePeriodEnd), locale, {
                   year: "numeric",
                   month: "short",
                   day: "numeric",

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/actions.test.ts

@@ -0,0 +1,218 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { AuthorizationError, OperationNotAllowedError } from "@formbricks/types/errors";
+import { updateOrganizationAISettingsAction } from "./actions";
+import { ZOrganizationAISettingsInput } from "./schemas";
+
+const mocks = vi.hoisted(() => ({
+  isInstanceAIConfigured: vi.fn(),
+  checkAuthorizationUpdated: vi.fn(),
+  deleteOrganization: vi.fn(),
+  getOrganization: vi.fn(),
+  getIsMultiOrgEnabled: vi.fn(),
+  getTranslate: vi.fn(),
+  updateOrganization: vi.fn(),
+}));
+
+vi.mock("@/lib/utils/action-client", () => ({
+  authenticatedActionClient: {
+    inputSchema: vi.fn(() => ({
+      action: vi.fn((fn) => fn),
+    })),
+  },
+}));
+
+vi.mock("@/lib/utils/action-client/action-client-middleware", () => ({
+  checkAuthorizationUpdated: mocks.checkAuthorizationUpdated,
+}));
+
+vi.mock("@/lib/organization/service", () => ({
+  deleteOrganization: mocks.deleteOrganization,
+  getOrganization: mocks.getOrganization,
+  updateOrganization: mocks.updateOrganization,
+}));
+
+vi.mock("@/lib/ai/service", () => ({
+  isInstanceAIConfigured: mocks.isInstanceAIConfigured,
+}));
+
+vi.mock("@/lingodotdev/server", () => ({
+  getTranslate: mocks.getTranslate,
+}));
+
+vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
+  withAuditLogging: vi.fn((_eventName, _objectType, fn) => fn),
+}));
+
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({
+  getIsMultiOrgEnabled: mocks.getIsMultiOrgEnabled,
+}));
+
+const organizationId = "cm9gptbhg0000192zceq9ayuc";
+
+describe("organization AI settings actions", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    mocks.checkAuthorizationUpdated.mockResolvedValue(undefined);
+    mocks.getOrganization.mockResolvedValue({
+      id: organizationId,
+      isAISmartToolsEnabled: false,
+      isAIDataAnalysisEnabled: false,
+    });
+    mocks.isInstanceAIConfigured.mockReturnValue(true);
+    mocks.getTranslate.mockResolvedValue((key: string, values?: Record<string, string>) =>
+      values ? `${key}:${JSON.stringify(values)}` : key
+    );
+    mocks.updateOrganization.mockResolvedValue({
+      id: organizationId,
+      isAISmartToolsEnabled: true,
+      isAIDataAnalysisEnabled: false,
+    });
+    mocks.getIsMultiOrgEnabled.mockResolvedValue(true);
+  });
+
+  test("accepts AI toggle updates", () => {
+    expect(
+      ZOrganizationAISettingsInput.parse({
+        isAISmartToolsEnabled: true,
+      })
+    ).toEqual({
+      isAISmartToolsEnabled: true,
+    });
+  });
+
+  test("passes owner and manager roles to the authorization check and updates organization settings", async () => {
+    const ctx = {
+      user: { id: "user_1", locale: "en-US" },
+      auditLoggingCtx: {},
+    };
+    const parsedInput = {
+      organizationId,
+      data: {
+        isAISmartToolsEnabled: true,
+      },
+    };
+
+    const result = await updateOrganizationAISettingsAction({ ctx, parsedInput } as any);
+
+    expect(mocks.checkAuthorizationUpdated).toHaveBeenCalledWith({
+      userId: "user_1",
+      organizationId,
+      access: [
+        {
+          type: "organization",
+          schema: ZOrganizationAISettingsInput,
+          data: parsedInput.data,
+          roles: ["owner", "manager"],
+        },
+      ],
+    });
+    expect(mocks.getOrganization).toHaveBeenCalledWith(organizationId);
+    expect(mocks.updateOrganization).toHaveBeenCalledWith(organizationId, parsedInput.data);
+    expect(ctx.auditLoggingCtx).toMatchObject({
+      organizationId,
+      oldObject: {
+        id: organizationId,
+        isAISmartToolsEnabled: false,
+        isAIDataAnalysisEnabled: false,
+      },
+      newObject: {
+        id: organizationId,
+        isAISmartToolsEnabled: true,
+        isAIDataAnalysisEnabled: false,
+      },
+    });
+    expect(result).toEqual({
+      id: organizationId,
+      isAISmartToolsEnabled: true,
+      isAIDataAnalysisEnabled: false,
+    });
+  });
+
+  test("propagates authorization failures so members cannot update AI settings", async () => {
+    mocks.checkAuthorizationUpdated.mockRejectedValueOnce(new AuthorizationError("Not authorized"));
+
+    await expect(
+      updateOrganizationAISettingsAction({
+        ctx: {
+          user: { id: "user_member", locale: "en-US" },
+          auditLoggingCtx: {},
+        },
+        parsedInput: {
+          organizationId,
+          data: {
+            isAISmartToolsEnabled: true,
+          },
+        },
+      } as any)
+    ).rejects.toThrow(AuthorizationError);
+
+    expect(mocks.updateOrganization).not.toHaveBeenCalled();
+  });
+
+  test("rejects enabling AI when the instance AI provider is not configured", async () => {
+    mocks.isInstanceAIConfigured.mockReturnValueOnce(false);
+
+    await expect(
+      updateOrganizationAISettingsAction({
+        ctx: {
+          user: { id: "user_owner", locale: "en-US" },
+          auditLoggingCtx: {},
+        },
+        parsedInput: {
+          organizationId,
+          data: {
+            isAISmartToolsEnabled: true,
+          },
+        },
+      } as any)
+    ).rejects.toThrow(OperationNotAllowedError);
+
+    expect(mocks.updateOrganization).not.toHaveBeenCalled();
+  });
+
+  test("allows enabling AI when the instance configuration is valid", async () => {
+    await updateOrganizationAISettingsAction({
+      ctx: {
+        user: { id: "user_owner", locale: "en-US" },
+        auditLoggingCtx: {},
+      },
+      parsedInput: {
+        organizationId,
+        data: {
+          isAISmartToolsEnabled: true,
+        },
+      },
+    } as any);
+
+    expect(mocks.updateOrganization).toHaveBeenCalledWith(organizationId, {
+      isAISmartToolsEnabled: true,
+    });
+  });
+
+  test("allows disabling AI when the instance configuration later becomes invalid", async () => {
+    mocks.getOrganization.mockResolvedValueOnce({
+      id: organizationId,
+      isAISmartToolsEnabled: true,
+      isAIDataAnalysisEnabled: false,
+    });
+    mocks.isInstanceAIConfigured.mockReturnValueOnce(false);
+
+    await updateOrganizationAISettingsAction({
+      ctx: {
+        user: { id: "user_owner", locale: "en-US" },
+        auditLoggingCtx: {},
+      },
+      parsedInput: {
+        organizationId,
+        data: {
+          isAISmartToolsEnabled: false,
+        },
+      },
+    } as any);
+
+    expect(mocks.updateOrganization).toHaveBeenCalledWith(organizationId, {
+      isAISmartToolsEnabled: false,
+    });
+  });
+});

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/actions.ts

@@ -2,13 +2,44 @@
 
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
-import { OperationNotAllowedError } from "@formbricks/types/errors";
+import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
+import type { TOrganizationRole } from "@formbricks/types/memberships";
 import { ZOrganizationUpdateInput } from "@formbricks/types/organizations";
+import { isInstanceAIConfigured } from "@/lib/ai/service";
 import { deleteOrganization, getOrganization, updateOrganization } from "@/lib/organization/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
 import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { AuthenticatedActionClientCtx } from "@/lib/utils/action-client/types/context";
+import { getTranslate } from "@/lingodotdev/server";
 import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { getIsMultiOrgEnabled } from "@/modules/ee/license-check/lib/utils";
+import { ZOrganizationAISettingsInput, ZUpdateOrganizationAISettingsAction } from "./schemas";
+
+async function updateOrganizationAction<T extends z.ZodRawShape>({
+  ctx,
+  organizationId,
+  schema,
+  data,
+  roles,
+}: {
+  ctx: AuthenticatedActionClientCtx;
+  organizationId: string;
+  schema: z.ZodObject<T>;
+  data: z.infer<z.ZodObject<T>>;
+  roles: TOrganizationRole[];
+}) {
+  await checkAuthorizationUpdated({
+    userId: ctx.user.id,
+    organizationId,
+    access: [{ type: "organization", schema, data, roles }],
+  });
+  ctx.auditLoggingCtx.organizationId = organizationId;
+  const oldObject = await getOrganization(organizationId);
+  const result = await updateOrganization(organizationId, data);
+  ctx.auditLoggingCtx.oldObject = oldObject;
+  ctx.auditLoggingCtx.newObject = result;
+  return result;
+}
 
 const ZUpdateOrganizationNameAction = z.object({
   organizationId: ZId,
@@ -18,26 +49,114 @@ const ZUpdateOrganizationNameAction = z.object({
 export const updateOrganizationNameAction = authenticatedActionClient
   .inputSchema(ZUpdateOrganizationNameAction)
   .action(
-    withAuditLogging("updated", "organization", async ({ ctx, parsedInput }) => {
-      await checkAuthorizationUpdated({
-        userId: ctx.user.id,
-        organizationId: parsedInput.organizationId,
-        access: [
-          {
-            type: "organization",
-            schema: ZOrganizationUpdateInput.pick({ name: true }),
-            data: parsedInput.data,
-            roles: ["owner"],
-          },
-        ],
-      });
-      ctx.auditLoggingCtx.organizationId = parsedInput.organizationId;
-      const oldObject = await getOrganization(parsedInput.organizationId);
-      const result = await updateOrganization(parsedInput.organizationId, parsedInput.data);
-      ctx.auditLoggingCtx.oldObject = oldObject;
-      ctx.auditLoggingCtx.newObject = result;
-      return result;
-    })
+    withAuditLogging(
+      "updated",
+      "organization",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: z.infer<typeof ZUpdateOrganizationNameAction>;
+      }) =>
+        updateOrganizationAction({
+          ctx,
+          organizationId: parsedInput.organizationId,
+          schema: ZOrganizationUpdateInput.pick({ name: true }),
+          data: parsedInput.data,
+          roles: ["owner"],
+        })
+    )
+  );
+
+type TOrganizationAISettings = Pick<
+  NonNullable<Awaited<ReturnType<typeof getOrganization>>>,
+  "isAISmartToolsEnabled" | "isAIDataAnalysisEnabled"
+>;
+
+type TResolvedOrganizationAISettings = {
+  smartToolsEnabled: boolean;
+  dataAnalysisEnabled: boolean;
+  isEnablingAnyAISetting: boolean;
+};
+
+const resolveOrganizationAISettings = ({
+  data,
+  organization,
+}: {
+  data: z.infer<typeof ZOrganizationAISettingsInput>;
+  organization: TOrganizationAISettings;
+}): TResolvedOrganizationAISettings => {
+  const smartToolsEnabled = Object.hasOwn(data, "isAISmartToolsEnabled")
+    ? (data.isAISmartToolsEnabled ?? organization.isAISmartToolsEnabled)
+    : organization.isAISmartToolsEnabled;
+  const dataAnalysisEnabled = Object.hasOwn(data, "isAIDataAnalysisEnabled")
+    ? (data.isAIDataAnalysisEnabled ?? organization.isAIDataAnalysisEnabled)
+    : organization.isAIDataAnalysisEnabled;
+
+  return {
+    smartToolsEnabled,
+    dataAnalysisEnabled,
+    isEnablingAnyAISetting:
+      (smartToolsEnabled && !organization.isAISmartToolsEnabled) ||
+      (dataAnalysisEnabled && !organization.isAIDataAnalysisEnabled),
+  };
+};
+
+const assertOrganizationAISettingsUpdateAllowed = ({
+  isInstanceAIConfigured,
+  resolvedSettings,
+  t,
+}: {
+  isInstanceAIConfigured: boolean;
+  resolvedSettings: TResolvedOrganizationAISettings;
+  t: Awaited<ReturnType<typeof getTranslate>>;
+}) => {
+  if (resolvedSettings.isEnablingAnyAISetting && !isInstanceAIConfigured) {
+    throw new OperationNotAllowedError(t("environments.settings.general.ai_instance_not_configured"));
+  }
+};
+
+export const updateOrganizationAISettingsAction = authenticatedActionClient
+  .inputSchema(ZUpdateOrganizationAISettingsAction)
+  .action(
+    withAuditLogging(
+      "updated",
+      "organization",
+      async ({
+        ctx,
+        parsedInput,
+      }: {
+        ctx: AuthenticatedActionClientCtx;
+        parsedInput: z.infer<typeof ZUpdateOrganizationAISettingsAction>;
+      }) => {
+        const t = await getTranslate(ctx.user.locale);
+        const organization = await getOrganization(parsedInput.organizationId);
+
+        if (!organization) {
+          throw new ResourceNotFoundError("Organization", parsedInput.organizationId);
+        }
+
+        const resolvedSettings = resolveOrganizationAISettings({
+          data: parsedInput.data,
+          organization,
+        });
+
+        assertOrganizationAISettingsUpdateAllowed({
+          isInstanceAIConfigured: isInstanceAIConfigured(),
+          resolvedSettings,
+          t,
+        });
+
+        return updateOrganizationAction({
+          ctx,
+          organizationId: parsedInput.organizationId,
+          schema: ZOrganizationAISettingsInput,
+          data: parsedInput.data,
+          roles: ["owner", "manager"],
+        });
+      }
+    )
   );
 
 const ZDeleteOrganizationAction = z.object({
@@ -49,7 +168,10 @@ export const deleteOrganizationAction = authenticatedActionClient
   .action(
     withAuditLogging("deleted", "organization", async ({ ctx, parsedInput }) => {
       const isMultiOrgEnabled = await getIsMultiOrgEnabled();
-      if (!isMultiOrgEnabled) throw new OperationNotAllowedError("Organization deletion disabled");
+      if (!isMultiOrgEnabled) {
+        const t = await getTranslate(ctx.user.locale);
+        throw new OperationNotAllowedError(t("environments.settings.general.organization_deletion_disabled"));
+      }
 
       await checkAuthorizationUpdated({
         userId: ctx.user.id,

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/components/AISettingsToggle.tsx

@@ -0,0 +1,118 @@
+"use client";
+
+import { useRouter } from "next/navigation";
+import { useState } from "react";
+import toast from "react-hot-toast";
+import { useTranslation } from "react-i18next";
+import { TOrganizationRole } from "@formbricks/types/memberships";
+import { TOrganization } from "@formbricks/types/organizations";
+import { updateOrganizationAISettingsAction } from "@/app/(app)/environments/[environmentId]/settings/(organization)/general/actions";
+import { getDisplayedOrganizationAISettingValue, getOrganizationAIEnablementState } from "@/lib/ai/utils";
+import { getAccessFlags } from "@/lib/membership/utils";
+import { getFormattedErrorMessage } from "@/lib/utils/helper";
+import { AdvancedOptionToggle } from "@/modules/ui/components/advanced-option-toggle";
+import { Alert, AlertDescription } from "@/modules/ui/components/alert";
+
+interface AISettingsToggleProps {
+  organization: TOrganization;
+  membershipRole?: TOrganizationRole;
+  isInstanceAIConfigured: boolean;
+}
+
+export const AISettingsToggle = ({
+  organization,
+  membershipRole,
+  isInstanceAIConfigured,
+}: Readonly<AISettingsToggleProps>) => {
+  const [loadingField, setLoadingField] = useState<string | null>(null);
+  const { t } = useTranslation();
+  const router = useRouter();
+
+  const { isOwner, isManager } = getAccessFlags(membershipRole);
+  const canEdit = isOwner || isManager;
+  const aiEnablementState = getOrganizationAIEnablementState({
+    isInstanceConfigured: isInstanceAIConfigured,
+  });
+  const showInstanceConfigWarning = aiEnablementState.blockReason === "instanceNotConfigured";
+  const isToggleDisabled = loadingField !== null || !canEdit || !aiEnablementState.canEnableFeatures;
+  const aiEnablementBlockedMessage = t("environments.settings.general.ai_instance_not_configured");
+  const displayedSmartToolsValue = getDisplayedOrganizationAISettingValue({
+    currentValue: organization.isAISmartToolsEnabled,
+    isInstanceConfigured: isInstanceAIConfigured,
+  });
+  const displayedDataAnalysisValue = getDisplayedOrganizationAISettingValue({
+    currentValue: organization.isAIDataAnalysisEnabled,
+    isInstanceConfigured: isInstanceAIConfigured,
+  });
+
+  const handleToggle = async (
+    field: "isAISmartToolsEnabled" | "isAIDataAnalysisEnabled",
+    checked: boolean
+  ) => {
+    if (checked && !aiEnablementState.canEnableFeatures) {
+      toast.error(aiEnablementBlockedMessage);
+      return;
+    }
+
+    setLoadingField(field);
+    try {
+      const data =
+        field === "isAISmartToolsEnabled"
+          ? { isAISmartToolsEnabled: checked }
+          : { isAIDataAnalysisEnabled: checked };
+      const response = await updateOrganizationAISettingsAction({
+        organizationId: organization.id,
+        data,
+      });
+
+      if (response?.data) {
+        toast.success(t("environments.settings.general.ai_settings_updated_successfully"));
+        router.refresh();
+      } else {
+        toast.error(getFormattedErrorMessage(response));
+      }
+    } catch (error) {
+      toast.error(error instanceof Error ? error.message : t("common.something_went_wrong_please_try_again"));
+    } finally {
+      setLoadingField(null);
+    }
+  };
+
+  return (
+    <div className="space-y-4">
+      {showInstanceConfigWarning && (
+        <Alert variant="warning">
+          <AlertDescription>{aiEnablementBlockedMessage}</AlertDescription>
+        </Alert>
+      )}
+
+      <AdvancedOptionToggle
+        isChecked={displayedSmartToolsValue}
+        onToggle={(checked) => handleToggle("isAISmartToolsEnabled", checked)}
+        htmlId="ai-smart-tools-toggle"
+        title={t("environments.settings.general.ai_smart_tools_enabled")}
+        description={t("environments.settings.general.ai_smart_tools_enabled_description")}
+        disabled={isToggleDisabled}
+        customContainerClass="px-0"
+      />
+
+      <AdvancedOptionToggle
+        isChecked={displayedDataAnalysisValue}
+        onToggle={(checked) => handleToggle("isAIDataAnalysisEnabled", checked)}
+        htmlId="ai-data-analysis-toggle"
+        title={t("environments.settings.general.ai_data_analysis_enabled")}
+        description={t("environments.settings.general.ai_data_analysis_enabled_description")}
+        disabled={isToggleDisabled}
+        customContainerClass="px-0"
+      />
+
+      {!canEdit && (
+        <Alert variant="warning">
+          <AlertDescription>
+            {t("common.only_owners_managers_and_manage_access_members_can_perform_this_action")}
+          </AlertDescription>
+        </Alert>
+      )}
+    </div>
+  );
+};

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/page.tsx

@@ -1,4 +1,5 @@
 import { OrganizationSettingsNavbar } from "@/app/(app)/environments/[environmentId]/settings/(organization)/components/OrganizationSettingsNavbar";
+import { isInstanceAIConfigured } from "@/lib/ai/service";
 import { FB_LOGO_URL, IS_FORMBRICKS_CLOUD, IS_STORAGE_CONFIGURED } from "@/lib/constants";
 import { getUser } from "@/lib/user/service";
 import { getTranslate } from "@/lingodotdev/server";
@@ -11,6 +12,7 @@ import { PageContentWrapper } from "@/modules/ui/components/page-content-wrapper
 import { PageHeader } from "@/modules/ui/components/page-header";
 import packageJson from "@/package.json";
 import { SettingsCard } from "../../components/SettingsCard";
+import { AISettingsToggle } from "./components/AISettingsToggle";
 import { DeleteOrganization } from "./components/DeleteOrganization";
 import { EditOrganizationNameForm } from "./components/EditOrganizationNameForm";
 import { SecurityListTip } from "./components/SecurityListTip";
@@ -60,6 +62,15 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
           membershipRole={currentUserMembership?.role}
         />
       </SettingsCard>
+      <SettingsCard
+        title={t("environments.settings.general.ai_enabled")}
+        description={t("environments.settings.general.ai_enabled_description")}>
+        <AISettingsToggle
+          organization={organization}
+          membershipRole={currentUserMembership?.role}
+          isInstanceAIConfigured={isInstanceAIConfigured()}
+        />
+      </SettingsCard>
       <EmailCustomizationSettings
         organization={organization}
         hasWhiteLabelPermission={hasWhiteLabelPermission}

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/general/schemas.ts

@@ -0,0 +1,13 @@
+import { z } from "zod";
+import { ZId } from "@formbricks/types/common";
+import { ZOrganizationUpdateInput } from "@formbricks/types/organizations";
+
+export const ZOrganizationAISettingsInput = ZOrganizationUpdateInput.pick({
+  isAISmartToolsEnabled: true,
+  isAIDataAnalysisEnabled: true,
+});
+
+export const ZUpdateOrganizationAISettingsAction = z.object({
+  organizationId: ZId,
+  data: ZOrganizationAISettingsInput,
+});

apps/web/app/(app)/environments/[environmentId]/settings/(organization)/layout.tsx

@@ -1,4 +1,5 @@
 import { getServerSession } from "next-auth";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getTranslate } from "@/lingodotdev/server";
@@ -17,15 +18,15 @@ const Layout = async (props: { params: Promise<{ environmentId: string }>; child
   ]);
 
   if (!organization) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), null);
   }
 
   if (!project) {
-    throw new Error(t("common.workspace_not_found"));
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   if (!session) {
-    throw new Error(t("common.session_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   return <>{children}</>;

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponseTable.tsx

@@ -96,8 +96,8 @@ export const ResponseTable = ({
   const showQuotasColumn = isQuotasAllowed && quotas.length > 0;
   // Generate columns
   const columns = useMemo(
-    () => generateResponseTableColumns(survey, isExpanded ?? false, isReadOnly, t, showQuotasColumn),
-    [survey, isExpanded, isReadOnly, t, showQuotasColumn]
+    () => generateResponseTableColumns(survey, isExpanded ?? false, isReadOnly, locale, t, showQuotasColumn),
+    [survey, isExpanded, isReadOnly, locale, t, showQuotasColumn]
   );
 
   // Save settings to localStorage when they change
@@ -300,7 +300,6 @@ export const ResponseTable = ({
         <DataTableSettingsModal
           open={isTableSettingsModalOpen}
           setOpen={setIsTableSettingsModalOpen}
-          survey={survey}
           table={table}
           columnOrder={columnOrder}
           handleDragEnd={handleDragEnd}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponseTableColumns.tsx

@@ -8,10 +8,11 @@ import { TResponseTableData } from "@formbricks/types/responses";
 import { TSurveyElement, TSurveyElementTypeEnum } from "@formbricks/types/surveys/elements";
 import { TSurvey } from "@formbricks/types/surveys/types";
 import { getTextContent } from "@formbricks/types/surveys/validation";
+import { TUserLocale } from "@formbricks/types/user";
 import { getLocalizedValue } from "@/lib/i18n/utils";
 import { extractChoiceIdsFromResponse } from "@/lib/response/utils";
 import { getContactIdentifier } from "@/lib/utils/contact";
-import { getFormattedDateTimeString } from "@/lib/utils/datetime";
+import { formatDateTimeForDisplay } from "@/lib/utils/datetime";
 import { recallToHeadline } from "@/lib/utils/recall";
 import { RenderResponse } from "@/modules/analysis/components/SingleResponseCard/components/RenderResponse";
 import { getElementsFromBlocks } from "@/modules/survey/lib/client-utils";
@@ -34,6 +35,7 @@ const getElementColumnsData = (
   element: TSurveyElement,
   survey: TSurvey,
   isExpanded: boolean,
+  locale: TUserLocale,
   t: TFunction
 ): ColumnDef<TResponseTableData>[] => {
   const ELEMENTS_ICON_MAP = getElementIconMap(t);
@@ -167,6 +169,7 @@ const getElementColumnsData = (
                 survey={survey}
                 responseData={responseValue}
                 language={language}
+                locale={locale}
                 isExpanded={isExpanded}
                 showId={false}
               />
@@ -218,6 +221,7 @@ const getElementColumnsData = (
                 survey={survey}
                 responseData={responseValue}
                 language={language}
+                locale={locale}
                 isExpanded={isExpanded}
                 showId={false}
               />
@@ -259,11 +263,14 @@ export const generateResponseTableColumns = (
   survey: TSurvey,
   isExpanded: boolean,
   isReadOnly: boolean,
+  locale: TUserLocale,
   t: TFunction,
   showQuotasColumn: boolean
 ): ColumnDef<TResponseTableData>[] => {
   const elements = getElementsFromBlocks(survey.blocks);
-  const elementColumns = elements.flatMap((element) => getElementColumnsData(element, survey, isExpanded, t));
+  const elementColumns = elements.flatMap((element) =>
+    getElementColumnsData(element, survey, isExpanded, locale, t)
+  );
 
   const dateColumn: ColumnDef<TResponseTableData> = {
     accessorKey: "createdAt",
@@ -271,7 +278,7 @@ export const generateResponseTableColumns = (
     size: 200,
     cell: ({ row }) => {
       const date = new Date(row.original.createdAt);
-      return <p className="text-slate-900">{getFormattedDateTimeString(date)}</p>;
+      return <p className="text-slate-900">{formatDateTimeForDisplay(date, locale)}</p>;
     },
   };
 

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/page.tsx

@@ -1,3 +1,4 @@
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/components/SurveyAnalysisNavigation";
 import { ResponsePage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/responses/components/ResponsePage";
 import { SurveyAnalysisCTA } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA";
@@ -7,7 +8,6 @@ import { getResponseCountBySurveyId, getResponses } from "@/lib/response/service
 import { getSurvey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
 import { getUser } from "@/lib/user/service";
-import { findMatchingLocale } from "@/lib/utils/locale";
 import { getTranslate } from "@/lingodotdev/server";
 import { getSegments } from "@/modules/ee/contacts/segments/lib/segments";
 import { getIsContactsEnabled, getIsQuotasEnabled } from "@/modules/ee/license-check/lib/utils";
@@ -23,25 +23,24 @@ const Page = async (props: { params: Promise<{ environmentId: string; surveyId:
 
   const { session, environment, organization, isReadOnly } = await getEnvironmentAuth(params.environmentId);
 
-  const [survey, user, tags, isContactsEnabled, responseCount, locale] = await Promise.all([
+  const [survey, user, tags, isContactsEnabled, responseCount] = await Promise.all([
     getSurvey(params.surveyId),
     getUser(session.user.id),
     getTagsByEnvironmentId(params.environmentId),
     getIsContactsEnabled(organization.id),
     getResponseCountBySurveyId(params.surveyId),
-    findMatchingLocale(),
   ]);
 
   if (!survey) {
-    throw new Error(t("common.survey_not_found"));
+    throw new ResourceNotFoundError(t("common.survey"), params.surveyId);
   }
 
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
 
   if (!organization) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), null);
   }
 
   const segments = isContactsEnabled ? await getSegments(params.environmentId) : [];
@@ -50,7 +49,7 @@ const Page = async (props: { params: Promise<{ environmentId: string; surveyId:
 
   const organizationBilling = await getOrganizationBilling(organization.id);
   if (!organizationBilling) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), organization.id);
   }
 
   const isQuotasAllowed = await getIsQuotasEnabled(organization.id);
@@ -86,7 +85,7 @@ const Page = async (props: { params: Promise<{ environmentId: string; surveyId:
         environmentTags={tags}
         user={user}
         responsesPerPage={RESPONSES_PER_PAGE}
-        locale={locale}
+        locale={user.locale}
         isReadOnly={isReadOnly}
         isQuotasAllowed={isQuotasAllowed}
         quotas={quotas}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/DateElementSummary.tsx

@@ -7,7 +7,7 @@ import { TSurvey, TSurveyElementSummaryDate } from "@formbricks/types/surveys/ty
 import { TUserLocale } from "@formbricks/types/user";
 import { timeSince } from "@/lib/time";
 import { getContactIdentifier } from "@/lib/utils/contact";
-import { formatDateWithOrdinal } from "@/lib/utils/datetime";
+import { formatStoredDateForDisplay } from "@/lib/utils/date-display";
 import { PersonAvatar } from "@/modules/ui/components/avatars";
 import { Button } from "@/modules/ui/components/button";
 import { EmptyState } from "@/modules/ui/components/empty-state";
@@ -32,13 +32,14 @@ export const DateElementSummary = ({ elementSummary, environmentId, survey, loca
   };
 
   const renderResponseValue = (value: string) => {
-    const parsedDate = new Date(value);
+    const formattedDate = formatStoredDateForDisplay(value, elementSummary.element.format, locale);
 
-    const formattedDate = isNaN(parsedDate.getTime())
-      ? `${t("common.invalid_date")}(${value})`
-      : formatDateWithOrdinal(parsedDate);
-
-    return formattedDate;
+    return (
+      formattedDate ??
+      t("common.invalid_date_with_value", {
+        value,
+      })
+    );
   };
 
   return (
@@ -59,7 +60,7 @@ export const DateElementSummary = ({ elementSummary, environmentId, survey, loca
             elementSummary.samples.slice(0, visibleResponses).map((response) => (
               <div
                 key={response.id}
-                className="grid grid-cols-4 items-center border-b border-slate-100 py-2 text-sm text-slate-800 last:border-transparent md:text-base">
+                className="grid grid-cols-4 items-center border-b border-slate-100 py-2 text-sm text-slate-800 last:border-transparent">
                 <div className="pl-4 md:pl-6">
                   {response.contact ? (
                     <Link
@@ -84,7 +85,7 @@ export const DateElementSummary = ({ elementSummary, environmentId, survey, loca
                 <div className="ph-no-capture col-span-2 whitespace-pre-wrap pl-6 font-semibold">
                   {renderResponseValue(response.value)}
                 </div>
-                <div className="px-4 text-slate-500 md:px-6">
+                <div className="px-4 md:px-6">
                   {timeSince(new Date(response.updatedAt).toISOString(), locale)}
                 </div>
               </div>

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/emailTemplate.tsx

@@ -1,3 +1,4 @@
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { getPublicDomain } from "@/lib/getPublicUrl";
 import { getProjectByEnvironmentId } from "@/lib/project/service";
 import { getSurvey } from "@/lib/survey/service";
@@ -9,11 +10,11 @@ export const getEmailTemplateHtml = async (surveyId: string, locale: string) =>
   const t = await getTranslate();
   const survey = await getSurvey(surveyId);
   if (!survey) {
-    throw new Error("Survey not found");
+    throw new ResourceNotFoundError(t("common.survey"), surveyId);
   }
   const project = await getProjectByEnvironmentId(survey.environmentId);
   if (!project) {
-    throw new Error("Workspace not found");
+    throw new ResourceNotFoundError(t("common.workspace"), null);
   }
 
   const styling = getStyling(project, survey);

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/surveySummary.test.ts

@@ -11,8 +11,7 @@ import { getDisplayCountBySurveyId } from "@/lib/display/service";
 import { getLocalizedValue } from "@/lib/i18n/utils";
 import { getResponseCountBySurveyId } from "@/lib/response/service";
 import { getSurvey } from "@/lib/survey/service";
-import { evaluateLogic, performActions } from "@/lib/surveyLogic/utils";
-import { getElementsFromBlocks } from "@/modules/survey/lib/client-utils";
+import { getElementsFromBlocks } from "@/lib/survey/utils";
 import {
   getElementSummary,
   getResponsesForSummary,
@@ -44,7 +43,7 @@ vi.mock("@/lib/survey/service", () => ({
 }));
 vi.mock("@/lib/surveyLogic/utils", () => ({
   evaluateLogic: vi.fn(),
-  performActions: vi.fn(() => ({ jumpTarget: undefined, requiredQuestionIds: [], calculations: {} })),
+  performActions: vi.fn(() => ({ jumpTarget: undefined, requiredElementIds: [], calculations: {} })),
 }));
 vi.mock("@/lib/utils/validate", () => ({
   validateInputs: vi.fn(),
@@ -229,12 +228,6 @@ describe("getSurveySummaryDropOff", () => {
     vi.mocked(convertFloatTo2Decimal).mockImplementation((num) =>
       num !== undefined && num !== null ? parseFloat(num.toFixed(2)) : 0
     );
-    vi.mocked(evaluateLogic).mockReturnValue(false); // Default: no logic triggers
-    vi.mocked(performActions).mockReturnValue({
-      jumpTarget: undefined,
-      requiredElementIds: [],
-      calculations: {},
-    });
   });
 
   test("calculates dropOff correctly with welcome card disabled", () => {
@@ -246,7 +239,7 @@ describe("getSurveySummaryDropOff", () => {
         contact: null,
         contactAttributes: {},
         language: "en",
-        ttc: { q1: 10 },
+        ttc: { q1: 10, q2: 5 }, // Saw q2 but didn't answer it
         finished: false,
       }, // Dropped at q2
       {
@@ -269,22 +262,55 @@ describe("getSurveySummaryDropOff", () => {
     );
 
     expect(dropOff.length).toBe(2);
-    // Q1
+    // Q1: welcome card disabled so impressions = displayCount
     expect(dropOff[0].elementId).toBe("q1");
-    expect(dropOff[0].impressions).toBe(displayCount); // Welcome card disabled, so first question impressions = displayCount
+    expect(dropOff[0].impressions).toBe(displayCount);
     expect(dropOff[0].dropOffCount).toBe(displayCount - responses.length); // 5 displays - 2 started = 3 dropped before q1
     expect(dropOff[0].dropOffPercentage).toBe(60); // (3/5)*100
     expect(dropOff[0].ttc).toBe(10);
 
-    // Q2
+    // Q2: both responses saw q2 (r1 has ttc for q2, r2 answered q2)
     expect(dropOff[1].elementId).toBe("q2");
-    expect(dropOff[1].impressions).toBe(responses.length); // 2 responses reached q1, so 2 impressions for q2
-    expect(dropOff[1].dropOffCount).toBe(1); // 1 response dropped at q2
+    expect(dropOff[1].impressions).toBe(2);
+    expect(dropOff[1].dropOffCount).toBe(1); // r1 dropped at q2 (last seen element)
     expect(dropOff[1].dropOffPercentage).toBe(50); // (1/2)*100
-    expect(dropOff[1].ttc).toBe(10);
+    expect(dropOff[1].ttc).toBe(7.5); // avg of r1(5ms) and r2(10ms)
   });
 
-  test("handles logic jumps", () => {
+  test("drop-off attributed to last seen element when user doesn't reach next question", () => {
+    // Welcome card enabled so first element drop-off is NOT overridden by displayCount
+    const surveyWithWelcome: TSurvey = {
+      ...surveyWithBlocks,
+      welcomeCard: { enabled: true, headline: { default: "Welcome" } } as unknown as TSurvey["welcomeCard"],
+    };
+    const responses = [
+      {
+        id: "r1",
+        data: { q1: "a" },
+        updatedAt: new Date(),
+        contact: null,
+        contactAttributes: {},
+        language: "en",
+        ttc: { q1: 10 }, // Only saw q1, never reached q2
+        finished: false,
+      },
+    ] as any;
+    const displayCount = 1;
+    const dropOff = getSurveySummaryDropOff(
+      surveyWithWelcome,
+      getElementsFromBlocks(surveyWithWelcome.blocks),
+      responses,
+      displayCount
+    );
+
+    expect(dropOff[0].impressions).toBe(1); // Saw q1
+    expect(dropOff[0].dropOffCount).toBe(1); // Dropped at q1 (last seen element)
+    expect(dropOff[1].impressions).toBe(0); // Never saw q2
+    expect(dropOff[1].dropOffCount).toBe(0);
+  });
+
+  test("handles logic jumps — impressions based on actual ttc/data, not logic replay", () => {
+    // Survey with 4 questions across 4 blocks, logic on block2 jumps q2->q4 (skipping q3)
     const surveyWithLogic: TSurvey = {
       ...mockBaseSurvey,
       blocks: [
@@ -315,36 +341,6 @@ describe("getSurveySummaryDropOff", () => {
               charLimit: { enabled: false },
             },
           ] as TSurveyElement[],
-          logic: [
-            {
-              id: "logic1",
-              conditions: {
-                id: "condition1",
-                connector: "and" as const,
-                conditions: [
-                  {
-                    id: "c1",
-                    leftOperand: {
-                      type: "element" as const,
-                      value: "q2",
-                    },
-                    operator: "equals" as const,
-                    rightOperand: {
-                      type: "static" as const,
-                      value: "b",
-                    },
-                  },
-                ],
-              },
-              actions: [
-                {
-                  id: "action1",
-                  objective: "jumpToBlock" as const,
-                  target: "q4",
-                },
-              ],
-            },
-          ],
         },
         {
           id: "block3",
@@ -377,28 +373,21 @@ describe("getSurveySummaryDropOff", () => {
       ],
       questions: [],
     };
+
+    // Response where user answered q1, q2, then logic jumped to q4 (skipping q3).
+    // The ttc/data reflects exactly what elements were shown — no logic replay needed.
     const responses = [
       {
         id: "r1",
-        data: { q1: "a", q2: "b" },
+        data: { q1: "a", q2: "b", q4: "d" },
         updatedAt: new Date(),
         contact: null,
         contactAttributes: {},
         language: "en",
-        ttc: { q1: 10, q2: 10 },
+        ttc: { q1: 10, q2: 10, q4: 10 }, // q3 has no ttc entry — was skipped by logic
         finished: false,
-      }, // Jumps from q2 to q4, drops at q4
+      },
     ];
-    vi.mocked(evaluateLogic).mockImplementation((_s, data, _v, _, _l) => {
-      // Simulate logic on q2 triggering
-      return data.q2 === "b";
-    });
-    vi.mocked(performActions).mockImplementation((_s, actions, _d, _v) => {
-      if (actions[0] && "objective" in actions[0] && actions[0].objective === "jumpToBlock") {
-        return { jumpTarget: actions[0].target, requiredElementIds: [], calculations: {} };
-      }
-      return { jumpTarget: undefined, requiredElementIds: [], calculations: {} };
-    });
 
     const dropOff = getSurveySummaryDropOff(
       surveyWithLogic,
@@ -407,11 +396,11 @@ describe("getSurveySummaryDropOff", () => {
       1
     );
 
-    expect(dropOff[0].impressions).toBe(1); // q1
-    expect(dropOff[1].impressions).toBe(1); // q2
-    expect(dropOff[2].impressions).toBe(0); // q3 (skipped)
-    expect(dropOff[3].impressions).toBe(1); // q4 (jumped to)
-    expect(dropOff[3].dropOffCount).toBe(1); // Dropped at q4
+    expect(dropOff[0].impressions).toBe(1); // q1: seen
+    expect(dropOff[1].impressions).toBe(1); // q2: seen
+    expect(dropOff[2].impressions).toBe(0); // q3: skipped by logic (no ttc, no data)
+    expect(dropOff[3].impressions).toBe(1); // q4: jumped to, seen
+    expect(dropOff[3].dropOffCount).toBe(1); // Dropped at q4 (last seen element, not finished)
   });
 });
 

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/lib/surveySummary.ts

@@ -11,7 +11,6 @@ import {
   TResponseData,
   TResponseFilterCriteria,
   TResponseTtc,
-  TResponseVariables,
   ZResponseFilterCriteria,
 } from "@formbricks/types/responses";
 import { TSurveyElement, TSurveyElementTypeEnum } from "@formbricks/types/surveys/elements";
@@ -37,8 +36,7 @@ import { getDisplayCountBySurveyId } from "@/lib/display/service";
 import { getLocalizedValue } from "@/lib/i18n/utils";
 import { buildWhereClause } from "@/lib/response/utils";
 import { getSurvey } from "@/lib/survey/service";
-import { findElementLocation, getElementsFromBlocks } from "@/lib/survey/utils";
-import { evaluateLogic, performActions } from "@/lib/surveyLogic/utils";
+import { getElementsFromBlocks } from "@/lib/survey/utils";
 import { validateInputs } from "@/lib/utils/validate";
 import { convertFloatTo2Decimal } from "./utils";
 
@@ -93,63 +91,13 @@ export const getSurveySummaryMeta = (
   };
 };
 
