simstudioai
diff --git a/‎.claude/rules/sim-testing.md‎
Lines changed: 1 addition & 1 deletion b/‎.claude/rules/sim-testing.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.cursor/rules/sim-testing.mdc‎
Lines changed: 1 addition & 1 deletion b/‎.cursor/rules/sim-testing.mdc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-build.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/test-build.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 34 additions & 11 deletions b/‎AGENTS.md‎
Lines changed: 34 additions & 11 deletions
diff --git a/‎apps/realtime/package.json‎
Lines changed: 48 additions & 0 deletions b/‎apps/realtime/package.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎apps/realtime/src/auth.ts‎
Lines changed: 17 additions & 0 deletions b/‎apps/realtime/src/auth.ts‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎apps/sim/socket/config/socket.ts‎ ‎apps/realtime/src/config/socket.ts‎apps/sim/socket/config/socket.ts renamed to apps/realtime/src/config/socket.ts
Lines changed: 1 addition & 3 deletions b/‎apps/sim/socket/config/socket.ts‎ ‎apps/realtime/src/config/socket.ts‎apps/sim/socket/config/socket.ts renamed to apps/realtime/src/config/socket.ts
Lines changed: 1 addition & 3 deletions
diff --git a/‎apps/sim/socket/database/operations.ts‎ ‎apps/realtime/src/database/operations.ts‎apps/sim/socket/database/operations.ts renamed to apps/realtime/src/database/operations.ts
Lines changed: 15 additions & 36 deletions b/‎apps/sim/socket/database/operations.ts‎ ‎apps/realtime/src/database/operations.ts‎apps/sim/socket/database/operations.ts renamed to apps/realtime/src/database/operations.ts
Lines changed: 15 additions & 36 deletions
diff --git a/‎apps/realtime/src/env.ts‎
Lines changed: 52 additions & 0 deletions b/‎apps/realtime/src/env.ts‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎apps/sim/socket/handlers/connection.ts‎ ‎apps/realtime/src/handlers/connection.ts‎apps/sim/socket/handlers/connection.ts renamed to apps/realtime/src/handlers/connection.ts
Lines changed: 4 additions & 4 deletions b/‎apps/sim/socket/handlers/connection.ts‎ ‎apps/realtime/src/handlers/connection.ts‎apps/sim/socket/handlers/connection.ts renamed to apps/realtime/src/handlers/connection.ts
Lines changed: 4 additions & 4 deletions
@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |
 
@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |
 
@@ -103,6 +103,12 @@ jobs:
       - name: Lint code
         run: bun run lint:check
 
+      - name: Enforce monorepo boundaries
+        run: bun run scripts/check-monorepo-boundaries.ts
+
+      - name: Verify realtime prune graph
+        run: bun run scripts/check-realtime-prune-graph.ts
+
       - name: Run tests with coverage
         env:
           NODE_OPTIONS: '--no-warnings --max-old-space-size=8192'
 
@@ -20,19 +20,42 @@ You are a professional software engineer. All code must follow best practices: a
 
 ### Root Structure
 ```
-apps/sim/
-├── app/           # Next.js app router (pages, API routes)
-├── blocks/        # Block definitions and registry
-├── components/    # Shared UI (emcn/, ui/)
-├── executor/      # Workflow execution engine
-├── hooks/         # Shared hooks (queries/, selectors/)
-├── lib/           # App-wide utilities
-├── providers/     # LLM provider integrations
-├── stores/        # Zustand stores
-├── tools/         # Tool definitions
-└── triggers/      # Trigger definitions
+apps/
+├── sim/                    # Next.js app (UI + API routes + workflow editor)
+│   ├── app/                # Next.js app router (pages, API routes)
+│   ├── blocks/             # Block definitions and registry
+│   ├── components/         # Shared UI (emcn/, ui/)
+│   ├── executor/           # Workflow execution engine
+│   ├── hooks/              # Shared hooks (queries/, selectors/)
+│   ├── lib/                # App-wide utilities
+│   ├── providers/          # LLM provider integrations
+│   ├── stores/             # Zustand stores
+│   ├── tools/              # Tool definitions
+│   └── triggers/           # Trigger definitions
+└── realtime/               # Bun Socket.IO server (collaborative canvas)
+    └── src/                # auth, config, database, handlers, middleware,
+                            # rooms, routes, internal/webhook-cleanup.ts
+
+packages/
+├── audit/                  # @sim/audit — recordAudit + AuditAction + AuditResourceType
+├── auth/                   # @sim/auth — @sim/auth/verify (shared Better Auth verifier)
+├── db/                     # @sim/db — drizzle schema + client
+├── logger/                 # @sim/logger
+├── realtime-protocol/      # @sim/realtime-protocol — socket operation constants + zod schemas
+├── security/               # @sim/security — safeCompare
+├── tsconfig/               # shared tsconfig presets
+├── utils/                  # @sim/utils
+├── workflow-authz/         # @sim/workflow-authz — authorizeWorkflowByWorkspacePermission
+├── workflow-persistence/   # @sim/workflow-persistence — raw load/save + subflow helpers
+└── workflow-types/         # @sim/workflow-types — pure BlockState/Loop/Parallel/... types
 ```
 
