simstudioai
diff --git a/‎.agents/skills/add-integration/SKILL.md‎
Lines changed: 42 additions & 18 deletions b/‎.agents/skills/add-integration/SKILL.md‎
Lines changed: 42 additions & 18 deletions
diff --git a/‎.agents/skills/cleanup/SKILL.md‎
Lines changed: 5 additions & 0 deletions b/‎.agents/skills/cleanup/SKILL.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.agents/skills/ship/SKILL.md‎
Lines changed: 10 additions & 9 deletions b/‎.agents/skills/ship/SKILL.md‎
Lines changed: 10 additions & 9 deletions
diff --git a/‎.claude/commands/ship.md‎
Lines changed: 4 additions & 2 deletions b/‎.claude/commands/ship.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.cursor/commands/ship.md‎
Lines changed: 4 additions & 2 deletions b/‎.cursor/commands/ship.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎.cursor/rules/sim-architecture.mdc‎
Lines changed: 13 additions & 0 deletions b/‎.cursor/rules/sim-architecture.mdc‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.cursor/rules/sim-queries.mdc‎
Lines changed: 17 additions & 5 deletions b/‎.cursor/rules/sim-queries.mdc‎
Lines changed: 17 additions & 5 deletions
diff --git a/‎.devcontainer/docker-compose.yml‎
Lines changed: 1 addition & 1 deletion b/‎.devcontainer/docker-compose.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/test-build.yml‎
Lines changed: 5 additions & 2 deletions b/‎.github/workflows/test-build.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
@@ -578,38 +578,64 @@ tools: {
 
 #### 3. Create Internal API Route
 
-Create `apps/sim/app/api/tools/{service}/{action}/route.ts`:
+Create `apps/sim/app/api/tools/{service}/{action}/route.ts`. Internal tool routes are HTTP boundaries and follow the same contract policy as public routes — define the request/response shape in `apps/sim/lib/api/contracts/{service}-tools.ts` (or an existing `internal-tools.ts` / `communication-tools.ts` aggregate) and validate with canonical helpers from `@/lib/api/server`. Never write a route-local Zod schema.
 
 ```typescript
+// apps/sim/lib/api/contracts/{service}-tools.ts
+import { z } from 'zod'
+import { defineRouteContract } from '@/lib/api/contracts'
+import { FileInputSchema } from '@/lib/uploads/utils/file-schemas'
+
+export const {service}UploadBodySchema = z.object({
+  accessToken: z.string(),
+  file: FileInputSchema.optional().nullable(),
+  fileContent: z.string().optional().nullable(),
+  // ... other params
+})
+
+export const {service}UploadResponseSchema = z.object({
+  success: z.boolean(),
+  output: z.object({ id: z.string(), url: z.string() }).optional(),
+  error: z.string().optional(),
+})
+
+export const {service}UploadContract = defineRouteContract({
+  method: 'POST',
+  path: '/api/tools/{service}/upload',
+  body: {service}UploadBodySchema,
+  response: { mode: 'json', schema: {service}UploadResponseSchema },
+})
+
+export type {Service}UploadBody = z.input<typeof {service}UploadBodySchema>
+export type {Service}UploadResponse = z.output<typeof {service}UploadResponseSchema>
+```
+
+```typescript
+// apps/sim/app/api/tools/{service}/upload/route.ts
 import { createLogger } from '@sim/logger'
 import { NextResponse, type NextRequest } from 'next/server'
-import { z } from 'zod'
+import { {service}UploadContract } from '@/lib/api/contracts/{service}-tools'
+import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { FileInputSchema, type RawFileInput } from '@/lib/uploads/utils/file-schemas'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { type RawFileInput } from '@/lib/uploads/utils/file-schemas'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 
 const logger = createLogger('{Service}UploadAPI')
 
-const RequestSchema = z.object({
-  accessToken: z.string(),
-  file: FileInputSchema.optional().nullable(),
-  // Legacy field for backwards compatibility
-  fileContent: z.string().optional().nullable(),
-  // ... other params
-})
-
-export async function POST(request: NextRequest) {
+export const POST = withRouteHandler(async (request: NextRequest) => {
   const requestId = generateRequestId()
 
   const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
   if (!authResult.success) {
     return NextResponse.json({ success: false, error: 'Unauthorized' }, { status: 401 })
   }
 
-  const body = await request.json()
-  const data = RequestSchema.parse(body)
+  const parsed = await parseRequest({service}UploadContract, request, {})
+  if (!parsed.success) return parsed.response
+  const data = parsed.data.body
 
   let fileBuffer: Buffer
   let fileName: string
@@ -624,22 +650,20 @@ export async function POST(request: NextRequest) {
     fileBuffer = await downloadFileFromStorage(userFile, requestId, logger)
     fileName = userFile.name
   } else if (data.fileContent) {
-    // Legacy: base64 string (backwards compatibility)
     fileBuffer = Buffer.from(data.fileContent, 'base64')
     fileName = 'file'
   } else {
     return NextResponse.json({ success: false, error: 'File required' }, { status: 400 })
   }
 
-  // Now call external API with fileBuffer
   const response = await fetch('https://api.{service}.com/upload', {
     method: 'POST',
     headers: { Authorization: `Bearer ${data.accessToken}` },
-    body: new Uint8Array(fileBuffer),  // Convert Buffer for fetch
+    body: new Uint8Array(fileBuffer),
   })
 
   // ... handle response
-}
+})
 ```
 