-const evaluateLogicAndGetNextElementId = (
-  localSurvey: TSurvey,
-  elements: TSurveyElement[],
-  data: TResponseData,
-  localVariables: TResponseVariables,
-  currentElementIndex: number,
-  currElementTemp: TSurveyElement,
-  selectedLanguage: string | null
-): {
-  nextElementId: string | undefined;
-  updatedSurvey: TSurvey;
-  updatedVariables: TResponseVariables;
-} => {
-  let updatedSurvey = { ...localSurvey };
-  let updatedVariables = { ...localVariables };
-
-  let firstJumpTarget: string | undefined;
-
-  const { block: currentBlock } = findElementLocation(localSurvey, currElementTemp.id);
-
-  if (currentBlock?.logic && currentBlock.logic.length > 0) {
-    for (const logic of currentBlock.logic) {
-      if (evaluateLogic(localSurvey, data, localVariables, logic.conditions, selectedLanguage ?? "default")) {
-        const { jumpTarget, requiredElementIds, calculations } = performActions(
-          updatedSurvey,
-          logic.actions,
-          data,
-          updatedVariables
-        );
-
-        if (requiredElementIds.length > 0) {
-          // Update blocks to mark elements as required
-          updatedSurvey.blocks = updatedSurvey.blocks.map((block) => ({
-            ...block,
-            elements: block.elements.map((e) =>
-              requiredElementIds.includes(e.id) ? { ...e, required: true } : e
-            ),
-          }));
-        }
-        updatedVariables = { ...updatedVariables, ...calculations };
-
-        if (jumpTarget && !firstJumpTarget) {
-          firstJumpTarget = jumpTarget;
-        }
-      }
-    }
-  }
-
-  // If no jump target was set, check for a fallback logic
-  if (!firstJumpTarget && currentBlock?.logicFallback) {
-    firstJumpTarget = currentBlock.logicFallback;
-  }
-
-  // Return the first jump target if found, otherwise go to the next element
-  const nextElementId = firstJumpTarget || elements[currentElementIndex + 1]?.id || undefined;
-
-  return { nextElementId, updatedSurvey, updatedVariables };
+// Determine whether a response interacted with a given element.
+// An element was "seen" if the respondent has a ttc entry for it OR provided an answer.
+// This is more reliable than replaying survey logic, which can misattribute impressions
+// when branching logic skips elements or when partial response data is insufficient
+// to evaluate conditions correctly.
+const wasElementSeen = (response: TSurveySummaryResponse, elementId: string): boolean => {
+  return (response.ttc != null && response.ttc[elementId] > 0) || response.data[elementId] !== undefined;
 };
 
 export const getSurveySummaryDropOff = (
@@ -170,16 +118,8 @@ export const getSurveySummaryDropOff = (
   let impressionsArr = new Array(elements.length).fill(0) as number[];
   let dropOffPercentageArr = new Array(elements.length).fill(0) as number[];
 
-  const surveyVariablesData = survey.variables?.reduce(
-    (acc, variable) => {
-      acc[variable.id] = variable.value;
-      return acc;
-    },
-    {} as Record<string, string | number>
-  );
-
   responses.forEach((response) => {
-    // Calculate total time-to-completion
+    // Calculate total time-to-completion per element
     Object.keys(totalTtc).forEach((elementId) => {
       if (response.ttc && response.ttc[elementId]) {
         totalTtc[elementId] += response.ttc[elementId];
@@ -187,51 +127,21 @@ export const getSurveySummaryDropOff = (
       }
     });
 
-    let localSurvey = structuredClone(survey);
-    let localResponseData: TResponseData = { ...response.data };
-    let localVariables: TResponseVariables = {
-      ...surveyVariablesData,
-    };
+    // Count impressions based on actual interaction data (ttc + response data)
+    // instead of replaying survey logic which is unreliable with branching
+    let lastSeenIdx = -1;
 
-    let currQuesIdx = 0;
-
-    while (currQuesIdx < elements.length) {
-      const currQues = elements[currQuesIdx];
-      if (!currQues) break;
-
-      // element is not answered and required
-      if (response.data[currQues.id] === undefined && currQues.required) {
-        dropOffArr[currQuesIdx]++;
-        impressionsArr[currQuesIdx]++;
-        break;
+    for (let i = 0; i < elements.length; i++) {
+      const element = elements[i];
+      if (wasElementSeen(response, element.id)) {
+        impressionsArr[i]++;
+        lastSeenIdx = i;
       }
+    }
 
-      impressionsArr[currQuesIdx]++;
-
-      const { nextElementId, updatedSurvey, updatedVariables } = evaluateLogicAndGetNextElementId(
-        localSurvey,
-        elements,
-        localResponseData,
-        localVariables,
-        currQuesIdx,
-        currQues,
-        response.language
-      );
-
-      localSurvey = updatedSurvey;
-      localVariables = updatedVariables;
-
-      if (nextElementId) {
-        const nextQuesIdx = elements.findIndex((q) => q.id === nextElementId);
-        if (!response.data[nextElementId] && !response.finished) {
-          dropOffArr[nextQuesIdx]++;
-          impressionsArr[nextQuesIdx]++;
-          break;
-        }
-        currQuesIdx = nextQuesIdx;
-      } else {
-        currQuesIdx++;
-      }
+    // Attribute drop-off to the last element the respondent interacted with
+    if (!response.finished && lastSeenIdx >= 0) {
+      dropOffArr[lastSeenIdx]++;
     }
   });
 
@@ -240,6 +150,8 @@ export const getSurveySummaryDropOff = (
     totalTtc[elementId] = responseCounts[elementId] > 0 ? totalTtc[elementId] / responseCounts[elementId] : 0;
   });
 
+  // When the welcome card is disabled, the first element's impressions should equal displayCount
+  // because every survey display is an impression of the first element
   if (!survey.welcomeCard.enabled) {
     dropOffArr[0] = displayCount - impressionsArr[0];
     if (impressionsArr[0] > displayCount) dropOffPercentageArr[0] = 0;
@@ -251,7 +163,7 @@ export const getSurveySummaryDropOff = (
 
     impressionsArr[0] = displayCount;
   } else {
-    dropOffPercentageArr[0] = (dropOffArr[0] / impressionsArr[0]) * 100;
+    dropOffPercentageArr[0] = impressionsArr[0] > 0 ? (dropOffArr[0] / impressionsArr[0]) * 100 : 0;
   }
 
   for (let i = 1; i < elements.length; i++) {

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/page.tsx

@@ -1,4 +1,5 @@
 import { notFound } from "next/navigation";
+import { AuthenticationError, ResourceNotFoundError } from "@formbricks/types/errors";
 import { SurveyAnalysisNavigation } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/components/SurveyAnalysisNavigation";
 import { SummaryPage } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SummaryPage";
 import { SurveyAnalysisCTA } from "@/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA";
@@ -32,13 +33,13 @@ const SurveyPage = async (props: { params: Promise<{ environmentId: string; surv
   const survey = await getSurvey(params.surveyId);
 
   if (!survey) {
-    throw new Error(t("common.survey_not_found"));
+    throw new ResourceNotFoundError(t("common.survey"), params.surveyId);
   }
 
   const user = await getUser(session.user.id);
 
   if (!user) {
-    throw new Error(t("common.user_not_found"));
+    throw new AuthenticationError(t("common.not_authenticated"));
   }
   const organizationId = await getOrganizationIdFromEnvironmentId(environment.id);
 
@@ -46,11 +47,11 @@ const SurveyPage = async (props: { params: Promise<{ environmentId: string; surv
   const segments = isContactsEnabled ? await getSegments(environment.id) : [];
 
   if (!organizationId) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), null);
   }
   const organizationBilling = await getOrganizationBilling(organizationId);
   if (!organizationBilling) {
-    throw new Error(t("common.organization_not_found"));
+    throw new ResourceNotFoundError(t("common.organization"), organizationId);
   }
   const isQuotasAllowed = await getIsQuotasEnabled(organizationId);
 

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/actions.ts

@@ -2,21 +2,16 @@
 
 import { z } from "zod";
 import { ZId } from "@formbricks/types/common";
-import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { ZResponseFilterCriteria } from "@formbricks/types/responses";
-import { ZSurvey } from "@formbricks/types/surveys/types";
-import { getOrganization } from "@/lib/organization/service";
 import { getResponseDownloadFile, getResponseFilteringValues } from "@/lib/response/service";
-import { getSurvey, updateSurvey } from "@/lib/survey/service";
+import { getSurvey } from "@/lib/survey/service";
 import { getTagsByEnvironmentId } from "@/lib/tag/service";
 import { authenticatedActionClient } from "@/lib/utils/action-client";
 import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
 import { getOrganizationIdFromSurveyId, getProjectIdFromSurveyId } from "@/lib/utils/helper";
-import { withAuditLogging } from "@/modules/ee/audit-logs/lib/handler";
 import { getIsQuotasEnabled } from "@/modules/ee/license-check/lib/utils";
 import { getQuotas } from "@/modules/ee/quotas/lib/quotas";
-import { getSurveyFollowUpsPermission } from "@/modules/survey/follow-ups/lib/utils";
-import { checkSpamProtectionPermission } from "@/modules/survey/lib/permission";
 import { getOrganizationBilling } from "@/modules/survey/lib/survey";
 
 const ZGetResponsesDownloadUrlAction = z.object({
@@ -97,68 +92,3 @@ export const getSurveyFilterDataAction = authenticatedActionClient
 
     return { environmentTags: tags, attributes, meta, hiddenFields, quotas };
   });
-
-/**
- * Checks if survey follow-ups are enabled for the given organization.
- *
- * @param {string} organizationId  The ID of the organization to check.
- * @returns {Promise<void>}  A promise that resolves if the permission is granted.
- * @throws {ResourceNotFoundError}  If the organization is not found.
- * @throws {OperationNotAllowedError}  If survey follow-ups are not enabled for the organization.
- */
-const checkSurveyFollowUpsPermission = async (organizationId: string): Promise<void> => {
-  const organization = await getOrganization(organizationId);
-
-  if (!organization) {
-    throw new ResourceNotFoundError("Organization not found", organizationId);
-  }
-
-  const isSurveyFollowUpsEnabled = await getSurveyFollowUpsPermission(organizationId);
-  if (!isSurveyFollowUpsEnabled) {
-    throw new OperationNotAllowedError("Survey follow ups are not enabled for this organization");
-  }
-};
-
-export const updateSurveyAction = authenticatedActionClient.inputSchema(ZSurvey).action(
-  withAuditLogging("updated", "survey", async ({ ctx, parsedInput }) => {
-    const organizationId = await getOrganizationIdFromSurveyId(parsedInput.id);
-    await checkAuthorizationUpdated({
-      userId: ctx.user?.id ?? "",
-      organizationId,
-      access: [
-        {
-          type: "organization",
-          roles: ["owner", "manager"],
-        },
-        {
-          type: "projectTeam",
-          projectId: await getProjectIdFromSurveyId(parsedInput.id),
-          minPermission: "readWrite",
-        },
-      ],
-    });
-
-    const { followUps } = parsedInput;
-
-    const oldSurvey = await getSurvey(parsedInput.id);
-
-    if (parsedInput.recaptcha?.enabled) {
-      await checkSpamProtectionPermission(organizationId);
-    }
-
-    if (followUps?.length) {
-      await checkSurveyFollowUpsPermission(organizationId);
-    }
-
-    // Context for audit log
-    ctx.auditLoggingCtx.surveyId = parsedInput.id;
-    ctx.auditLoggingCtx.organizationId = organizationId;
-    ctx.auditLoggingCtx.oldObject = oldSurvey;
-
-    const newSurvey = await updateSurvey(parsedInput);
-
-    ctx.auditLoggingCtx.newObject = newSurvey;
-
-    return newSurvey;
-  })
-);

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/components/ElementsComboBox.tsx

@@ -1,6 +1,7 @@
 "use client";
 
 import clsx from "clsx";
+import { TFunction } from "i18next";
 import {
   AirplayIcon,
   ArrowUpFromDotIcon,
@@ -54,6 +55,25 @@ export enum OptionsType {
   QUOTAS = "Quotas",
 }
 
+const getOptionsTypeTranslationKey = (type: OptionsType, t: TFunction): string => {
+  switch (type) {
+    case OptionsType.ELEMENTS:
+      return t("common.elements");
+    case OptionsType.TAGS:
+      return t("common.tags");
+    case OptionsType.ATTRIBUTES:
+      return t("common.attributes");
+    case OptionsType.OTHERS:
+      return t("common.other_filters");
+    case OptionsType.META:
+      return t("common.meta");
+    case OptionsType.HIDDEN_FIELDS:
+      return t("common.hidden_fields");
+    case OptionsType.QUOTAS:
+      return t("common.quotas");
+  }
+};
+
 export type ElementOption = {
   label: string;
   elementType?: TSurveyElementTypeEnum;
@@ -218,7 +238,12 @@ export const ElementsComboBox = ({ options, selected, onChangeValue }: ElementCo
             {options?.map((data) => (
               <Fragment key={data.header}>
                 {data?.option.length > 0 && (
-                  <CommandGroup heading={<p className="text-sm font-medium text-slate-600">{data.header}</p>}>
+                  <CommandGroup
+                    heading={
+                      <p className="text-sm font-medium text-slate-600">
+                        {getOptionsTypeTranslationKey(data.header, t)}
+                      </p>
+                    }>
                     {data?.option?.map((o) => (
                       <CommandItem
                         key={o.id}

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/components/SurveyStatusDropdown.tsx

@@ -6,6 +6,7 @@ import { useTranslation } from "react-i18next";
 import { TEnvironment } from "@formbricks/types/environment";
 import { TSurvey } from "@formbricks/types/surveys/types";
 import { getFormattedErrorMessage } from "@/lib/utils/helper";
+import { updateSurveyAction } from "@/modules/survey/editor/actions";
 import {
   Select,
   SelectContent,
@@ -14,7 +15,6 @@ import {
   SelectValue,
 } from "@/modules/ui/components/select";
 import { SurveyStatusIndicator } from "@/modules/ui/components/survey-status-indicator";
-import { updateSurveyAction } from "../actions";
 
 interface SurveyStatusDropdownProps {
   environment: TEnvironment;

apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/layout.tsx

@@ -1,4 +1,6 @@
+import { ResourceNotFoundError } from "@formbricks/types/errors";
 import { getSurvey } from "@/lib/survey/service";
+import { getTranslate } from "@/lingodotdev/server";
 import { SurveyContextWrapper } from "./context/survey-context";
 
 interface SurveyLayoutProps {
@@ -10,9 +12,10 @@ const SurveyLayout = async ({ params, children }: SurveyLayoutProps) => {
   const resolvedParams = await params;
 
   const survey = await getSurvey(resolvedParams.surveyId);
+  const t = await getTranslate();
 
   if (!survey) {
-    throw new Error("Survey not found");
+    throw new ResourceNotFoundError(t("common.survey"), resolvedParams.surveyId);
   }
 
   return <SurveyContextWrapper survey={survey}>{children}</SurveyContextWrapper>;

apps/web/app/(app)/environments/[environmentId]/workflows/components/workflows-page.tsx

@@ -1,208 +0,0 @@
-"use client";
-
-import { CheckCircle2, Sparkles } from "lucide-react";
-import { useState } from "react";
-import { useTranslation } from "react-i18next";
-import { Button } from "@/modules/ui/components/button";
-
-const FORMBRICKS_HOST = "https://app.formbricks.com";
-const SURVEY_ID = "cr9r4b2r73x6hlmn5aa2ha44";
-const ENVIRONMENT_ID = "cmk41i8bi92bdad01svi74dec";
-
-interface WorkflowsPageProps {
-  userEmail: string;
-  organizationName: string;
-  billingPlan: string;
-}
-
-type Step = "prompt" | "followup" | "thankyou";
-
-export const WorkflowsPage = ({ userEmail, organizationName, billingPlan }: WorkflowsPageProps) => {
-  const { t } = useTranslation();
-  const [step, setStep] = useState<Step>("prompt");
-  const [promptValue, setPromptValue] = useState("");
-  const [detailsValue, setDetailsValue] = useState("");
-  const [responseId, setResponseId] = useState<string | null>(null);
-  const [isSubmitting, setIsSubmitting] = useState(false);
-
-  const handleGenerateWorkflow = async () => {
-    if (promptValue.trim().length < 100 || isSubmitting) return;
-    setIsSubmitting(true);
-
-    try {
-      const res = await fetch(`${FORMBRICKS_HOST}/api/v2/client/${ENVIRONMENT_ID}/responses`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          surveyId: SURVEY_ID,
-          finished: false,
-          data: {
-            workflow: promptValue.trim(),
-            useremail: userEmail,
-            orgname: organizationName,
-            billingplan: billingPlan,
-          },
-        }),
-      });
-
-      if (res.ok) {
-        const json = await res.json();
-        setResponseId(json.data?.id ?? null);
-      }
-
-      setStep("followup");
-    } catch {
-      setStep("followup");
-    } finally {
-      setIsSubmitting(false);
-    }
-  };
-
-  const handleSubmitFeedback = async () => {
-    if (isSubmitting) return;
-    setIsSubmitting(true);
-
-    if (responseId) {
-      try {
-        await fetch(`${FORMBRICKS_HOST}/api/v1/client/${ENVIRONMENT_ID}/responses/${responseId}`, {
-          method: "PUT",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({
-            finished: true,
-            data: {
-              details: detailsValue.trim(),
-            },
-          }),
-        });
-      } catch {
-        // silently fail
-      }
-    }
-
-    setIsSubmitting(false);
-    setStep("thankyou");
-  };
-
-  const handleSkipFeedback = async () => {
-    if (!responseId) {
-      setStep("thankyou");
-      return;
-    }
-
-    try {
-      await fetch(`${FORMBRICKS_HOST}/api/v1/client/${ENVIRONMENT_ID}/responses/${responseId}`, {
-        method: "PUT",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          finished: true,
-          data: {},
-        }),
-      });
-    } catch {
-      // silently fail
-    }
-
-    setStep("thankyou");
-  };
-
-  if (step === "prompt") {
-    return (
-      <div className="flex h-full flex-col items-center px-4 pt-[15vh]">
-        <div className="w-full max-w-2xl space-y-8">
-          <div className="space-y-3 text-center">
-            <div className="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-xl bg-gradient-to-br from-brand-light to-brand-dark shadow-md">
-              <Sparkles className="h-6 w-6 text-white" />
-            </div>
-            <h1 className="text-4xl font-bold tracking-tight text-slate-800">{t("workflows.heading")}</h1>
-            <p className="text-lg text-slate-500">{t("workflows.subheading")}</p>
-          </div>
-
-          <div className="relative">
-            <textarea
-              value={promptValue}
-              onChange={(e) => setPromptValue(e.target.value)}
-              placeholder={t("workflows.placeholder")}
-              rows={5}
-              className="w-full resize-none rounded-xl border border-slate-200 bg-white px-5 py-4 text-base text-slate-800 shadow-sm transition-all placeholder:text-slate-400 focus:border-brand-dark focus:outline-none focus:ring-2 focus:ring-brand-light/20"
-              onKeyDown={(e) => {
-                if (e.key === "Enter" && (e.metaKey || e.ctrlKey)) {
-                  handleGenerateWorkflow();
-                }
-              }}
-            />
-            <div className="mt-3 flex items-center justify-between">
-              <span
-                className={`text-xs ${promptValue.trim().length >= 100 ? "text-slate-400" : "text-amber-500"}`}>
-                {promptValue.trim().length} / 100
-              </span>
-              <Button
-                onClick={handleGenerateWorkflow}
-                disabled={promptValue.trim().length < 100 || isSubmitting}
-                loading={isSubmitting}
-                size="lg">
-                <Sparkles className="h-4 w-4" />
-                {t("workflows.generate_button")}
-              </Button>
-            </div>
-          </div>
-        </div>
-      </div>
-    );
-  }
-
-  if (step === "followup") {
-    return (
-      <div className="flex h-full flex-col items-center px-4 pt-[15vh]">
-        <div className="w-full max-w-2xl space-y-8">
-          <div className="space-y-3 text-center">
-            <div className="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-xl bg-slate-100">
-              <Sparkles className="h-6 w-6 text-brand-dark" />
-            </div>
-            <h1 className="text-3xl font-bold tracking-tight text-slate-800">
-              {t("workflows.coming_soon_title")}
-            </h1>
-            <p className="mx-auto max-w-md text-base text-slate-500">
-              {t("workflows.coming_soon_description")}
-            </p>
-          </div>
-
-          <div className="rounded-xl border border-slate-200 bg-white p-6 shadow-sm">
-            <label className="text-md mb-2 block font-medium text-slate-700">
-              {t("workflows.follow_up_label")}
-            </label>
-            <textarea
-              value={detailsValue}
-              onChange={(e) => setDetailsValue(e.target.value)}
-              placeholder={t("workflows.follow_up_placeholder")}
-              rows={4}
-              className="w-full resize-none rounded-lg border border-slate-200 bg-slate-50 px-4 py-3 text-sm text-slate-800 transition-all placeholder:text-slate-400 focus:border-brand-dark focus:bg-white focus:outline-none focus:ring-2 focus:ring-brand-light/20"
-            />
-            <div className="mt-4 flex items-center justify-end gap-3">
-              <Button variant="ghost" onClick={handleSkipFeedback} className="text-slate-500">
-                {t("common.skip")}
-              </Button>
-              <Button
-                onClick={handleSubmitFeedback}
-                disabled={!detailsValue.trim() || isSubmitting}
-                loading={isSubmitting}>
-                {t("workflows.submit_button")}
-              </Button>
-            </div>
-          </div>
-        </div>
-      </div>
-    );
-  }
-
-  return (
-    <div className="flex h-full flex-col items-center px-4 pt-[15vh]">
-      <div className="w-full max-w-md space-y-6 text-center">
-        <div className="mx-auto flex h-16 w-16 items-center justify-center rounded-full bg-green-50">
-          <CheckCircle2 className="h-8 w-8 text-green-500" />
-        </div>
-        <h1 className="text-2xl font-bold text-slate-800">{t("workflows.thank_you_title")}</h1>
-        <p className="text-base text-slate-500">{t("workflows.thank_you_description")}</p>
-      </div>
-    </div>
-  );
-};

apps/web/app/(app)/environments/[environmentId]/workflows/page.tsx

@@ -1,42 +0,0 @@
-import { Metadata } from "next";
-import { notFound, redirect } from "next/navigation";
-import { IS_FORMBRICKS_CLOUD } from "@/lib/constants";
-import { getUser } from "@/lib/user/service";
-import { getCloudBillingDisplayContext } from "@/modules/ee/billing/lib/cloud-billing-display";
-import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
-import { WorkflowsPage } from "./components/workflows-page";
-
-export const metadata: Metadata = {
-  title: "Workflows",
-};
-
-const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
-  const params = await props.params;
-
-  if (!IS_FORMBRICKS_CLOUD) {
-    return notFound();
-  }
-
-  const { session, organization, isBilling } = await getEnvironmentAuth(params.environmentId);
-
-  if (isBilling) {
-    return redirect(`/environments/${params.environmentId}/settings/billing`);
-  }
-
-  const user = await getUser(session.user.id);
-  if (!user) {
-    return redirect("/auth/login");
-  }
-
-  const cloudBillingDisplayContext = await getCloudBillingDisplayContext(organization.id);
-
-  return (
-    <WorkflowsPage
-      userEmail={user.email}
-      organizationName={organization.name}
-      billingPlan={cloudBillingDisplayContext.currentCloudPlan}
-    />
-  );
-};
-
-export default Page;

apps/web/app/(app)/environments/[environmentId]/workspace/integrations/airtable/page.tsx

@@ -4,9 +4,9 @@ import { TIntegrationAirtable } from "@formbricks/types/integration/airtable";
 import { AirtableWrapper } from "@/app/(app)/environments/[environmentId]/workspace/integrations/airtable/components/AirtableWrapper";
 import { getSurveys } from "@/app/(app)/environments/[environmentId]/workspace/integrations/lib/surveys";
 import { getAirtableTables } from "@/lib/airtable/service";
-import { AIRTABLE_CLIENT_ID, WEBAPP_URL } from "@/lib/constants";
+import { AIRTABLE_CLIENT_ID, DEFAULT_LOCALE, WEBAPP_URL } from "@/lib/constants";
 import { getIntegrations } from "@/lib/integration/service";
-import { findMatchingLocale } from "@/lib/utils/locale";
+import { getUserLocale } from "@/lib/user/service";
 import { getTranslate } from "@/lingodotdev/server";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
 import { GoBackButton } from "@/modules/ui/components/go-back-button";
@@ -18,11 +18,12 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
   const t = await getTranslate();
   const isEnabled = !!AIRTABLE_CLIENT_ID;
 
-  const { isReadOnly, environment } = await getEnvironmentAuth(params.environmentId);
+  const { isReadOnly, environment, session } = await getEnvironmentAuth(params.environmentId);
 
-  const [surveys, integrations] = await Promise.all([
+  const [surveys, integrations, locale] = await Promise.all([
     getSurveys(params.environmentId),
     getIntegrations(params.environmentId),
+    getUserLocale(session.user.id),
   ]);
 
   const airtableIntegration: TIntegrationAirtable | undefined = integrations?.find(
@@ -33,9 +34,6 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
   if (airtableIntegration?.config.key) {
     airtableArray = await getAirtableTables(params.environmentId);
   }
-
-  const locale = await findMatchingLocale();
-
   if (isReadOnly) {
     return redirect("./");
   }
@@ -52,7 +50,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
           environmentId={environment.id}
           surveys={surveys}
           webAppUrl={WEBAPP_URL}
-          locale={locale}
+          locale={locale ?? DEFAULT_LOCALE}
         />
       </div>
     </PageContentWrapper>

apps/web/app/(app)/environments/[environmentId]/workspace/integrations/google-sheets/page.tsx

@@ -3,13 +3,14 @@ import { TIntegrationGoogleSheets } from "@formbricks/types/integration/google-s
 import { GoogleSheetWrapper } from "@/app/(app)/environments/[environmentId]/workspace/integrations/google-sheets/components/GoogleSheetWrapper";
 import { getSurveys } from "@/app/(app)/environments/[environmentId]/workspace/integrations/lib/surveys";
 import {
+  DEFAULT_LOCALE,
   GOOGLE_SHEETS_CLIENT_ID,
   GOOGLE_SHEETS_CLIENT_SECRET,
   GOOGLE_SHEETS_REDIRECT_URL,
   WEBAPP_URL,
 } from "@/lib/constants";
 import { getIntegrations } from "@/lib/integration/service";
-import { findMatchingLocale } from "@/lib/utils/locale";
+import { getUserLocale } from "@/lib/user/service";
 import { getTranslate } from "@/lingodotdev/server";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
 import { GoBackButton } from "@/modules/ui/components/go-back-button";
@@ -21,19 +22,17 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
   const t = await getTranslate();
   const isEnabled = !!(GOOGLE_SHEETS_CLIENT_ID && GOOGLE_SHEETS_CLIENT_SECRET && GOOGLE_SHEETS_REDIRECT_URL);
 
-  const { isReadOnly, environment } = await getEnvironmentAuth(params.environmentId);
+  const { isReadOnly, environment, session } = await getEnvironmentAuth(params.environmentId);
 
-  const [surveys, integrations] = await Promise.all([
+  const [surveys, integrations, locale] = await Promise.all([
     getSurveys(params.environmentId),
     getIntegrations(params.environmentId),
+    getUserLocale(session.user.id),
   ]);
 
   const googleSheetIntegration: TIntegrationGoogleSheets | undefined = integrations?.find(
     (integration): integration is TIntegrationGoogleSheets => integration.type === "googleSheets"
   );
-
-  const locale = await findMatchingLocale();
-
   if (isReadOnly) {
     return redirect("./");
   }
@@ -49,7 +48,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
           surveys={surveys}
           googleSheetIntegration={googleSheetIntegration}
           webAppUrl={WEBAPP_URL}
-          locale={locale}
+          locale={locale ?? DEFAULT_LOCALE}
         />
       </div>
     </PageContentWrapper>

apps/web/app/(app)/environments/[environmentId]/workspace/integrations/notion/page.tsx

@@ -3,6 +3,7 @@ import { TIntegrationNotion, TIntegrationNotionDatabase } from "@formbricks/type
 import { getSurveys } from "@/app/(app)/environments/[environmentId]/workspace/integrations/lib/surveys";
 import { NotionWrapper } from "@/app/(app)/environments/[environmentId]/workspace/integrations/notion/components/NotionWrapper";
 import {
+  DEFAULT_LOCALE,
   NOTION_AUTH_URL,
   NOTION_OAUTH_CLIENT_ID,
   NOTION_OAUTH_CLIENT_SECRET,
@@ -11,7 +12,7 @@ import {
 } from "@/lib/constants";
 import { getIntegrationByType } from "@/lib/integration/service";
 import { getNotionDatabases } from "@/lib/notion/service";
-import { findMatchingLocale } from "@/lib/utils/locale";
+import { getUserLocale } from "@/lib/user/service";
 import { getTranslate } from "@/lingodotdev/server";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
 import { GoBackButton } from "@/modules/ui/components/go-back-button";
@@ -28,18 +29,18 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
     NOTION_REDIRECT_URI
   );
 
-  const { isReadOnly, environment } = await getEnvironmentAuth(params.environmentId);
+  const { isReadOnly, environment, session } = await getEnvironmentAuth(params.environmentId);
 
-  const [surveys, notionIntegration] = await Promise.all([
+  const [surveys, notionIntegration, locale] = await Promise.all([
     getSurveys(params.environmentId),
     getIntegrationByType(params.environmentId, "notion"),
+    getUserLocale(session.user.id),
   ]);
 
   let databasesArray: TIntegrationNotionDatabase[] = [];
   if (notionIntegration && (notionIntegration as TIntegrationNotion).config.key?.bot_id) {
     databasesArray = (await getNotionDatabases(environment.id)) ?? [];
   }
-  const locale = await findMatchingLocale();
 
   if (isReadOnly) {
     return redirect("./");
@@ -56,7 +57,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
         notionIntegration={notionIntegration as TIntegrationNotion}
         webAppUrl={WEBAPP_URL}
         databasesArray={databasesArray}
-        locale={locale}
+        locale={locale ?? DEFAULT_LOCALE}
       />
     </PageContentWrapper>
   );

apps/web/app/(app)/environments/[environmentId]/workspace/integrations/slack/page.tsx

@@ -2,9 +2,9 @@ import { redirect } from "next/navigation";
 import { TIntegrationSlack } from "@formbricks/types/integration/slack";
 import { getSurveys } from "@/app/(app)/environments/[environmentId]/workspace/integrations/lib/surveys";
 import { SlackWrapper } from "@/app/(app)/environments/[environmentId]/workspace/integrations/slack/components/SlackWrapper";
-import { SLACK_CLIENT_ID, SLACK_CLIENT_SECRET, WEBAPP_URL } from "@/lib/constants";
+import { DEFAULT_LOCALE, SLACK_CLIENT_ID, SLACK_CLIENT_SECRET, WEBAPP_URL } from "@/lib/constants";
 import { getIntegrationByType } from "@/lib/integration/service";
-import { findMatchingLocale } from "@/lib/utils/locale";
+import { getUserLocale } from "@/lib/user/service";
 import { getTranslate } from "@/lingodotdev/server";
 import { getEnvironmentAuth } from "@/modules/environments/lib/utils";
 import { GoBackButton } from "@/modules/ui/components/go-back-button";
@@ -17,15 +17,14 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
 
   const t = await getTranslate();
 
-  const { isReadOnly, environment } = await getEnvironmentAuth(params.environmentId);
+  const { isReadOnly, environment, session } = await getEnvironmentAuth(params.environmentId);
 
-  const [surveys, slackIntegration] = await Promise.all([
+  const [surveys, slackIntegration, locale] = await Promise.all([
     getSurveys(params.environmentId),
     getIntegrationByType(params.environmentId, "slack"),
+    getUserLocale(session.user.id),
   ]);
 
-  const locale = await findMatchingLocale();
-
   if (isReadOnly) {
     return redirect("./");
   }
@@ -41,7 +40,7 @@ const Page = async (props: { params: Promise<{ environmentId: string }> }) => {
           surveys={surveys}
           slackIntegration={slackIntegration as TIntegrationSlack}
           webAppUrl={WEBAPP_URL}
-          locale={locale}
+          locale={locale ?? DEFAULT_LOCALE}
         />
       </div>
     </PageContentWrapper>

apps/web/app/(app)/layout.tsx

@@ -6,8 +6,10 @@ import {
   CHATWOOT_WEBSITE_TOKEN,
   IS_CHATWOOT_CONFIGURED,
   POSTHOG_KEY,
+  SESSION_MAX_AGE,
 } from "@/lib/constants";
 import { getUser } from "@/lib/user/service";
+import { NextAuthProvider } from "@/modules/auth/components/next-auth-provider";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { ClientLogout } from "@/modules/ui/components/client-logout";
 import { NoMobileOverlay } from "@/modules/ui/components/no-mobile-overlay";
@@ -23,7 +25,7 @@ const AppLayout = async ({ children }: { children: React.ReactNode }) => {
   }
 
   return (
-    <>
+    <NextAuthProvider sessionMaxAge={SESSION_MAX_AGE}>
       <NoMobileOverlay />
       {POSTHOG_KEY && user && (
         <PostHogIdentify posthogKey={POSTHOG_KEY} userId={user.id} email={user.email} name={user.name} />
@@ -39,7 +41,7 @@ const AppLayout = async ({ children }: { children: React.ReactNode }) => {
       )}
       <ToasterClient />
       {children}
-    </>
+    </NextAuthProvider>
   );
 };
 

apps/web/app/api/(internal)/pipeline/lib/telemetry.test.ts

@@ -51,8 +51,20 @@ vi.mock("@/lib/env", () => ({
     RECAPTCHA_SECRET_KEY: "secret-key",
     GITHUB_ID: "github-id",
     SAML_DATABASE_URL: "postgresql://saml.example.com/formbricks",
+    ENTERPRISE_LICENSE_KEY: "test-license-key",
   },
 }));
+vi.mock("@/lib/constants", () => ({
+  E2E_TESTING: false,
+  IS_DEVELOPMENT: false,
+  TELEMETRY_DISABLED: false,
+}));
+vi.mock("@/lib/hash-string", () => ({
+  hashString: vi.fn((s: string) => `hashed-${s}`),
+}));
+vi.mock("@/modules/ee/license-check/lib/license", () => ({
+  getEnterpriseLicense: vi.fn(),
+}));
 
 // Mock fetch
 const fetchMock = vi.fn();
@@ -199,6 +211,14 @@ describe("sendTelemetryEvents", () => {
   test("should handle telemetry send failure and apply cooldown", async () => {
     // Reset module to clear nextTelemetryCheck state from previous tests
     vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: false,
+      IS_DEVELOPMENT: false,
+      TELEMETRY_DISABLED: false,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
     const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
 
     // Ensure we can acquire lock by setting last sent time far in the past
@@ -221,6 +241,7 @@ describe("sendTelemetryEvents", () => {
       expect.objectContaining({
         error: networkError,
         message: "Network error",
+        hashedLicenseKey: "hashed-test-license-key",
       }),
       "Failed to send telemetry - applying 1h cooldown"
     );
@@ -242,6 +263,14 @@ describe("sendTelemetryEvents", () => {
   test("should skip if no organization exists", async () => {
     // Reset module to clear nextTelemetryCheck state from previous tests
     vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: false,
+      IS_DEVELOPMENT: false,
+      TELEMETRY_DISABLED: false,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
     const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
 
     // Ensure we can acquire lock by setting last sent time far in the past
@@ -276,4 +305,113 @@ describe("sendTelemetryEvents", () => {
     // This might be a bug, but we test the actual behavior
     expect(mockCacheService.set).toHaveBeenCalled();
   });
+
+  test("should skip telemetry when TELEMETRY_DISABLED is true and no active EE license", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: false,
+      IS_DEVELOPMENT: false,
+      TELEMETRY_DISABLED: true,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: false }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    await freshSendTelemetryEvents();
+
+    // Should return early without touching cache or sending telemetry
+    expect(getCacheService).not.toHaveBeenCalled();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  test("should send telemetry when TELEMETRY_DISABLED is true but EE license is active", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: false,
+      IS_DEVELOPMENT: false,
+      TELEMETRY_DISABLED: true,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: true }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    // Re-setup mocks after resetModules
+    vi.mocked(getCacheService).mockResolvedValue({
+      ok: true,
+      data: mockCacheService as any,
+    });
+    mockCacheService.tryLock.mockResolvedValue({ ok: true, data: true });
+    mockCacheService.del.mockResolvedValue({ ok: true, data: undefined });
+    mockCacheService.get.mockResolvedValue({ ok: true, data: null });
+    mockCacheService.set.mockResolvedValue({ ok: true, data: undefined });
+
+    vi.mocked(prisma.organization.findFirst).mockResolvedValue({
+      id: "org-123",
+      createdAt: new Date("2023-01-01"),
+    } as any);
+    vi.mocked(prisma.$queryRaw).mockResolvedValue([
+      {
+        organizationCount: BigInt(1),
+        userCount: BigInt(5),
+        teamCount: BigInt(2),
+        projectCount: BigInt(3),
+        surveyCount: BigInt(10),
+        inProgressSurveyCount: BigInt(4),
+        completedSurveyCount: BigInt(6),
+        responseCountAllTime: BigInt(100),
+        responseCountSinceLastUpdate: BigInt(10),
+        displayCount: BigInt(50),
+        contactCount: BigInt(20),
+        segmentCount: BigInt(4),
+        newestResponseAt: new Date("2024-01-01T00:00:00.000Z"),
+      },
+    ] as any);
+    vi.mocked(prisma.integration.findMany).mockResolvedValue([{ type: IntegrationType.notion }] as any);
+    vi.mocked(prisma.account.findMany).mockResolvedValue([{ provider: "github" }] as any);
+    fetchMock.mockResolvedValue({ ok: true });
+
+    await freshSendTelemetryEvents();
+
+    // EE license active — telemetry should bypass TELEMETRY_DISABLED and send
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
+  test("should unconditionally skip when E2E_TESTING is true even with active EE license", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: true,
+      IS_DEVELOPMENT: false,
+      TELEMETRY_DISABLED: false,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: true }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    await freshSendTelemetryEvents();
+
+    // E2E_TESTING is a hard skip — no EE bypass, no cache, no fetch
+    expect(getCacheService).not.toHaveBeenCalled();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  test("should unconditionally skip when IS_DEVELOPMENT is true", async () => {
+    vi.resetModules();
+    vi.doMock("@/lib/constants", () => ({
+      E2E_TESTING: false,
+      IS_DEVELOPMENT: true,
+      TELEMETRY_DISABLED: false,
+    }));
+    vi.doMock("@/modules/ee/license-check/lib/license", () => ({
+      getEnterpriseLicense: vi.fn().mockResolvedValue({ active: true }),
+    }));
+    const { sendTelemetryEvents: freshSendTelemetryEvents } = await import("./telemetry");
+
+    await freshSendTelemetryEvents();
+
+    expect(getCacheService).not.toHaveBeenCalled();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
 });

apps/web/app/api/(internal)/pipeline/lib/telemetry.ts

@@ -2,8 +2,11 @@ import { IntegrationType } from "@prisma/client";
 import { createCacheKey, getCacheService } from "@formbricks/cache";
 import { prisma } from "@formbricks/database";
 import { logger } from "@formbricks/logger";
+import { E2E_TESTING, IS_DEVELOPMENT, TELEMETRY_DISABLED } from "@/lib/constants";
 import { env } from "@/lib/env";
+import { hashString } from "@/lib/hash-string";
 import { getInstanceInfo } from "@/lib/instance";
+import { getEnterpriseLicense } from "@/modules/ee/license-check/lib/license";
 import packageJson from "@/package.json";
 
 const TELEMETRY_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
@@ -24,8 +27,31 @@ let nextTelemetryCheck = 0;
  * 2. Redis check (shared across instances, persists across restarts)
  * 3. Distributed lock (prevents concurrent execution in multi-instance deployments)
  */
+// Hashed license key for log context — allows correlating log entries to a specific license
+// without exposing the raw key. Computed once at module load.
+const hashedLicenseKey = env.ENTERPRISE_LICENSE_KEY ? hashString(env.ENTERPRISE_LICENSE_KEY) : null;
+
+/**
+ * Returns true if telemetry is disabled via env var AND there is no active EE license.
+ * EE customers cannot opt out — telemetry is always enforced for license compliance.
+ */
+const isTelemetryDisabledForCE = async (): Promise<boolean> => {
+  if (!TELEMETRY_DISABLED) return false;
+  const license = await getEnterpriseLicense();
+  return !license.active;
+};
+
 export const sendTelemetryEvents = async () => {
   try {
+    // ============================================================
+    // CHECK 0: Non-Production Hard Skip
+    // ============================================================
+    // Purpose: Unconditionally skip telemetry in dev and test/CI environments.
+    // No EE bypass — these are internal flags, not customer-facing.
+    if (E2E_TESTING || IS_DEVELOPMENT) {
+      return;
+    }
+
     const now = Date.now();
 
     // ============================================================
@@ -39,7 +65,18 @@ export const sendTelemetryEvents = async () => {
     }
 