+### Package boundaries
+- `apps/* → packages/*` only. Packages never import from `apps/*`.
+- Each package has explicit subpath `exports` maps; no barrels that accidentally pull in heavy halves.
+- `apps/realtime` intentionally avoids Next.js, React, the block/tool registry, provider SDKs, and the executor. CI enforces this via `scripts/check-monorepo-boundaries.ts` and `scripts/check-realtime-image-size.ts`.
+- Auth is shared across services via the Better Auth "Shared Database Session" pattern: both apps read the same `BETTER_AUTH_SECRET` and point at the same DB via `@sim/db`.
+
 ### Naming Conventions
 - Components: PascalCase (`WorkflowList`)
 - Hooks: `use` prefix (`useWorkflowOperations`)
 
@@ -0,0 +1,48 @@
+{
+  "name": "@sim/realtime",
+  "version": "0.1.0",
+  "private": true,
+  "license": "Apache-2.0",
+  "type": "module",
+  "engines": {
+    "bun": ">=1.2.13",
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "dev": "bun --watch src/index.ts",
+    "start": "bun src/index.ts",
+    "type-check": "tsc --noEmit",
+    "lint": "biome check --write --unsafe .",
+    "lint:check": "biome check .",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@sim/audit": "workspace:*",
+    "@sim/auth": "workspace:*",
+    "@sim/db": "workspace:*",
+    "@sim/logger": "workspace:*",
+    "@sim/realtime-protocol": "workspace:*",
+    "@sim/security": "workspace:*",
+    "@sim/utils": "workspace:*",
+    "@sim/workflow-authz": "workspace:*",
+    "@sim/workflow-persistence": "workspace:*",
+    "@sim/workflow-types": "workspace:*",
+    "@socket.io/redis-adapter": "8.3.0",
+    "drizzle-orm": "^0.45.2",
+    "postgres": "^3.4.5",
+    "redis": "5.10.0",
+    "socket.io": "^4.8.1",
+    "socket.io-client": "4.8.1",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@sim/testing": "workspace:*",
+    "@sim/tsconfig": "workspace:*",
+    "@types/node": "24.2.1",
+    "typescript": "^5.7.3",
+    "vitest": "^3.0.8"
+  }
+}
@@ -0,0 +1,17 @@
+import { createVerifyAuth } from '@sim/auth/verify'
+import { env } from '@/env'
+
+export const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+export const ANONYMOUS_USER = {
+  id: ANONYMOUS_USER_ID,
+  name: 'Anonymous',
+  email: 'anonymous@localhost',
+  emailVerified: true,
+  image: null,
+} as const
+
+export const auth = createVerifyAuth({
+  secret: env.BETTER_AUTH_SECRET,
+  baseURL: env.BETTER_AUTH_URL,
+})
@@ -3,9 +3,7 @@ import { createLogger } from '@sim/logger'
 import { createAdapter } from '@socket.io/redis-adapter'
 import { createClient, type RedisClientType } from 'redis'
 import { Server } from 'socket.io'
-import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/feature-flags'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { env, getBaseUrl, isProd } from '@/env'
 
 const logger = createLogger('SocketIOConfig')
 
 
@@ -1,15 +1,7 @@
+import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import * as schema from '@sim/db'
-import { webhook, workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@sim/db'
+import { workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray, isNull, or, sql } from 'drizzle-orm'
-import { drizzle } from 'drizzle-orm/postgres-js'
-import postgres from 'postgres'
-import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { env } from '@/lib/core/config/env'
-import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
-import { getActiveWorkflowContext } from '@/lib/workflows/active-context'
-import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { mergeSubBlockValues } from '@/lib/workflows/subblocks'
 import {
   BLOCK_OPERATIONS,
   BLOCKS_OPERATIONS,
@@ -19,7 +11,14 @@ import {
   SUBFLOW_OPERATIONS,
   VARIABLE_OPERATIONS,
   WORKFLOW_OPERATIONS,
-} from '@/socket/constants'
+} from '@sim/realtime-protocol/constants'
+import { getActiveWorkflowContext } from '@sim/workflow-authz'
+import { loadWorkflowFromNormalizedTablesRaw } from '@sim/workflow-persistence/load'
+import { mergeSubBlockValues } from '@sim/workflow-persistence/subblocks'
+import { and, eq, inArray, isNull, or, sql } from 'drizzle-orm'
+import { drizzle } from 'drizzle-orm/postgres-js'
+import postgres from 'postgres'
+import { env } from '@/env'
 
 const logger = createLogger('SocketDatabase')
 