     // ============================================================
-    // CHECK 2: Redis Check (Shared State)
+    // CHECK 2: Telemetry Disabled Check
+    // ============================================================
+    // Purpose: Allow CE self-hosters to opt out of telemetry via env var.
+    // EE bypass: If an active Enterprise License is detected, telemetry is always sent
+    // regardless of the TELEMETRY_DISABLED setting to enforce license compliance.
+    // Placed after in-memory check to avoid calling getEnterpriseLicense() on every invocation.
+    if (await isTelemetryDisabledForCE()) {
+      return;
+    }
+
+    // ============================================================
+    // CHECK 3: Redis Check (Shared State)
     // ============================================================
     // Purpose: Check if telemetry was sent recently by ANY instance (shared across cluster).
     // This persists across restarts and works in multi-instance deployments.
@@ -66,7 +103,7 @@ export const sendTelemetryEvents = async () => {
     }
 
     // ============================================================
-    // CHECK 3: Distributed Lock (Prevent Concurrent Execution)
+    // CHECK 4: Distributed Lock (Prevent Concurrent Execution)
     // ============================================================
     // Purpose: Ensure only ONE instance executes telemetry at a time in a cluster.
     // How it works:
@@ -100,7 +137,7 @@ export const sendTelemetryEvents = async () => {
       // Log as warning since telemetry is non-essential
       const errorMessage = e instanceof Error ? e.message : String(e);
       logger.warn(
-        { error: e, message: errorMessage, lastSent, now },
+        { error: e, message: errorMessage, lastSent, now, hashedLicenseKey },
         "Failed to send telemetry - applying 1h cooldown"
       );
 
@@ -118,7 +155,7 @@ export const sendTelemetryEvents = async () => {
     // Log as warning since telemetry is non-essential functionality
     const errorMessage = error instanceof Error ? error.message : String(error);
     logger.warn(
-      { error, message: errorMessage, timestamp: Date.now() },
+      { error, message: errorMessage, timestamp: Date.now(), hashedLicenseKey },
       "Unexpected error in sendTelemetryEvents wrapper - telemetry check skipped"
     );
   }

apps/web/app/api/auth/[...nextauth]/route.test.ts

@@ -0,0 +1,139 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { GET } from "./route";
+
+const mocks = vi.hoisted(() => {
+  const nextAuthHandler = vi.fn(async () => new Response(null, { status: 200 }));
+  const nextAuth = vi.fn(() => nextAuthHandler);
+
+  return {
+    nextAuth,
+    nextAuthHandler,
+    baseSignIn: vi.fn(async () => true),
+    baseSession: vi.fn(async ({ session }: { session: unknown }) => session),
+    baseEventSignIn: vi.fn(),
+    queueAuditEventBackground: vi.fn(),
+    captureException: vi.fn(),
+    loggerError: vi.fn(),
+  };
+});
+
+vi.mock("next-auth", () => ({
+  default: mocks.nextAuth,
+}));
+
+vi.mock("@/lib/constants", () => ({
+  IS_PRODUCTION: false,
+  SENTRY_DSN: undefined,
+}));
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: mocks.captureException,
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      error: mocks.loggerError,
+    })),
+  },
+}));
+
+vi.mock("@/modules/auth/lib/authOptions", () => ({
+  authOptions: {
+    callbacks: {
+      signIn: mocks.baseSignIn,
+      session: mocks.baseSession,
+    },
+    events: {
+      signIn: mocks.baseEventSignIn,
+    },
+  },
+}));
+
+vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
+  queueAuditEventBackground: mocks.queueAuditEventBackground,
+}));
+
+const getWrappedAuthOptions = async (requestId: string = "req-123") => {
+  const request = new Request("http://localhost/api/auth/signin", {
+    headers: { "x-request-id": requestId },
+  });
+
+  await GET(request, {} as any);
+
+  expect(mocks.nextAuth).toHaveBeenCalledTimes(1);
+
+  return mocks.nextAuth.mock.calls[0][0];
+};
+
+describe("auth route audit logging", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("logs successful sign-in from the NextAuth signIn event after session creation", async () => {
+    const authOptions = await getWrappedAuthOptions();
+    const user = { id: "user_1", email: "user@example.com", name: "User Example" };
+    const account = { provider: "keycloak" };
+
+    await expect(authOptions.callbacks.signIn({ user, account })).resolves.toBe(true);
+    expect(mocks.queueAuditEventBackground).not.toHaveBeenCalled();
+
+    await authOptions.events.signIn({ user, account, isNewUser: false });
+
+    expect(mocks.baseEventSignIn).toHaveBeenCalledWith({ user, account, isNewUser: false });
+    expect(mocks.queueAuditEventBackground).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "signedIn",
+        targetType: "user",
+        userId: "user_1",
+        targetId: "user_1",
+        organizationId: "unknown",
+        status: "success",
+        userType: "user",
+        newObject: expect.objectContaining({
+          email: "user@example.com",
+          authMethod: "sso",
+          provider: "keycloak",
+          sessionStrategy: "database",
+          isNewUser: false,
+        }),
+      })
+    );
+  });
+
+  test("logs failed sign-in attempts from the callback stage with the request event id", async () => {
+    const error = new Error("Access denied");
+    mocks.baseSignIn.mockRejectedValueOnce(error);
+
+    const authOptions = await getWrappedAuthOptions("req-failure");
+    const user = { id: "user_2", email: "user2@example.com" };
+    const account = { provider: "credentials" };
+
+    await expect(authOptions.callbacks.signIn({ user, account })).rejects.toThrow("Access denied");
+
+    expect(mocks.baseEventSignIn).not.toHaveBeenCalled();
+    expect(mocks.queueAuditEventBackground).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: "signedIn",
+        targetType: "user",
+        userId: "user_2",
+        targetId: "user_2",
+        organizationId: "unknown",
+        status: "failure",
+        userType: "user",
+        eventId: "req-failure",
+        newObject: expect.objectContaining({
+          email: "user2@example.com",
+          authMethod: "password",
+          provider: "credentials",
+          errorMessage: "Access denied",
+        }),
+      })
+    );
+  });
+});

apps/web/app/api/auth/[...nextauth]/route.ts

@@ -6,10 +6,26 @@ import { logger } from "@formbricks/logger";
 import { IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
 import { authOptions as baseAuthOptions } from "@/modules/auth/lib/authOptions";
 import { queueAuditEventBackground } from "@/modules/ee/audit-logs/lib/handler";
-import { TAuditStatus, UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
+import { UNKNOWN_DATA } from "@/modules/ee/audit-logs/types/audit-log";
 
 export const fetchCache = "force-no-store";
 
+const getAuthMethod = (account: Account | null) => {
+  if (account?.provider === "credentials") {
+    return "password";
+  }
+
+  if (account?.provider === "token") {
+    return "email_verification";
+  }
+
+  if (account?.provider) {
+    return "sso";
+  }
+
+  return "unknown";
+};
+
 const handler = async (req: Request, ctx: any) => {
   const eventId = req.headers.get("x-request-id") ?? undefined;
 
@@ -17,44 +33,6 @@ const handler = async (req: Request, ctx: any) => {
     ...baseAuthOptions,
     callbacks: {
       ...baseAuthOptions.callbacks,
-      async jwt(params: any) {
-        let result: any = params.token;
-        let error: any = undefined;
-
-        try {
-          if (baseAuthOptions.callbacks?.jwt) {
-            result = await baseAuthOptions.callbacks.jwt(params);
-          }
-        } catch (err) {
-          error = err;
-          logger.withContext({ eventId, err }).error("JWT callback failed");
-
-          if (SENTRY_DSN && IS_PRODUCTION) {
-            Sentry.captureException(err);
-          }
-        }
-
-        // Audit JWT operations (token refresh, updates)
-        if (params.trigger && params.token?.profile?.id) {
-          const status: TAuditStatus = error ? "failure" : "success";
-          const auditLog = {
-            action: "jwtTokenCreated" as const,
-            targetType: "user" as const,
-            userId: params.token.profile.id,
-            targetId: params.token.profile.id,
-            organizationId: UNKNOWN_DATA,
-            status,
-            userType: "user" as const,
-            newObject: { trigger: params.trigger, tokenType: "jwt" },
-            ...(error ? { eventId } : {}),
-          };
-
-          queueAuditEventBackground(auditLog);
-        }
-
-        if (error) throw error;
-        return result;
-      },
       async session(params: any) {
         let result: any = params.session;
         let error: any = undefined;
@@ -90,7 +68,7 @@ const handler = async (req: Request, ctx: any) => {
       }) {
         let result: boolean | string = true;
         let error: any = undefined;
-        let authMethod = "unknown";
+        const authMethod = getAuthMethod(account);
 
         try {
           if (baseAuthOptions.callbacks?.signIn) {
@@ -102,15 +80,6 @@ const handler = async (req: Request, ctx: any) => {
               credentials,
             });
           }
-
-          // Determine authentication method for more detailed logging
-          if (account?.provider === "credentials") {
-            authMethod = "password";
-          } else if (account?.provider === "token") {
-            authMethod = "email_verification";
-          } else if (account?.provider && account.provider !== "credentials") {
-            authMethod = "sso";
-          }
         } catch (err) {
           error = err;
           result = false;
@@ -122,30 +91,60 @@ const handler = async (req: Request, ctx: any) => {
           }
         }
 
-        const status: TAuditStatus = result === false ? "failure" : "success";
-        const auditLog = {
-          action: "signedIn" as const,
-          targetType: "user" as const,
-          userId: user?.id ?? UNKNOWN_DATA,
-          targetId: user?.id ?? UNKNOWN_DATA,
-          organizationId: UNKNOWN_DATA,
-          status,
-          userType: "user" as const,
-          newObject: {
-            ...user,
-            authMethod,
-            provider: account?.provider,
-            ...(error ? { errorMessage: error.message } : {}),
-          },
-          ...(status === "failure" ? { eventId } : {}),
-        };
-
-        queueAuditEventBackground(auditLog);
+        if (result === false) {
+          queueAuditEventBackground({
+            action: "signedIn",
+            targetType: "user",
+            userId: user?.id ?? UNKNOWN_DATA,
+            targetId: user?.id ?? UNKNOWN_DATA,
+            organizationId: UNKNOWN_DATA,
+            status: "failure",
+            userType: "user",
+            newObject: {
+              ...user,
+              authMethod,
+              provider: account?.provider,
+              ...(error instanceof Error ? { errorMessage: error.message } : {}),
+            },
+            eventId,
+          });
+        }
 
         if (error) throw error;
         return result;
       },
     },
+    events: {
+      ...baseAuthOptions.events,
+      async signIn({ user, account, isNewUser }: any) {
+        try {
+          await baseAuthOptions.events?.signIn?.({ user, account, isNewUser });
+        } catch (err) {
+          logger.withContext({ eventId, err }).error("Sign-in event callback failed");
+
+          if (SENTRY_DSN && IS_PRODUCTION) {
+            Sentry.captureException(err);
+          }
+        }
+
+        queueAuditEventBackground({
+          action: "signedIn",
+          targetType: "user",
+          userId: user?.id ?? UNKNOWN_DATA,
+          targetId: user?.id ?? UNKNOWN_DATA,
+          organizationId: UNKNOWN_DATA,
+          status: "success",
+          userType: "user",
+          newObject: {
+            ...user,
+            authMethod: getAuthMethod(account),
+            provider: account?.provider,
+            sessionStrategy: "database",
+            isNewUser: isNewUser ?? false,
+          },
+        });
+      },
+    },
   };
 
   return NextAuth(authOptions)(req, ctx);

apps/web/app/api/v1/client/[environmentId]/environment/lib/environmentState.test.ts

@@ -76,7 +76,8 @@ const mockOrganization: TOrganization = {
     },
     usageCycleAnchor: new Date(),
   },
-  isAIEnabled: false,
+  isAISmartToolsEnabled: false,
+  isAIDataAnalysisEnabled: false,
 };
 
 const mockSurveys: TSurvey[] = [

apps/web/app/api/v1/client/[environmentId]/environment/route.ts

@@ -86,9 +86,11 @@ export const GET = withV1ApiWrapper({
         };
       }
 
+      const error = err instanceof Error ? err : new Error(String(err));
+
       logger.error(
         {
-          error: err,
+          error,
           url: req.url,
           environmentId: params.environmentId,
         },
@@ -96,9 +98,10 @@ export const GET = withV1ApiWrapper({
       );
       return {
         response: responses.internalServerErrorResponse(
-          err instanceof Error ? err.message : "Unknown error occurred",
+          "An error occurred while processing your request.",
           true
         ),
+        error,
       };
     }
   },

apps/web/app/api/v1/client/[environmentId]/responses/[responseId]/lib/put-response-handler.test.ts

@@ -0,0 +1,488 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { DatabaseError, InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { responses } from "@/app/lib/api/response";
+import { putResponseHandler } from "./put-response-handler";
+
+const mocks = vi.hoisted(() => ({
+  formatValidationErrorsForV1Api: vi.fn((errors) => errors),
+  getResponse: vi.fn(),
+  getSurvey: vi.fn(),
+  getValidatedResponseUpdateInput: vi.fn(),
+  loggerError: vi.fn(),
+  sendToPipeline: vi.fn(),
+  updateResponseWithQuotaEvaluation: vi.fn(),
+  validateFileUploads: vi.fn(),
+  validateOtherOptionLengthForMultipleChoice: vi.fn(),
+  validateResponseData: vi.fn(),
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    error: mocks.loggerError,
+  },
+}));
+
+vi.mock("@/app/lib/pipelines", () => ({
+  sendToPipeline: mocks.sendToPipeline,
+}));
+
+vi.mock("@/lib/response/service", () => ({
+  getResponse: mocks.getResponse,
+}));
+
+vi.mock("@/lib/survey/service", () => ({
+  getSurvey: mocks.getSurvey,
+}));
+
+vi.mock("@/modules/api/lib/validation", () => ({
+  formatValidationErrorsForV1Api: mocks.formatValidationErrorsForV1Api,
+  validateResponseData: mocks.validateResponseData,
+}));
+
+vi.mock("@/modules/api/v2/lib/element", () => ({
+  validateOtherOptionLengthForMultipleChoice: mocks.validateOtherOptionLengthForMultipleChoice,
+}));
+
+vi.mock("@/modules/storage/utils", () => ({
+  validateFileUploads: mocks.validateFileUploads,
+}));
+
+vi.mock("./response", () => ({
+  updateResponseWithQuotaEvaluation: mocks.updateResponseWithQuotaEvaluation,
+}));
+
+vi.mock("./validated-response-update-input", () => ({
+  getValidatedResponseUpdateInput: mocks.getValidatedResponseUpdateInput,
+}));
+
+const environmentId = "environment_a";
+const responseId = "response_123";
+const surveyId = "survey_123";
+
+const createRequest = () =>
+  new Request(`https://api.test/api/v1/client/${environmentId}/responses/${responseId}`, {
+    method: "PUT",
+  });
+
+const createHandlerParams = (params?: Partial<{ environmentId: string; responseId: string }>) =>
+  ({
+    req: createRequest(),
+    props: {
+      params: Promise.resolve({
+        environmentId,
+        responseId,
+        ...params,
+      }),
+    },
+  }) as never;
+
+const getBaseResponseUpdateInput = () => ({
+  data: {
+    q1: "updated-answer",
+  },
+  language: "en",
+});
+
+const getBaseExistingResponse = () =>
+  ({
+    id: responseId,
+    surveyId,
+    data: {
+      q0: "existing-answer",
+    },
+    finished: false,
+    language: "en",
+  }) as const;
+
+const getBaseSurvey = () =>
+  ({
+    id: surveyId,
+    environmentId,
+    blocks: [],
+    questions: [],
+  }) as const;
+
+const getBaseUpdatedResponse = () =>
+  ({
+    id: responseId,
+    surveyId,
+    data: {
+      q0: "existing-answer",
+      q1: "updated-answer",
+    },
+    finished: false,
+    quotaFull: undefined,
+  }) as const;
+
+describe("putResponseHandler", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    mocks.getValidatedResponseUpdateInput.mockResolvedValue({
+      responseUpdateInput: getBaseResponseUpdateInput(),
+    });
+    mocks.getResponse.mockResolvedValue(getBaseExistingResponse());
+    mocks.getSurvey.mockResolvedValue(getBaseSurvey());
+    mocks.updateResponseWithQuotaEvaluation.mockResolvedValue(getBaseUpdatedResponse());
+    mocks.validateFileUploads.mockReturnValue(true);
+    mocks.validateOtherOptionLengthForMultipleChoice.mockReturnValue(null);
+    mocks.validateResponseData.mockReturnValue(null);
+  });
+
+  test("returns a bad request response when the response id is missing", async () => {
+    const result = await putResponseHandler(createHandlerParams({ responseId: "" }));
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Response ID is missing",
+      details: {},
+    });
+    expect(mocks.getValidatedResponseUpdateInput).not.toHaveBeenCalled();
+  });
+
+  test("returns the validation response from the parsed request input", async () => {
+    const validationResponse = responses.badRequestResponse(
+      "Malformed JSON in request body",
+      undefined,
+      true
+    );
+    mocks.getValidatedResponseUpdateInput.mockResolvedValue({
+      response: validationResponse,
+    });
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response).toBe(validationResponse);
+    expect(mocks.getResponse).not.toHaveBeenCalled();
+  });
+
+  test("returns not found when the response does not exist", async () => {
+    mocks.getResponse.mockResolvedValue(null);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(404);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "not_found",
+      message: "Response not found",
+      details: {
+        resource_id: responseId,
+        resource_type: "Response",
+      },
+    });
+  });
+
+  test("maps resource lookup errors to a not found response", async () => {
+    mocks.getResponse.mockRejectedValue(new ResourceNotFoundError("Response", responseId));
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(404);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "not_found",
+      message: "Response not found",
+      details: {
+        resource_id: responseId,
+        resource_type: "Response",
+      },
+    });
+  });
+
+  test("maps invalid lookup input errors to a bad request response", async () => {
+    mocks.getResponse.mockRejectedValue(new InvalidInputError("Invalid response id"));
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Invalid response id",
+      details: {},
+    });
+  });
+
+  test("maps database lookup errors to a reported internal server error", async () => {
+    const error = new DatabaseError("Lookup failed");
+    mocks.getResponse.mockRejectedValue(error);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.error).toBe(error);
+    expect(result.response.status).toBe(500);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "internal_server_error",
+      message: "Lookup failed",
+      details: {},
+    });
+    expect(mocks.loggerError).toHaveBeenCalledWith(
+      {
+        error,
+        url: createRequest().url,
+      },
+      "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
+    );
+  });
+
+  test("maps unknown lookup failures to a generic internal server error", async () => {
+    const error = new Error("boom");
+    mocks.getResponse.mockRejectedValue(error);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.error).toBe(error);
+    expect(result.response.status).toBe(500);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "internal_server_error",
+      message: "Unknown error occurred",
+      details: {},
+    });
+  });
+
+  test("rejects updates when the response survey does not belong to the requested environment", async () => {
+    mocks.getSurvey.mockResolvedValue({
+      ...getBaseSurvey(),
+      environmentId: "different_environment",
+    });
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(404);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "not_found",
+      message: "Response not found",
+      details: {
+        resource_id: responseId,
+        resource_type: "Response",
+      },
+    });
+    expect(mocks.updateResponseWithQuotaEvaluation).not.toHaveBeenCalled();
+    expect(mocks.sendToPipeline).not.toHaveBeenCalled();
+  });
+
+  test("rejects updates when the response is already finished", async () => {
+    mocks.getResponse.mockResolvedValue({
+      ...getBaseExistingResponse(),
+      finished: true,
+    });
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Response is already finished",
+      details: {},
+    });
+    expect(mocks.updateResponseWithQuotaEvaluation).not.toHaveBeenCalled();
+  });
+
+  test("rejects invalid file upload updates", async () => {
+    mocks.validateFileUploads.mockReturnValue(false);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Invalid file upload response",
+      details: {},
+    });
+    expect(mocks.updateResponseWithQuotaEvaluation).not.toHaveBeenCalled();
+  });
+
+  test("rejects updates when an other-option response exceeds the character limit", async () => {
+    mocks.validateOtherOptionLengthForMultipleChoice.mockReturnValue("question_123");
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Response exceeds character limit",
+      details: {
+        questionId: "question_123",
+      },
+    });
+    expect(mocks.updateResponseWithQuotaEvaluation).not.toHaveBeenCalled();
+  });
+
+  test("returns validation details when merged response data is invalid", async () => {
+    mocks.validateResponseData.mockReturnValue([{ field: "q1", message: "Required" }]);
+    mocks.formatValidationErrorsForV1Api.mockReturnValue({
+      q1: "Required",
+    });
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Validation failed",
+      details: {
+        q1: "Required",
+      },
+    });
+    expect(mocks.formatValidationErrorsForV1Api).toHaveBeenCalledWith([{ field: "q1", message: "Required" }]);
+  });
+
+  test("returns not found when the response disappears during update", async () => {
+    mocks.updateResponseWithQuotaEvaluation.mockRejectedValue(
+      new ResourceNotFoundError("Response", responseId)
+    );
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(404);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "not_found",
+      message: "Response not found",
+      details: {
+        resource_id: responseId,
+        resource_type: "Response",
+      },
+    });
+  });
+
+  test("returns a bad request response for invalid update input during persistence", async () => {
+    mocks.updateResponseWithQuotaEvaluation.mockRejectedValue(
+      new InvalidInputError("Response update payload is invalid")
+    );
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Response update payload is invalid",
+      details: {},
+    });
+  });
+
+  test("returns a reported internal server error for database update failures", async () => {
+    const error = new DatabaseError("Update failed");
+    mocks.updateResponseWithQuotaEvaluation.mockRejectedValue(error);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.error).toBe(error);
+    expect(result.response.status).toBe(500);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "internal_server_error",
+      message: "Update failed",
+      details: {},
+    });
+    expect(mocks.loggerError).toHaveBeenCalledWith(
+      {
+        error,
+        url: createRequest().url,
+      },
+      "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
+    );
+  });
+
+  test("returns a generic internal server error for unexpected update failures", async () => {
+    const error = new Error("Unexpected persistence failure");
+    mocks.updateResponseWithQuotaEvaluation.mockRejectedValue(error);
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.error).toBe(error);
+    expect(result.response.status).toBe(500);
+    await expect(result.response.json()).resolves.toEqual({
+      code: "internal_server_error",
+      message: "Something went wrong",
+      details: {},
+    });
+    expect(mocks.loggerError).toHaveBeenCalledWith(
+      {
+        error,
+        url: createRequest().url,
+      },
+      "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
+    );
+  });
+
+  test("returns a success payload and emits a responseUpdated pipeline event", async () => {
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(200);
+    await expect(result.response.json()).resolves.toEqual({
+      data: {
+        id: responseId,
+        quotaFull: false,
+      },
+    });
+    expect(mocks.sendToPipeline).toHaveBeenCalledTimes(1);
+    expect(mocks.sendToPipeline).toHaveBeenCalledWith({
+      event: "responseUpdated",
+      environmentId,
+      surveyId,
+      response: {
+        id: responseId,
+        surveyId,
+        data: {
+          q0: "existing-answer",
+          q1: "updated-answer",
+        },
+        finished: false,
+      },
+    });
+  });
+
+  test("emits both pipeline events and includes quota metadata when the response finishes", async () => {
+    mocks.updateResponseWithQuotaEvaluation.mockResolvedValue({
+      ...getBaseUpdatedResponse(),
+      finished: true,
+      quotaFull: {
+        id: "quota_123",
+        action: "endSurvey",
+        endingCardId: "ending_card_123",
+      },
+    });
+
+    const result = await putResponseHandler(createHandlerParams());
+
+    expect(result.response.status).toBe(200);
+    await expect(result.response.json()).resolves.toEqual({
+      data: {
+        id: responseId,
+        quotaFull: true,
+        quota: {
+          id: "quota_123",
+          action: "endSurvey",
+          endingCardId: "ending_card_123",
+        },
+      },
+    });
+    expect(mocks.sendToPipeline).toHaveBeenCalledTimes(2);
+    expect(mocks.sendToPipeline).toHaveBeenNthCalledWith(1, {
+      event: "responseUpdated",
+      environmentId,
+      surveyId,
+      response: {
+        id: responseId,
+        surveyId,
+        data: {
+          q0: "existing-answer",
+          q1: "updated-answer",
+        },
+        finished: true,
+      },
+    });
+    expect(mocks.sendToPipeline).toHaveBeenNthCalledWith(2, {
+      event: "responseFinished",
+      environmentId,
+      surveyId,
+      response: {
+        id: responseId,
+        surveyId,
+        data: {
+          q0: "existing-answer",
+          q1: "updated-answer",
+        },
+        finished: true,
+      },
+    });
+  });
+});

apps/web/app/api/v1/client/[environmentId]/responses/[responseId]/lib/put-response-handler.ts

@@ -0,0 +1,283 @@
+import { logger } from "@formbricks/logger";
+import { DatabaseError, InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { TResponse, TResponseUpdateInput } from "@formbricks/types/responses";
+import { TSurveyElement } from "@formbricks/types/surveys/elements";
+import { TSurvey } from "@formbricks/types/surveys/types";
+import { responses } from "@/app/lib/api/response";
+import { THandlerParams } from "@/app/lib/api/with-api-logging";
+import { sendToPipeline } from "@/app/lib/pipelines";
+import { getResponse } from "@/lib/response/service";
+import { getSurvey } from "@/lib/survey/service";
+import { formatValidationErrorsForV1Api, validateResponseData } from "@/modules/api/lib/validation";
+import { validateOtherOptionLengthForMultipleChoice } from "@/modules/api/v2/lib/element";
+import { createQuotaFullObject } from "@/modules/ee/quotas/lib/helpers";
+import { validateFileUploads } from "@/modules/storage/utils";
+import { updateResponseWithQuotaEvaluation } from "./response";
+import { getValidatedResponseUpdateInput } from "./validated-response-update-input";
+
+type TRouteResult = {
+  response: Response;
+  error?: unknown;
+};
+
+type TExistingResponseResult = { existingResponse: TResponse } | TRouteResult;
+type TSurveyResult = { survey: TSurvey } | TRouteResult;
+type TUpdatedResponseResult =
+  | { updatedResponse: Awaited<ReturnType<typeof updateResponseWithQuotaEvaluation>> }
+  | TRouteResult;
+
+export type TPutRouteParams = {
+  params: Promise<{
+    environmentId: string;
+    responseId: string;
+  }>;
+};
+
+const handleDatabaseError = (
+  error: Error,
+  url: string,
+  endpoint: string,
+  responseId: string
+): TRouteResult => {
+  if (error instanceof ResourceNotFoundError) {
+    return { response: responses.notFoundResponse("Response", responseId, true) };
+  }
+  if (error instanceof InvalidInputError) {
+    return { response: responses.badRequestResponse(error.message, undefined, true) };
+  }
+  if (error instanceof DatabaseError) {
+    logger.error({ error, url }, `Error in ${endpoint}`);
+    return {
+      response: responses.internalServerErrorResponse(error.message, true),
+      error,
+    };
+  }
+
+  return {
+    response: responses.internalServerErrorResponse("Unknown error occurred", true),
+    error,
+  };
+};
+
+const validateResponse = (
+  response: TResponse,
+  survey: TSurvey,
+  responseUpdateInput: TResponseUpdateInput
+) => {
+  const mergedData = {
+    ...response.data,
+    ...responseUpdateInput.data,
+  };
+
+  const validationErrors = validateResponseData(
+    survey.blocks,
+    mergedData,
+    responseUpdateInput.language ?? response.language ?? "en",
+    survey.questions
+  );
+
+  if (validationErrors) {
+    return {
+      response: responses.badRequestResponse(
+        "Validation failed",
+        formatValidationErrorsForV1Api(validationErrors),
+        true
+      ),
+    };
+  }
+};
+
+const getExistingResponse = async (req: Request, responseId: string): Promise<TExistingResponseResult> => {
+  try {
+    const existingResponse = await getResponse(responseId);
+
+    return existingResponse
+      ? { existingResponse }
+      : { response: responses.notFoundResponse("Response", responseId, true) };
+  } catch (error) {
+    return handleDatabaseError(
+      error instanceof Error ? error : new Error(String(error)),
+      req.url,
+      "PUT /api/v1/client/[environmentId]/responses/[responseId]",
+      responseId
+    );
+  }
+};
+
+const getSurveyForResponse = async (
+  req: Request,
+  responseId: string,
+  surveyId: string
+): Promise<TSurveyResult> => {
+  try {
+    const survey = await getSurvey(surveyId);
+
+    return survey ? { survey } : { response: responses.notFoundResponse("Survey", surveyId, true) };
+  } catch (error) {
+    return handleDatabaseError(
+      error instanceof Error ? error : new Error(String(error)),
+      req.url,
+      "PUT /api/v1/client/[environmentId]/responses/[responseId]",
+      responseId
+    );
+  }
+};
+
+const validateUpdateRequest = (
+  existingResponse: TResponse,
+  survey: TSurvey,
+  responseUpdateInput: TResponseUpdateInput
+): TRouteResult | undefined => {
+  if (existingResponse.finished) {
+    return {
+      response: responses.badRequestResponse("Response is already finished", undefined, true),
+    };
+  }
+
+  if (!validateFileUploads(responseUpdateInput.data, survey.questions)) {
+    return {
+      response: responses.badRequestResponse("Invalid file upload response", undefined, true),
+    };
+  }
+
+  const otherResponseInvalidQuestionId = validateOtherOptionLengthForMultipleChoice({
+    responseData: responseUpdateInput.data,
+    surveyQuestions: survey.questions as unknown as TSurveyElement[],
+    responseLanguage: responseUpdateInput.language,
+  });
+
+  if (otherResponseInvalidQuestionId) {
+    return {
+      response: responses.badRequestResponse(
+        `Response exceeds character limit`,
+        {
+          questionId: otherResponseInvalidQuestionId,
+        },
+        true
+      ),
+    };
+  }
+
+  return validateResponse(existingResponse, survey, responseUpdateInput);
+};
+
+const getUpdatedResponse = async (
+  req: Request,
+  responseId: string,
+  responseUpdateInput: TResponseUpdateInput
+): Promise<TUpdatedResponseResult> => {
+  try {
+    const updatedResponse = await updateResponseWithQuotaEvaluation(responseId, responseUpdateInput);
+    return { updatedResponse };
+  } catch (error) {
+    if (error instanceof ResourceNotFoundError) {
+      return {
+        response: responses.notFoundResponse("Response", responseId, true),
+      };
+    }
+    if (error instanceof InvalidInputError) {
+      return {
+        response: responses.badRequestResponse(error.message),
+      };
+    }
+    if (error instanceof DatabaseError) {
+      logger.error(
+        { error, url: req.url },
+        "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
+      );
+      return {
+        response: responses.internalServerErrorResponse(error.message),
+        error,
+      };
+    }
+
+    const unexpectedError = error instanceof Error ? error : new Error(String(error));
+
+    logger.error(
+      { error: unexpectedError, url: req.url },
+      "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
+    );
+    return {
+      response: responses.internalServerErrorResponse("Something went wrong"),
+      error: unexpectedError,
+    };
+  }
+};
+
+export const putResponseHandler = async ({
+  req,
+  props,
+}: THandlerParams<TPutRouteParams>): Promise<TRouteResult> => {
+  const params = await props.params;
+  const { environmentId, responseId } = params;
+
+  if (!responseId) {
+    return {
+      response: responses.badRequestResponse("Response ID is missing", undefined, true),
+    };
+  }
+
+  const validatedUpdateInput = await getValidatedResponseUpdateInput(req);
+  if ("response" in validatedUpdateInput) {
+    return validatedUpdateInput;
+  }
+  const { responseUpdateInput } = validatedUpdateInput;
+
+  const existingResponseResult = await getExistingResponse(req, responseId);
+  if ("response" in existingResponseResult) {
+    return existingResponseResult;
+  }
+  const { existingResponse } = existingResponseResult;
+
+  const surveyResult = await getSurveyForResponse(req, responseId, existingResponse.surveyId);
+  if ("response" in surveyResult) {
+    return surveyResult;
+  }
+  const { survey } = surveyResult;
+
+  if (survey.environmentId !== environmentId) {
+    return {
+      response: responses.notFoundResponse("Response", responseId, true),
+    };
+  }
+
+  const validationResult = validateUpdateRequest(existingResponse, survey, responseUpdateInput);
+  if (validationResult) {
+    return validationResult;
+  }
+
+  const updatedResponseResult = await getUpdatedResponse(req, responseId, responseUpdateInput);
+  if ("response" in updatedResponseResult) {
+    return updatedResponseResult;
+  }
+  const { updatedResponse } = updatedResponseResult;
+
+  const { quotaFull, ...responseData } = updatedResponse;
+
+  sendToPipeline({
+    event: "responseUpdated",
+    environmentId: survey.environmentId,
+    surveyId: survey.id,
+    response: responseData,
+  });
+
+  if (updatedResponse.finished) {
+    sendToPipeline({
+      event: "responseFinished",
+      environmentId: survey.environmentId,
+      surveyId: survey.id,
+      response: responseData,
+    });
+  }
+
+  const quotaObj = createQuotaFullObject(quotaFull);
+
+  const responseDataWithQuota = {
+    id: responseData.id,
+    ...quotaObj,
+  };
+
+  return {
+    response: responses.successResponse(responseDataWithQuota, true),
+  };
+};

apps/web/app/api/v1/client/[environmentId]/responses/[responseId]/lib/validated-response-update-input.test.ts

@@ -0,0 +1,84 @@
+import { describe, expect, test } from "vitest";
+import { getValidatedResponseUpdateInput } from "./validated-response-update-input";
+
+describe("getValidatedResponseUpdateInput", () => {
+  test("returns a bad request response for malformed JSON", async () => {
+    const request = new Request("http://localhost/api/v1/client/test/responses/response-id", {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: "{invalid-json",
+    });
+
+    const result = await getValidatedResponseUpdateInput(request);
+
+    expect("response" in result).toBe(true);
+
+    if (!("response" in result)) {
+      throw new Error("Expected a response result");
+    }
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual(
+      expect.objectContaining({
+        code: "bad_request",
+        message: "Malformed JSON in request body",
+        details: {
+          error: expect.any(String),
+        },
+      })
+    );
+  });
+
+  test("returns parsed response update input for valid JSON", async () => {
+    const request = new Request("http://localhost/api/v1/client/test/responses/response-id", {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        finished: true,
+      }),
+    });
+
+    const result = await getValidatedResponseUpdateInput(request);
+
+    expect(result).toEqual({
+      responseUpdateInput: {
+        finished: true,
+      },
+    });
+  });
+
+  test("returns a bad request response for schema-invalid JSON", async () => {
+    const request = new Request("http://localhost/api/v1/client/test/responses/response-id", {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        finished: "not-boolean",
+      }),
+    });
+
+    const result = await getValidatedResponseUpdateInput(request);
+
+    expect("response" in result).toBe(true);
+
+    if (!("response" in result)) {
+      throw new Error("Expected a response result");
+    }
+
+    expect(result.response.status).toBe(400);
+    await expect(result.response.json()).resolves.toEqual(
+      expect.objectContaining({
+        code: "bad_request",
+        message: "Fields are missing or incorrectly formatted",
+        details: expect.objectContaining({
+          finished: expect.any(String),
+        }),
+      })
+    );
+  });
+});

apps/web/app/api/v1/client/[environmentId]/responses/[responseId]/lib/validated-response-update-input.ts

@@ -0,0 +1,28 @@
+import { TResponseUpdateInput, ZResponseUpdateInput } from "@formbricks/types/responses";
+import {
+  TParseAndValidateJsonBodyResult,
+  parseAndValidateJsonBody,
+} from "@/app/lib/api/parse-and-validate-json-body";
+
+export type TValidatedResponseUpdateInputResult =
+  | { response: Response }
+  | { responseUpdateInput: TResponseUpdateInput };
+
+export const getValidatedResponseUpdateInput = async (
+  req: Request
+): Promise<TValidatedResponseUpdateInputResult> => {
+  const validatedInput: TParseAndValidateJsonBodyResult<TResponseUpdateInput> =
+    await parseAndValidateJsonBody({
+      request: req,
+      schema: ZResponseUpdateInput,
+      malformedJsonMessage: "Malformed JSON in request body",
+    });
+
+  if ("response" in validatedInput) {
+    return {
+      response: validatedInput.response,
+    };
+  }
+
+  return { responseUpdateInput: validatedInput.data };
+};

apps/web/app/api/v1/client/[environmentId]/responses/[responseId]/route.ts

@@ -1,235 +1,11 @@
-import { logger } from "@formbricks/logger";
-import { DatabaseError, InvalidInputError, ResourceNotFoundError } from "@formbricks/types/errors";
-import { TResponse, TResponseUpdateInput, ZResponseUpdateInput } from "@formbricks/types/responses";
-import { TSurveyElement } from "@formbricks/types/surveys/elements";
-import { TSurvey } from "@formbricks/types/surveys/types";
 import { responses } from "@/app/lib/api/response";
-import { transformErrorToDetails } from "@/app/lib/api/validator";
-import { THandlerParams, withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
-import { sendToPipeline } from "@/app/lib/pipelines";
-import { getResponse } from "@/lib/response/service";
-import { getSurvey } from "@/lib/survey/service";
-import { formatValidationErrorsForV1Api, validateResponseData } from "@/modules/api/lib/validation";
-import { validateOtherOptionLengthForMultipleChoice } from "@/modules/api/v2/lib/element";
-import { createQuotaFullObject } from "@/modules/ee/quotas/lib/helpers";
-import { validateFileUploads } from "@/modules/storage/utils";
-import { updateResponseWithQuotaEvaluation } from "./lib/response";
+import { withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
+import { putResponseHandler } from "./lib/put-response-handler";
 
 export const OPTIONS = async (): Promise<Response> => {
   return responses.successResponse({}, true);
 };
 
-const handleDatabaseError = (error: Error, url: string, endpoint: string, responseId: string): Response => {
-  if (error instanceof ResourceNotFoundError) {
-    return responses.notFoundResponse("Response", responseId, true);
-  }
-  if (error instanceof InvalidInputError) {
-    return responses.badRequestResponse(error.message, undefined, true);
-  }
-  if (error instanceof DatabaseError) {
-    logger.error({ error, url }, `Error in ${endpoint}`);
-    return responses.internalServerErrorResponse(error.message, true);
-  }
-  return responses.internalServerErrorResponse("Unknown error occurred", true);
-};
-
-const validateResponse = (
-  response: TResponse,
-  survey: TSurvey,
-  responseUpdateInput: TResponseUpdateInput
-) => {
-  // Validate response data against validation rules
-  const mergedData = {
-    ...response.data,
-    ...responseUpdateInput.data,
-  };
-
-  const validationErrors = validateResponseData(
-    survey.blocks,
-    mergedData,
-    responseUpdateInput.language ?? response.language ?? "en",
-    survey.questions
-  );
-
-  if (validationErrors) {
-    return {
-      response: responses.badRequestResponse(
-        "Validation failed",
-        formatValidationErrorsForV1Api(validationErrors),
-        true
-      ),
-    };
-  }
-};
-
 export const PUT = withV1ApiWrapper({
-  handler: async ({ req, props }: THandlerParams<{ params: Promise<{ responseId: string }> }>) => {
-    const params = await props.params;
-    const { responseId } = params;
-
-    if (!responseId) {
-      return {
-        response: responses.badRequestResponse("Response ID is missing", undefined, true),
-      };
-    }
-
-    const responseUpdate = await req.json();
-    const inputValidation = ZResponseUpdateInput.safeParse(responseUpdate);
-
-    if (!inputValidation.success) {
-      return {
-        response: responses.badRequestResponse(
-          "Fields are missing or incorrectly formatted",
-          transformErrorToDetails(inputValidation.error),
-          true
-        ),
-      };
-    }
-
-    let response;
-    try {
-      response = await getResponse(responseId);
-    } catch (error) {
-      const endpoint = "PUT /api/v1/client/[environmentId]/responses/[responseId]";
-      return {
-        response: handleDatabaseError(
-          error instanceof Error ? error : new Error(String(error)),
-          req.url,
-          endpoint,
-          responseId
-        ),
-      };
-    }
-
-    if (!response) {
-      return {
-        response: responses.notFoundResponse("Response", responseId, true),
-      };
-    }
-
-    if (response.finished) {
-      return {
-        response: responses.badRequestResponse("Response is already finished", undefined, true),
-      };
-    }
-
-    // get survey to get environmentId
-    let survey;
-    try {
-      survey = await getSurvey(response.surveyId);
-    } catch (error) {
-      const endpoint = "PUT /api/v1/client/[environmentId]/responses/[responseId]";
-      return {
-        response: handleDatabaseError(
-          error instanceof Error ? error : new Error(String(error)),
-          req.url,
-          endpoint,
-          responseId
-        ),
-      };
-    }
-
-    if (!survey) {
-      return {
-        response: responses.notFoundResponse("Survey", response.surveyId, true),
-      };
-    }
-
-    if (!validateFileUploads(inputValidation.data.data, survey.questions)) {
-      return {
-        response: responses.badRequestResponse("Invalid file upload response", undefined, true),
-      };
-    }
-
-    // Validate response data for "other" options exceeding character limit
-    const otherResponseInvalidQuestionId = validateOtherOptionLengthForMultipleChoice({
-      responseData: inputValidation.data.data,
-      surveyQuestions: survey.questions as unknown as TSurveyElement[],
-      responseLanguage: inputValidation.data.language,
-    });
-
-    if (otherResponseInvalidQuestionId) {
-      return {
-        response: responses.badRequestResponse(
-          `Response exceeds character limit`,
-          {
-            questionId: otherResponseInvalidQuestionId,
-          },
-          true
-        ),
-      };
-    }
-
-    const validationResult = validateResponse(response, survey, inputValidation.data);
-    if (validationResult) {
-      return validationResult;
-    }
-
-    // update response with quota evaluation
-    let updatedResponse;
-    try {
-      updatedResponse = await updateResponseWithQuotaEvaluation(responseId, inputValidation.data);
-    } catch (error) {
-      if (error instanceof ResourceNotFoundError) {
-        return {
-          response: responses.notFoundResponse("Response", responseId, true),
-        };
-      }
-      if (error instanceof InvalidInputError) {
-        return {
-          response: responses.badRequestResponse(error.message),
-        };
-      }
-      if (error instanceof DatabaseError) {
-        logger.error(
-          { error, url: req.url },
-          "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
-        );
-        return {
-          response: responses.internalServerErrorResponse(error.message),
-        };
-      }
-
-      logger.error(
-        { error, url: req.url },
-        "Error in PUT /api/v1/client/[environmentId]/responses/[responseId]"
-      );
-      return {
-        response: responses.internalServerErrorResponse("Something went wrong"),
-      };
-    }
-
-    const { quotaFull, ...responseData } = updatedResponse;
-
-    // send response update to pipeline
-    // don't await to not block the response
-    sendToPipeline({
-      event: "responseUpdated",
-      environmentId: survey.environmentId,
-      surveyId: survey.id,
-      response: responseData,
-    });
-
-    if (updatedResponse.finished) {
-      // send response to pipeline
-      // don't await to not block the response
-      sendToPipeline({
-        event: "responseFinished",
-        environmentId: survey.environmentId,
-        surveyId: survey.id,
-        response: responseData,
-      });
-    }
-
-    const quotaObj = createQuotaFullObject(quotaFull);
-
-    const responseDataWithQuota = {
-      id: responseData.id,
-      ...quotaObj,
-    };
-
-    return {
-      response: responses.successResponse(responseDataWithQuota, true),
-    };
-  },
+  handler: putResponseHandler,
 });

apps/web/app/api/v1/client/[environmentId]/storage/route.ts

@@ -1,7 +1,7 @@
 import { logger } from "@formbricks/logger";
-import { TUploadPrivateFileRequest, ZUploadPrivateFileRequest } from "@formbricks/types/storage";
+import { ZUploadPrivateFileRequest } from "@formbricks/types/storage";
+import { parseAndValidateJsonBody } from "@/app/lib/api/parse-and-validate-json-body";
 import { responses } from "@/app/lib/api/response";
-import { transformErrorToDetails } from "@/app/lib/api/validator";
 import { THandlerParams, withV1ApiWrapper } from "@/app/lib/api/with-api-logging";
 import { MAX_FILE_UPLOAD_SIZES } from "@/lib/constants";
 import { getOrganizationByEnvironmentId } from "@/lib/organization/service";
@@ -30,33 +30,27 @@ export const POST = withV1ApiWrapper({
   handler: async ({ req, props }: THandlerParams<{ params: Promise<{ environmentId: string }> }>) => {
     const params = await props.params;
     const { environmentId } = params;
-    let jsonInput: TUploadPrivateFileRequest;
-
-    try {
-      jsonInput = await req.json();
-    } catch (error) {
-      logger.error({ error, url: req.url }, "Error parsing JSON input");
-      return {
-        response: responses.badRequestResponse("Malformed JSON input, please check your request body"),
-      };
-    }
-
-    const parsedInputResult = ZUploadPrivateFileRequest.safeParse({
-      ...jsonInput,
-      environmentId,
+    const parsedInputResult = await parseAndValidateJsonBody({
+      request: req,
+      schema: ZUploadPrivateFileRequest,
+      buildInput: (jsonInput) => ({
+        ...(jsonInput !== null && typeof jsonInput === "object" ? jsonInput : {}),
+        environmentId,
+      }),
     });
 
-    if (!parsedInputResult.success) {
-      const errorDetails = transformErrorToDetails(parsedInputResult.error);
-
-      logger.error({ error: errorDetails }, "Fields are missing or incorrectly formatted");
+    if ("response" in parsedInputResult) {
+      if (parsedInputResult.issue === "invalid_json") {
+        logger.error({ error: parsedInputResult.details, url: req.url }, "Error parsing JSON input");
+      } else {
+        logger.error(
+          { error: parsedInputResult.details, url: req.url },
+          "Fields are missing or incorrectly formatted"
+        );
+      }
 
       return {
-        response: responses.badRequestResponse(
-          "Fields are missing or incorrectly formatted",
-          errorDetails,
-          true
-        ),
+        response: parsedInputResult.response,
       };
     }
 
@@ -105,9 +99,14 @@ export const POST = withV1ApiWrapper({
     if (!signedUrlResponse.ok) {
       logger.error({ error: signedUrlResponse.error }, "Error getting signed url for upload");
       const errorResponse = getErrorResponseFromStorageError(signedUrlResponse.error, { fileName });
-      return {
-        response: errorResponse,
-      };
+      return errorResponse.status >= 500
+        ? {
+            response: errorResponse,
+            error: signedUrlResponse.error,
+          }
+        : {
+            response: errorResponse,
+          };
     }
 
     return {

apps/web/app/api/v1/management/surveys/lib/utils.test.ts

@@ -49,7 +49,8 @@ const mockOrganization: TOrganization = {
     },
     usageCycleAnchor: new Date(),
   },
-  isAIEnabled: false,
+  isAISmartToolsEnabled: false,
+  isAIDataAnalysisEnabled: false,
 };
 
 const mockFollowUp: TSurveyCreateInputWithEnvironmentId["followUps"][number] = {

apps/web/app/api/v2/client/[environmentId]/displays/route.test.ts

@@ -0,0 +1,126 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  createDisplay: vi.fn(),
+  getIsContactsEnabled: vi.fn(),
+  getOrganizationIdFromEnvironmentId: vi.fn(),
+  reportApiError: vi.fn(),
+}));
+
+vi.mock("./lib/display", () => ({
+  createDisplay: mocks.createDisplay,
+}));
+
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({
+  getIsContactsEnabled: mocks.getIsContactsEnabled,
+}));
+
+vi.mock("@/lib/utils/helper", () => ({
+  getOrganizationIdFromEnvironmentId: mocks.getOrganizationIdFromEnvironmentId,
+}));
+
+vi.mock("@/app/lib/api/api-error-reporter", () => ({
+  reportApiError: mocks.reportApiError,
+}));
+
+const environmentId = "cld1234567890abcdef123456";
+const surveyId = "clg123456789012345678901234";
+
+describe("api/v2 client displays route", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mocks.getOrganizationIdFromEnvironmentId.mockResolvedValue("org_123");
+    mocks.getIsContactsEnabled.mockResolvedValue(true);
+  });
+
+  test("returns a v2 bad request response for malformed JSON without reporting an internal error", async () => {
+    const request = new Request(`https://api.test/api/v2/client/${environmentId}/displays`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: "{",
+    });
+
+    const { POST } = await import("./route");
+    const response = await POST(request, {
+      params: Promise.resolve({ environmentId }),
+    });
+
+    expect(response.status).toBe(400);
+    expect(await response.json()).toEqual(
+      expect.objectContaining({
+        code: "bad_request",
+        message: "Invalid JSON in request body",
+      })
+    );
+    expect(mocks.createDisplay).not.toHaveBeenCalled();
+    expect(mocks.reportApiError).not.toHaveBeenCalled();
+  });
+
+  test("reports unexpected createDisplay failures while keeping the response payload unchanged", async () => {
+    const underlyingError = new Error("display persistence failed");
+    mocks.createDisplay.mockRejectedValue(underlyingError);
+
+    const request = new Request(`https://api.test/api/v2/client/${environmentId}/displays`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        surveyId,
+      }),
+    });
+
+    const { POST } = await import("./route");
+    const response = await POST(request, {
+      params: Promise.resolve({ environmentId }),
+    });
+
+    expect(response.status).toBe(500);
+    expect(await response.json()).toEqual({
+      code: "internal_server_error",
+      message: "Something went wrong. Please try again.",
+      details: {},
+    });
+    expect(mocks.reportApiError).toHaveBeenCalledWith({
+      request,
+      status: 500,
+      error: underlyingError,
+    });
+  });
+
+  test("reports unexpected contact-license lookup failures with the same generic public response", async () => {
+    const underlyingError = new Error("license lookup failed");
+    mocks.getOrganizationIdFromEnvironmentId.mockRejectedValue(underlyingError);
+
+    const request = new Request(`https://api.test/api/v2/client/${environmentId}/displays`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        surveyId,
+        contactId: "clh123456789012345678901234",
+      }),
+    });
+
+    const { POST } = await import("./route");
+    const response = await POST(request, {
+      params: Promise.resolve({ environmentId }),
+    });
+
+    expect(response.status).toBe(500);
+    expect(await response.json()).toEqual({
+      code: "internal_server_error",
+      message: "Something went wrong. Please try again.",
+      details: {},
+    });
+    expect(mocks.reportApiError).toHaveBeenCalledWith({
+      request,
+      status: 500,
+      error: underlyingError,
+    });
+    expect(mocks.createDisplay).not.toHaveBeenCalled();
+  });
+});

apps/web/app/api/v2/client/[environmentId]/displays/route.ts

@@ -1,8 +1,11 @@
-import { logger } from "@formbricks/logger";
 import { ResourceNotFoundError } from "@formbricks/types/errors";
-import { ZDisplayCreateInputV2 } from "@/app/api/v2/client/[environmentId]/displays/types/display";
+import {
+  TDisplayCreateInputV2,
+  ZDisplayCreateInputV2,
+} from "@/app/api/v2/client/[environmentId]/displays/types/display";
+import { reportApiError } from "@/app/lib/api/api-error-reporter";
+import { parseAndValidateJsonBody } from "@/app/lib/api/parse-and-validate-json-body";
 import { responses } from "@/app/lib/api/response";
-import { transformErrorToDetails } from "@/app/lib/api/validator";
 import { getOrganizationIdFromEnvironmentId } from "@/lib/utils/helper";
 import { getIsContactsEnabled } from "@/modules/ee/license-check/lib/utils";
 import { createDisplay } from "./lib/display";
@@ -13,6 +16,29 @@ interface Context {
   }>;
 }
 
+type TValidatedDisplayInputResult = { displayInputData: TDisplayCreateInputV2 } | { response: Response };
+
+const parseAndValidateDisplayInput = async (
+  request: Request,
+  environmentId: string
+): Promise<TValidatedDisplayInputResult> => {
+  const inputValidation = await parseAndValidateJsonBody({
+    request,
+    schema: ZDisplayCreateInputV2,
+    buildInput: (jsonInput) => ({
+      ...(jsonInput !== null && typeof jsonInput === "object" ? jsonInput : {}),
+      environmentId,
+    }),
+    malformedJsonMessage: "Invalid JSON in request body",
+  });
+
+  if ("response" in inputValidation) {
+    return inputValidation;
+  }
+
+  return { displayInputData: inputValidation.data };
+};
+
 export const OPTIONS = async (): Promise<Response> => {
   return responses.successResponse(
     {},
@@ -25,38 +51,40 @@ export const OPTIONS = async (): Promise<Response> => {
 
 export const POST = async (request: Request, context: Context): Promise<Response> => {
   const params = await context.params;
-  const jsonInput = await request.json();
-  const inputValidation = ZDisplayCreateInputV2.safeParse({
-    ...jsonInput,
-    environmentId: params.environmentId,
-  });
+  const validatedInput = await parseAndValidateDisplayInput(request, params.environmentId);
 
-  if (!inputValidation.success) {
-    return responses.badRequestResponse(
-      "Fields are missing or incorrectly formatted",
-      transformErrorToDetails(inputValidation.error),
-      true
-    );
+  if ("response" in validatedInput) {
+    return validatedInput.response;
   }
 
-  if (inputValidation.data.contactId) {
-    const organizationId = await getOrganizationIdFromEnvironmentId(params.environmentId);
-    const isContactsEnabled = await getIsContactsEnabled(organizationId);
-    if (!isContactsEnabled) {
-      return responses.forbiddenResponse("User identification is only available for enterprise users.", true);
-    }
-  }
+  const { displayInputData } = validatedInput;
 
   try {
-    const response = await createDisplay(inputValidation.data);
+    if (displayInputData.contactId) {
+      const organizationId = await getOrganizationIdFromEnvironmentId(params.environmentId);
+      const isContactsEnabled = await getIsContactsEnabled(organizationId);
+      if (!isContactsEnabled) {
+        return responses.forbiddenResponse(
+          "User identification is only available for enterprise users.",
+          true
+        );
+      }
+    }
+
+    const response = await createDisplay(displayInputData);
 
     return responses.successResponse(response, true);
   } catch (error) {
     if (error instanceof ResourceNotFoundError) {
-      return responses.notFoundResponse("Survey", inputValidation.data.surveyId);
-    } else {
-      logger.error({ error, url: request.url }, "Error creating display");
-      return responses.internalServerErrorResponse("Something went wrong. Please try again.");
+      return responses.notFoundResponse("Survey", displayInputData.surveyId, true);
     }
+
+    const response = responses.internalServerErrorResponse("Something went wrong. Please try again.", true);
+    reportApiError({
+      request,
+      status: response.status,
+      error,
+    });
+    return response;
   }
 };

apps/web/app/api/v2/client/[environmentId]/environment/route.test.ts

@@ -0,0 +1,135 @@
+import * as Sentry from "@sentry/nextjs";
+import { type NextRequest } from "next/server";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  applyIPRateLimit: vi.fn(),
+  getEnvironmentState: vi.fn(),
+  contextualLoggerError: vi.fn(),
+}));
+
+vi.mock("@/app/api/v1/client/[environmentId]/environment/lib/environmentState", () => ({
+  getEnvironmentState: mocks.getEnvironmentState,
+}));
+
+vi.mock("@/modules/core/rate-limit/helpers", () => ({
+  applyIPRateLimit: mocks.applyIPRateLimit,
+  applyRateLimit: vi.fn(),
+}));
+
+vi.mock("@/modules/core/rate-limit/rate-limit-configs", () => ({
+  rateLimitConfigs: {
+    api: {
+      client: { windowMs: 60000, max: 100 },
+      v1: { windowMs: 60000, max: 1000 },
+    },
+  },
+}));
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: vi.fn(),
+  withScope: vi.fn(),
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      error: mocks.contextualLoggerError,
+      warn: vi.fn(),
+      info: vi.fn(),
+    })),
+    error: vi.fn(),
+    warn: vi.fn(),
+    info: vi.fn(),
+  },
+}));
+
+vi.mock("@/lib/constants", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/constants")>();
+  return {
+    ...actual,
+    AUDIT_LOG_ENABLED: false,
+    IS_PRODUCTION: true,
+    SENTRY_DSN: "test-dsn",
+    ENCRYPTION_KEY: "test-key",
+    REDIS_URL: "redis://localhost:6379",
+  };
+});
+
+const createMockRequest = (url: string, headers = new Map<string, string>()): NextRequest => {
+  const parsedUrl = new URL(url);
+
+  return {
+    method: "GET",
+    url,
+    headers: {
+      get: (key: string) => headers.get(key),
+    },
+    nextUrl: {
+      pathname: parsedUrl.pathname,
+    },
+  } as unknown as NextRequest;
+};
+
+describe("api/v2 client environment route", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mocks.applyIPRateLimit.mockResolvedValue(undefined);
+  });
+
+  test("reports v1-backed failures as v2 and keeps the response payload unchanged", async () => {
+    const underlyingError = new Error("Environment load failed");
+    mocks.getEnvironmentState.mockRejectedValue(underlyingError);
+
+    const request = createMockRequest(
+      "https://api.test/api/v2/client/ck12345678901234567890123/environment",
+      new Map([["x-request-id", "req-v2-env"]])
+    );
+
+    const { GET } = await import("./route");
+    const response = await GET(request, {
+      params: Promise.resolve({
+        environmentId: "ck12345678901234567890123",
+      }),
+    });
+
+    expect(response.status).toBe(500);
+    expect(await response.json()).toEqual({
+      code: "internal_server_error",
+      message: "An error occurred while processing your request.",
+      details: {},
+    });
+
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      underlyingError,
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v2",
+          correlationId: "req-v2-env",
+          method: "GET",
+          path: "/api/v2/client/ck12345678901234567890123/environment",
+        }),
+        extra: expect.objectContaining({
+          error: expect.objectContaining({
+            name: "Error",
+            message: "Environment load failed",
+          }),
+          originalError: expect.objectContaining({
+            name: "Error",
+            message: "Environment load failed",
+          }),
+        }),
+        contexts: expect.objectContaining({
+          apiRequest: expect.objectContaining({
+            apiVersion: "v2",
+            correlationId: "req-v2-env",
+            method: "GET",
+            path: "/api/v2/client/ck12345678901234567890123/environment",
+            status: 500,
+          }),
+        }),
+      })
+    );
+  });
+});

apps/web/app/api/v2/client/[environmentId]/responses/route.test.ts

@@ -0,0 +1,144 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const mocks = vi.hoisted(() => ({
+  checkSurveyValidity: vi.fn(),
+  createResponseWithQuotaEvaluation: vi.fn(),
+  getClientIpFromHeaders: vi.fn(),
+  getIsContactsEnabled: vi.fn(),
+  getOrganizationIdFromEnvironmentId: vi.fn(),
+  getSurvey: vi.fn(),
+  reportApiError: vi.fn(),
+  sendToPipeline: vi.fn(),
+  validateResponseData: vi.fn(),
+}));
+
+vi.mock("@/app/api/v2/client/[environmentId]/responses/lib/utils", () => ({
+  checkSurveyValidity: mocks.checkSurveyValidity,
+}));
+
+vi.mock("./lib/response", () => ({
+  createResponseWithQuotaEvaluation: mocks.createResponseWithQuotaEvaluation,
+}));
+
+vi.mock("@/app/lib/api/api-error-reporter", () => ({
+  reportApiError: mocks.reportApiError,
+}));
+
+vi.mock("@/app/lib/pipelines", () => ({
+  sendToPipeline: mocks.sendToPipeline,
+}));
+
+vi.mock("@/lib/survey/service", () => ({
+  getSurvey: mocks.getSurvey,
+}));
+
+vi.mock("@/lib/utils/client-ip", () => ({
+  getClientIpFromHeaders: mocks.getClientIpFromHeaders,
+}));
+
+vi.mock("@/lib/utils/helper", () => ({
+  getOrganizationIdFromEnvironmentId: mocks.getOrganizationIdFromEnvironmentId,
+}));
+
+vi.mock("@/modules/api/lib/validation", () => ({
+  formatValidationErrorsForV1Api: vi.fn((errors) => errors),
+  validateResponseData: mocks.validateResponseData,
+}));
+
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({
+  getIsContactsEnabled: mocks.getIsContactsEnabled,
+}));
+
+const environmentId = "cld1234567890abcdef123456";
+const surveyId = "clg123456789012345678901234";
+
+describe("api/v2 client responses route", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mocks.checkSurveyValidity.mockResolvedValue(null);
+    mocks.getSurvey.mockResolvedValue({
+      id: surveyId,
+      environmentId,
+      blocks: [],
+      questions: [],
+      isCaptureIpEnabled: false,
+    });
+    mocks.validateResponseData.mockReturnValue(null);
+    mocks.getOrganizationIdFromEnvironmentId.mockResolvedValue("org_123");
+    mocks.getIsContactsEnabled.mockResolvedValue(true);
+    mocks.getClientIpFromHeaders.mockResolvedValue("127.0.0.1");
+  });
+
+  test("reports unexpected response creation failures while keeping the public payload generic", async () => {
+    const underlyingError = new Error("response persistence failed");
+    mocks.createResponseWithQuotaEvaluation.mockRejectedValue(underlyingError);
+
+    const request = new Request(`https://api.test/api/v2/client/${environmentId}/responses`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-request-id": "req-v2-response",
+      },
+      body: JSON.stringify({
+        surveyId,
+        finished: false,
+        data: {},
+      }),
+    });
+
+    const { POST } = await import("./route");
+    const response = await POST(request, {
+      params: Promise.resolve({ environmentId }),
+    });
+
+    expect(response.status).toBe(500);
+    expect(await response.json()).toEqual({
+      code: "internal_server_error",
+      message: "Something went wrong. Please try again.",
+      details: {},
+    });
+    expect(mocks.reportApiError).toHaveBeenCalledWith({
+      request,
+      status: 500,
+      error: underlyingError,
+    });
+    expect(mocks.sendToPipeline).not.toHaveBeenCalled();
+  });
+
+  test("reports unexpected pre-persistence failures with the same generic public response", async () => {
+    const underlyingError = new Error("survey lookup failed");
+    mocks.getSurvey.mockRejectedValue(underlyingError);
+
+    const request = new Request(`https://api.test/api/v2/client/${environmentId}/responses`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-request-id": "req-v2-response-pre-check",
+      },
+      body: JSON.stringify({
+        surveyId,
+        finished: false,
+        data: {},
+      }),
+    });
+
+    const { POST } = await import("./route");
+    const response = await POST(request, {
+      params: Promise.resolve({ environmentId }),
+    });
+
+    expect(response.status).toBe(500);
+    expect(await response.json()).toEqual({
+      code: "internal_server_error",
+      message: "Something went wrong. Please try again.",
+      details: {},
+    });
+    expect(mocks.reportApiError).toHaveBeenCalledWith({
+      request,
+      status: 500,
+      error: underlyingError,
+    });
+    expect(mocks.createResponseWithQuotaEvaluation).not.toHaveBeenCalled();
+    expect(mocks.sendToPipeline).not.toHaveBeenCalled();
+  });
+});

apps/web/app/api/v2/client/[environmentId]/responses/route.ts

@@ -1,10 +1,10 @@
-import { headers } from "next/headers";
 import { UAParser } from "ua-parser-js";
-import { logger } from "@formbricks/logger";
 import { ZEnvironmentId } from "@formbricks/types/environment";
 import { InvalidInputError } from "@formbricks/types/errors";
 import { TResponseWithQuotaFull } from "@formbricks/types/quota";
 import { checkSurveyValidity } from "@/app/api/v2/client/[environmentId]/responses/lib/utils";
+import { reportApiError } from "@/app/lib/api/api-error-reporter";
+import { parseAndValidateJsonBody } from "@/app/lib/api/parse-and-validate-json-body";
 import { responses } from "@/app/lib/api/response";
 import { transformErrorToDetails } from "@/app/lib/api/validator";
 import { sendToPipeline } from "@/app/lib/pipelines";
@@ -25,78 +25,86 @@ interface Context {
   }>;
 }
 
-export const OPTIONS = async (): Promise<Response> => {
-  return responses.successResponse(
-    {},
-    true,
-    // Cache CORS preflight responses for 1 hour (conservative approach)
-    // Balances performance gains with flexibility for CORS policy changes
-    "public, s-maxage=3600, max-age=3600"
-  );
-};
+type TResponseSurvey = NonNullable<Awaited<ReturnType<typeof getSurvey>>>;
 
-export const POST = async (request: Request, context: Context): Promise<Response> => {
-  const params = await context.params;
-  const requestHeaders = await headers();
-  let responseInput;
-  try {
-    responseInput = await request.json();
-  } catch (error) {
-    return responses.badRequestResponse(
-      "Invalid JSON in request body",
-      { error: error instanceof Error ? error.message : "Unknown error occurred" },
-      true
-    );
-  }
+type TValidatedResponseInputResult =
+  | {
+      environmentId: string;
+      responseInputData: TResponseInputV2;
+    }
+  | { response: Response };
 
-  const { environmentId } = params;
+const getCountry = (requestHeaders: Headers): string | undefined =>
+  requestHeaders.get("CF-IPCountry") ||
+  requestHeaders.get("X-Vercel-IP-Country") ||
+  requestHeaders.get("CloudFront-Viewer-Country") ||
+  undefined;
+
+const getUnexpectedPublicErrorResponse = (): Response =>
+  responses.internalServerErrorResponse("Something went wrong. Please try again.", true);
+
+const parseAndValidateResponseInput = async (
+  request: Request,
+  environmentId: string
+): Promise<TValidatedResponseInputResult> => {
   const environmentIdValidation = ZEnvironmentId.safeParse(environmentId);
-  const responseInputValidation = ZResponseInputV2.safeParse({ ...responseInput, environmentId });
 
   if (!environmentIdValidation.success) {
-    return responses.badRequestResponse(
-      "Fields are missing or incorrectly formatted",
-      transformErrorToDetails(environmentIdValidation.error),
-      true
-    );
+    return {
+      response: responses.badRequestResponse(
+        "Fields are missing or incorrectly formatted",
+        transformErrorToDetails(environmentIdValidation.error),
+        true
+      ),
+    };
   }
 
-  if (!responseInputValidation.success) {
-    return responses.badRequestResponse(
-      "Fields are missing or incorrectly formatted",
-      transformErrorToDetails(responseInputValidation.error),
-      true
-    );
+  const responseInputValidation = await parseAndValidateJsonBody({
+    request,
+    schema: ZResponseInputV2,
+    buildInput: (jsonInput) => ({
+      ...(jsonInput !== null && typeof jsonInput === "object" ? jsonInput : {}),
+      environmentId,
+    }),
+    malformedJsonMessage: "Invalid JSON in request body",
+  });
+
+  if ("response" in responseInputValidation) {
+    return responseInputValidation;
   }
 
-  const userAgent = request.headers.get("user-agent") || undefined;
-  const agent = new UAParser(userAgent);
+  return {
+    environmentId,
+    responseInputData: responseInputValidation.data,
+  };
+};
 
-  const country =
-    requestHeaders.get("CF-IPCountry") ||
-    requestHeaders.get("X-Vercel-IP-Country") ||
-    requestHeaders.get("CloudFront-Viewer-Country") ||
-    undefined;
-
-  const responseInputData = responseInputValidation.data;
-
-  if (responseInputData.contactId) {
-    const organizationId = await getOrganizationIdFromEnvironmentId(environmentId);
-    const isContactsEnabled = await getIsContactsEnabled(organizationId);
-    if (!isContactsEnabled) {
-      return responses.forbiddenResponse("User identification is only available for enterprise users.", true);
-    }
+const getContactsDisabledResponse = async (
+  environmentId: string,
+  contactId: string | null | undefined
+): Promise<Response | null> => {
+  if (!contactId) {
+    return null;
   }
 
-  // get and check survey
-  const survey = await getSurvey(responseInputData.surveyId);
-  if (!survey) {
-    return responses.notFoundResponse("Survey", responseInput.surveyId, true);
-  }
-  const surveyCheckResult = await checkSurveyValidity(survey, environmentId, responseInput);
-  if (surveyCheckResult) return surveyCheckResult;
+  const organizationId = await getOrganizationIdFromEnvironmentId(environmentId);
+  const isContactsEnabled = await getIsContactsEnabled(organizationId);
+
+  return isContactsEnabled
+    ? null
+    : responses.forbiddenResponse("User identification is only available for enterprise users.", true);
+};
+
+const validateResponseSubmission = async (
+  environmentId: string,
+  responseInputData: TResponseInputV2,
+  survey: TResponseSurvey
+): Promise<Response | null> => {
+  const surveyCheckResult = await checkSurveyValidity(survey, environmentId, responseInputData);
+  if (surveyCheckResult) {
+    return surveyCheckResult;
+  }
 
-  // Validate response data for "other" options exceeding character limit
   const otherResponseInvalidQuestionId = validateOtherOptionLengthForMultipleChoice({
     responseData: responseInputData.data,
     surveyQuestions: getElementsFromBlocks(survey.blocks),
@@ -113,7 +121,6 @@ export const POST = async (request: Request, context: Context): Promise<Response
     );
   }
 
-  // Validate response data against validation rules
   const validationErrors = validateResponseData(
     survey.blocks,
     responseInputData.data,
@@ -121,15 +128,29 @@ export const POST = async (request: Request, context: Context): Promise<Response
     survey.questions
   );
 
-  if (validationErrors) {
-    return responses.badRequestResponse(
-      "Validation failed",
-      formatValidationErrorsForV1Api(validationErrors),
-      true
-    );
-  }
+  return validationErrors
+    ? responses.badRequestResponse(
+        "Validation failed",
+        formatValidationErrorsForV1Api(validationErrors),
+        true
+      )
+    : null;
+};
+
+const createResponseForRequest = async ({
+  request,
+  survey,
+  responseInputData,
+  country,
+}: {
+  request: Request;
+  survey: TResponseSurvey;
+  responseInputData: TResponseInputV2;
+  country: string | undefined;
+}): Promise<TResponseWithQuotaFull | Response> => {
+  const userAgent = request.headers.get("user-agent") || undefined;
+  const agent = new UAParser(userAgent);
 
-  let response: TResponseWithQuotaFull;
   try {
     const meta: TResponseInputV2["meta"] = {
       source: responseInputData?.meta?.source,
@@ -139,54 +160,115 @@ export const POST = async (request: Request, context: Context): Promise<Response
         device: agent.getDevice().type || "desktop",
         os: agent.getOS().name,
       },
-      country: country,
+      country,
       action: responseInputData?.meta?.action,
     };
 
-    // Capture IP address if the survey has IP capture enabled
-    // Server-derived IP always overwrites any client-provided value
     if (survey.isCaptureIpEnabled) {
-      const ipAddress = await getClientIpFromHeaders();
-      meta.ipAddress = ipAddress;
+      meta.ipAddress = await getClientIpFromHeaders();
     }
 
-    response = await createResponseWithQuotaEvaluation({
+    return await createResponseWithQuotaEvaluation({
       ...responseInputData,
       meta,
     });
   } catch (error) {
     if (error instanceof InvalidInputError) {
-      return responses.badRequestResponse(error.message);
+      return responses.badRequestResponse(error.message, undefined, true);
     }
-    logger.error({ error, url: request.url }, "Error creating response");
-    return responses.internalServerErrorResponse(
-      error instanceof Error ? error.message : "Unknown error occurred"
-    );
+
+    const response = getUnexpectedPublicErrorResponse();
+    reportApiError({
+      request,
+      status: response.status,
+      error,
+    });
+    return response;
   }
-  const { quotaFull, ...responseData } = response;
+};
 
-  sendToPipeline({
-    event: "responseCreated",
-    environmentId,
-    surveyId: responseData.surveyId,
-    response: responseData,
-  });
+export const OPTIONS = async (): Promise<Response> => {
+  return responses.successResponse(
+    {},
+    true,
+    // Cache CORS preflight responses for 1 hour (conservative approach)
+    // Balances performance gains with flexibility for CORS policy changes
+    "public, s-maxage=3600, max-age=3600"
+  );
+};
+
+export const POST = async (request: Request, context: Context): Promise<Response> => {
+  const params = await context.params;
+  const validatedInput = await parseAndValidateResponseInput(request, params.environmentId);
+
+  if ("response" in validatedInput) {
+    return validatedInput.response;
+  }
+
+  const { environmentId, responseInputData } = validatedInput;
+  const country = getCountry(request.headers);
+
+  try {
+    const contactsDisabledResponse = await getContactsDisabledResponse(
+      environmentId,
+      responseInputData.contactId
+    );
+    if (contactsDisabledResponse) {
+      return contactsDisabledResponse;
+    }
+
+    const survey = await getSurvey(responseInputData.surveyId);
+    if (!survey) {
+      return responses.notFoundResponse("Survey", responseInputData.surveyId, true);
+    }
+
+    const validationResponse = await validateResponseSubmission(environmentId, responseInputData, survey);
+    if (validationResponse) {
+      return validationResponse;
+    }
+
+    const createdResponse = await createResponseForRequest({
+      request,
+      survey,
+      responseInputData,
+      country,
+    });
+    if (createdResponse instanceof Response) {
+      return createdResponse;
+    }
+    const { quotaFull, ...responseData } = createdResponse;
 
-  if (responseData.finished) {
     sendToPipeline({
-      event: "responseFinished",
+      event: "responseCreated",
       environmentId,
       surveyId: responseData.surveyId,
       response: responseData,
     });
+
+    if (responseData.finished) {
+      sendToPipeline({
+        event: "responseFinished",
+        environmentId,
+        surveyId: responseData.surveyId,
+        response: responseData,
+      });
+    }
+
+    const quotaObj = createQuotaFullObject(quotaFull);
+
+    const responseDataWithQuota = {
+      id: responseData.id,
+      ...quotaObj,
+    };
+
+    return responses.successResponse(responseDataWithQuota, true);
+  } catch (error) {
+    const response = getUnexpectedPublicErrorResponse();
+    reportApiError({
+      request,
+      status: response.status,
+      error,
+    });
+    return response;
   }
-
-  const quotaObj = createQuotaFullObject(quotaFull);
-
-  const responseDataWithQuota = {
-    id: responseData.id,
-    ...quotaObj,
-  };
-
-  return responses.successResponse(responseDataWithQuota, true);
 };

apps/web/app/api/v3/lib/api-wrapper.test.ts

@@ -0,0 +1,324 @@
+import { NextRequest } from "next/server";
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { z } from "zod";
+import { TooManyRequestsError } from "@formbricks/types/errors";
+import { withV3ApiWrapper } from "./api-wrapper";
+
+const { mockAuthenticateRequest, mockGetServerSession } = vi.hoisted(() => ({
+  mockAuthenticateRequest: vi.fn(),
+  mockGetServerSession: vi.fn(),
+}));
+
+vi.mock("next-auth", () => ({
+  getServerSession: mockGetServerSession,
+}));
+
+vi.mock("@/app/api/v1/auth", () => ({
+  authenticateRequest: mockAuthenticateRequest,
+}));
+
+vi.mock("@/modules/auth/lib/authOptions", () => ({
+  authOptions: {},
+}));
+
+vi.mock("@/modules/core/rate-limit/helpers", () => ({
+  applyRateLimit: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      error: vi.fn(),
+      warn: vi.fn(),
+    })),
+  },
+}));
+
+describe("withV3ApiWrapper", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+    mockGetServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue(null);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("uses session auth first in both mode and injects request id into plain responses", async () => {
+    const { applyRateLimit } = await import("@/modules/core/rate-limit/helpers");
+    mockGetServerSession.mockResolvedValue({
+      user: { id: "user_1", name: "Test", email: "t@example.com" },
+      expires: "2026-01-01",
+    });
+
+    const handler = vi.fn(async ({ authentication, requestId, instance }) => {
+      expect(authentication).toMatchObject({ user: { id: "user_1" } });
+      expect(requestId).toBe("req-1");
+      expect(instance).toBe("/api/v3/surveys");
+      return Response.json({ ok: true });
+    });
+
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      handler,
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys?limit=10", {
+        headers: { "x-request-id": "req-1" },
+      }),
+      {} as never
+    );
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get("X-Request-Id")).toBe("req-1");
+    expect(handler).toHaveBeenCalledOnce();
+    expect(vi.mocked(applyRateLimit)).toHaveBeenCalledWith(
+      expect.objectContaining({ namespace: "api:v3" }),
+      "user_1"
+    );
+    expect(mockAuthenticateRequest).not.toHaveBeenCalled();
+  });
+
+  test("falls back to api key auth in both mode", async () => {
+    const { applyRateLimit } = await import("@/modules/core/rate-limit/helpers");
+    mockAuthenticateRequest.mockResolvedValue({
+      type: "apiKey",
+      apiKeyId: "key_1",
+      organizationId: "org_1",
+      organizationAccess: { accessControl: { read: true, write: false } },
+      environmentPermissions: [],
+    });
+
+    const handler = vi.fn(async ({ authentication }) => {
+      expect(authentication).toMatchObject({ apiKeyId: "key_1" });
+      return Response.json({ ok: true });
+    });
+
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      handler,
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys", {
+        headers: { "x-api-key": "fbk_test" },
+      }),
+      {} as never
+    );
+
+    expect(response.status).toBe(200);
+    expect(vi.mocked(applyRateLimit)).toHaveBeenCalledWith(
+      expect.objectContaining({ namespace: "api:v3" }),
+      "key_1"
+    );
+    expect(mockGetServerSession).not.toHaveBeenCalled();
+  });
+
+  test("returns 401 problem response when authentication is required but missing", async () => {
+    const handler = vi.fn(async () => Response.json({ ok: true }));
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      handler,
+    });
+
+    const response = await wrapped(new NextRequest("http://localhost/api/v3/surveys"), {} as never);
+
+    expect(response.status).toBe(401);
+    expect(handler).not.toHaveBeenCalled();
+    expect(response.headers.get("Content-Type")).toBe("application/problem+json");
+  });
+
+  test("returns 400 problem response for invalid query input", async () => {
+    mockGetServerSession.mockResolvedValue({
+      user: { id: "user_1" },
+      expires: "2026-01-01",
+    });
+
+    const handler = vi.fn(async () => Response.json({ ok: true }));
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      schemas: {
+        query: z.object({
+          limit: z.coerce.number().int().positive(),
+        }),
+      },
+      handler,
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys?limit=oops", {
+        headers: { "x-request-id": "req-invalid" },
+      }),
+      {} as never
+    );
+
+    expect(response.status).toBe(400);
+    expect(handler).not.toHaveBeenCalled();
+    const body = await response.json();
+    expect(body.invalid_params).toEqual(expect.arrayContaining([expect.objectContaining({ name: "limit" })]));
+    expect(body.requestId).toBe("req-invalid");
+  });
+
+  test("parses body, repeated query params, and async route params", async () => {
+    const handler = vi.fn(async ({ parsedInput }) => {
+      expect(parsedInput).toEqual({
+        body: { name: "Survey API" },
+        query: { tag: ["a", "b"] },
+        params: { workspaceId: "ws_123" },
+      });
+
+      return Response.json(
+        { ok: true },
+        {
+          headers: {
+            "X-Request-Id": "handler-request-id",
+          },
+        }
+      );
+    });
+
+    const wrapped = withV3ApiWrapper({
+      auth: "none",
+      schemas: {
+        body: z.object({
+          name: z.string(),
+        }),
+        query: z.object({
+          tag: z.array(z.string()),
+        }),
+        params: z.object({
+          workspaceId: z.string(),
+        }),
+      },
+      handler,
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys?tag=a&tag=b", {
+        method: "POST",
+        body: JSON.stringify({ name: "Survey API" }),
+        headers: {
+          "Content-Type": "application/json",
+        },
+      }),
+      {
+        params: Promise.resolve({
+          workspaceId: "ws_123",
+        }),
+      } as never
+    );
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get("X-Request-Id")).toBe("handler-request-id");
+    expect(handler).toHaveBeenCalledOnce();
+  });
+
+  test("returns 400 problem response for malformed JSON input", async () => {
+    const handler = vi.fn(async () => Response.json({ ok: true }));
+    const wrapped = withV3ApiWrapper({
+      auth: "none",
+      schemas: {
+        body: z.object({
+          name: z.string(),
+        }),
+      },
+      handler,
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys", {
+        method: "POST",
+        body: "{",
+        headers: {
+          "Content-Type": "application/json",
+        },
+      }),
+      {} as never
+    );
+
+    expect(response.status).toBe(400);
+    expect(handler).not.toHaveBeenCalled();
+    const body = await response.json();
+    expect(body.invalid_params).toEqual([
+      {
+        name: "body",
+        reason: "Malformed JSON input, please check your request body",
+      },
+    ]);
+  });
+
+  test("returns 400 problem response for invalid route params", async () => {
+    const handler = vi.fn(async () => Response.json({ ok: true }));
+    const wrapped = withV3ApiWrapper({
+      auth: "none",
+      schemas: {
+        params: z.object({
+          workspaceId: z.string().min(3),
+        }),
+      },
+      handler,
+    });
+
+    const response = await wrapped(new NextRequest("http://localhost/api/v3/surveys"), {
+      params: Promise.resolve({
+        workspaceId: "x",
+      }),
+    } as never);
+
+    expect(response.status).toBe(400);
+    expect(handler).not.toHaveBeenCalled();
+    const body = await response.json();
+    expect(body.invalid_params).toEqual(
+      expect.arrayContaining([expect.objectContaining({ name: "workspaceId" })])
+    );
+  });
+
+  test("returns 429 problem response when rate limited", async () => {
+    const { applyRateLimit } = await import("@/modules/core/rate-limit/helpers");
+    mockGetServerSession.mockResolvedValue({
+      user: { id: "user_1" },
+      expires: "2026-01-01",
+    });
+    vi.mocked(applyRateLimit).mockRejectedValueOnce(new TooManyRequestsError("Too many requests", 60));
+
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      handler: async () => Response.json({ ok: true }),
+    });
+
+    const response = await wrapped(new NextRequest("http://localhost/api/v3/surveys"), {} as never);
+
+    expect(response.status).toBe(429);
+    expect(response.headers.get("Retry-After")).toBe("60");
+    const body = await response.json();
+    expect(body.code).toBe("too_many_requests");
+  });
+
+  test("returns 500 problem response when the handler throws unexpectedly", async () => {
+    mockGetServerSession.mockResolvedValue({
+      user: { id: "user_1" },
+      expires: "2026-01-01",
+    });
+
+    const wrapped = withV3ApiWrapper({
+      auth: "both",
+      handler: async () => {
+        throw new Error("boom");
+      },
+    });
+
+    const response = await wrapped(
+      new NextRequest("http://localhost/api/v3/surveys", {
+        headers: { "x-request-id": "req-boom" },
+      }),
+      {} as never
+    );
+
+    expect(response.status).toBe(500);
+    const body = await response.json();
+    expect(body.code).toBe("internal_server_error");
+    expect(body.requestId).toBe("req-boom");
+  });
+});