@@ -182,7 +181,7 @@ export async function getWorkflowState(workflowId: string) {
       throw new Error(`Workflow ${workflowId} not found`)
     }
 
-    const normalizedData = await loadWorkflowFromNormalizedTables(workflowId)
+    const normalizedData = await loadWorkflowFromNormalizedTablesRaw(workflowId)
 
     if (normalizedData) {
       const finalState = {
@@ -915,30 +914,10 @@ async function handleBlocksOperationTx(
         }
       }
 
-      // Clean up external webhooks
-      const webhooksToCleanup = await tx
-        .select({
-          webhook: webhook,
-          workflow: {
-            id: workflow.id,
-            userId: workflow.userId,
-            workspaceId: workflow.workspaceId,
-          },
-        })
-        .from(webhook)
-        .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-        .where(and(eq(webhook.workflowId, workflowId), inArray(webhook.blockId, blockIdsArray)))
-
-      if (webhooksToCleanup.length > 0) {
-        const requestId = `socket-batch-${workflowId}-${Date.now()}`
-        for (const { webhook: wh, workflow: wf } of webhooksToCleanup) {
-          try {
-            await cleanupExternalWebhook(wh, wf, requestId)
-          } catch (error) {
-            logger.error(`Failed to cleanup webhook ${wh.id}:`, error)
-          }
-        }
-      }
+      // Webhook rows are only created at deploy time (saveTriggerWebhooksForDeploy in
+      // lib/webhooks/deploy.ts) with deploymentVersionId set; their external-subscription
+      // lifecycle is managed by deploy.ts, lifecycle.ts, and the /api/webhooks/[id] route.
+      // Removing a trigger block from the draft canvas does not touch any webhook rows.
 
       // Delete edges connected to any of the blocks
       await tx
 
@@ -0,0 +1,52 @@
+import { z } from 'zod'
+
+const EnvSchema = z.object({
+  NODE_ENV: z.enum(['development', 'test', 'production']).default('development'),
+  DATABASE_URL: z.string().url(),
+  REDIS_URL: z.string().url().optional(),
+  BETTER_AUTH_URL: z.string().url(),
+  BETTER_AUTH_SECRET: z.string().min(32),
+  INTERNAL_API_SECRET: z.string().min(32),
+  NEXT_PUBLIC_APP_URL: z.string().url(),
+  INTERNAL_API_BASE_URL: z.string().url().optional(),
+  ALLOWED_ORIGINS: z.string().optional(),
+  SOCKET_SERVER_URL: z.string().url().optional(),
+  PORT: z.coerce.number().int().positive().default(3002),
+  SOCKET_PORT: z.coerce.number().int().positive().optional(),
+  HOSTNAME: z.string().default('0.0.0.0'),
+  DISABLE_AUTH: z
+    .string()
+    .optional()
+    .transform((value) => value === 'true' || value === '1'),
+})
+
+function parseEnv() {
+  const parsed = EnvSchema.safeParse(process.env)
+  if (!parsed.success) {
+    const formatted = parsed.error.format()
+    throw new Error(`Invalid realtime server environment: ${JSON.stringify(formatted, null, 2)}`)
+  }
+  return parsed.data
+}
+
+export const env = parseEnv()
+
+export const isProd = env.NODE_ENV === 'production'
+export const isDev = env.NODE_ENV === 'development'
+export const isTest = env.NODE_ENV === 'test'
+
+let appHostname = ''
+try {
+  appHostname = new URL(env.NEXT_PUBLIC_APP_URL).hostname
+} catch {}
+export const isHosted = appHostname === 'sim.ai' || appHostname.endsWith('.sim.ai')
+
+export const isAuthDisabled = env.DISABLE_AUTH === true && !isHosted
+
+export function getBaseUrl(): string {
+  return env.NEXT_PUBLIC_APP_URL
+}
+
+export function getInternalApiBaseUrl(): string {
+  return env.INTERNAL_API_BASE_URL ?? env.NEXT_PUBLIC_APP_URL
+}
@@ -1,8 +1,8 @@
 import { createLogger } from '@sim/logger'
-import { cleanupPendingSubblocksForSocket } from '@/socket/handlers/subblocks'
-import { cleanupPendingVariablesForSocket } from '@/socket/handlers/variables'
-import type { AuthenticatedSocket } from '@/socket/middleware/auth'
-import type { IRoomManager } from '@/socket/rooms'
+import { cleanupPendingSubblocksForSocket } from '@/handlers/subblocks'
+import { cleanupPendingVariablesForSocket } from '@/handlers/variables'
+import type { AuthenticatedSocket } from '@/middleware/auth'
+import type { IRoomManager } from '@/rooms'
 
 const logger = createLogger('ConnectionHandlers')