apps/web/app/api/v3/lib/api-wrapper.ts

@@ -0,0 +1,349 @@
+import { getServerSession } from "next-auth";
+import { type NextRequest } from "next/server";
+import { z } from "zod";
+import { logger } from "@formbricks/logger";
+import { TooManyRequestsError } from "@formbricks/types/errors";
+import { authenticateRequest } from "@/app/api/v1/auth";
+import { authOptions } from "@/modules/auth/lib/authOptions";
+import { applyRateLimit } from "@/modules/core/rate-limit/helpers";
+import { rateLimitConfigs } from "@/modules/core/rate-limit/rate-limit-configs";
+import type { TRateLimitConfig } from "@/modules/core/rate-limit/types/rate-limit";
+import {
+  type InvalidParam,
+  problemBadRequest,
+  problemInternalError,
+  problemTooManyRequests,
+  problemUnauthorized,
+} from "./response";
+import type { TV3Authentication } from "./types";
+
+type TV3Schema = z.ZodTypeAny;
+type MaybePromise<T> = T | Promise<T>;
+
+export type TV3AuthMode = "none" | "session" | "apiKey" | "both";
+
+export type TV3Schemas = {
+  body?: TV3Schema;
+  query?: TV3Schema;
+  params?: TV3Schema;
+};
+
+export type TV3ParsedInput<S extends TV3Schemas | undefined> = S extends object
+  ? {
+      [K in keyof S as NonNullable<S[K]> extends TV3Schema ? K : never]: z.infer<NonNullable<S[K]>>;
+    }
+  : Record<string, never>;
+
+export type TV3HandlerParams<TParsedInput = Record<string, never>, TProps = unknown> = {
+  req: NextRequest;
+  props: TProps;
+  authentication: TV3Authentication;
+  parsedInput: TParsedInput;
+  requestId: string;
+  instance: string;
+};
+
+export type TWithV3ApiWrapperParams<S extends TV3Schemas | undefined, TProps = unknown> = {
+  auth?: TV3AuthMode;
+  schemas?: S;
+  rateLimit?: boolean;
+  customRateLimitConfig?: TRateLimitConfig;
+  handler: (params: TV3HandlerParams<TV3ParsedInput<S>, TProps>) => MaybePromise<Response>;
+};
+
+function getUnauthenticatedDetail(authMode: TV3AuthMode): string {
+  if (authMode === "session") {
+    return "Session required";
+  }
+
+  if (authMode === "apiKey") {
+    return "API key required";
+  }
+
+  return "Not authenticated";
+}
+
+function formatZodIssues(error: z.ZodError, fallbackName: "body" | "query" | "params"): InvalidParam[] {
+  return error.issues.map((issue) => ({
+    name: issue.path.length > 0 ? issue.path.join(".") : fallbackName,
+    reason: issue.message,
+  }));
+}
+
+function searchParamsToObject(searchParams: URLSearchParams): Record<string, string | string[]> {
+  const query: Record<string, string | string[]> = {};
+
+  for (const key of new Set(searchParams.keys())) {
+    const values = searchParams.getAll(key);
+    query[key] = values.length > 1 ? values : (values[0] ?? "");
+  }
+
+  return query;
+}
+
+function getRateLimitIdentifier(authentication: TV3Authentication): string | null {
+  if (!authentication) {
+    return null;
+  }
+
+  if ("user" in authentication && authentication.user?.id) {
+    return authentication.user.id;
+  }
+
+  if ("apiKeyId" in authentication) {
+    return authentication.apiKeyId;
+  }
+
+  return null;
+}
+
+function isPromiseLike<T>(value: unknown): value is Promise<T> {
+  return typeof value === "object" && value !== null && "then" in value;
+}
+
+async function getRouteParams<TProps>(props: TProps): Promise<Record<string, unknown>> {
+  if (!props || typeof props !== "object" || !("params" in props)) {
+    return {};
+  }
+
+  const params = (props as { params?: unknown }).params;
+  if (!params) {
+    return {};
+  }
+
+  const resolvedParams = isPromiseLike<Record<string, unknown>>(params) ? await params : params;
+  return typeof resolvedParams === "object" && resolvedParams !== null
+    ? (resolvedParams as Record<string, unknown>)
+    : {};
+}
+
+async function authenticateV3Request(req: NextRequest, authMode: TV3AuthMode): Promise<TV3Authentication> {
+  if (authMode === "none") {
+    return null;
+  }
+
+  if (authMode === "both" && req.headers.has("x-api-key")) {
+    const apiKeyAuth = await authenticateRequest(req);
+    if (apiKeyAuth) {
+      return apiKeyAuth;
+    }
+  }
+
+  if (authMode === "session" || authMode === "both") {
+    const session = await getServerSession(authOptions);
+    if (session?.user?.id) {
+      return session;
+    }
+
+    if (authMode === "session") {
+      return null;
+    }
+  }
+
+  if (authMode === "apiKey" || authMode === "both") {
+    return await authenticateRequest(req);
+  }
+
+  return null;
+}
+
+async function parseV3Input<S extends TV3Schemas | undefined, TProps>(
+  req: NextRequest,
+  props: TProps,
+  schemas: S | undefined,
+  requestId: string,
+  instance: string
+): Promise<
+  | { ok: true; parsedInput: TV3ParsedInput<S> }
+  | {
+      ok: false;
+      response: Response;
+    }
+> {
+  const parsedInput = {} as TV3ParsedInput<S>;
+
+  if (schemas?.body) {
+    let bodyData: unknown;
+
+    try {
+      bodyData = await req.json();
+    } catch {
+      return {
+        ok: false,
+        response: problemBadRequest(requestId, "Invalid request body", {
+          instance,
+          invalid_params: [{ name: "body", reason: "Malformed JSON input, please check your request body" }],
+        }),
+      };
+    }
+
+    const bodyResult = schemas.body.safeParse(bodyData);
+    if (!bodyResult.success) {
+      return {
+        ok: false,
+        response: problemBadRequest(requestId, "Invalid request body", {
+          instance,
+          invalid_params: formatZodIssues(bodyResult.error, "body"),
+        }),
+      };
+    }
+
+    parsedInput.body = bodyResult.data as TV3ParsedInput<S>["body"];
+  }
+
+  if (schemas?.query) {
+    const queryResult = schemas.query.safeParse(searchParamsToObject(req.nextUrl.searchParams));
+    if (!queryResult.success) {
+      return {
+        ok: false,
+        response: problemBadRequest(requestId, "Invalid query parameters", {
+          instance,
+          invalid_params: formatZodIssues(queryResult.error, "query"),
+        }),
+      };
+    }
+
+    parsedInput.query = queryResult.data as TV3ParsedInput<S>["query"];
+  }
+
+  if (schemas?.params) {
+    const paramsResult = schemas.params.safeParse(await getRouteParams(props));
+    if (!paramsResult.success) {
+      return {
+        ok: false,
+        response: problemBadRequest(requestId, "Invalid route parameters", {
+          instance,
+          invalid_params: formatZodIssues(paramsResult.error, "params"),
+        }),
+      };
+    }
+
+    parsedInput.params = paramsResult.data as TV3ParsedInput<S>["params"];
+  }
+
+  return { ok: true, parsedInput };
+}
+
+function ensureRequestIdHeader(response: Response, requestId: string): Response {
+  if (response.headers.get("X-Request-Id")) {
+    return response;
+  }
+
+  const headers = new Headers(response.headers);
+  headers.set("X-Request-Id", requestId);
+
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers,
+  });
+}
+
+async function authenticateV3RequestOrRespond(
+  req: NextRequest,
+  authMode: TV3AuthMode,
+  requestId: string,
+  instance: string
+): Promise<
+  { authentication: TV3Authentication; response: null } | { authentication: null; response: Response }
+> {
+  const authentication = await authenticateV3Request(req, authMode);
+
+  if (!authentication && authMode !== "none") {
+    return {
+      authentication: null,
+      response: problemUnauthorized(requestId, getUnauthenticatedDetail(authMode), instance),
+    };
+  }
+
+  return {
+    authentication,
+    response: null,
+  };
+}
+
+async function applyV3RateLimitOrRespond(params: {
+  authentication: TV3Authentication;
+  enabled: boolean;
+  config: TRateLimitConfig;
+  requestId: string;
+  log: ReturnType<typeof logger.withContext>;
+}): Promise<Response | null> {
+  const { authentication, enabled, config, requestId, log } = params;
+  if (!enabled) {
+    return null;
+  }
+
+  const identifier = getRateLimitIdentifier(authentication);
+  if (!identifier) {
+    return null;
+  }
+
+  try {
+    await applyRateLimit(config, identifier);
+  } catch (error) {
+    log.warn({ error, statusCode: 429 }, "V3 API rate limit exceeded");
+    return problemTooManyRequests(
+      requestId,
+      error instanceof Error ? error.message : "Rate limit exceeded",
+      error instanceof TooManyRequestsError ? error.retryAfter : undefined
+    );
+  }
+
+  return null;
+}
+
+export const withV3ApiWrapper = <S extends TV3Schemas | undefined, TProps = unknown>(
+  params: TWithV3ApiWrapperParams<S, TProps>
+): ((req: NextRequest, props: TProps) => Promise<Response>) => {
+  const { auth = "both", schemas, rateLimit = true, customRateLimitConfig, handler } = params;
+
+  return async (req: NextRequest, props: TProps): Promise<Response> => {
+    const requestId = req.headers.get("x-request-id") ?? crypto.randomUUID();
+    const instance = req.nextUrl.pathname;
+    const log = logger.withContext({
+      requestId,
+      method: req.method,
+      path: instance,
+    });
+
+    try {
+      const authResult = await authenticateV3RequestOrRespond(req, auth, requestId, instance);
+      if (authResult.response) {
+        log.warn({ statusCode: authResult.response.status }, "V3 API authentication failed");
+        return authResult.response;
+      }
+
+      const parsedInputResult = await parseV3Input(req, props, schemas, requestId, instance);
+      if (!parsedInputResult.ok) {
+        log.warn({ statusCode: parsedInputResult.response.status }, "V3 API request validation failed");
+        return parsedInputResult.response;
+      }
+
+      const rateLimitResponse = await applyV3RateLimitOrRespond({
+        authentication: authResult.authentication,
+        enabled: rateLimit,
+        config: customRateLimitConfig ?? rateLimitConfigs.api.v3,
+        requestId,
+        log,
+      });
+      if (rateLimitResponse) {
+        return rateLimitResponse;
+      }
+
+      const response = await handler({
+        req,
+        props,
+        authentication: authResult.authentication,
+        parsedInput: parsedInputResult.parsedInput,
+        requestId,
+        instance,
+      });
+
+      return ensureRequestIdHeader(response, requestId);
+    } catch (error) {
+      log.error({ error, statusCode: 500 }, "V3 API unexpected error");
+      return problemInternalError(requestId, "An unexpected error occurred.", instance);
+    }
+  };
+};

apps/web/app/api/v3/lib/auth.test.ts

@@ -0,0 +1,274 @@
+import { ApiKeyPermission, EnvironmentType } from "@prisma/client";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { AuthorizationError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import { getOrganizationIdFromProjectId } from "@/lib/utils/helper";
+import { getEnvironment } from "@/lib/utils/services";
+import { requireSessionWorkspaceAccess, requireV3WorkspaceAccess } from "./auth";
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      warn: vi.fn(),
+      error: vi.fn(),
+    })),
+  },
+}));
+
+vi.mock("@/lib/utils/helper", () => ({
+  getOrganizationIdFromProjectId: vi.fn(),
+}));
+
+vi.mock("@/lib/utils/services", () => ({
+  getEnvironment: vi.fn(),
+}));
+
+vi.mock("@/lib/utils/action-client/action-client-middleware", () => ({
+  checkAuthorizationUpdated: vi.fn(),
+}));
+
+const requestId = "req-123";
+
+describe("requireSessionWorkspaceAccess", () => {
+  test("returns 401 when authentication is null", async () => {
+    const result = await requireSessionWorkspaceAccess(null, "proj_abc", "read", requestId);
+    expect(result).toBeInstanceOf(Response);
+    expect((result as Response).status).toBe(401);
+    expect((result as Response).headers.get("Content-Type")).toBe("application/problem+json");
+    const body = await (result as Response).json();
+    expect(body.requestId).toBe(requestId);
+    expect(body.status).toBe(401);
+    expect(body.code).toBe("not_authenticated");
+    expect(getEnvironment).not.toHaveBeenCalled();
+    expect(checkAuthorizationUpdated).not.toHaveBeenCalled();
+  });
+
+  test("returns 401 when authentication is API key (no user)", async () => {
+    const result = await requireSessionWorkspaceAccess(
+      { apiKeyId: "key_1", organizationId: "org_1", environmentPermissions: [] } as any,
+      "proj_abc",
+      "read",
+      requestId
+    );
+    expect(result).toBeInstanceOf(Response);
+    expect((result as Response).status).toBe(401);
+    const body = await (result as Response).json();
+    expect(body.requestId).toBe(requestId);
+    expect(body.code).toBe("not_authenticated");
+    expect(getEnvironment).not.toHaveBeenCalled();
+  });
+
+  test("returns 403 when workspace (environment) is not found (avoid leaking existence)", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce(null);
+    const result = await requireSessionWorkspaceAccess(
+      { user: { id: "user_1" }, expires: "" } as any,
+      "env_nonexistent",
+      "read",
+      requestId
+    );
+    expect(result).toBeInstanceOf(Response);
+    expect((result as Response).status).toBe(403);
+    expect((result as Response).headers.get("Content-Type")).toBe("application/problem+json");
+    const body = await (result as Response).json();
+    expect(body.requestId).toBe(requestId);
+    expect(body.code).toBe("forbidden");
+    expect(getEnvironment).toHaveBeenCalledWith("env_nonexistent");
+    expect(checkAuthorizationUpdated).not.toHaveBeenCalled();
+  });
+
+  test("returns 403 when user has no access to workspace", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce({
+      id: "env_abc",
+      projectId: "proj_abc",
+    } as any);
+    vi.mocked(getOrganizationIdFromProjectId).mockResolvedValueOnce("org_1");
+    vi.mocked(checkAuthorizationUpdated).mockRejectedValueOnce(new AuthorizationError("Not authorized"));
+    const result = await requireSessionWorkspaceAccess(
+      { user: { id: "user_1" }, expires: "" } as any,
+      "env_abc",
+      "read",
+      requestId
+    );
+    expect(result).toBeInstanceOf(Response);
+    expect((result as Response).status).toBe(403);
+    const body = await (result as Response).json();
+    expect(body.requestId).toBe(requestId);
+    expect(body.code).toBe("forbidden");
+    expect(checkAuthorizationUpdated).toHaveBeenCalledWith({
+      userId: "user_1",
+      organizationId: "org_1",
+      access: [
+        { type: "organization", roles: ["owner", "manager"] },
+        { type: "projectTeam", projectId: "proj_abc", minPermission: "read" },
+      ],
+    });
+  });
+
+  test("returns workspace context when session is valid and user has access", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce({
+      id: "env_abc",
+      projectId: "proj_abc",
+    } as any);
+    vi.mocked(getOrganizationIdFromProjectId).mockResolvedValueOnce("org_1");
+    vi.mocked(checkAuthorizationUpdated).mockResolvedValueOnce(undefined as any);
+    const result = await requireSessionWorkspaceAccess(
+      { user: { id: "user_1" }, expires: "" } as any,
+      "env_abc",
+      "readWrite",
+      requestId
+    );
+    expect(result).not.toBeInstanceOf(Response);
+    expect(result).toEqual({
+      environmentId: "env_abc",
+      projectId: "proj_abc",
+      organizationId: "org_1",
+    });
+    expect(checkAuthorizationUpdated).toHaveBeenCalledWith({
+      userId: "user_1",
+      organizationId: "org_1",
+      access: [
+        { type: "organization", roles: ["owner", "manager"] },
+        { type: "projectTeam", projectId: "proj_abc", minPermission: "readWrite" },
+      ],
+    });
+  });
+});
+
+const keyBase = {
+  type: "apiKey" as const,
+  apiKeyId: "key_1",
+  organizationId: "org_k",
+  organizationAccess: { accessControl: { read: true, write: false } },
+};
+
+function envPerm(environmentId: string, permission: ApiKeyPermission = ApiKeyPermission.read) {
+  return {
+    environmentId,
+    environmentType: EnvironmentType.development,
+    projectId: "proj_k",
+    projectName: "K",
+    permission,
+  };
+}
+
+describe("requireV3WorkspaceAccess", () => {
+  beforeEach(() => {
+    vi.mocked(getEnvironment).mockResolvedValue({
+      id: "env_k",
+      projectId: "proj_k",
+    } as any);
+    vi.mocked(getOrganizationIdFromProjectId).mockResolvedValue("org_k");
+  });
+
+  test("401 when authentication is null", async () => {
+    const r = await requireV3WorkspaceAccess(null, "env_x", "read", requestId);
+    expect((r as Response).status).toBe(401);
+  });
+
+  test("delegates to session flow when user is present", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce({
+      id: "env_s",
+      projectId: "proj_s",
+    } as any);
+    vi.mocked(getOrganizationIdFromProjectId).mockResolvedValueOnce("org_s");
+    vi.mocked(checkAuthorizationUpdated).mockResolvedValueOnce(undefined as any);
+    const r = await requireV3WorkspaceAccess(
+      { user: { id: "user_1" }, expires: "" } as any,
+      "env_s",
+      "read",
+      requestId
+    );
+    expect(r).toEqual({
+      environmentId: "env_s",
+      projectId: "proj_s",
+      organizationId: "org_s",
+    });
+  });
+
+  test("returns context for API key with read on workspace", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("ws_a", ApiKeyPermission.read)],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_a", "read", requestId);
+    expect(r).toEqual({
+      environmentId: "ws_a",
+      projectId: "proj_k",
+      organizationId: "org_k",
+    });
+    expect(getEnvironment).toHaveBeenCalledWith("ws_a");
+  });
+
+  test("returns context for API key with write on workspace", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("ws_b", ApiKeyPermission.write)],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_b", "read", requestId);
+    expect(r).toEqual({
+      environmentId: "ws_b",
+      projectId: "proj_k",
+      organizationId: "org_k",
+    });
+  });
+
+  test("returns 403 when API key permission is lower than the required permission", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("ws_write", ApiKeyPermission.read)],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_write", "readWrite", requestId);
+    expect((r as Response).status).toBe(403);
+  });
+
+  test("403 when API key has no matching environment", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("other_env")],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "wanted", "read", requestId);
+    expect((r as Response).status).toBe(403);
+  });
+
+  test("403 when API key permission is not list-eligible (runtime value)", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [
+        {
+          ...envPerm("ws_c"),
+          permission: "invalid" as unknown as ApiKeyPermission,
+        },
+      ],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_c", "read", requestId);
+    expect((r as Response).status).toBe(403);
+  });
+
+  test("returns context for API key with manage on workspace", async () => {
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("ws_m", ApiKeyPermission.manage)],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_m", "manage", requestId);
+    expect(r).toEqual({
+      environmentId: "ws_m",
+      projectId: "proj_k",
+      organizationId: "org_k",
+    });
+  });
+
+  test("returns 403 when the workspace cannot be resolved for an API key", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce(null);
+    const auth = {
+      ...keyBase,
+      environmentPermissions: [envPerm("ws_missing", ApiKeyPermission.manage)],
+    };
+    const r = await requireV3WorkspaceAccess(auth as any, "ws_missing", "read", requestId);
+    expect((r as Response).status).toBe(403);
+  });
+
+  test("401 when auth is neither session nor valid API key payload", async () => {
+    const r = await requireV3WorkspaceAccess({ user: {} } as any, "env", "read", requestId);
+    expect((r as Response).status).toBe(401);
+  });
+});

apps/web/app/api/v3/lib/auth.ts

@@ -0,0 +1,122 @@
+/**
+ * V3 API auth — session (browser) or API key with environment-scoped access.
+ */
+import { ApiKeyPermission } from "@prisma/client";
+import { logger } from "@formbricks/logger";
+import type { TAuthenticationApiKey } from "@formbricks/types/auth";
+import { AuthorizationError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { checkAuthorizationUpdated } from "@/lib/utils/action-client/action-client-middleware";
+import type { TTeamPermission } from "@/modules/ee/teams/project-teams/types/team";
+import { problemForbidden, problemUnauthorized } from "./response";
+import type { TV3Authentication } from "./types";
+import { type V3WorkspaceContext, resolveV3WorkspaceContext } from "./workspace-context";
+
+function apiKeyPermissionAllows(permission: ApiKeyPermission, minPermission: TTeamPermission): boolean {
+  const grantedRank = {
+    [ApiKeyPermission.read]: 1,
+    [ApiKeyPermission.write]: 2,
+    [ApiKeyPermission.manage]: 3,
+  }[permission];
+
+  const requiredRank = {
+    read: 1,
+    readWrite: 2,
+    manage: 3,
+  }[minPermission];
+
+  return grantedRank >= requiredRank;
+}
+
+/**
+ * Require session and workspace access. workspaceId is resolved via the V3 workspace-context layer.
+ * Returns a Response (401 or 403) on failure, or the resolved workspace context on success so callers
+ * use internal IDs (environmentId, projectId, organizationId) without resolving again.
+ * We use 403 (not 404) when the workspace is not found to avoid leaking resource existence.
+ */
+export async function requireSessionWorkspaceAccess(
+  authentication: TV3Authentication,
+  workspaceId: string,
+  minPermission: TTeamPermission,
+  requestId: string,
+  instance?: string
+): Promise<Response | V3WorkspaceContext> {
+  // --- Session checks ---
+  if (!authentication) {
+    return problemUnauthorized(requestId, "Not authenticated", instance);
+  }
+  if (!("user" in authentication) || !authentication.user?.id) {
+    return problemUnauthorized(requestId, "Session required", instance);
+  }
+
+  const userId = authentication.user.id;
+  const log = logger.withContext({ requestId, workspaceId });
+
+  try {
+    // Resolve workspaceId → environmentId, projectId, organizationId (single place to change when Workspace exists).
+    const context = await resolveV3WorkspaceContext(workspaceId);
+
+    // Org + project-team access; we use internal IDs from context.
+    await checkAuthorizationUpdated({
+      userId,
+      organizationId: context.organizationId,
+      access: [
+        { type: "organization", roles: ["owner", "manager"] },
+        { type: "projectTeam", projectId: context.projectId, minPermission },
+      ],
+    });
+
+    return context;
+  } catch (err) {
+    if (err instanceof ResourceNotFoundError || err instanceof AuthorizationError) {
+      const message = err instanceof ResourceNotFoundError ? "Workspace not found" : "Forbidden";
+      log.warn({ statusCode: 403, errorCode: err.name }, message);
+      return problemForbidden(requestId, "You are not authorized to access this resource", instance);
+    }
+    throw err;
+  }
+}
+
+/** Session or API key: authorize `workspaceId` against the resolved V3 workspace context. */
+export async function requireV3WorkspaceAccess(
+  authentication: TV3Authentication,
+  workspaceId: string,
+  minPermission: TTeamPermission,
+  requestId: string,
+  instance?: string
+): Promise<Response | V3WorkspaceContext> {
+  if (!authentication) {
+    return problemUnauthorized(requestId, "Not authenticated", instance);
+  }
+
+  if ("user" in authentication && authentication.user?.id) {
+    return requireSessionWorkspaceAccess(authentication, workspaceId, minPermission, requestId, instance);
+  }
+
+  const keyAuth = authentication as TAuthenticationApiKey;
+  if (keyAuth.apiKeyId && Array.isArray(keyAuth.environmentPermissions)) {
+    const log = logger.withContext({ requestId, workspaceId, apiKeyId: keyAuth.apiKeyId });
+
+    try {
+      const context = await resolveV3WorkspaceContext(workspaceId);
+      const permission = keyAuth.environmentPermissions.find(
+        (environmentPermission) => environmentPermission.environmentId === context.environmentId
+      );
+
+      if (!permission || !apiKeyPermissionAllows(permission.permission, minPermission)) {
+        log.warn({ statusCode: 403 }, "API key not allowed for workspace");
+        return problemForbidden(requestId, "You are not authorized to access this resource", instance);
+      }
+
+      return context;
+    } catch (error) {
+      if (error instanceof ResourceNotFoundError) {
+        log.warn({ statusCode: 403, errorCode: error.name }, "Workspace not found");
+        return problemForbidden(requestId, "You are not authorized to access this resource", instance);
+      }
+
+      throw error;
+    }
+  }
+
+  return problemUnauthorized(requestId, "Not authenticated", instance);
+}

apps/web/app/api/v3/lib/response.test.ts

@@ -0,0 +1,95 @@
+import { describe, expect, test } from "vitest";
+import {
+  problemBadRequest,
+  problemForbidden,
+  problemInternalError,
+  problemNotFound,
+  problemTooManyRequests,
+  problemUnauthorized,
+  successListResponse,
+} from "./response";
+
+describe("v3 problem responses", () => {
+  test("problemBadRequest includes invalid_params", async () => {
+    const res = problemBadRequest("rid", "bad", {
+      invalid_params: [{ name: "x", reason: "y" }],
+      instance: "/p",
+    });
+    expect(res.status).toBe(400);
+    expect(res.headers.get("X-Request-Id")).toBe("rid");
+    const body = await res.json();
+    expect(body.code).toBe("bad_request");
+    expect(body.requestId).toBe("rid");
+    expect(body.invalid_params).toEqual([{ name: "x", reason: "y" }]);
+    expect(body.instance).toBe("/p");
+  });
+
+  test("problemUnauthorized default detail", async () => {
+    const res = problemUnauthorized("r1");
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.detail).toBe("Not authenticated");
+    expect(body.code).toBe("not_authenticated");
+  });
+
+  test("problemForbidden", async () => {
+    const res = problemForbidden("r2", undefined, "/api/x");
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.code).toBe("forbidden");
+    expect(body.instance).toBe("/api/x");
+  });
+
+  test("problemInternalError", async () => {
+    const res = problemInternalError("r3", "oops", "/i");
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.code).toBe("internal_server_error");
+    expect(body.detail).toBe("oops");
+  });
+
+  test("problemNotFound includes details", async () => {
+    const res = problemNotFound("r4", "Survey", "s1", "/s");
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.code).toBe("not_found");
+    expect(body.details).toEqual({ resource_type: "Survey", resource_id: "s1" });
+  });
+
+  test("problemTooManyRequests with Retry-After", async () => {
+    const res = problemTooManyRequests("r5", "slow down", 60);
+    expect(res.status).toBe(429);
+    expect(res.headers.get("Retry-After")).toBe("60");
+    const body = await res.json();
+    expect(body.code).toBe("too_many_requests");
+  });
+
+  test("problemTooManyRequests without Retry-After", async () => {
+    const res = problemTooManyRequests("r6", "nope");
+    expect(res.headers.get("Retry-After")).toBeNull();
+  });
+});
+
+describe("successListResponse", () => {
+  test("sets X-Request-Id and default cache", async () => {
+    const res = successListResponse(
+      [{ a: 1 }],
+      { limit: 10, nextCursor: "cursor-1" },
+      {
+        requestId: "req-x",
+      }
+    );
+    expect(res.status).toBe(200);
+    expect(res.headers.get("X-Request-Id")).toBe("req-x");
+    expect(res.headers.get("Cache-Control")).toContain("no-store");
+    expect(await res.json()).toEqual({
+      data: [{ a: 1 }],
+      meta: { limit: 10, nextCursor: "cursor-1" },
+    });
+  });
+
+  test("custom Cache-Control", async () => {
+    const res = successListResponse([], { limit: 5, nextCursor: null }, { cache: "private, max-age=0" });
+    expect(res.headers.get("Cache-Control")).toBe("private, max-age=0");
+  });
+});

apps/web/app/api/v3/lib/response.ts

@@ -0,0 +1,149 @@
+/**
+ * V3 API response helpers — RFC 9457 Problem Details (application/problem+json)
+ * and list envelope for success responses.
+ */
+
+const PROBLEM_JSON = "application/problem+json" as const;
+const CACHE_NO_STORE = "private, no-store" as const;
+
+export type InvalidParam = { name: string; reason: string };
+
+export type ProblemExtension = {
+  code?: string;
+  requestId: string;
+  details?: Record<string, unknown>;
+  invalid_params?: InvalidParam[];
+};
+
+export type ProblemBody = {
+  type?: string;
+  title: string;
+  status: number;
+  detail: string;
+  instance?: string;
+} & ProblemExtension;
+
+function problemResponse(
+  status: number,
+  title: string,
+  detail: string,
+  requestId: string,
+  options?: {
+    type?: string;
+    instance?: string;
+    code?: string;
+    details?: Record<string, unknown>;
+    invalid_params?: InvalidParam[];
+    headers?: Record<string, string>;
+  }
+): Response {
+  const body: ProblemBody = {
+    title,
+    status,
+    detail,
+    requestId,
+    ...(options?.type && { type: options.type }),
+    ...(options?.instance && { instance: options.instance }),
+    ...(options?.code && { code: options.code }),
+    ...(options?.details && { details: options.details }),
+    ...(options?.invalid_params && { invalid_params: options.invalid_params }),
+  };
+
+  const headers: Record<string, string> = {
+    "Content-Type": PROBLEM_JSON,
+    "Cache-Control": CACHE_NO_STORE,
+    "X-Request-Id": requestId,
+    ...options?.headers,
+  };
+
+  return Response.json(body, { status, headers });
+}
+
+export function problemBadRequest(
+  requestId: string,
+  detail: string,
+  options?: { invalid_params?: InvalidParam[]; instance?: string }
+): Response {
+  return problemResponse(400, "Bad Request", detail, requestId, {
+    code: "bad_request",
+    instance: options?.instance,
+    invalid_params: options?.invalid_params,
+  });
+}
+
+export function problemUnauthorized(
+  requestId: string,
+  detail: string = "Not authenticated",
+  instance?: string
+): Response {
+  return problemResponse(401, "Unauthorized", detail, requestId, {
+    code: "not_authenticated",
+    instance,
+  });
+}
+
+export function problemForbidden(
+  requestId: string,
+  detail: string = "You are not authorized to access this resource",
+  instance?: string
+): Response {
+  return problemResponse(403, "Forbidden", detail, requestId, {
+    code: "forbidden",
+    instance,
+  });
+}
+
+/**
+ * 404 with resource details. Do not use for auth-sensitive or existence-sensitive resources:
+ * the body includes resource_type and resource_id, which can leak existence to unauthenticated or unauthorized callers.
+ * Prefer problemForbidden with a generic message for those cases.
+ */
+export function problemNotFound(
+  requestId: string,
+  resourceType: string,
+  resourceId: string | null,
+  instance?: string
+): Response {
+  return problemResponse(404, "Not Found", `${resourceType} not found`, requestId, {
+    code: "not_found",
+    details: { resource_type: resourceType, resource_id: resourceId },
+    instance,
+  });
+}
+
+export function problemInternalError(
+  requestId: string,
+  detail: string = "An unexpected error occurred.",
+  instance?: string
+): Response {
+  return problemResponse(500, "Internal Server Error", detail, requestId, {
+    code: "internal_server_error",
+    instance,
+  });
+}
+
+export function problemTooManyRequests(requestId: string, detail: string, retryAfter?: number): Response {
+  const headers: Record<string, string> = {};
+  if (retryAfter !== undefined) {
+    headers["Retry-After"] = String(retryAfter);
+  }
+  return problemResponse(429, "Too Many Requests", detail, requestId, {
+    code: "too_many_requests",
+    headers,
+  });
+}
+
+export function successListResponse<T, TMeta extends Record<string, unknown>>(
+  data: T[],
+  meta: TMeta,
+  options?: { requestId?: string; cache?: string }
+): Response {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    "Cache-Control": options?.cache ?? CACHE_NO_STORE,
+  };
+  if (options?.requestId) {
+    headers["X-Request-Id"] = options.requestId;
+  }
+  return Response.json({ data, meta }, { status: 200, headers });
+}

apps/web/app/api/v3/lib/types.ts

@@ -0,0 +1,4 @@
+import type { Session } from "next-auth";
+import type { TAuthenticationApiKey } from "@formbricks/types/auth";
+
+export type TV3Authentication = TAuthenticationApiKey | Session | null;

apps/web/app/api/v3/lib/workspace-context.test.ts

@@ -0,0 +1,38 @@
+import { describe, expect, test, vi } from "vitest";
+import { ResourceNotFoundError } from "@formbricks/types/errors";
+import { getOrganizationIdFromProjectId } from "@/lib/utils/helper";
+import { getEnvironment } from "@/lib/utils/services";
+import { resolveV3WorkspaceContext } from "./workspace-context";
+
+vi.mock("@/lib/utils/helper", () => ({
+  getOrganizationIdFromProjectId: vi.fn(),
+}));
+
+vi.mock("@/lib/utils/services", () => ({
+  getEnvironment: vi.fn(),
+}));
+
+describe("resolveV3WorkspaceContext", () => {
+  test("returns environmentId, projectId and organizationId when workspace exists (today: workspaceId === environmentId)", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce({
+      id: "env_abc",
+      projectId: "proj_xyz",
+    } as any);
+    vi.mocked(getOrganizationIdFromProjectId).mockResolvedValueOnce("org_123");
+    const result = await resolveV3WorkspaceContext("env_abc");
+    expect(result).toEqual({
+      environmentId: "env_abc",
+      projectId: "proj_xyz",
+      organizationId: "org_123",
+    });
+    expect(getEnvironment).toHaveBeenCalledWith("env_abc");
+    expect(getOrganizationIdFromProjectId).toHaveBeenCalledWith("proj_xyz");
+  });
+
+  test("throws when workspace (environment) does not exist", async () => {
+    vi.mocked(getEnvironment).mockResolvedValueOnce(null);
+    await expect(resolveV3WorkspaceContext("env_nonexistent")).rejects.toThrow(ResourceNotFoundError);
+    expect(getEnvironment).toHaveBeenCalledWith("env_nonexistent");
+    expect(getOrganizationIdFromProjectId).not.toHaveBeenCalled();
+  });
+});

apps/web/app/api/v3/lib/workspace-context.ts

@@ -0,0 +1,50 @@
+/**
+ * V3 API workspace → internal IDs translation layer (retro-compatibility / future-proofing).
+ *
+ * Workspace is the default container for surveys. We are deprecating Environment and making
+ * Workspace that container. In the API, workspaceId refers to that container.
+ *
+ * Today: workspaceId is mapped to environmentId (Environment is the current container for surveys).
+ * When Environment is deprecated and Workspace exists: resolve workspaceId to the Workspace entity
+ * (and derive environmentId or equivalent from it). Change only this file.
+ */
+import { ResourceNotFoundError } from "@formbricks/types/errors";
+import { getOrganizationIdFromProjectId } from "@/lib/utils/helper";
+import { getEnvironment } from "@/lib/utils/services";
+
+/**
+ * Internal IDs derived from a V3 workspace identifier.
+ * Today: environmentId is the workspace (Environment = container for surveys until Workspace exists).
+ */
+export type V3WorkspaceContext = {
+  /** Environment ID — the container for surveys today. Replaced by workspace when Environment is deprecated. */
+  environmentId: string;
+  /** Project ID used for projectTeam auth. */
+  projectId: string;
+  /** Organization ID used for org-level auth. */
+  organizationId: string;
+};
+
+/**
+ * Resolves a V3 API workspaceId to internal environmentId, projectId, and organizationId.
+ * Today: workspaceId is treated as environmentId (workspace = container for surveys = Environment).
+ *
+ * @throws ResourceNotFoundError if the workspace (environment) does not exist.
+ */
+export async function resolveV3WorkspaceContext(workspaceId: string): Promise<V3WorkspaceContext> {
+  // Today: workspaceId is the environment id (survey container). Look it up.
+  const environment = await getEnvironment(workspaceId);
+  if (!environment) {
+    throw new ResourceNotFoundError("environment", workspaceId);
+  }
+
+  // Derive org for auth; project comes from the environment.
+  const organizationId = await getOrganizationIdFromProjectId(environment.projectId);
+
+  // We looked up by workspaceId (as environment id), so the resolved environment id is workspaceId.
+  return {
+    environmentId: workspaceId,
+    projectId: environment.projectId,
+    organizationId,
+  };
+}

apps/web/app/api/v3/surveys/parse-v3-surveys-list-query.test.ts

@@ -0,0 +1,122 @@
+import { describe, expect, test } from "vitest";
+import { collectMultiValueQueryParam, parseV3SurveysListQuery } from "./parse-v3-surveys-list-query";
+
+const wid = "clxx1234567890123456789012";
+
+function params(qs: string): URLSearchParams {
+  return new URLSearchParams(qs);
+}
+
+describe("collectMultiValueQueryParam", () => {
+  test("merges repeated keys and comma-separated values", () => {
+    const sp = params("status=draft&status=inProgress&type=link,app");
+    expect(collectMultiValueQueryParam(sp, "status")).toEqual(["draft", "inProgress"]);
+    expect(collectMultiValueQueryParam(sp, "type")).toEqual(["link", "app"]);
+  });
+
+  test("dedupes", () => {
+    const sp = params("status=draft&status=draft");
+    expect(collectMultiValueQueryParam(sp, "status")).toEqual(["draft"]);
+  });
+});
+
+describe("parseV3SurveysListQuery", () => {
+  test("rejects unsupported query parameters like filterCriteria", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&filterCriteria={}`));
+    expect(r.ok).toBe(false);
+    if (!r.ok) expect(r.invalid_params[0].name).toBe("filterCriteria");
+  });
+
+  test("rejects unknown query parameters", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&foo=bar`));
+    expect(r.ok).toBe(false);
+    if (!r.ok)
+      expect(r.invalid_params[0]).toEqual({
+        name: "foo",
+        reason:
+          "Unsupported query parameter. Use only workspaceId, limit, cursor, filter[name][contains], filter[status][in], filter[type][in], sortBy.",
+      });
+  });
+
+  test("rejects the legacy after query parameter", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&after=legacy-cursor`));
+    expect(r.ok).toBe(false);
+    if (!r.ok) {
+      expect(r.invalid_params[0]).toEqual({
+        name: "after",
+        reason:
+          "Unsupported query parameter. Use only workspaceId, limit, cursor, filter[name][contains], filter[status][in], filter[type][in], sortBy.",
+      });
+    }
+  });
+
+  test("rejects the legacy flat name query parameter", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&name=Foo`));
+    expect(r.ok).toBe(false);
+    if (!r.ok) {
+      expect(r.invalid_params[0]).toEqual({
+        name: "name",
+        reason:
+          "Unsupported query parameter. Use only workspaceId, limit, cursor, filter[name][contains], filter[status][in], filter[type][in], sortBy.",
+      });
+    }
+  });
+
+  test("parses minimal query", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}`));
+    expect(r.ok).toBe(true);
+    if (r.ok) {
+      expect(r.limit).toBe(20);
+      expect(r.cursor).toBeNull();
+      expect(r.sortBy).toBe("updatedAt");
+      expect(r.filterCriteria).toBeUndefined();
+    }
+  });
+
+  test("builds filter from explicit operator params", () => {
+    const r = parseV3SurveysListQuery(
+      params(
+        `workspaceId=${wid}&filter[name][contains]=Foo&filter[status][in]=inProgress&filter[status][in]=draft&filter[type][in]=link&sortBy=updatedAt`
+      )
+    );
+    expect(r.ok).toBe(true);
+    if (r.ok) {
+      expect(r.filterCriteria).toEqual({
+        name: "Foo",
+        status: ["inProgress", "draft"],
+        type: ["link"],
+      });
+      expect(r.sortBy).toBe("updatedAt");
+    }
+  });
+
+  test("invalid status", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&filter[status][in]=notastatus`));
+    expect(r.ok).toBe(false);
+  });
+
+  test("rejects the createdBy filter", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&filter[createdBy][in]=you`));
+    expect(r.ok).toBe(false);
+    if (!r.ok) {
+      expect(r.invalid_params[0]).toEqual({
+        name: "filter[createdBy][in]",
+        reason:
+          "Unsupported query parameter. Use only workspaceId, limit, cursor, filter[name][contains], filter[status][in], filter[type][in], sortBy.",
+      });
+    }
+  });
+
+  test("rejects an invalid cursor", () => {
+    const r = parseV3SurveysListQuery(params(`workspaceId=${wid}&cursor=not-a-real-cursor`));
+    expect(r.ok).toBe(false);
+    if (!r.ok) {
+      expect(r.invalid_params).toEqual([
+        {
+          name: "cursor",
+          reason: "The cursor is invalid.",
+        },
+      ]);
+    }
+  });
+});

apps/web/app/api/v3/surveys/parse-v3-surveys-list-query.ts

@@ -0,0 +1,159 @@
+/**
+ * Validates GET /api/v3/surveys query string and builds {@link TSurveyFilterCriteria} for list/count.
+ * Keeps HTTP parsing separate from the route handler and shared survey list service.
+ */
+import { z } from "zod";
+import { ZId } from "@formbricks/types/common";
+import {
+  type TSurveyFilterCriteria,
+  ZSurveyFilters,
+  ZSurveyStatus,
+  ZSurveyType,
+} from "@formbricks/types/surveys/types";
+import {
+  type TSurveyListPageCursor,
+  type TSurveyListSort,
+  decodeSurveyListPageCursor,
+  normalizeSurveyListSort,
+} from "@/modules/survey/list/lib/survey-page";
+
+const V3_SURVEYS_DEFAULT_LIMIT = 20;
+const V3_SURVEYS_MAX_LIMIT = 100;
+
+const FILTER_NAME_CONTAINS_QUERY_PARAM = "filter[name][contains]" as const;
+const FILTER_STATUS_IN_QUERY_PARAM = "filter[status][in]" as const;
+const FILTER_TYPE_IN_QUERY_PARAM = "filter[type][in]" as const;
+
+const SUPPORTED_QUERY_PARAMS = [
+  "workspaceId",
+  "limit",
+  "cursor",
+  FILTER_NAME_CONTAINS_QUERY_PARAM,
+  FILTER_STATUS_IN_QUERY_PARAM,
+  FILTER_TYPE_IN_QUERY_PARAM,
+  "sortBy",
+] as const;
+const SUPPORTED_QUERY_PARAM_SET = new Set<string>(SUPPORTED_QUERY_PARAMS);
+
+type InvalidParam = { name: string; reason: string };
+
+/** Collect repeated query keys and comma-separated values for operator-style filters. */
+export function collectMultiValueQueryParam(searchParams: URLSearchParams, key: string): string[] {
+  const acc: string[] = [];
+  for (const raw of searchParams.getAll(key)) {
+    for (const part of raw.split(",")) {
+      const t = part.trim();
+      if (t) acc.push(t);
+    }
+  }
+  return [...new Set(acc)];
+}
+
+const ZV3SurveysListQuery = z.object({
+  workspaceId: ZId,
+  limit: z.coerce.number().int().min(1).max(V3_SURVEYS_MAX_LIMIT).default(V3_SURVEYS_DEFAULT_LIMIT),
+  cursor: z.string().min(1).optional(),
+  [FILTER_NAME_CONTAINS_QUERY_PARAM]: z
+    .string()
+    .max(512)
+    .optional()
+    .transform((s) => (s === undefined || s.trim() === "" ? undefined : s.trim())),
+  [FILTER_STATUS_IN_QUERY_PARAM]: z.array(ZSurveyStatus).optional(),
+  [FILTER_TYPE_IN_QUERY_PARAM]: z.array(ZSurveyType).optional(),
+  sortBy: ZSurveyFilters.shape.sortBy.optional(),
+});
+
+export type TV3SurveysListQuery = z.infer<typeof ZV3SurveysListQuery>;
+
+export type TV3SurveysListQueryParseResult =
+  | {
+      ok: true;
+      workspaceId: string;
+      limit: number;
+      cursor: TSurveyListPageCursor | null;
+      sortBy: TSurveyListSort;
+      filterCriteria: TSurveyFilterCriteria | undefined;
+    }
+  | { ok: false; invalid_params: InvalidParam[] };
+
+function getUnsupportedQueryParams(searchParams: URLSearchParams): InvalidParam[] {
+  const unsupportedParams = [
+    ...new Set(Array.from(searchParams.keys()).filter((key) => !SUPPORTED_QUERY_PARAM_SET.has(key))),
+  ];
+
+  return unsupportedParams.map((name) => ({
+    name,
+    reason: `Unsupported query parameter. Use only ${SUPPORTED_QUERY_PARAMS.join(", ")}.`,
+  }));
+}
+
+function buildFilterCriteria(q: TV3SurveysListQuery): TSurveyFilterCriteria | undefined {
+  const f: TSurveyFilterCriteria = {};
+  if (q[FILTER_NAME_CONTAINS_QUERY_PARAM]) f.name = q[FILTER_NAME_CONTAINS_QUERY_PARAM];
+  if (q[FILTER_STATUS_IN_QUERY_PARAM]?.length) f.status = q[FILTER_STATUS_IN_QUERY_PARAM];
+  if (q[FILTER_TYPE_IN_QUERY_PARAM]?.length) f.type = q[FILTER_TYPE_IN_QUERY_PARAM];
+  return Object.keys(f).length > 0 ? f : undefined;
+}
+
+export function parseV3SurveysListQuery(searchParams: URLSearchParams): TV3SurveysListQueryParseResult {
+  const unsupportedQueryParams = getUnsupportedQueryParams(searchParams);
+  if (unsupportedQueryParams.length > 0) {
+    return {
+      ok: false,
+      invalid_params: unsupportedQueryParams,
+    };
+  }
+
+  const statusVals = collectMultiValueQueryParam(searchParams, FILTER_STATUS_IN_QUERY_PARAM);
+  const typeVals = collectMultiValueQueryParam(searchParams, FILTER_TYPE_IN_QUERY_PARAM);
+
+  const raw = {
+    workspaceId: searchParams.get("workspaceId"),
+    limit: searchParams.get("limit") ?? undefined,
+    cursor: searchParams.get("cursor")?.trim() || undefined,
+    [FILTER_NAME_CONTAINS_QUERY_PARAM]: searchParams.get(FILTER_NAME_CONTAINS_QUERY_PARAM) ?? undefined,
+    [FILTER_STATUS_IN_QUERY_PARAM]: statusVals.length > 0 ? statusVals : undefined,
+    [FILTER_TYPE_IN_QUERY_PARAM]: typeVals.length > 0 ? typeVals : undefined,
+    sortBy: searchParams.get("sortBy")?.trim() || undefined,
+  };
+
+  const result = ZV3SurveysListQuery.safeParse(raw);
+  if (!result.success) {
+    return {
+      ok: false,
+      invalid_params: result.error.issues.map((issue) => ({
+        name: issue.path.join(".") || "query",
+        reason: issue.message,
+      })),
+    };
+  }
+
+  const q = result.data;
+  const sortBy = normalizeSurveyListSort(q.sortBy);
+  let cursor: TSurveyListPageCursor | null = null;
+
+  if (q.cursor) {
+    try {
+      cursor = decodeSurveyListPageCursor(q.cursor, sortBy);
+    } catch (error) {
+      return {
+        ok: false,
+        invalid_params: [
+          {
+            name: "cursor",
+            reason: error instanceof Error ? error.message : "The cursor is invalid.",
+          },
+        ],
+      };
+    }
+  }
+
+  return {
+    ok: true,
+    workspaceId: q.workspaceId,
+    limit: q.limit,
+    cursor,
+    sortBy,
+    filterCriteria: buildFilterCriteria(q),
+  };
+}

apps/web/app/api/v3/surveys/route.test.ts

@@ -0,0 +1,357 @@
+import { ApiKeyPermission, EnvironmentType } from "@prisma/client";
+import { NextRequest } from "next/server";
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
+import { getSurveyCount } from "@/modules/survey/list/lib/survey";
+import { getSurveyListPage } from "@/modules/survey/list/lib/survey-page";
+import { GET } from "./route";
+
+const { mockAuthenticateRequest } = vi.hoisted(() => ({
+  mockAuthenticateRequest: vi.fn(),
+}));
+
+vi.mock("next-auth", () => ({
+  getServerSession: vi.fn(),
+}));
+
+vi.mock("@/app/api/v1/auth", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/app/api/v1/auth")>();
+  return { ...actual, authenticateRequest: mockAuthenticateRequest };
+});
+
+vi.mock("@/modules/core/rate-limit/helpers", () => ({
+  applyRateLimit: vi.fn().mockResolvedValue(undefined),
+  applyIPRateLimit: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock("@/lib/constants", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/constants")>();
+  return { ...actual, AUDIT_LOG_ENABLED: false };
+});
+
+vi.mock("@/app/api/v3/lib/auth", () => ({
+  requireV3WorkspaceAccess: vi.fn(),
+}));
+
+vi.mock("@/modules/survey/list/lib/survey-page", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/modules/survey/list/lib/survey-page")>();
+  return {
+    ...actual,
+    getSurveyListPage: vi.fn(),
+  };
+});
+
+vi.mock("@/modules/survey/list/lib/survey", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/modules/survey/list/lib/survey")>();
+  return {
+    ...actual,
+    getSurveyCount: vi.fn(),
+  };
+});
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: vi.fn(() => ({
+      warn: vi.fn(),
+      error: vi.fn(),
+    })),
+  },
+}));
+
+const getServerSession = vi.mocked((await import("next-auth")).getServerSession);
+
+const validWorkspaceId = "clxx1234567890123456789012";
+const resolvedEnvironmentId = "clzz9876543210987654321098";
+
+function createRequest(url: string, requestId?: string, extraHeaders?: Record<string, string>): NextRequest {
+  const headers: Record<string, string> = { ...extraHeaders };
+  if (requestId) headers["x-request-id"] = requestId;
+  return new NextRequest(url, { headers });
+}
+
+const apiKeyAuth = {
+  type: "apiKey" as const,
+  apiKeyId: "key_1",
+  organizationId: "org_1",
+  organizationAccess: {
+    accessControl: { read: true, write: false },
+  },
+  environmentPermissions: [
+    {
+      environmentId: validWorkspaceId,
+      environmentType: EnvironmentType.development,
+      projectId: "proj_1",
+      projectName: "P",
+      permission: ApiKeyPermission.read,
+    },
+  ],
+};
+
+describe("GET /api/v3/surveys", () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+    getServerSession.mockResolvedValue({
+      user: { id: "user_1", name: "User", email: "u@example.com" },
+      expires: "2026-01-01",
+    } as any);
+    mockAuthenticateRequest.mockResolvedValue(null);
+    vi.mocked(requireV3WorkspaceAccess).mockImplementation(async (auth, workspaceId) => {
+      if (auth && "apiKeyId" in auth) {
+        const p = auth.environmentPermissions.find((e) => e.environmentId === workspaceId);
+        if (!p) {
+          return new Response(
+            JSON.stringify({
+              title: "Forbidden",
+              status: 403,
+              detail: "You are not authorized to access this resource",
+              requestId: "req",
+            }),
+            { status: 403, headers: { "Content-Type": "application/problem+json" } }
+          );
+        }
+        return {
+          environmentId: workspaceId,
+          projectId: p.projectId,
+          organizationId: auth.organizationId,
+        };
+      }
+      return {
+        environmentId: resolvedEnvironmentId,
+        projectId: "proj_1",
+        organizationId: "org_1",
+      };
+    });
+    vi.mocked(getSurveyListPage).mockResolvedValue({ surveys: [], nextCursor: null });
+    vi.mocked(getSurveyCount).mockResolvedValue(0);
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("returns 401 when no session and no API key", async () => {
+    getServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue(null);
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`);
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(401);
+    expect(res.headers.get("Content-Type")).toBe("application/problem+json");
+    expect(requireV3WorkspaceAccess).not.toHaveBeenCalled();
+  });
+
+  test("returns 200 with session and valid workspaceId", async () => {
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, "req-456");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toBe("application/json");
+    expect(res.headers.get("X-Request-Id")).toBe("req-456");
+    expect(requireV3WorkspaceAccess).toHaveBeenCalledWith(
+      expect.objectContaining({ user: expect.any(Object) }),
+      validWorkspaceId,
+      "read",
+      "req-456",
+      "/api/v3/surveys"
+    );
+    expect(getSurveyListPage).toHaveBeenCalledWith(resolvedEnvironmentId, {
+      limit: 20,
+      cursor: null,
+      sortBy: "updatedAt",
+      filterCriteria: undefined,
+    });
+    expect(getSurveyCount).toHaveBeenCalledWith(resolvedEnvironmentId, undefined);
+  });
+
+  test("returns 200 with x-api-key when workspace is on the key", async () => {
+    getServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue(apiKeyAuth as any);
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, "req-k", {
+      "x-api-key": "fbk_test",
+    });
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(200);
+    expect(requireV3WorkspaceAccess).toHaveBeenCalledWith(
+      expect.objectContaining({ apiKeyId: "key_1" }),
+      validWorkspaceId,
+      "read",
+      "req-k",
+      "/api/v3/surveys"
+    );
+    expect(getSurveyListPage).toHaveBeenCalledWith(validWorkspaceId, {
+      limit: 20,
+      cursor: null,
+      sortBy: "updatedAt",
+      filterCriteria: undefined,
+    });
+    expect(getSurveyCount).toHaveBeenCalledWith(validWorkspaceId, undefined);
+  });
+
+  test("returns 403 when API key does not include workspace", async () => {
+    getServerSession.mockResolvedValue(null);
+    mockAuthenticateRequest.mockResolvedValue({
+      ...apiKeyAuth,
+      environmentPermissions: [
+        {
+          environmentId: "claa1111111111111111111111",
+          environmentType: EnvironmentType.development,
+          projectId: "proj_x",
+          projectName: "X",
+          permission: ApiKeyPermission.read,
+        },
+      ],
+    } as any);
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, undefined, {
+      "x-api-key": "fbk_test",
+    });
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(403);
+  });
+
+  test("returns 400 when the createdBy filter is used", async () => {
+    const req = createRequest(
+      `http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}&filter[createdBy][in]=you`
+    );
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(400);
+    const body = await res.json();
+    expect(body.invalid_params?.some((p: { name: string }) => p.name === "filter[createdBy][in]")).toBe(true);
+    expect(requireV3WorkspaceAccess).not.toHaveBeenCalled();
+  });
+
+  test("returns 400 when workspaceId is missing", async () => {
+    const req = createRequest("http://localhost/api/v3/surveys");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(400);
+    expect(requireV3WorkspaceAccess).not.toHaveBeenCalled();
+  });
+
+  test("returns 400 when workspaceId is not cuid2", async () => {
+    const req = createRequest("http://localhost/api/v3/surveys?workspaceId=not-a-cuid");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(400);
+  });
+
+  test("returns 400 when limit exceeds max", async () => {
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}&limit=101`);
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(400);
+  });
+
+  test("reflects limit, nextCursor, and totalCount in meta", async () => {
+    vi.mocked(getSurveyListPage).mockResolvedValue({
+      surveys: [],
+      nextCursor: "cursor-123",
+    });
+    vi.mocked(getSurveyCount).mockResolvedValue(42);
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}&limit=10`);
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.meta).toEqual({ limit: 10, nextCursor: "cursor-123", totalCount: 42 });
+    expect(getSurveyListPage).toHaveBeenCalledWith(resolvedEnvironmentId, {
+      limit: 10,
+      cursor: null,
+      sortBy: "updatedAt",
+      filterCriteria: undefined,
+    });
+    expect(getSurveyCount).toHaveBeenCalledWith(resolvedEnvironmentId, undefined);
+  });
+
+  test("passes filter query to getSurveyListPage", async () => {
+    const filterCriteria = { status: ["inProgress"] };
+    const req = createRequest(
+      `http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}&filter[status][in]=inProgress&sortBy=updatedAt`
+    );
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(200);
+    expect(getSurveyListPage).toHaveBeenCalledWith(resolvedEnvironmentId, {
+      limit: 20,
+      cursor: null,
+      sortBy: "updatedAt",
+      filterCriteria,
+    });
+    expect(getSurveyCount).toHaveBeenCalledWith(resolvedEnvironmentId, filterCriteria);
+  });
+
+  test("returns 400 when filterCriteria is used", async () => {
+    const req = createRequest(
+      `http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}&filterCriteria=${encodeURIComponent("{}")}`
+    );
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(400);
+    expect(requireV3WorkspaceAccess).not.toHaveBeenCalled();
+  });
+
+  test("returns 403 when auth returns 403", async () => {
+    vi.mocked(requireV3WorkspaceAccess).mockResolvedValueOnce(
+      new Response(
+        JSON.stringify({
+          title: "Forbidden",
+          status: 403,
+          detail: "You are not authorized to access this resource",
+          requestId: "req-789",
+        }),
+        { status: 403, headers: { "Content-Type": "application/problem+json" } }
+      )
+    );
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`);
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(403);
+  });
+
+  test("list items expose workspaceId instead of environmentId and omit internal fields", async () => {
+    vi.mocked(getSurveyListPage).mockResolvedValue({
+      surveys: [
+        {
+          id: "s1",
+          name: "Survey 1",
+          environmentId: "env_1",
+          type: "link",
+          status: "draft",
+          createdAt: new Date(),
+          updatedAt: new Date(),
+          responseCount: 0,
+          creator: { name: "Test" },
+          singleUse: null,
+        } as any,
+      ],
+      nextCursor: null,
+    });
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`);
+    const res = await GET(req, {} as any);
+    const body = await res.json();
+    expect(body.data[0]).not.toHaveProperty("blocks");
+    expect(body.data[0]).not.toHaveProperty("singleUse");
+    expect(body.data[0]).not.toHaveProperty("_count");
+    expect(body.data[0]).not.toHaveProperty("environmentId");
+    expect(body.data[0].id).toBe("s1");
+    expect(body.data[0].workspaceId).toBe("env_1");
+  });
+
+  test("returns 403 when getSurveyListPage throws ResourceNotFoundError", async () => {
+    vi.mocked(getSurveyListPage).mockRejectedValueOnce(new ResourceNotFoundError("survey", "s1"));
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, "req-nf");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(403);
+    const body = await res.json();
+    expect(body.code).toBe("forbidden");
+  });
+
+  test("returns 500 when getSurveyListPage throws DatabaseError", async () => {
+    vi.mocked(getSurveyListPage).mockRejectedValueOnce(new DatabaseError("db down"));
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, "req-db");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.code).toBe("internal_server_error");
+  });
+
+  test("returns 500 on unexpected error from getSurveyListPage", async () => {
+    vi.mocked(getSurveyListPage).mockRejectedValueOnce(new Error("boom"));
+    const req = createRequest(`http://localhost/api/v3/surveys?workspaceId=${validWorkspaceId}`, "req-err");
+    const res = await GET(req, {} as any);
+    expect(res.status).toBe(500);
+    const body = await res.json();
+    expect(body.code).toBe("internal_server_error");
+  });
+});

apps/web/app/api/v3/surveys/route.ts

@@ -0,0 +1,81 @@
+/**
+ * GET /api/v3/surveys — list surveys for a workspace.
+ * Session cookie or x-api-key; scope by workspaceId only.
+ */
+import { logger } from "@formbricks/logger";
+import { DatabaseError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { withV3ApiWrapper } from "@/app/api/v3/lib/api-wrapper";
+import { requireV3WorkspaceAccess } from "@/app/api/v3/lib/auth";
+import {
+  problemBadRequest,
+  problemForbidden,
+  problemInternalError,
+  successListResponse,
+} from "@/app/api/v3/lib/response";
+import { getSurveyCount } from "@/modules/survey/list/lib/survey";
+import { getSurveyListPage } from "@/modules/survey/list/lib/survey-page";
+import { parseV3SurveysListQuery } from "./parse-v3-surveys-list-query";
+import { serializeV3SurveyListItem } from "./serializers";
+
+export const GET = withV3ApiWrapper({
+  auth: "both",
+  handler: async ({ req, authentication, requestId, instance }) => {
+    const log = logger.withContext({ requestId });
+
+    try {
+      const searchParams = new URL(req.url).searchParams;
+      const parsed = parseV3SurveysListQuery(searchParams);
+      if (!parsed.ok) {
+        log.warn({ statusCode: 400, invalidParams: parsed.invalid_params }, "Validation failed");
+        return problemBadRequest(requestId, "Invalid query parameters", {
+          invalid_params: parsed.invalid_params,
+          instance,
+        });
+      }
+
+      const authResult = await requireV3WorkspaceAccess(
+        authentication,
+        parsed.workspaceId,
+        "read",
+        requestId,
+        instance
+      );
+      if (authResult instanceof Response) {
+        return authResult;
+      }
+
+      const { environmentId } = authResult;
+
+      const [{ surveys, nextCursor }, totalCount] = await Promise.all([
+        getSurveyListPage(environmentId, {
+          limit: parsed.limit,
+          cursor: parsed.cursor,
+          sortBy: parsed.sortBy,
+          filterCriteria: parsed.filterCriteria,
+        }),
+        getSurveyCount(environmentId, parsed.filterCriteria),
+      ]);
+
+      return successListResponse(
+        surveys.map(serializeV3SurveyListItem),
+        {
+          limit: parsed.limit,
+          nextCursor,
+          totalCount,
+        },
+        { requestId, cache: "private, no-store" }
+      );
+    } catch (err) {
+      if (err instanceof ResourceNotFoundError) {
+        log.warn({ statusCode: 403, errorCode: err.name }, "Resource not found");
+        return problemForbidden(requestId, "You are not authorized to access this resource", instance);
+      }
+      if (err instanceof DatabaseError) {
+        log.error({ error: err, statusCode: 500 }, "Database error");
+        return problemInternalError(requestId, "An unexpected error occurred.", instance);
+      }
+      log.error({ error: err, statusCode: 500 }, "V3 surveys list unexpected error");
+      return problemInternalError(requestId, "An unexpected error occurred.", instance);
+    }
+  },
+});

apps/web/app/api/v3/surveys/serializers.ts

@@ -0,0 +1,18 @@
+import type { TSurvey } from "@/modules/survey/list/types/surveys";
+
+export type TV3SurveyListItem = Omit<TSurvey, "environmentId" | "singleUse"> & {
+  workspaceId: string;
+};
+
+/**
+ * Keep the v3 API contract isolated from internal persistence naming.
+ * Internally surveys are still scoped by environmentId; externally v3 exposes workspaceId.
+ */
+export function serializeV3SurveyListItem(survey: TSurvey): TV3SurveyListItem {
+  const { environmentId, singleUse: _omitSingleUse, ...rest } = survey;
+
+  return {
+    ...rest,
+    workspaceId: environmentId,
+  };
+}

apps/web/app/chatwoot/ChatwootWidget.tsx

@@ -1,6 +1,7 @@
 "use client";
 
 import { useCallback, useEffect, useRef } from "react";
+import { getIsActiveCustomerAction } from "./actions";
 
 interface ChatwootWidgetProps {
   chatwootBaseUrl: string;
@@ -12,6 +13,18 @@ interface ChatwootWidgetProps {
 
 const CHATWOOT_SCRIPT_ID = "chatwoot-script";
 
+interface ChatwootInstance {
+  setUser: (
+    userId: string,
+    userInfo: {
+      email?: string | null;
+      name?: string | null;
+    }
+  ) => void;
+  setCustomAttributes: (attributes: Record<string, unknown>) => void;
+  reset: () => void;
+}
+
 export const ChatwootWidget = ({
   userEmail,
   userName,
@@ -20,15 +33,14 @@ export const ChatwootWidget = ({
   chatwootBaseUrl,
 }: ChatwootWidgetProps) => {
   const userSetRef = useRef(false);
+  const customerStatusSetRef = useRef(false);
+
+  const getChatwoot = useCallback((): ChatwootInstance | null => {
+    return (globalThis as unknown as { $chatwoot: ChatwootInstance }).$chatwoot ?? null;
+  }, []);
 
   const setUserInfo = useCallback(() => {
-    const $chatwoot = (
-      globalThis as unknown as {
-        $chatwoot: {
-          setUser: (userId: string, userInfo: { email?: string | null; name?: string | null }) => void;
-        };
-      }
-    ).$chatwoot;
+    const $chatwoot = getChatwoot();
     if (userId && $chatwoot && !userSetRef.current) {
       $chatwoot.setUser(userId, {
         email: userEmail,
@@ -36,7 +48,19 @@ export const ChatwootWidget = ({
       });
       userSetRef.current = true;
     }
-  }, [userId, userEmail, userName]);
+  }, [userId, userEmail, userName, getChatwoot]);
+
+  const setCustomerStatus = useCallback(async () => {
+    if (customerStatusSetRef.current) return;
+    const $chatwoot = getChatwoot();
+    if (!$chatwoot) return;
+
+    const response = await getIsActiveCustomerAction();
+    if (response?.data !== undefined) {
+      $chatwoot.setCustomAttributes({ isActiveCustomer: response.data });
+    }
+    customerStatusSetRef.current = true;
+  }, [getChatwoot]);
 
   useEffect(() => {
     if (!chatwootWebsiteToken) return;
@@ -65,23 +89,19 @@ export const ChatwootWidget = ({
     const handleChatwootReady = () => setUserInfo();
     globalThis.addEventListener("chatwoot:ready", handleChatwootReady);
 
+    const handleChatwootOpen = () => setCustomerStatus();
+    globalThis.addEventListener("chatwoot:open", handleChatwootOpen);
+
     // Check if Chatwoot is already ready
-    if (
-      (
-        globalThis as unknown as {
-          $chatwoot: {
-            setUser: (userId: string, userInfo: { email?: string | null; name?: string | null }) => void;
-          };
-        }
-      ).$chatwoot
-    ) {
+    if (getChatwoot()) {
       setUserInfo();
     }
 
     return () => {
       globalThis.removeEventListener("chatwoot:ready", handleChatwootReady);
+      globalThis.removeEventListener("chatwoot:open", handleChatwootOpen);
 
-      const $chatwoot = (globalThis as unknown as { $chatwoot: { reset: () => void } }).$chatwoot;
+      const $chatwoot = getChatwoot();
       if ($chatwoot) {
         $chatwoot.reset();
       }
@@ -90,8 +110,18 @@ export const ChatwootWidget = ({
       scriptElement?.remove();
 
       userSetRef.current = false;
+      customerStatusSetRef.current = false;
     };
-  }, [chatwootBaseUrl, chatwootWebsiteToken, userId, userEmail, userName, setUserInfo]);
+  }, [
+    chatwootBaseUrl,
+    chatwootWebsiteToken,
+    userId,
+    userEmail,
+    userName,
+    setUserInfo,
+    setCustomerStatus,
+    getChatwoot,
+  ]);
 
   return null;
 };

apps/web/app/chatwoot/actions.ts

@@ -0,0 +1,18 @@
+"use server";
+
+import { TCloudBillingPlan } from "@formbricks/types/organizations";
+import { getOrganizationsByUserId } from "@/lib/organization/service";
+import { authenticatedActionClient } from "@/lib/utils/action-client";
+
+export const getIsActiveCustomerAction = authenticatedActionClient.action(async ({ ctx }) => {
+  const paidBillingPlans = new Set<TCloudBillingPlan>(["pro", "scale", "custom"]);
+
+  const organizations = await getOrganizationsByUserId(ctx.user.id);
+  return organizations.some((organization) => {
+    const stripe = organization.billing.stripe;
+    const isPaidPlan = stripe?.plan ? paidBillingPlans.has(stripe.plan) : false;
+    const isActiveSubscription =
+      stripe?.subscriptionStatus === "active" || stripe?.subscriptionStatus === "trialing";
+    return isPaidPlan && isActiveSubscription;
+  });
+});

apps/web/app/components/NoScriptWarning.tsx

@@ -0,0 +1,21 @@
+import type { TUserLocale } from "@formbricks/types/user";
+import { getTranslate } from "@/lingodotdev/server";
+
+interface NoScriptWarningProps {
+  locale: TUserLocale;
+}
+
+export const NoScriptWarning = async ({ locale }: NoScriptWarningProps) => {
+  const t = await getTranslate(locale);
+
+  return (
+    <noscript>
+      <div className="fixed inset-0 z-[9999] flex h-dvh w-full items-center justify-center bg-slate-50">
+        <div className="rounded-xl border border-slate-200 bg-white p-8 text-center shadow-lg">
+          <h1 className="mb-4 text-2xl font-bold text-slate-800">{t("common.javascript_required")}</h1>
+          <p className="text-slate-600">{t("common.javascript_required_description")}</p>
+        </div>
+      </div>
+    </noscript>
+  );
+};

apps/web/app/layout.tsx

@@ -1,5 +1,6 @@
 import { Metadata } from "next";
 import React from "react";
+import { NoScriptWarning } from "@/app/components/NoScriptWarning";
 import { SentryProvider } from "@/app/sentry/SentryProvider";
 import {
   DEFAULT_LOCALE,
@@ -26,6 +27,7 @@ const RootLayout = async ({ children }: { children: React.ReactNode }) => {
   return (
     <html lang={locale} translate="no">
       <body className="flex h-dvh flex-col transition-all ease-in-out">
+        <NoScriptWarning locale={locale} />
         <SentryProvider
           sentryDsn={SENTRY_DSN}
           sentryRelease={SENTRY_RELEASE}

apps/web/app/lib/api/api-error-reporter.test.ts

@@ -0,0 +1,221 @@
+import * as Sentry from "@sentry/nextjs";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { reportApiError } from "./api-error-reporter";
+
+const loggerMocks = vi.hoisted(() => {
+  const contextualError = vi.fn();
+  const rootError = vi.fn();
+  const withContext = vi.fn(() => ({
+    error: contextualError,
+  }));
+
+  return {
+    contextualError,
+    rootError,
+    withContext,
+  };
+});
+
+vi.mock("@sentry/nextjs", () => ({
+  captureException: vi.fn(),
+  withScope: vi.fn(),
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    withContext: loggerMocks.withContext,
+    error: loggerMocks.rootError,
+    warn: vi.fn(),
+    info: vi.fn(),
+  },
+}));
+
+vi.mock("@/lib/constants", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/constants")>();
+
+  return {
+    ...actual,
+    IS_PRODUCTION: true,
+    SENTRY_DSN: "dsn",
+  };
+});
+
+describe("reportApiError", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("captures real errors directly with structured context", () => {
+    const request = new Request("https://app.test/api/v2/client/environment", {
+      method: "POST",
+      headers: {
+        "x-request-id": "req-1",
+      },
+    });
+    const error = new Error("boom");
+
+    reportApiError({
+      request,
+      status: 500,
+      error,
+    });
+
+    expect(loggerMocks.withContext).toHaveBeenCalledWith(
+      expect.objectContaining({
+        apiVersion: "v2",
+        correlationId: "req-1",
+        method: "POST",
+        path: "/api/v2/client/environment",
+        status: 500,
+        error: expect.objectContaining({
+          name: "Error",
+          message: "boom",
+        }),
+      })
+    );
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      error,
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v2",
+          correlationId: "req-1",
+          method: "POST",
+          path: "/api/v2/client/environment",
+        }),
+        extra: expect.objectContaining({
+          error: expect.objectContaining({
+            name: "Error",
+            message: "boom",
+          }),
+          originalError: expect.objectContaining({
+            name: "Error",
+            message: "boom",
+          }),
+        }),
+        contexts: expect.objectContaining({
+          apiRequest: expect.objectContaining({
+            apiVersion: "v2",
+            correlationId: "req-1",
+            method: "POST",
+            path: "/api/v2/client/environment",
+            status: 500,
+          }),
+        }),
+      })
+    );
+  });
+
+  test("captures non-error payloads with a synthetic error while preserving additional data", () => {
+    const request = new Request("https://app.test/api/v1/management/surveys", {
+      headers: {
+        "x-request-id": "req-2",
+      },
+    });
+    const payload = {
+      type: "internal_server_error",
+      details: [{ field: "server", issue: "error occurred" }],
+    };
+
+    reportApiError({
+      request,
+      status: 500,
+      error: payload,
+      originalError: payload,
+    });
+
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.objectContaining({
+        message: "API V1 error, id: req-2",
+      }),
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v1",
+          correlationId: "req-2",
+          method: "GET",
+          path: "/api/v1/management/surveys",
+        }),
+        extra: expect.objectContaining({
+          error: payload,
+          originalError: payload,
+        }),
+      })
+    );
+  });
+
+  test("swallows Sentry failures after logging a fallback reporter error", () => {
+    vi.mocked(Sentry.captureException).mockImplementation(() => {
+      throw new Error("sentry down");
+    });
+
+    const request = new Request("https://app.test/api/v2/client/displays", {
+      headers: {
+        "x-request-id": "req-3",
+      },
+    });
+
+    expect(() =>
+      reportApiError({
+        request,
+        status: 500,
+        error: new Error("boom"),
+      })
+    ).not.toThrow();
+
+    expect(loggerMocks.rootError).toHaveBeenCalledWith(
+      expect.objectContaining({
+        apiVersion: "v2",
+        correlationId: "req-3",
+        method: "GET",
+        path: "/api/v2/client/displays",
+        status: 500,
+        reportingError: expect.objectContaining({
+          name: "Error",
+          message: "sentry down",
+        }),
+      }),
+      "Failed to report API error"
+    );
+  });
+
+  test("serializes cyclic payloads without throwing", () => {
+    const request = new Request("https://app.test/api/v2/client/responses", {
+      headers: {
+        "x-request-id": "req-4",
+      },
+    });
+    const payload: Record<string, unknown> = {
+      type: "internal_server_error",
+    };
+
+    payload.self = payload;
+
+    expect(() =>
+      reportApiError({
+        request,
+        status: 500,
+        error: payload,
+        originalError: payload,
+      })
+    ).not.toThrow();
+
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.objectContaining({
+        message: "API V2 error, id: req-4",
+      }),
+      expect.objectContaining({
+        extra: expect.objectContaining({
+          error: {
+            type: "internal_server_error",
+            self: "[Circular]",
+          },
+          originalError: {
+            type: "internal_server_error",
+            self: "[Circular]",
+          },
+        }),
+      })
+    );
+  });
+});

apps/web/app/lib/api/api-error-reporter.ts

@@ -0,0 +1,282 @@
+import * as Sentry from "@sentry/nextjs";
+import { logger } from "@formbricks/logger";
+import { IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
+
+type TRequestLike = Pick<Request, "method" | "url" | "headers">;
+
+type TApiErrorContext = {
+  apiVersion: TApiVersion;
+  correlationId: string;
+  method: string;
+  path: string;
+  status: number;
+};
+
+type TSentryCaptureContext = NonNullable<Parameters<typeof Sentry.captureException>[1]>;
+
+export type TApiVersion = "v1" | "v2" | "v3" | "unknown";
+
+const getPathname = (url: string): string => {
+  if (url.startsWith("/")) {
+    return url;
+  }
+
+  try {
+    return new URL(url).pathname;
+  } catch {
+    return url;
+  }
+};
+
+export const getApiVersionFromPath = (pathname: string): TApiVersion => {
+  const match = /^\/api\/(v\d+)(?:\/|$)/.exec(pathname);
+
+  if (!match) {
+    return "unknown";
+  }
+
+  switch (match[1]) {
+    case "v1":
+    case "v2":
+    case "v3":
+      return match[1];
+    default:
+      return "unknown";
+  }
+};
+
+const serializeError = (value: unknown, seen = new WeakSet<object>()): unknown => {
+  if (value === null || value === undefined) {
+    return value;
+  }
+
+  if (typeof value !== "object") {
+    return value;
+  }
+
+  if (seen.has(value)) {
+    return "[Circular]";
+  }
+
+  seen.add(value);
+
+  if (value instanceof Error) {
+    const serializedError: Record<string, unknown> = {
+      name: value.name,
+      message: value.message,
+    };
+
+    if (value.stack) {
+      serializedError.stack = value.stack;
+    }
+
+    if ("cause" in value && value.cause !== undefined) {
+      serializedError.cause = serializeError(value.cause, seen);
+    }
+
+    for (const [key, entryValue] of Object.entries(value as unknown as Record<string, unknown>)) {
+      serializedError[key] = serializeError(entryValue, seen);
+    }
+
+    return serializedError;
+  }
+
+  if (Array.isArray(value)) {
+    return value.map((item) => serializeError(item, seen));
+  }
+
+  return Object.fromEntries(
+    Object.entries(value as Record<string, unknown>).map(([key, entryValue]) => [
+      key,
+      serializeError(entryValue, seen),
+    ])
+  );
+};
+
+const getSerializedValueType = (value: unknown): string => {
+  if (value === null) {
+    return "null";
+  }
+
+  if (Array.isArray(value)) {
+    return "array";
+  }
+
+  if (value instanceof Error) {
+    return value.name;
+  }
+
+  return typeof value;
+};
+
+export const serializeErrorSafely = (value: unknown): unknown => {
+  try {
+    return serializeError(value);
+  } catch (serializationError) {
+    return {
+      name: "ErrorSerializationFailed",
+      message: "Failed to serialize API error payload",
+      originalType: getSerializedValueType(value),
+      serializationError:
+        serializationError instanceof Error ? serializationError.message : String(serializationError),
+    };
+  }
+};
+
+const getSyntheticError = (apiVersion: TApiVersion, correlationId: string): Error => {
+  if (apiVersion === "unknown") {
+    return new Error(`API error, id: ${correlationId}`);
+  }
+
+  return new Error(`API ${apiVersion.toUpperCase()} error, id: ${correlationId}`);
+};
+
+const getLogMessage = (apiVersion: TApiVersion): string => {
+  switch (apiVersion) {
+    case "v1":
+      return "API V1 Error Details";
+    case "v2":
+      return "API V2 Error Details";
+    case "v3":
+      return "API V3 Error Details";
+    default:
+      return "API Error Details";
+  }
+};
+
+const buildApiErrorContext = ({
+  request,
+  status,
+  apiVersion,
+}: {
+  request: TRequestLike;
+  status: number;
+  apiVersion?: TApiVersion;
+}): TApiErrorContext => {
+  const path = getPathname(request.url);
+
+  return {
+    apiVersion: apiVersion ?? getApiVersionFromPath(path),
+    correlationId: request.headers.get("x-request-id") ?? "",
+    method: request.method,
+    path,
+    status,
+  };
+};
+
+export const buildSentryCaptureContext = ({
+  context,
+  errorPayload,
+  originalErrorPayload,
+}: {
+  context: TApiErrorContext;
+  errorPayload: unknown;
+  originalErrorPayload: unknown;
+}): TSentryCaptureContext => ({
+  level: "error",
+  tags: {
+    apiVersion: context.apiVersion,
+    correlationId: context.correlationId,
+    method: context.method,
+    path: context.path,
+  },
+  extra: {
+    error: errorPayload,
+    originalError: originalErrorPayload,
+  },
+  contexts: {
+    apiRequest: {
+      apiVersion: context.apiVersion,
+      correlationId: context.correlationId,
+      method: context.method,
+      path: context.path,
+      status: context.status,
+    },
+  },
+});
+
+export const emitApiErrorLog = (context: TApiErrorContext, errorPayload?: unknown): void => {
+  const logContext =
+    errorPayload === undefined
+      ? context
+      : {
+          ...context,
+          error: errorPayload,
+        };
+
+  logger.withContext(logContext).error(getLogMessage(context.apiVersion));
+};
+
+export const emitApiErrorToSentry = ({
+  error,
+  captureContext,
+}: {
+  error: Error;
+  captureContext: TSentryCaptureContext;
+}): void => {
+  Sentry.captureException(error, captureContext);
+};
+
+const logReporterFailure = (context: TApiErrorContext, reportingError: unknown): void => {
+  try {
+    logger.error(
+      {
+        apiVersion: context.apiVersion,
+        correlationId: context.correlationId,
+        method: context.method,
+        path: context.path,
+        status: context.status,
+        reportingError: serializeErrorSafely(reportingError),
+      },
+      "Failed to report API error"
+    );
+  } catch {
+    // Swallow reporter failures so API responses are never affected by observability issues.
+  }
+};
+
+export const reportApiError = ({
+  request,
+  status,
+  error,
+  apiVersion,
+  originalError,
+}: {
+  request: TRequestLike;
+  status: number;
+  error?: unknown;
+  apiVersion?: TApiVersion;
+  originalError?: unknown;
+}): void => {
+  const context = buildApiErrorContext({
+    request,
+    status,
+    apiVersion,
+  });
+  const capturedError =
+    error instanceof Error ? error : getSyntheticError(context.apiVersion, context.correlationId);
+  const logErrorPayload = error === undefined ? undefined : serializeErrorSafely(error);
+  const errorPayload = serializeErrorSafely(error ?? capturedError);
+  const originalErrorPayload = serializeErrorSafely(originalError ?? error);
+
+  try {
+    emitApiErrorLog(context, logErrorPayload);
+  } catch (reportingError) {
+    logReporterFailure(context, reportingError);
+  }
+
+  if (SENTRY_DSN && IS_PRODUCTION && status >= 500) {
+    try {
+      emitApiErrorToSentry({
+        error: capturedError,
+        captureContext: buildSentryCaptureContext({
+          context,
+          errorPayload,
+          originalErrorPayload,
+        }),
+      });
+    } catch (reportingError) {
+      logReporterFailure(context, reportingError);
+    }
+  }
+};

apps/web/app/lib/api/parse-and-validate-json-body.test.ts

@@ -0,0 +1,111 @@
+import { describe, expect, test } from "vitest";
+import { z } from "zod";
+import { parseAndValidateJsonBody } from "./parse-and-validate-json-body";
+
+describe("parseAndValidateJsonBody", () => {
+  test("returns a malformed JSON response when request parsing fails", async () => {
+    const request = new Request("http://localhost/api/test", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: "{invalid-json",
+    });
+
+    const result = await parseAndValidateJsonBody({
+      request,
+      schema: z.object({
+        finished: z.boolean(),
+      }),
+      malformedJsonMessage: "Malformed JSON in request body",
+    });
+
+    expect("response" in result).toBe(true);
+
+    if (!("response" in result)) {
+      throw new Error("Expected a response result");
+    }
+
+    expect(result.issue).toBe("invalid_json");
+    expect(result.details).toEqual({
+      error: expect.any(String),
+    });
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Malformed JSON in request body",
+      details: {
+        error: expect.any(String),
+      },
+    });
+  });
+
+  test("returns a validation response when the parsed JSON does not match the schema", async () => {
+    const request = new Request("http://localhost/api/test", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        finished: "not-boolean",
+      }),
+    });
+
+    const result = await parseAndValidateJsonBody({
+      request,
+      schema: z.object({
+        finished: z.boolean(),
+      }),
+    });
+
+    expect("response" in result).toBe(true);
+
+    if (!("response" in result)) {
+      throw new Error("Expected a response result");
+    }
+
+    expect(result.issue).toBe("invalid_body");
+    expect(result.details).toEqual(
+      expect.objectContaining({
+        finished: expect.any(String),
+      })
+    );
+    await expect(result.response.json()).resolves.toEqual({
+      code: "bad_request",
+      message: "Fields are missing or incorrectly formatted",
+      details: expect.objectContaining({
+        finished: expect.any(String),
+      }),
+    });
+  });
+
+  test("returns parsed data when JSON parsing and schema validation succeed", async () => {
+    const request = new Request("http://localhost/api/test", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        finished: true,
+      }),
+    });
+
+    const result = await parseAndValidateJsonBody({
+      request,
+      schema: z.object({
+        finished: z.boolean(),
+        environmentId: z.string(),
+      }),
+      buildInput: (jsonInput) => ({
+        ...(jsonInput as Record<string, unknown>),
+        environmentId: "env_123",
+      }),
+    });
+
+    expect(result).toEqual({
+      data: {
+        environmentId: "env_123",
+        finished: true,
+      },
+    });
+  });
+});

apps/web/app/lib/api/parse-and-validate-json-body.ts

@@ -0,0 +1,71 @@
+import { z } from "zod";
+import { responses } from "@/app/lib/api/response";
+import { transformErrorToDetails } from "@/app/lib/api/validator";
+
+type TJsonBodyValidationIssue = "invalid_json" | "invalid_body";
+
+type TJsonBodyValidationError = {
+  details: Record<string, string> | { error: string };
+  issue: TJsonBodyValidationIssue;
+  response: Response;
+};
+
+type TJsonBodyValidationSuccess<TData> = {
+  data: TData;
+};
+
+export type TParseAndValidateJsonBodyResult<TData> =
+  | TJsonBodyValidationError
+  | TJsonBodyValidationSuccess<TData>;
+
+type TParseAndValidateJsonBodyOptions<TSchema extends z.ZodTypeAny> = {
+  request: Request;
+  schema: TSchema;
+  buildInput?: (jsonInput: unknown) => unknown;
+  malformedJsonMessage?: string;
+  validationMessage?: string;
+};
+
+const DEFAULT_MALFORMED_JSON_MESSAGE = "Malformed JSON input, please check your request body";
+const DEFAULT_VALIDATION_MESSAGE = "Fields are missing or incorrectly formatted";
+
+const getErrorMessage = (error: unknown): string =>
+  error instanceof Error ? error.message : "Unknown error occurred";
+
+export const parseAndValidateJsonBody = async <TSchema extends z.ZodTypeAny>({
+  request,
+  schema,
+  buildInput,
+  malformedJsonMessage = DEFAULT_MALFORMED_JSON_MESSAGE,
+  validationMessage = DEFAULT_VALIDATION_MESSAGE,
+}: TParseAndValidateJsonBodyOptions<TSchema>): Promise<
+  TParseAndValidateJsonBodyResult<z.output<TSchema>>
+> => {
+  let jsonInput: unknown;
+
+  try {
+    jsonInput = await request.json();
+  } catch (error) {
+    const details = { error: getErrorMessage(error) };
+
+    return {
+      details,
+      issue: "invalid_json",
+      response: responses.badRequestResponse(malformedJsonMessage, details, true),
+    };
+  }
+
+  const inputValidation = schema.safeParse(buildInput ? buildInput(jsonInput) : jsonInput);
+
+  if (!inputValidation.success) {
+    const details = transformErrorToDetails(inputValidation.error);
+
+    return {
+      details,
+      issue: "invalid_body",
+      response: responses.badRequestResponse(validationMessage, details, true),
+    };
+  }
+
+  return { data: inputValidation.data };
+};

apps/web/app/lib/api/with-api-logging.test.ts

@@ -6,7 +6,6 @@ import { TAuthenticationApiKey } from "@formbricks/types/auth";
 import { AuthenticationMethod } from "@/app/middleware/endpoint-validator";
 import { responses } from "./response";
 
-// Mocks
 vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
   __esModule: true,
   queueAuditEvent: vi.fn(),
@@ -14,24 +13,13 @@ vi.mock("@/modules/ee/audit-logs/lib/handler", () => ({
 
 vi.mock("@sentry/nextjs", () => ({
   captureException: vi.fn(),
-  withScope: vi.fn((callback) => {
-    callback(mockSentryScope);
-    return mockSentryScope;
-  }),
+  withScope: vi.fn(),
 }));
 
-// Define these outside the mock factory so they can be referenced in tests and reset by clearAllMocks.
 const mockContextualLoggerError = vi.fn();
 const mockContextualLoggerWarn = vi.fn();
 const mockContextualLoggerInfo = vi.fn();
-
-// Mock Sentry scope that can be referenced in tests
-const mockSentryScope = {
-  setTag: vi.fn(),
-  setExtra: vi.fn(),
-  setContext: vi.fn(),
-  setLevel: vi.fn(),
-};
+const V1_MANAGEMENT_SURVEYS_URL = "https://api.test/api/v1/management/surveys";
 
 vi.mock("@formbricks/logger", () => {
   const mockWithContextInstance = vi.fn(() => ({
@@ -86,7 +74,6 @@ vi.mock("@/modules/core/rate-limit/rate-limit-configs", () => ({
 }));
 
 function createMockRequest({ method = "GET", url = "https://api.test/endpoint", headers = new Map() } = {}) {
-  // Parse the URL to get the pathname
   const parsedUrl = url.startsWith("/") ? new URL(url, "http://localhost:3000") : new URL(url);
 
   return {
@@ -122,12 +109,6 @@ describe("withV1ApiWrapper", () => {
     }));
 
     vi.clearAllMocks();
-
-    // Reset mock Sentry scope calls
-    mockSentryScope.setTag.mockClear();
-    mockSentryScope.setExtra.mockClear();
-    mockSentryScope.setContext.mockClear();
-    mockSentryScope.setLevel.mockClear();
   });
 
   test("logs and audits on error response with API key authentication", async () => {
@@ -155,7 +136,7 @@ describe("withV1ApiWrapper", () => {
     });
 
     const req = createMockRequest({
-      url: "https://api.test/v1/management/surveys",
+      url: V1_MANAGEMENT_SURVEYS_URL,
       headers: new Map([["x-request-id", "abc-123"]]),
     });
     const { withV1ApiWrapper } = await import("./with-api-logging");
@@ -177,9 +158,33 @@ describe("withV1ApiWrapper", () => {
         organizationId: "org-1",
       })
     );
-    expect(Sentry.withScope).toHaveBeenCalled();
-    expect(mockSentryScope.setExtra).toHaveBeenCalledWith("originalError", undefined);
-    expect(Sentry.captureException).toHaveBeenCalledWith(expect.any(Error));
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.any(Error),
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v1",
+          correlationId: "abc-123",
+          method: "GET",
+          path: "/api/v1/management/surveys",
+        }),
+        extra: expect.objectContaining({
+          error: expect.objectContaining({
+            message: "API V1 error, id: abc-123",
+          }),
+          originalError: undefined,
+        }),
+        contexts: expect.objectContaining({
+          apiRequest: expect.objectContaining({
+            apiVersion: "v1",
+            correlationId: "abc-123",
+            method: "GET",
+            path: "/api/v1/management/surveys",
+            status: 500,
+          }),
+        }),
+      })
+    );
   });
 
   test("does not log Sentry if not 500", async () => {
@@ -206,7 +211,7 @@ describe("withV1ApiWrapper", () => {
       };
     });
 
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const { withV1ApiWrapper } = await import("./with-api-logging");
     const wrapped = withV1ApiWrapper({ handler, action: "created", targetType: "survey" });
     await wrapped(req, undefined);
@@ -251,7 +256,7 @@ describe("withV1ApiWrapper", () => {
     });
 
     const req = createMockRequest({
-      url: "https://api.test/v1/management/surveys",
+      url: V1_MANAGEMENT_SURVEYS_URL,
       headers: new Map([["x-request-id", "err-1"]]),
     });
     const { withV1ApiWrapper } = await import("./with-api-logging");
@@ -280,8 +285,78 @@ describe("withV1ApiWrapper", () => {
         organizationId: "org-1",
       })
     );
-    expect(Sentry.withScope).toHaveBeenCalled();
-    expect(Sentry.captureException).toHaveBeenCalledWith(expect.any(Error));
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      expect.objectContaining({
+        message: "fail!",
+      }),
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v1",
+          correlationId: "err-1",
+          method: "GET",
+          path: "/api/v1/management/surveys",
+        }),
+        extra: expect.objectContaining({
+          error: expect.objectContaining({
+            message: "fail!",
+          }),
+          originalError: expect.objectContaining({
+            message: "fail!",
+          }),
+        }),
+      })
+    );
+  });
+
+  test("uses handler result error for handled 500 responses", async () => {
+    const { authenticateRequest } = await import("@/app/api/v1/auth");
+    const { isClientSideApiRoute, isManagementApiRoute, isIntegrationRoute } =
+      await import("@/app/middleware/endpoint-validator");
+
+    vi.mocked(authenticateRequest).mockResolvedValue(mockApiAuthentication);
+    vi.mocked(isClientSideApiRoute).mockReturnValue({ isClientSideApi: false, isRateLimited: true });
+    vi.mocked(isManagementApiRoute).mockReturnValue({
+      isManagementApi: true,
+      authenticationMethod: AuthenticationMethod.ApiKey,
+    });
+    vi.mocked(isIntegrationRoute).mockReturnValue(false);
+
+    const handledError = new Error("handled failure");
+    const handler = vi.fn().mockResolvedValue({
+      response: responses.internalServerErrorResponse("fail"),
+      error: handledError,
+    });
+
+    const req = createMockRequest({
+      url: "https://api.test/api/v2/client/environment",
+      headers: new Map([["x-request-id", "handled-1"]]),
+    });
+    const { withV1ApiWrapper } = await import("./with-api-logging");
+    const wrapped = withV1ApiWrapper({ handler });
+    const res = await wrapped(req, undefined);
+
+    expect(res.status).toBe(500);
+    expect(Sentry.withScope).not.toHaveBeenCalled();
+    expect(Sentry.captureException).toHaveBeenCalledWith(
+      handledError,
+      expect.objectContaining({
+        tags: expect.objectContaining({
+          apiVersion: "v2",
+          correlationId: "handled-1",
+          method: "GET",
+          path: "/api/v2/client/environment",
+        }),
+        extra: expect.objectContaining({
+          error: expect.objectContaining({
+            message: "handled failure",
+          }),
+          originalError: expect.objectContaining({
+            message: "handled failure",
+          }),
+        }),
+      })
+    );
   });
 
   test("does not log on success response but still audits", async () => {
@@ -308,7 +383,7 @@ describe("withV1ApiWrapper", () => {
       };
     });
 
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const { withV1ApiWrapper } = await import("./with-api-logging");
     const wrapped = withV1ApiWrapper({ handler, action: "created", targetType: "survey" });
     await wrapped(req, undefined);
@@ -358,7 +433,7 @@ describe("withV1ApiWrapper", () => {
       response: responses.internalServerErrorResponse("fail"),
     });
 
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const wrapped = withV1ApiWrapper({ handler, action: "created", targetType: "survey" });
     await wrapped(req, undefined);
 
@@ -378,7 +453,7 @@ describe("withV1ApiWrapper", () => {
     });
     vi.mocked(isIntegrationRoute).mockReturnValue(false);
     vi.mocked(authenticateRequest).mockResolvedValue(null);
-    vi.mocked(applyIPRateLimit).mockResolvedValue(undefined);
+    vi.mocked(applyIPRateLimit).mockResolvedValue({ allowed: true });
 
     const handler = vi.fn().mockResolvedValue({
       response: responses.successResponse({ data: "test" }),
@@ -412,7 +487,7 @@ describe("withV1ApiWrapper", () => {
     vi.mocked(authenticateRequest).mockResolvedValue(null);
 
     const handler = vi.fn();
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const { withV1ApiWrapper } = await import("./with-api-logging");
     const wrapped = withV1ApiWrapper({ handler });
     const res = await wrapped(req, undefined);
@@ -421,6 +496,38 @@ describe("withV1ApiWrapper", () => {
     expect(handler).not.toHaveBeenCalled();
   });
 
+  test("uses unauthenticatedResponse when provided instead of default 401", async () => {
+    const { isClientSideApiRoute, isManagementApiRoute, isIntegrationRoute } =
+      await import("@/app/middleware/endpoint-validator");
+    const { getServerSession } = await import("next-auth");
+
+    vi.mocked(isClientSideApiRoute).mockReturnValue({ isClientSideApi: false, isRateLimited: true });
+    vi.mocked(isManagementApiRoute).mockReturnValue({
+      isManagementApi: true,
+      authenticationMethod: AuthenticationMethod.Session,
+    });
+    vi.mocked(isIntegrationRoute).mockReturnValue(false);
+    vi.mocked(getServerSession).mockResolvedValue(null);
+
+    const custom401 = new Response(JSON.stringify({ title: "Custom", status: 401 }), {
+      status: 401,
+      headers: { "Content-Type": "application/problem+json" },
+    });
+
+    const handler = vi.fn();
+    const req = createMockRequest({ url: "https://api.test/api/v3/surveys" });
+    const { withV1ApiWrapper } = await import("./with-api-logging");
+    const wrapped = withV1ApiWrapper({
+      handler,
+      unauthenticatedResponse: () => custom401,
+    });
+    const res = await wrapped(req, undefined);
+
+    expect(res).toBe(custom401);
+    expect(handler).not.toHaveBeenCalled();
+    expect(mockContextualLoggerError).toHaveBeenCalled();
+  });
+
   test("handles rate limiting errors", async () => {
     const { applyRateLimit } = await import("@/modules/core/rate-limit/helpers");
     const { isClientSideApiRoute, isManagementApiRoute, isIntegrationRoute } =
@@ -439,7 +546,7 @@ describe("withV1ApiWrapper", () => {
     vi.mocked(applyRateLimit).mockRejectedValue(rateLimitError);
 
     const handler = vi.fn();
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const { withV1ApiWrapper } = await import("./with-api-logging");
     const wrapped = withV1ApiWrapper({ handler });
     const res = await wrapped(req, undefined);
@@ -467,7 +574,7 @@ describe("withV1ApiWrapper", () => {
       response: responses.successResponse({ data: "test" }),
     });
 
-    const req = createMockRequest({ url: "https://api.test/v1/management/surveys" });
+    const req = createMockRequest({ url: V1_MANAGEMENT_SURVEYS_URL });
     const { withV1ApiWrapper } = await import("./with-api-logging");
     const wrapped = withV1ApiWrapper({ handler });
     await wrapped(req, undefined);
@@ -486,7 +593,7 @@ describe("buildAuditLogBaseObject", () => {
   test("creates audit log base object with correct structure", async () => {
     const { buildAuditLogBaseObject } = await import("./with-api-logging");
 
-    const result = buildAuditLogBaseObject("created", "survey", "https://api.test/v1/management/surveys");
+    const result = buildAuditLogBaseObject("created", "survey", V1_MANAGEMENT_SURVEYS_URL);
 
     expect(result).toEqual({
       action: "created",
@@ -498,7 +605,7 @@ describe("buildAuditLogBaseObject", () => {
       oldObject: undefined,
       newObject: undefined,
       userType: "api",
-      apiUrl: "https://api.test/v1/management/surveys",
+      apiUrl: V1_MANAGEMENT_SURVEYS_URL,
     });
   });
 });

apps/web/app/lib/api/with-api-logging.ts

@@ -1,9 +1,9 @@
-import * as Sentry from "@sentry/nextjs";
 import { Session, getServerSession } from "next-auth";
 import { NextRequest } from "next/server";
 import { logger } from "@formbricks/logger";
 import { TAuthenticationApiKey } from "@formbricks/types/auth";
 import { authenticateRequest } from "@/app/api/v1/auth";
+import { reportApiError } from "@/app/lib/api/api-error-reporter";
 import { responses } from "@/app/lib/api/response";
 import {
   AuthenticationMethod,
@@ -11,7 +11,7 @@ import {
   isIntegrationRoute,
   isManagementApiRoute,
 } from "@/app/middleware/endpoint-validator";
-import { AUDIT_LOG_ENABLED, IS_PRODUCTION, SENTRY_DSN } from "@/lib/constants";
+import { AUDIT_LOG_ENABLED } from "@/lib/constants";
 import { authOptions } from "@/modules/auth/lib/authOptions";
 import { applyIPRateLimit, applyRateLimit } from "@/modules/core/rate-limit/helpers";
 import { rateLimitConfigs } from "@/modules/core/rate-limit/rate-limit-configs";
@@ -33,11 +33,19 @@ export interface THandlerParams<TProps = unknown> {
 }
 
 // Interface for wrapper function parameters
-export interface TWithV1ApiWrapperParams<TResult extends { response: Response }, TProps = unknown> {
+export interface TWithV1ApiWrapperParams<
+  TResult extends { response: Response; error?: unknown },
+  TProps = unknown,
+> {
   handler: (params: THandlerParams<TProps>) => Promise<TResult>;
   action?: TAuditAction;
   targetType?: TAuditTarget;
   customRateLimitConfig?: TRateLimitConfig;
+  /**
+   * When the route requires auth but the client is unauthenticated, the wrapper normally returns
+   * the legacy JSON 401. Use this to return a custom response (e.g. RFC 9457 problem+json for V3).
+   */
+  unauthenticatedResponse?: (req: NextRequest) => Response;
 }
 
 enum ApiV1RouteTypeEnum {
@@ -88,7 +96,7 @@ const handleRateLimiting = async (
 /**
  * Execute handler with error handling
  */
-const executeHandler = async <TResult extends { response: Response }, TProps>(
+const executeHandler = async <TResult extends { response: Response; error?: unknown }, TProps>(
   handler: (params: THandlerParams<TProps>) => Promise<TResult>,
   req: NextRequest,
   props: TProps,
@@ -153,34 +161,12 @@ const handleAuthentication = async (
 /**
  * Log error details to system logger and Sentry
  */
-const logErrorDetails = (res: Response, req: NextRequest, correlationId: string, error?: any): void => {
-  const logContext = {
-    correlationId,
-    method: req.method,
-    path: req.url,
+const logErrorDetails = (res: Response, req: NextRequest, error?: unknown): void => {
+  reportApiError({
+    request: req,
     status: res.status,
-    ...(error && { error }),
-  };
-
-  logger.withContext(logContext).error("V1 API Error Details");
-
-  if (SENTRY_DSN && IS_PRODUCTION && res.status >= 500) {
-    // Set correlation ID as a tag for easy filtering
-    Sentry.withScope((scope) => {
-      scope.setTag("correlationId", correlationId);
-      scope.setLevel("error");
-
-      // If we have an actual error, capture it with full stacktrace
-      // Otherwise, create a generic error with context
-      if (error instanceof Error) {
-        Sentry.captureException(error);
-      } else {
-        scope.setExtra("originalError", error);
-        const genericError = new Error(`API V1 error, id: ${correlationId}`);
-        Sentry.captureException(genericError);
-      }
-    });
-  }
+    error,
+  });
 };
 
 /**
@@ -190,7 +176,7 @@ const processResponse = async (
   res: Response,
   req: NextRequest,
   auditLog?: TApiAuditLog,
-  error?: any
+  error?: unknown
 ): Promise<void> => {
   const correlationId = req.headers.get("x-request-id") ?? "";
 
@@ -205,7 +191,7 @@ const processResponse = async (
 
   // Handle error logging
   if (!res.ok) {
-    logErrorDetails(res, req, correlationId, error);
+    logErrorDetails(res, req, error);
   }
 
   // Queue audit event if enabled and audit log exists
@@ -262,10 +248,10 @@ const getRouteType = (
  * @returns Wrapped handler function that returns the final HTTP response
  *
  */
-export const withV1ApiWrapper = <TResult extends { response: Response }, TProps = unknown>(
+export const withV1ApiWrapper = <TResult extends { response: Response; error?: unknown }, TProps = unknown>(
   params: TWithV1ApiWrapperParams<TResult, TProps>
 ): ((req: NextRequest, props: TProps) => Promise<Response>) => {
-  const { handler, action, targetType, customRateLimitConfig } = params;
+  const { handler, action, targetType, customRateLimitConfig, unauthenticatedResponse } = params;
   return async (req: NextRequest, props: TProps): Promise<Response> => {
     // === Audit Log Setup ===
     const saveAuditLog = action && targetType;
@@ -287,6 +273,11 @@ export const withV1ApiWrapper = <TResult extends { response: Response }, TProps
     const authentication = await handleAuthentication(authenticationMethod, req);
 
     if (!authentication && routeType !== ApiV1RouteTypeEnum.Client) {
+      if (unauthenticatedResponse) {
+        const res = unauthenticatedResponse(req);
+        await processResponse(res, req, auditLog);
+        return res;
+      }
       return responses.notAuthenticatedResponse();
     }
 
@@ -302,9 +293,10 @@ export const withV1ApiWrapper = <TResult extends { response: Response }, TProps
     // === Handler Execution ===
     const { result, error } = await executeHandler(handler, req, props, auditLog, authentication);
     const res = result.response;
+    const reportedError = result.error ?? error;
 
     // === Response Processing & Logging ===
-    await processResponse(res, req, auditLog, error);
+    await processResponse(res, req, auditLog, reportedError);
 
     return res;
   };

apps/web/app/middleware/endpoint-validator.test.ts

@@ -90,6 +90,17 @@ describe("endpoint-validator", () => {
   });
 
   describe("isManagementApiRoute", () => {
+    test("should return Both for v3 surveys routes", () => {
+      expect(isManagementApiRoute("/api/v3/surveys")).toEqual({
+        isManagementApi: true,
+        authenticationMethod: AuthenticationMethod.Both,
+      });
+      expect(isManagementApiRoute("/api/v3/surveys/clxxxxxxxxxxxxxxxxxxxxxxxx")).toEqual({
+        isManagementApi: true,
+        authenticationMethod: AuthenticationMethod.Both,
+      });
+    });
+
     test("should return correct object for management API routes with API key authentication", () => {
       expect(isManagementApiRoute("/api/v1/management/something")).toEqual({
         isManagementApi: true,

apps/web/app/middleware/endpoint-validator.ts

@@ -22,6 +22,9 @@ export const isClientSideApiRoute = (url: string): { isClientSideApi: boolean; i
 export const isManagementApiRoute = (
   url: string
 ): { isManagementApi: boolean; authenticationMethod: AuthenticationMethod } => {
+  // V3 surveys: session cookie or x-api-key (same pattern as management storage)
+  if (/^\/api\/v3\/surveys(?:\/|$)/.test(url))
+    return { isManagementApi: true, authenticationMethod: AuthenticationMethod.Both };
   if (url.includes("/api/v1/management/storage"))
     return { isManagementApi: true, authenticationMethod: AuthenticationMethod.Both };
   if (url.includes("/api/v1/webhooks"))

apps/web/i18n.lock

@@ -140,6 +140,7 @@ checksums:
     common/connect: 8778ee245078a8be4a2ce855c8c56edc
     common/connect_formbricks: a9dd747575e7e035da69251366df6f95
     common/connected: aa0ceca574641de34c74b9e590664230
+    common/contact: 9afa39bc47019ee6dec6c74b6273967c
     common/contacts: d5b6c3f890b3904eaf5754081945c03d
     common/continue: 3cfba90b4600131e82fc4260c568d044
     common/copied: 29208e06d704c4fc4b8b534dc7acc4ef
@@ -147,6 +148,7 @@ checksums:
     common/copy: 627c00d2c850b9b45f7341a6ac01b6bb
     common/copy_code: 704c13d9bc01caad29a1cf3179baa111
     common/copy_link: 57a37acfe6d7ed71d00fbbc8079fbb35
+    common/copy_to_environment: c482d26b8fd4962af6542bbf49e49a32
     common/count_attributes: 48805e836a9b50f9635ad00fed953058
     common/count_contacts: 9f71d503455264f1eec1ae58894cf143
     common/count_members: 31ce64ca63fdf95e02ab5543b6e2f717
@@ -186,12 +188,12 @@ checksums:
     common/duplicate_copy_number: 083cfffd294672043dcbcc4c3dfeac6a
     common/e_commerce: b9584e7d0449a6d1b0c182d7ff14061e
     common/edit: eee7f39ff90b18852afc1671f21fbaa9
+    common/elements: 8cb054d952b341e5965284860d532bc7
     common/email: e7f34943a0c2fb849db1839ff6ef5cb5
     common/ending_card: 16d30d3a36472159da8c2dbd374dfe22
     common/enter_url: 468c2276d0f2cb971ff5a47a20fa4b97
     common/enterprise_license: e81bf506f47968870c7bd07245648a0d
     common/environment: 0844e8dc1485339c8de066dc0a9bb6a1
-    common/environment_not_found: 4d7610bdb55a8b5e6131bb5b08ce04c5
     common/environment_notice: 228a8668be1812e031f438d166861729
     common/error: 3c95bcb32c2104b99a46f5b3dd015248
     common/error_component_description: fa9eee04f864c3fe6e6681f716caa015
@@ -228,11 +230,13 @@ checksums:
     common/inactive_surveys: 324b8e1844739cdc2a3bc71aef143a76
     common/integration: 40d02f65c4356003e0e90ffb944907d2
     common/integrations: 0ccce343287704cd90150c32e2fcad36
-    common/invalid_date: 4c18c82f7317d4a02f8d5fef611e82b7
+    common/invalid_date_with_value: f7f9dbe99f25f1724367ee57572b52bf
     common/invalid_file_name: 8243c91b898110fb15ebb24aa6a7d313
     common/invalid_file_type: f0c83e7d61dbad8250abb59869af4b9e
     common/invite: 181884cea804cbde665f160811ee7ad0
     common/invite_them: d4b7aadbd3c924b04ad4fce419709f10
+    common/javascript_required: d7988e5934af4d0df54fda369c0e4fb6
+    common/javascript_required_description: 4b65f456db79af4898888a3dd034fe2f
     common/key: 3d1065ab98a1c2f1210507fd5c7bf515
     common/label: a5c71bf158481233f8215dbd38cc196b
     common/language: 277fd1a41cc237a437cd1d5e4a80463b
@@ -253,7 +257,9 @@ checksums:
     common/marketing: fcf0f06f8b64b458c7ca6d95541a3cc8
     common/members: 0932e80cba1e3e0a7f52bb67ff31da32
     common/members_and_teams: bf5c3fadcb9fc23533ec1532b805ac08
+    common/membership: 83c856bbc2af99d8c3d860959d1d2a85
     common/membership_not_found: 7ac63584af23396aace9992ad919ffd4
+    common/meta: 842eac888f134f3525f8ea613d933687
     common/metadata: 695d4f7da261ba76e3be4de495491028
     common/mobile_overlay_app_works_best_on_desktop: 4509f7bfbb4edbd42e534042d6cb7e72
     common/mobile_overlay_surveys_look_good: d85169e86077738b9837647bf6d1c7d2
@@ -267,6 +273,7 @@ checksums:
     common/new: 126d036fae5fb6b629728ecb97e6195b
     common/new_version_available: 399ddfc4232712e18ddab2587356b3dc
     common/next: 89ddbcf710eba274963494f312bdc8a9
+    common/no_actions_found: 4d92b789eb121fc76cd6868136dcbcd4
     common/no_background_image_found: 4108a781a9022c65671a826d4e299d5b
     common/no_code: f602144ab7d28a5b19a446bf74b4dcc4
     common/no_files_uploaded: c97be829e195a41b2f6b6717b87a232b
@@ -292,10 +299,9 @@ checksums:
     common/or: 7b133c38bec0d5ee23cc6bcf9a8de50b
     common/organization: 3dc8489af7e74121f65ce6d9677bc94d
     common/organization_id: ef09b71c84a25b5da02a23c77e68a335
-    common/organization_not_found: 4cb8c07ec2c599b6f48750e06ffa182b
     common/organization_settings: 11528aa89ae9935e55dcb54478058775
-    common/organization_teams_not_found: ce29fcb7a4e8b4582f92b65dea9b7d4e
     common/other: 79acaa6cd481262bea4e743a422529d2
+    common/other_filters: 20b09213c131db47eb8b23e72d0c4bea
     common/others: 39160224ce0e35eb4eb252c997edf4d8
     common/overlay_color: 4b72073285d13fff93d094aabffe05ac
     common/overview: 30c54e4dc4ce599b87d94be34a8617f5
@@ -312,6 +318,7 @@ checksums:
     common/please_select_at_least_one_survey: fb1cbeb670480115305e23444c347e50
     common/please_select_at_least_one_trigger: e88e64a1010a039745e80ed2e30951fe
     common/please_upgrade_your_plan: 03d54a21ecd27723c72a13644837e5ed
+    common/powered_by_formbricks: 1c3e19894583292bfaf686cac84a4960
     common/preview: 3173ee1f0f1d4e50665ca4a84c38e15d
     common/preview_survey: 7409e9c118e3e5d5f2a86201c2b354f2
     common/privacy: 7459744a63ef8af4e517a09024bd7c08
@@ -353,6 +360,7 @@ checksums:
     common/select: 5ac04c47a98deb85906bc02e0de91ab0
     common/select_all: eedc7cdb02de467c15dc418a066a77f2
     common/select_filter: c50082c3981f1161022f9787a19aed71
+    common/select_language: d75cf5fbce8a4c7a9055e2210af74480
     common/select_survey: bac52e59c7847417bef6fe7b7096b475
     common/select_teams: ae5d451929846ae6367562bc671a1af9
     common/selected: 9f09e059ba20c88ed34e2b4e8e032d56
@@ -365,7 +373,6 @@ checksums:
     common/show_response_count: 609e5dc7c074d57e711a728fa2f8eb79
     common/shown: 63e4ffb245c05e04b636446c3dbdd8df
     common/size: 227fadeeff951e041ff42031a11a4626
-    common/skip: b7f28dfa2f58b80b149bb82b392d0291
     common/skipped: d496f0f667e1b4364b954db71335d4ef
     common/skips: 99de7579122a3fa6ec5e2a47f3fd8b34
     common/some_files_failed_to_upload: a0e26efeb29ae905257ecf93b112dff0
@@ -385,7 +392,6 @@ checksums:
     common/survey_id: 08303e98b3d4134947256e494b0c829e
     common/survey_languages: 93e4a10ab190e6b1e1f7fe5f702df249
     common/survey_live: d1f370505c67509e7b2759952daba20d
-    common/survey_not_found: 0485ea98d13a414eeefc8f1118b9c293
     common/survey_paused: c770d174d6b57e8425a54906a09c8b39
     common/survey_type: 417fcfecf8eaedefc4f11172426811f9
     common/surveys: 33f68ad4111b32a6361beb9d5c184533
@@ -400,7 +406,6 @@ checksums:
     common/team_name: 549d949de4b9adad4afd6427a60a329e
     common/team_role: 66db395781aef64ef3791417b3b67c0b
     common/teams: b63448c05270497973ac4407047dae02
-    common/teams_not_found: 02f333a64a83c1c014d8900ec9666345
     common/text: 4ddccc1974775ed7357f9beaf9361cec
     common/time: b504a03d52e8001bfdc5cb6205364f42
     common/time_to_finish: c8f6abdb886bee3619bb50b08fada5fa
@@ -424,7 +429,6 @@ checksums:
     common/url: ca97457614226960d41dd18c3c29c86b
     common/user: 61073457a5c3901084b557d065f876be
     common/user_id: 37f5ba37f71cb50607af32a6a203b1d4
-    common/user_not_found: 5903581136ac6c1c1351a482a6d8fdf7
     common/variable: c13db5775ba9791b1522cc55c9c7acce
     common/variable_ids: 44bf93b70703b7699fa9f21bc6c8eed4
     common/variables: ffd3eec5497af36d7b4e4185bad1313a
@@ -439,15 +443,13 @@ checksums:
     common/website_survey: 17513d25a07b6361768a15ec622b021b
     common/weeks: 545de30df4f44d3f6d1d344af6a10815
     common/welcome_card: 76081ebd5b2e35da9b0f080323704ae7
-    common/workflows: b0c9c8615a9ba7d9cb73e767290a7f72
+    common/workspace: b63ef0e99ee6f7fef6cbe4971ca6cf0f
     common/workspace_configuration: d0a5812d6a97d7724d565b1017c34387
     common/workspace_created_successfully: bf401ae83da954f1db48724e2a8e40f1
     common/workspace_creation_description: aea2f480ba0c54c5cabac72c9c900ddf
     common/workspace_id: bafef925e1b57b52a69844fdf47aac3c
     common/workspace_name: 14c04a902a874ab5ddbe9cf369ef0414
     common/workspace_name_placeholder: 8a9e30ab01666af13c44a73b82c37ec1
-    common/workspace_not_found: 038fb0aaf3570610f4377b9eaed13752
-    common/workspace_permission_not_found: e94bdff8af51175c5767714f82bb4833
     common/workspaces: 8ba082a84aa35cf851af1cf874b853e2
     common/years: eb4f5fdd2b320bf13e200fd6a6c1abff
     common/you: db2a4a796b70cc1430d1b21f6ffb6dcb
@@ -623,7 +625,6 @@ checksums:
     environments/contacts/attributes_msg_new_attribute_created: 5cba6158c4305c05104814ec1479267c
     environments/contacts/attributes_msg_userid_already_exists: 9c695538befc152806c460f52a73821a
     environments/contacts/contact_deleted_successfully: c5b64a42a50e055f9e27ec49e20e03fa
-    environments/contacts/contact_not_found: 045396f0b13fafd43612a286263737c0
     environments/contacts/contacts_table_refresh: 6a959475991dd4ab28ad881bae569a09
     environments/contacts/contacts_table_refresh_success: 40951396e88e5c8fdafa0b3bb4fadca8
     environments/contacts/create_attribute: 87320615901f95b4f35ee83c290a3a6c
@@ -803,9 +804,16 @@ checksums:
     environments/integrations/webhooks/created_by_third_party: b40197eabbbce500b80b44268b8b1ee9
     environments/integrations/webhooks/discord_webhook_not_supported: 23432534f908b2ba63a517fb1f9bbe0e
     environments/integrations/webhooks/empty_webhook_message: 4c4d8709576a38cb8eb59866331d2405
+    environments/integrations/webhooks/endpoint_bad_gateway_error: 48ab17e9a77030b289ec22f497f50b63
+    environments/integrations/webhooks/endpoint_gateway_timeout_error: 5da45e2f6933927d1f8b0aaa9566e6a6
+    environments/integrations/webhooks/endpoint_internal_server_error: 6773fc34349febf95475cde88d8ee072
+    environments/integrations/webhooks/endpoint_method_not_allowed_error: 9963b503311393f4d7bffae9df46d422
+    environments/integrations/webhooks/endpoint_not_found_error: 607b75b7b7aa92ca81fe44e466f7c318
     environments/integrations/webhooks/endpoint_pinged: 3b1fce00e61d4b9d2bdca390649c58b6
     environments/integrations/webhooks/endpoint_pinged_error: 96c312fe8214757c4a934cdfbe177027
+    environments/integrations/webhooks/endpoint_service_unavailable_error: f9d4874c322f2963f5afaede354c9416
     environments/integrations/webhooks/learn_to_verify: 25b2a035e2109170b28f4e16db76ad39
+    environments/integrations/webhooks/no_triggers: 6b68cddfc45b3f7e20644a24a1bbea69
     environments/integrations/webhooks/please_check_console: 7b1787e82a0d762df02c011ebb1650ea
     environments/integrations/webhooks/please_enter_a_url: c24c74d0ce7ed3a6b858aadbc82108fe
     environments/integrations/webhooks/response_created: 8c43b1b6d748f6096f6f8d9232a3c469
@@ -1060,6 +1068,13 @@ checksums:
     environments/settings/enterprise/sso: 95e98e279bb89233d63549b202bd9112
     environments/settings/enterprise/teams: 21ab78abcba0f16c3029741563f789ea
     environments/settings/enterprise/unlock_the_full_power_of_formbricks_free_for_30_days: 104d07b63a42911c9673ceb08a4dbd43
+    environments/settings/general/ai_data_analysis_enabled: 45fabb594da6851f73fef50ca40fe525
+    environments/settings/general/ai_data_analysis_enabled_description: 46d4f0bdf4ebf89e78f79cc961a2de83
+    environments/settings/general/ai_enabled: 3cb1fce89c525e754448d5bd143eb6b5
+    environments/settings/general/ai_enabled_description: e8c3e9f362588898a6cea85e18c013a1
+    environments/settings/general/ai_settings_updated_successfully: 2a6f534dc3a246ced46becd8a4a9543d
+    environments/settings/general/ai_smart_tools_enabled: 1dda984f5262c5f9120ee9a409236758
+    environments/settings/general/ai_smart_tools_enabled_description: 1ceca6707746d3ab4a530712a06d91da
     environments/settings/general/bulk_invite_warning_description: e8737a2fbd5ff353db5580d17b4b5a37
     environments/settings/general/cannot_delete_only_organization: 833cc6848b28f2694a4552b4de91a6ba
     environments/settings/general/cannot_leave_only_organization: dd8463262e4299fef7ad73512225c55b
@@ -1340,7 +1355,6 @@ checksums:
     environments/surveys/edit/custom_hostname: bc2b1c8de3f9b8ef145b45aeba6ab429
     environments/surveys/edit/customize_survey_logo: 7f7e26026c88a727228f2d7a00d914e2
     environments/surveys/edit/darken_or_lighten_background_of_your_choice: 304a64a8050ebf501d195e948cd25b6f
-    environments/surveys/edit/date_format: e95dfc41ac944874868487457ddc057a
     environments/surveys/edit/days_before_showing_this_survey_again: 9ee757e5c3a07844b12ceb406dc65b04
     environments/surveys/edit/delete_anyways: cc8683ab625280eefc9776bd381dc2e8
     environments/surveys/edit/delete_block: c00617cb0724557e486304276063807a
@@ -1378,6 +1392,7 @@ checksums:
     environments/surveys/edit/error_saving_changes: b75aa9e4e42e1d43c8f9c33c2b7dc9a7
     environments/surveys/edit/even_after_they_submitted_a_response_e_g_feedback_box: 7b99f30397dcde76f65e1ab64bdbd113
     environments/surveys/edit/everyone: 2112aa71b568773e8e8a792c63f4d413
+    environments/surveys/edit/expand_preview: 6b694829e05432b9b54e7da53bc5be2f
     environments/surveys/edit/external_urls_paywall_tooltip: 427f29bbbec18ebf8b3ea8d0253ddd66
     environments/surveys/edit/fallback_missing: 43dbedbe1a178d455e5f80783a7b6722
     environments/surveys/edit/fieldId_is_used_in_logic_of_question_please_remove_it_from_logic_first: ad4afe2980e1dfeffb20aa78eb892350
@@ -1601,6 +1616,8 @@ checksums:
     environments/surveys/edit/response_limit_needs_to_exceed_number_of_received_responses: 9a9c223c0918ded716ddfaa84fbaa8d9
     environments/surveys/edit/response_limits_redirections_and_more: e4f1cf94e56ad0e1b08701158d688802
     environments/surveys/edit/response_options: 2988136d5248d7726583108992dcbaee
+    environments/surveys/edit/reverse_order_occasionally: 170fd50de940f382fa2e605228e4e088
+    environments/surveys/edit/reverse_order_occasionally_except_last: 1c833001b940f1419dd7534b199a0b4a
     environments/surveys/edit/roundness: 5a161c8f5f258defb57ed1d551737cc4
     environments/surveys/edit/roundness_description: 03940a6871ae43efa4810cba7cadb74b
     environments/surveys/edit/row_used_in_logic_error: f89453ff1b6db77ad84af840fedd9813
@@ -1629,6 +1646,7 @@ checksums:
     environments/surveys/edit/show_survey_maximum_of: 721ed61b01a9fc8ce4becb72823bb72e
     environments/surveys/edit/show_survey_to_users: d5e90fd17babfea978fce826e9df89b0
     environments/surveys/edit/show_to_x_percentage_of_targeted_users: b745169011fa7e8ca475baa5500c5197
+    environments/surveys/edit/shrink_preview: 42567389520b226f211f94f052197ad8
     environments/surveys/edit/simple: 65575bd903091299bc4a94b7517a6288
     environments/surveys/edit/six_points: c6c09b3f07171dc388cb5a610ea79af7
     environments/surveys/edit/smiley: e68e3b28fc3c04255e236c6a0feb662b
@@ -1649,6 +1667,7 @@ checksums:
     environments/surveys/edit/survey_completed_subheading: db537c356c3ab6564d24de0d11a0fee2
     environments/surveys/edit/survey_display_settings: 8ed19e6a8e1376f7a1ba037d82c4ae11
     environments/surveys/edit/survey_placement: 083c10f257337f9648bf9d435b18ec2c
+    environments/surveys/edit/survey_preview: 33644451073149383d3ace08be930739
     environments/surveys/edit/survey_styling: 7f96d6563e934e65687b74374a33b1dc
     environments/surveys/edit/survey_trigger: f0c7014a684ca566698b87074fad5579
     environments/surveys/edit/switch_multi_language_on_to_get_started: cca0ef91ee49095da30cd1e3f26c406f
@@ -2445,8 +2464,8 @@ checksums:
     templates/csat_question_1_headline: bd4894e95695ce5bc9fc5d326c79bc90
     templates/csat_question_1_lower_label: 54d464343c0bc17231fd51aa2d73623f
     templates/csat_question_1_upper_label: 9f000f63949d875ae628fc354a2a7f6a
-    templates/csat_question_2_choice_1: a0cf57bc571c95c43924a3c641d1355e
-    templates/csat_question_2_choice_2: a3a49eb9cc86972bce6dc41a107f472d
+    templates/csat_question_2_choice_1: 0cb1260dd25e94f56c2da7ab21b0e0ae
+    templates/csat_question_2_choice_2: f12ed9d98c7965ab949efcc25f8ca85e
     templates/csat_question_2_choice_3: a7c58d9b8afdaefadeb1f5fdf4d5ad3f
     templates/csat_question_2_choice_4: d09723c4bc1d85d99c2a9248ed0d4578
     templates/csat_question_2_choice_5: a89ca2602a3322e89adf17b3349e03ab
@@ -2917,7 +2936,7 @@ checksums:
     templates/preview_survey_question_2_choice_2_label: 1af148222f327f28cf0db6513de5989e
     templates/preview_survey_question_2_headline: 5cfb173d156555227fbc2c97ad921e72
     templates/preview_survey_question_2_subheader: 2e652d8acd68d072e5a0ae686c4011c0
-    templates/preview_survey_question_open_text_headline: a9509a47e0456ae98ec3ddac3d6fad2c
+    templates/preview_survey_question_open_text_headline: 573f1b04b79f672ad42ba5e54320a940
     templates/preview_survey_question_open_text_placeholder: 37ee9c84f3777b9220d4faec1e1c78ee
     templates/preview_survey_question_open_text_subheader: 3c7bf09f3f17b02bc2fbbbdb347a5830
     templates/preview_survey_welcome_card_headline: 8778dc41547a2778d0f9482da989fc00
@@ -3168,14 +3187,3 @@ checksums:
     templates/usability_question_9_headline: 5850229e97ae97698ce90b330ea49682
     templates/usability_rating_description: 8c4f3818fe830ae544611f816265f1a1
     templates/usability_score_name: 5cbf1172d24dfcb17d979dff6dfdf7e2
-    workflows/coming_soon_description: 1e0621d287924d84fb539afab7372b23
-    workflows/coming_soon_title: d79be80559c70c828cf20811d2ed5039
-    workflows/follow_up_label: 8cafe669370271035aeac8e8cab0f123
-    workflows/follow_up_placeholder: f680918bec28192282e229c3d4b5e80a
-    workflows/generate_button: b194b6172a49af8374a19dd2cf39cfdc
-    workflows/heading: a98a6b14d3e955f38cc16386df9a4111
-    workflows/placeholder: f5d943582bf25e8734930844e598457b
-    workflows/subheading: ebf5e3b3aeb85e13e843358cc5476f42
-    workflows/submit_button: 7a062f2de02ce60b1d73e510ff1ca094
-    workflows/thank_you_description: 7623c1ba4f059c8d9e68aae3360b20b1
-    workflows/thank_you_title: 07edd8c50685a52c0969d711df26d768

apps/web/instrumentation.ts

@@ -1,7 +1,19 @@
 import * as Sentry from "@sentry/nextjs";
+import { type Instrumentation } from "next";
+import { isExpectedError } from "@formbricks/types/errors";
 import { IS_PRODUCTION, PROMETHEUS_ENABLED, SENTRY_DSN } from "@/lib/constants";
 
-export const onRequestError = Sentry.captureRequestError;
+export const onRequestError: Instrumentation.onRequestError = (...args) => {
+  const [error] = args;
+
+  // Skip expected business-logic errors (AuthorizationError, ResourceNotFoundError, etc.)
+  // These are handled gracefully in the UI and don't need server-side Sentry reporting
+  if (error instanceof Error && isExpectedError(error)) {
+    return;
+  }
+
+  Sentry.captureRequestError(...args);
+};
 
 export const register = async () => {
   if (process.env.NEXT_RUNTIME === "nodejs") {

apps/web/lib/account/service.test.ts

@@ -0,0 +1,97 @@
+import { Prisma } from "@prisma/client";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { upsertAccount } from "./service";
+
+const { mockUpsert } = vi.hoisted(() => ({
+  mockUpsert: vi.fn(),
+}));
+
+vi.mock("@formbricks/database", () => ({
+  prisma: {
+    account: {
+      upsert: mockUpsert,
+    },
+  },
+}));
+
+describe("account service", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test("upsertAccount keeps user ownership immutable on update", async () => {
+    const accountData = {
+      userId: "user-1",
+      type: "oauth",
+      provider: "google",
+      providerAccountId: "provider-1",
+      access_token: "access-token",
+      refresh_token: "refresh-token",
+      expires_at: 123,
+      scope: "openid email",
+      token_type: "Bearer",
+      id_token: "id-token",
+    };
+
+    mockUpsert.mockResolvedValue({
+      id: "account-1",
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      ...accountData,
+    });
+
+    await upsertAccount(accountData);
+
+    expect(mockUpsert).toHaveBeenCalledWith({
+      where: {
+        provider_providerAccountId: {
+          provider: "google",
+          providerAccountId: "provider-1",
+        },
+      },
+      create: accountData,
+      update: {
+        access_token: "access-token",
+        refresh_token: "refresh-token",
+        expires_at: 123,
+        scope: "openid email",
+        token_type: "Bearer",
+        id_token: "id-token",
+      },
+    });
+  });
+
+  test("upsertAccount wraps Prisma known request errors", async () => {
+    const prismaError = Object.assign(Object.create(Prisma.PrismaClientKnownRequestError.prototype), {
+      message: "duplicate account",
+    });
+
+    mockUpsert.mockRejectedValue(prismaError);
+
+    await expect(
+      upsertAccount({
+        userId: "user-1",
+        type: "oauth",
+        provider: "google",
+        providerAccountId: "provider-1",
+      })
+    ).rejects.toMatchObject({
+      name: "DatabaseError",
+      message: "duplicate account",
+    });
+  });
+
+  test("upsertAccount rethrows non-Prisma errors", async () => {
+    const error = new Error("unexpected failure");
+    mockUpsert.mockRejectedValue(error);
+
+    await expect(
+      upsertAccount({
+        userId: "user-1",
+        type: "oauth",
+        provider: "google",
+        providerAccountId: "provider-1",
+      })
+    ).rejects.toThrow("unexpected failure");
+  });
+});

apps/web/lib/account/service.ts

@@ -20,3 +20,36 @@ export const createAccount = async (accountData: TAccountInput): Promise<TAccoun
     throw error;
   }
 };
+
+export const upsertAccount = async (accountData: TAccountInput): Promise<TAccount> => {
+  const [validatedAccountData] = validateInputs([accountData, ZAccountInput]);
+  const updateAccountData: Omit<TAccountInput, "userId" | "type" | "provider" | "providerAccountId"> = {
+    access_token: validatedAccountData.access_token,
+    refresh_token: validatedAccountData.refresh_token,
+    expires_at: validatedAccountData.expires_at,
+    scope: validatedAccountData.scope,
+    token_type: validatedAccountData.token_type,
+    id_token: validatedAccountData.id_token,
+  };
+
+  try {
+    const account = await prisma.account.upsert({
+      where: {
+        provider_providerAccountId: {
+          provider: validatedAccountData.provider,
+          providerAccountId: validatedAccountData.providerAccountId,
+        },
+      },
+      create: validatedAccountData,
+      update: updateAccountData,
+    });
+
+    return account;
+  } catch (error) {
+    if (error instanceof Prisma.PrismaClientKnownRequestError) {
+      throw new DatabaseError(error.message);
+    }
+
+    throw error;
+  }
+};

apps/web/lib/ai/service.test.ts

@@ -0,0 +1,184 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
+import {
+  assertOrganizationAIConfigured,
+  generateOrganizationAIText,
+  getOrganizationAIConfig,
+  isInstanceAIConfigured,
+} from "./service";
+
+const mocks = vi.hoisted(() => ({
+  generateText: vi.fn(),
+  isAiConfigured: vi.fn(),
+  getOrganization: vi.fn(),
+  getIsAIDataAnalysisEnabled: vi.fn(),
+  getIsAISmartToolsEnabled: vi.fn(),
+  getTranslate: vi.fn(),
+  loggerError: vi.fn(),
+}));
+
+vi.mock("server-only", () => ({}));
+
+vi.mock("@formbricks/ai", () => ({
+  AIConfigurationError: class AIConfigurationError extends Error {
+    code: string;
+
+    constructor(code: string, message: string) {
+      super(message);
+      this.code = code;
+    }
+  },
+  generateText: mocks.generateText,
+  isAiConfigured: mocks.isAiConfigured,
+}));
+
+vi.mock("@formbricks/logger", () => ({
+  logger: {
+    error: mocks.loggerError,
+  },
+}));
+
+vi.mock("@/lib/env", () => ({
+  env: {
+    AI_PROVIDER: "gcp",
+    AI_MODEL: "gemini-2.5-flash",
+    AI_GCP_PROJECT: "vertex-project",
+    AI_GCP_LOCATION: "us-central1",
+    AI_GCP_CREDENTIALS_JSON: undefined,
+    AI_GCP_APPLICATION_CREDENTIALS: "/tmp/vertex.json",
+    AI_AWS_REGION: "us-east-1",
+    AI_AWS_ACCESS_KEY_ID: "aws-access-key-id",
+    AI_AWS_SECRET_ACCESS_KEY: "aws-secret-access-key",
+    AI_AWS_SESSION_TOKEN: undefined,
+    AI_AZURE_BASE_URL: "https://example-resource.openai.azure.com/openai",
+    AI_AZURE_RESOURCE_NAME: undefined,
+    AI_AZURE_API_KEY: "azure-api-key",
+    AI_AZURE_API_VERSION: "v1",
+  },
+}));
+
+vi.mock("@/lib/organization/service", () => ({
+  getOrganization: mocks.getOrganization,
+}));
+
+vi.mock("@/modules/ee/license-check/lib/utils", () => ({
+  getIsAIDataAnalysisEnabled: mocks.getIsAIDataAnalysisEnabled,
+  getIsAISmartToolsEnabled: mocks.getIsAISmartToolsEnabled,
+}));
+
+vi.mock("@/lingodotdev/server", () => ({
+  getTranslate: mocks.getTranslate,
+}));
+
+describe("AI organization service", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+
+    mocks.isAiConfigured.mockReturnValue(true);
+    mocks.getOrganization.mockResolvedValue({
+      id: "org_1",
+      isAISmartToolsEnabled: true,
+      isAIDataAnalysisEnabled: false,
+    });
+    mocks.getIsAISmartToolsEnabled.mockResolvedValue(true);
+    mocks.getIsAIDataAnalysisEnabled.mockResolvedValue(true);
+    mocks.getTranslate.mockResolvedValue((key: string, values?: Record<string, string>) =>
+      values ? `${key}:${JSON.stringify(values)}` : key
+    );
+  });
+
+  test("returns the instance AI status and organization settings", async () => {
+    const configured = isInstanceAIConfigured();
+    const result = await getOrganizationAIConfig("org_1");
+
+    expect(configured).toBe(true);
+    expect(result).toMatchObject({
+      organizationId: "org_1",
+      isAISmartToolsEnabled: true,
+      isAIDataAnalysisEnabled: false,
+      isAISmartToolsEntitled: true,
+      isAIDataAnalysisEntitled: true,
+      isInstanceConfigured: true,
+    });
+  });
+
+  test("throws when the organization cannot be found", async () => {
+    mocks.getOrganization.mockResolvedValueOnce(null);
+
+    await expect(getOrganizationAIConfig("org_missing")).rejects.toThrow(ResourceNotFoundError);
+  });
+
+  test("fails closed when the organization is not entitled to AI", async () => {
+    mocks.getIsAISmartToolsEnabled.mockResolvedValueOnce(false);
+
+    await expect(assertOrganizationAIConfigured("org_1", "smartTools")).rejects.toThrow(
+      OperationNotAllowedError
+    );
+  });
+
+  test("fails closed when the requested AI capability is disabled", async () => {
+    mocks.getOrganization.mockResolvedValueOnce({
+      id: "org_1",
+      isAISmartToolsEnabled: false,
+      isAIDataAnalysisEnabled: true,
+    });
+
+    await expect(assertOrganizationAIConfigured("org_1", "smartTools")).rejects.toThrow(
+      OperationNotAllowedError
+    );
+  });
+
+  test("fails closed when the instance AI configuration is incomplete", async () => {
+    mocks.isAiConfigured.mockReturnValueOnce(false);
+
+    await expect(assertOrganizationAIConfigured("org_1", "smartTools")).rejects.toThrow(
+      OperationNotAllowedError
+    );
+  });
+
+  test("generates organization AI text with the configured package abstraction", async () => {
+    const generatedText = { text: "Translated text" };
+    mocks.generateText.mockResolvedValueOnce(generatedText);
+
+    const result = await generateOrganizationAIText({
+      organizationId: "org_1",
+      capability: "smartTools",
+      prompt: "Translate this survey",
+    });
+
+    expect(result).toBe(generatedText);
+    expect(mocks.generateText).toHaveBeenCalledWith(
+      {
+        prompt: "Translate this survey",
+      },
+      expect.objectContaining({
+        AI_PROVIDER: "gcp",
+        AI_MODEL: "gemini-2.5-flash",
+        AI_GCP_PROJECT: "vertex-project",
+      })
+    );
+  });
+
+  test("logs and rethrows generation errors", async () => {
+    const modelError = new Error("provider boom");
+    mocks.generateText.mockRejectedValueOnce(modelError);
+
+    await expect(
+      generateOrganizationAIText({
+        organizationId: "org_1",
+        capability: "smartTools",
+        prompt: "Translate this survey",
+      })
+    ).rejects.toThrow(modelError);
+    expect(mocks.loggerError).toHaveBeenCalledWith(
+      {
+        organizationId: "org_1",
+        capability: "smartTools",
+        isInstanceConfigured: true,
+        errorCode: undefined,
+        err: modelError,
+      },
+      "Failed to generate organization AI text"
+    );
+  });
+});

apps/web/lib/ai/service.ts

@@ -0,0 +1,104 @@
+import "server-only";
+import { AIConfigurationError, generateText, isAiConfigured } from "@formbricks/ai";
+import { logger } from "@formbricks/logger";
+import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
+import { env } from "@/lib/env";
+import { getOrganization } from "@/lib/organization/service";
+import { getTranslate } from "@/lingodotdev/server";
+import { getIsAIDataAnalysisEnabled, getIsAISmartToolsEnabled } from "@/modules/ee/license-check/lib/utils";
+
+export interface TOrganizationAIConfig {
+  organizationId: string;
+  isAISmartToolsEnabled: boolean;
+  isAIDataAnalysisEnabled: boolean;
+  isAISmartToolsEntitled: boolean;
+  isAIDataAnalysisEntitled: boolean;
+  isInstanceConfigured: boolean;
+}
+
+export const isInstanceAIConfigured = (): boolean => isAiConfigured(env);
+
+export const getOrganizationAIConfig = async (organizationId: string): Promise<TOrganizationAIConfig> => {
+  const organization = await getOrganization(organizationId);
+
+  if (!organization) {
+    throw new ResourceNotFoundError("Organization", organizationId);
+  }
+
+  const [isAISmartToolsEntitled, isAIDataAnalysisEntitled] = await Promise.all([
+    getIsAISmartToolsEnabled(organizationId),
+    getIsAIDataAnalysisEnabled(organizationId),
+  ]);
+
+  return {
+    organizationId,
+    isAISmartToolsEnabled: organization.isAISmartToolsEnabled,
+    isAIDataAnalysisEnabled: organization.isAIDataAnalysisEnabled,
+    isAISmartToolsEntitled,
+    isAIDataAnalysisEntitled,
+    isInstanceConfigured: isInstanceAIConfigured(),
+  };
+};
+
+export const assertOrganizationAIConfigured = async (
+  organizationId: string,
+  capability: "smartTools" | "dataAnalysis"
+): Promise<TOrganizationAIConfig> => {
+  const t = await getTranslate();
+  const aiConfig = await getOrganizationAIConfig(organizationId);
+  const isCapabilityEntitled =
+    capability === "smartTools" ? aiConfig.isAISmartToolsEntitled : aiConfig.isAIDataAnalysisEntitled;
+
+  if (!isCapabilityEntitled) {
+    throw new OperationNotAllowedError(
+      t("environments.settings.general.ai_features_not_enabled_for_organization")
+    );
+  }
+
+  if (capability === "smartTools" && !aiConfig.isAISmartToolsEnabled) {
+    throw new OperationNotAllowedError(
+      t("environments.settings.general.ai_smart_tools_disabled_for_organization")
+    );
+  }
+
+  if (capability === "dataAnalysis" && !aiConfig.isAIDataAnalysisEnabled) {
+    throw new OperationNotAllowedError(
+      t("environments.settings.general.ai_data_analysis_disabled_for_organization")
+    );
+  }
+
+  if (!aiConfig.isInstanceConfigured) {
+    throw new OperationNotAllowedError(t("environments.settings.general.ai_instance_not_configured"));
+  }
+
+  return aiConfig;
+};
+
+type TGenerateOrganizationAITextInput = {
+  organizationId: string;
+  capability: "smartTools" | "dataAnalysis";
+} & Parameters<typeof generateText>[0];
+
+export const generateOrganizationAIText = async ({
+  organizationId,
+  capability,
+  ...options
+}: TGenerateOrganizationAITextInput): Promise<Awaited<ReturnType<typeof generateText>>> => {
+  const aiConfig = await assertOrganizationAIConfigured(organizationId, capability);
+
+  try {
+    return await generateText(options, env);
+  } catch (error) {
+    logger.error(
+      {
+        organizationId,
+        capability,
+        isInstanceConfigured: aiConfig.isInstanceConfigured,
+        errorCode: error instanceof AIConfigurationError ? error.code : undefined,
+        err: error,
+      },
+      "Failed to generate organization AI text"
+    );
+    throw error;
+  }
+};

apps/web/lib/ai/utils.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, test } from "vitest";
+import { getDisplayedOrganizationAISettingValue, getOrganizationAIEnablementState } from "./utils";
+
+describe("getOrganizationAIEnablementState", () => {
+  test("blocks enabling when instance AI is not configured", () => {
+    expect(
+      getOrganizationAIEnablementState({
+        isInstanceConfigured: false,
+      })
+    ).toMatchObject({
+      canEnableFeatures: false,
+      blockReason: "instanceNotConfigured",
+    });
+  });
+
+  test("allows enabling when instance AI is configured", () => {
+    expect(
+      getOrganizationAIEnablementState({
+        isInstanceConfigured: true,
+      })
+    ).toMatchObject({
+      canEnableFeatures: true,
+    });
+  });
+});
+
+describe("getDisplayedOrganizationAISettingValue", () => {
+  test("renders enabled settings as off when instance AI is not configured", () => {
+    expect(
+      getDisplayedOrganizationAISettingValue({
+        currentValue: true,
+        isInstanceConfigured: false,
+      })
+    ).toBe(false);
+  });
+
+  test("renders the stored setting value when instance AI is configured", () => {
+    expect(
+      getDisplayedOrganizationAISettingValue({
+        currentValue: true,
+        isInstanceConfigured: true,
+      })
+    ).toBe(true);
+  });
+
+  test("renders false when the stored setting is false and instance AI is configured", () => {
+    expect(
+      getDisplayedOrganizationAISettingValue({
+        currentValue: false,
+        isInstanceConfigured: true,
+      })
+    ).toBe(false);
+  });
+});

apps/web/lib/ai/utils.ts

@@ -0,0 +1,31 @@
+export type TAIEnablementBlockReason = "instanceNotConfigured";
+
+interface TOrganizationAIEnablementState {
+  canEnableFeatures: boolean;
+  blockReason?: TAIEnablementBlockReason;
+}
+
+export const getDisplayedOrganizationAISettingValue = ({
+  currentValue,
+  isInstanceConfigured,
+}: {
+  currentValue: boolean;
+  isInstanceConfigured: boolean;
+}): boolean => isInstanceConfigured && currentValue;
+
+export const getOrganizationAIEnablementState = ({
+  isInstanceConfigured,
+}: {
+  isInstanceConfigured: boolean;
+}): TOrganizationAIEnablementState => {
+  if (!isInstanceConfigured) {
+    return {
+      canEnableFeatures: false,
+      blockReason: "instanceNotConfigured",
+    };
+  }
+
+  return {
+    canEnableFeatures: true,
+  };
+};

apps/web/lib/constants.ts

@@ -26,7 +26,10 @@ export const TERMS_URL = env.TERMS_URL;
 export const IMPRINT_URL = env.IMPRINT_URL;
 export const IMPRINT_ADDRESS = env.IMPRINT_ADDRESS;
 
+export const DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS = env.DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS === "1";
+export const DEBUG_SHOW_RESET_LINK = !IS_PRODUCTION && env.DEBUG_SHOW_RESET_LINK === "1";
 export const PASSWORD_RESET_DISABLED = env.PASSWORD_RESET_DISABLED === "1";
+export const PASSWORD_RESET_TOKEN_LIFETIME_MINUTES = env.PASSWORD_RESET_TOKEN_LIFETIME_MINUTES;
 export const EMAIL_VERIFICATION_DISABLED = env.EMAIL_VERIFICATION_DISABLED === "1";
 
 export const GOOGLE_OAUTH_ENABLED = !!(env.GOOGLE_CLIENT_ID && env.GOOGLE_CLIENT_SECRET);
@@ -152,6 +155,7 @@ export const ENTERPRISE_LICENSE_KEY = env.ENTERPRISE_LICENSE_KEY;
 
 export const REDIS_URL = env.REDIS_URL;
 export const RATE_LIMITING_DISABLED = env.RATE_LIMITING_DISABLED === "1";
+export const TELEMETRY_DISABLED = env.TELEMETRY_DISABLED === "1";
 
 export const BREVO_API_KEY = env.BREVO_API_KEY;
 export const BREVO_LIST_ID = env.BREVO_LIST_ID;

apps/web/lib/env.test.ts

@@ -0,0 +1,77 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from "vitest";
+
+const ORIGINAL_ENV = process.env;
+
+const setTestEnv = (overrides: Record<string, string | undefined> = {}) => {
+  process.env = {
+    ...ORIGINAL_ENV,
+    NODE_ENV: "test",
+    DATABASE_URL: "https://example.com/db",
+    ENCRYPTION_KEY: "12345678901234567890123456789012",
+    ...overrides,
+  };
+};
+
+describe("env", () => {
+  beforeEach(() => {
+    vi.resetModules();
+  });
+
+  afterEach(() => {
+    process.env = ORIGINAL_ENV;
+  });
+
+  test("uses the default password reset token lifetime when env var is not set", async () => {
+    setTestEnv({
+      PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: undefined,
+    });
+
+    const { env } = await import("./env");
+
+    expect(env.PASSWORD_RESET_TOKEN_LIFETIME_MINUTES).toBe(30);
+  });
+
+  test("uses the configured password reset token lifetime", async () => {
+    setTestEnv({
+      PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: "45",
+    });
+
+    const { env } = await import("./env");
+
+    expect(env.PASSWORD_RESET_TOKEN_LIFETIME_MINUTES).toBe(45);
+  });
+
+  test("fails to load when the password reset token lifetime is not an integer", async () => {
+    setTestEnv({
+      PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: "30minutes",
+    });
+
+    await expect(import("./env")).rejects.toThrow("Invalid environment variables");
+  });
+
+  test("fails to load when the password reset token lifetime is out of range", async () => {
+    setTestEnv({
+      PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: "121",
+    });
+
+    await expect(import("./env")).rejects.toThrow("Invalid environment variables");
+  });
+
+  test("allows enabling DEBUG_SHOW_RESET_LINK", async () => {
+    setTestEnv({
+      DEBUG_SHOW_RESET_LINK: "1",
+    });
+
+    const { env } = await import("./env");
+
+    expect(env.DEBUG_SHOW_RESET_LINK).toBe("1");
+  });
+
+  test("fails to load when DEBUG_SHOW_RESET_LINK is invalid", async () => {
+    setTestEnv({
+      DEBUG_SHOW_RESET_LINK: "true",
+    });
+
+    await expect(import("./env")).rejects.toThrow("Invalid environment variables");
+  });
+});

apps/web/lib/env.ts

@@ -1,12 +1,120 @@
 import { createEnv } from "@t3-oss/env-nextjs";
 import { z } from "zod";
+import { AI_PROVIDERS } from "@formbricks/types/ai";
 
-export const env = createEnv({
+const ZActiveAIProvider = z.enum(AI_PROVIDERS);
+const ZAIConfigurationEnv = z.object({
+  AI_PROVIDER: ZActiveAIProvider.optional(),
+  AI_MODEL: z.string().optional(),
+  AI_GCP_PROJECT: z.string().optional(),
+  AI_GCP_LOCATION: z.string().optional(),
+  AI_GCP_CREDENTIALS_JSON: z.string().optional(),
+  AI_GCP_APPLICATION_CREDENTIALS: z.string().optional(),
+  AI_AWS_REGION: z.string().optional(),
+  AI_AWS_ACCESS_KEY_ID: z.string().optional(),
+  AI_AWS_SECRET_ACCESS_KEY: z.string().optional(),
+  AI_AZURE_API_KEY: z.string().optional(),
+  AI_AZURE_BASE_URL: z.url().optional(),
+  AI_AZURE_RESOURCE_NAME: z.string().optional(),
+});
+
+type TAIConfigurationEnv = z.infer<typeof ZAIConfigurationEnv>;
+
+const addEnvIssue = (ctx: z.RefinementCtx, path: keyof TAIConfigurationEnv, message: string): void => {
+  ctx.addIssue({
+    code: "custom",
+    path: [path],
+    message,
+  });
+};
+
+const validateActiveAIModel = (values: TAIConfigurationEnv, ctx: z.RefinementCtx): void => {
+  if (values.AI_PROVIDER && !values.AI_MODEL) {
+    addEnvIssue(ctx, "AI_MODEL", "AI_MODEL is required when AI_PROVIDER is set");
+  }
+};
+
+const validateAwsAIConfiguration = (values: TAIConfigurationEnv, ctx: z.RefinementCtx): void => {
+  if (!values.AI_AWS_REGION) {
+    addEnvIssue(ctx, "AI_AWS_REGION", "AI_AWS_REGION is required when AI_PROVIDER=aws");
+  }
+
+  if (!values.AI_AWS_ACCESS_KEY_ID) {
+    addEnvIssue(ctx, "AI_AWS_ACCESS_KEY_ID", "AI_AWS_ACCESS_KEY_ID is required when AI_PROVIDER=aws");
+  }
+
+  if (!values.AI_AWS_SECRET_ACCESS_KEY) {
+    addEnvIssue(ctx, "AI_AWS_SECRET_ACCESS_KEY", "AI_AWS_SECRET_ACCESS_KEY is required when AI_PROVIDER=aws");
+  }
+};
+
+const validateGcpAIConfiguration = (values: TAIConfigurationEnv, ctx: z.RefinementCtx): void => {
+  if (!values.AI_GCP_PROJECT) {
+    addEnvIssue(ctx, "AI_GCP_PROJECT", "AI_GCP_PROJECT is required when AI_PROVIDER=gcp");
+  }
+
+  if (!values.AI_GCP_LOCATION) {
+    addEnvIssue(ctx, "AI_GCP_LOCATION", "AI_GCP_LOCATION is required when AI_PROVIDER=gcp");
+  }
+
+  if (!values.AI_GCP_CREDENTIALS_JSON && !values.AI_GCP_APPLICATION_CREDENTIALS) {
+    addEnvIssue(
+      ctx,
+      "AI_GCP_CREDENTIALS_JSON",
+      "AI_GCP_CREDENTIALS_JSON or AI_GCP_APPLICATION_CREDENTIALS is required when AI_PROVIDER=gcp"
+    );
+  }
+
+  if (values.AI_GCP_CREDENTIALS_JSON) {
+    try {
+      JSON.parse(values.AI_GCP_CREDENTIALS_JSON);
+    } catch {
+      addEnvIssue(ctx, "AI_GCP_CREDENTIALS_JSON", "AI_GCP_CREDENTIALS_JSON must be valid JSON");
+    }
+  }
+};
+
+const validateAzureAIConfiguration = (values: TAIConfigurationEnv, ctx: z.RefinementCtx): void => {
+  if (!values.AI_AZURE_API_KEY) {
+    addEnvIssue(ctx, "AI_AZURE_API_KEY", "AI_AZURE_API_KEY is required when AI_PROVIDER=azure");
+  }
+
+  if (!values.AI_AZURE_BASE_URL && !values.AI_AZURE_RESOURCE_NAME) {
+    addEnvIssue(
+      ctx,
+      "AI_AZURE_BASE_URL",
+      "AI_AZURE_BASE_URL or AI_AZURE_RESOURCE_NAME is required when AI_PROVIDER=azure"
+    );
+  }
+};
+
+const validateActiveAIProviderConfiguration = (values: TAIConfigurationEnv, ctx: z.RefinementCtx): void => {
+  validateActiveAIModel(values, ctx);
+
+  if (!values.AI_PROVIDER) {
+    return;
+  }
+
+  const providerValidators: Record<
+    z.infer<typeof ZActiveAIProvider>,
+    (values: TAIConfigurationEnv, ctx: z.RefinementCtx) => void
+  > = {
+    aws: validateAwsAIConfiguration,
+    gcp: validateGcpAIConfiguration,
+    azure: validateAzureAIConfiguration,
+  };
+
+  providerValidators[values.AI_PROVIDER](values, ctx);
+};
+
+const parsedEnv = createEnv({
   /*
    * Serverside Environment variables, not available on the client.
    * Will throw if you access these variables on the client.
    */
   server: {
+    AI_PROVIDER: ZActiveAIProvider.optional(),
+    AI_MODEL: z.string().optional(),
     AIRTABLE_CLIENT_ID: z.string().optional(),
     AZUREAD_CLIENT_ID: z.string().optional(),
     AZUREAD_CLIENT_SECRET: z.string().optional(),
@@ -15,7 +123,9 @@ export const env = createEnv({
     BREVO_API_KEY: z.string().optional(),
     BREVO_LIST_ID: z.string().optional(),
     DATABASE_URL: z.url(),
+    DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: z.enum(["1", "0"]).optional(),
     DEBUG: z.enum(["1", "0"]).optional(),
+    DEBUG_SHOW_RESET_LINK: z.enum(["1", "0"]).optional(),
     AUTH_DEFAULT_TEAM_ID: z.string().optional(),
     AUTH_SKIP_INVITE_FOR_SSO: z.enum(["1", "0"]).optional(),
     E2E_TESTING: z.enum(["1", "0"]).optional(),
@@ -28,9 +138,21 @@ export const env = createEnv({
     GITHUB_SECRET: z.string().optional(),
     GOOGLE_CLIENT_ID: z.string().optional(),
     GOOGLE_CLIENT_SECRET: z.string().optional(),
+    AI_GCP_PROJECT: z.string().optional(),
+    AI_GCP_LOCATION: z.string().optional(),
+    AI_GCP_CREDENTIALS_JSON: z.string().optional(),
+    AI_GCP_APPLICATION_CREDENTIALS: z.string().optional(),
     GOOGLE_SHEETS_CLIENT_ID: z.string().optional(),
     GOOGLE_SHEETS_CLIENT_SECRET: z.string().optional(),
     GOOGLE_SHEETS_REDIRECT_URL: z.string().optional(),
+    AI_AWS_REGION: z.string().optional(),
+    AI_AWS_ACCESS_KEY_ID: z.string().optional(),
+    AI_AWS_SECRET_ACCESS_KEY: z.string().optional(),
+    AI_AWS_SESSION_TOKEN: z.string().optional(),
+    AI_AZURE_BASE_URL: z.url().optional(),
+    AI_AZURE_API_KEY: z.string().optional(),
+    AI_AZURE_API_VERSION: z.string().optional(),
+    AI_AZURE_RESOURCE_NAME: z.string().optional(),
     HTTP_PROXY: z.url().optional(),
     HTTPS_PROXY: z.url().optional(),
     IMPRINT_URL: z
@@ -60,11 +182,13 @@ export const env = createEnv({
         ? z.string().optional()
         : z.url("REDIS_URL is required for caching, rate limiting, and audit logging"),
     PASSWORD_RESET_DISABLED: z.enum(["1", "0"]).optional(),
+    PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: z.coerce.number().int().min(5).max(120).optional().default(30),
     PRIVACY_URL: z
       .url()
       .optional()
       .or(z.string().refine((str) => str === "")),
     RATE_LIMITING_DISABLED: z.enum(["1", "0"]).optional(),
+    TELEMETRY_DISABLED: z.enum(["1", "0"]).optional(),
     S3_ACCESS_KEY: z.string().optional(),
     S3_BUCKET_NAME: z.string().optional(),
     S3_REGION: z.string().optional(),
@@ -121,7 +245,7 @@ export const env = createEnv({
     AUDIT_LOG_GET_USER_IP: z.enum(["1", "0"]).optional(),
     SESSION_MAX_AGE: z
       .string()
-      .transform((val) => parseInt(val))
+      .transform((val) => Number.parseInt(val, 10))
       .optional(),
     SENTRY_ENVIRONMENT: z.string().optional(),
   },
@@ -133,6 +257,8 @@ export const env = createEnv({
    * 💡 You'll get type errors if not all variables from `server` & `client` are included here.
    */
   runtimeEnv: {
+    AI_PROVIDER: process.env.AI_PROVIDER,
+    AI_MODEL: process.env.AI_MODEL,
     AIRTABLE_CLIENT_ID: process.env.AIRTABLE_CLIENT_ID,
     AZUREAD_CLIENT_ID: process.env.AZUREAD_CLIENT_ID,
     AZUREAD_CLIENT_SECRET: process.env.AZUREAD_CLIENT_SECRET,
@@ -141,7 +267,9 @@ export const env = createEnv({
     BREVO_LIST_ID: process.env.BREVO_LIST_ID,
     CRON_SECRET: process.env.CRON_SECRET,
     DATABASE_URL: process.env.DATABASE_URL,
+    DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS: process.env.DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS,
     DEBUG: process.env.DEBUG,
+    DEBUG_SHOW_RESET_LINK: process.env.DEBUG_SHOW_RESET_LINK,
     AUTH_DEFAULT_TEAM_ID: process.env.AUTH_SSO_DEFAULT_TEAM_ID,
     AUTH_SKIP_INVITE_FOR_SSO: process.env.AUTH_SKIP_INVITE_FOR_SSO,
     E2E_TESTING: process.env.E2E_TESTING,
@@ -154,9 +282,21 @@ export const env = createEnv({
     GITHUB_SECRET: process.env.GITHUB_SECRET,
     GOOGLE_CLIENT_ID: process.env.GOOGLE_CLIENT_ID,
     GOOGLE_CLIENT_SECRET: process.env.GOOGLE_CLIENT_SECRET,
+    AI_GCP_PROJECT: process.env.AI_GCP_PROJECT,
+    AI_GCP_LOCATION: process.env.AI_GCP_LOCATION,
+    AI_GCP_CREDENTIALS_JSON: process.env.AI_GCP_CREDENTIALS_JSON,
+    AI_GCP_APPLICATION_CREDENTIALS: process.env.AI_GCP_APPLICATION_CREDENTIALS,
     GOOGLE_SHEETS_CLIENT_ID: process.env.GOOGLE_SHEETS_CLIENT_ID,
     GOOGLE_SHEETS_CLIENT_SECRET: process.env.GOOGLE_SHEETS_CLIENT_SECRET,
     GOOGLE_SHEETS_REDIRECT_URL: process.env.GOOGLE_SHEETS_REDIRECT_URL,
+    AI_AWS_REGION: process.env.AI_AWS_REGION,
+    AI_AWS_ACCESS_KEY_ID: process.env.AI_AWS_ACCESS_KEY_ID,
+    AI_AWS_SECRET_ACCESS_KEY: process.env.AI_AWS_SECRET_ACCESS_KEY,
+    AI_AWS_SESSION_TOKEN: process.env.AI_AWS_SESSION_TOKEN,
+    AI_AZURE_BASE_URL: process.env.AI_AZURE_BASE_URL,
+    AI_AZURE_API_KEY: process.env.AI_AZURE_API_KEY,
+    AI_AZURE_API_VERSION: process.env.AI_AZURE_API_VERSION,
+    AI_AZURE_RESOURCE_NAME: process.env.AI_AZURE_RESOURCE_NAME,
     HTTP_PROXY: process.env.HTTP_PROXY,
     HTTPS_PROXY: process.env.HTTPS_PROXY,
     IMPRINT_URL: process.env.IMPRINT_URL,
@@ -181,8 +321,10 @@ export const env = createEnv({
     OIDC_SIGNING_ALGORITHM: process.env.OIDC_SIGNING_ALGORITHM,
     REDIS_URL: process.env.REDIS_URL,
     PASSWORD_RESET_DISABLED: process.env.PASSWORD_RESET_DISABLED,
+    PASSWORD_RESET_TOKEN_LIFETIME_MINUTES: process.env.PASSWORD_RESET_TOKEN_LIFETIME_MINUTES,
     PRIVACY_URL: process.env.PRIVACY_URL,
     RATE_LIMITING_DISABLED: process.env.RATE_LIMITING_DISABLED,
+    TELEMETRY_DISABLED: process.env.TELEMETRY_DISABLED,
     S3_ACCESS_KEY: process.env.S3_ACCESS_KEY,
     S3_BUCKET_NAME: process.env.S3_BUCKET_NAME,
     S3_REGION: process.env.S3_REGION,
@@ -221,3 +363,7 @@ export const env = createEnv({
     SENTRY_ENVIRONMENT: process.env.SENTRY_ENVIRONMENT,
   },
 });
+
+export const env = ZAIConfigurationEnv.superRefine(validateActiveAIProviderConfiguration)
+  .transform(() => parsedEnv)
+  .parse(parsedEnv);