 #### 4. Update Tool to Use Internal Route
 
@@ -23,3 +23,8 @@ Run each of these skills in order on the specified scope, passing through the sc
 6. `/emcn-design-review $ARGUMENTS`
 
 After all skills have run, output a summary of what was found and fixed (or proposed) across all six passes.
+
+## Boundary Audit Guidance
+
+- When removing route-local Zod schemas, replacing raw `fetch(` calls in hooks, or removing `as unknown as X` casts, do not introduce `// boundary-raw-fetch: <reason>` or `// double-cast-allowed: <reason>` annotations to silence the audit. Fix the underlying call instead — adopt a contract from `@/lib/api/contracts/**` and use `requestJson(contract, ...)` from `@/lib/api/client/request`, or refine the type so the double cast is unnecessary.
+- Annotations are reserved for legitimate exceptions only: streaming responses, binary downloads, multipart uploads, signed-URL flows, OAuth redirects, external-origin requests, and double casts where no narrower type is available. Each annotation requires a non-empty reason; empty reasons fail `bun run check:api-validation:strict`.
@@ -13,21 +13,20 @@ When the user runs `/ship`:
 
 1. **Check git status** - See what files have changed
 2. **Generate a commit message** following this format: `type(scope): description`
-   - Types: `fix`, `feat`, `improvement`, `chore`
-   - Scope: short identifier (e.g., `undo-redo`, `api`, `ui`)
-   - Keep it concise
-
-3. **Run lint** - Run `bun run lint` from the repo root to fix formatting issues before staging
-
+  - Types: `fix`, `feat`, `improvement`, `chore`
+  - Scope: short identifier (e.g., `undo-redo`, `api`, `ui`)
+  - Keep it concise
+3. **Run pre-ship checks** from the repo root before staging:
+  - `bun run lint` to fix formatting issues
+  - `bun run check:api-validation:strict` to catch boundary contract failures before CI
 4. **Stage and commit** the changes with the generated message
-
 5. **Push to origin** using the current branch name
-
 6. **Create a PR** to staging with a description in the user's voice
 
 ## Commit Message Format
 
 Based on the repo's commit history:
+
 ```
 fix(scope): description for bug fixes
 feat(scope): description for new features
@@ -61,6 +60,7 @@ Tested manually (or describe testing)
 ## PR Creation Command
 
 Use this command structure:
+
 ```bash
 gh pr create --base staging --title "COMMIT_MESSAGE" --body "PR_BODY"
 ```
@@ -77,6 +77,7 @@ gh pr create --base staging --title "COMMIT_MESSAGE" --body "PR_BODY"
 
 - Short, direct bullet points
 - No unnecessary explanation
-- "Tested manually" is acceptable for testing section
+- "Tested manually" is acceptable for testing section; include lint and boundary validation results when run
 - Checkboxes filled in appropriately
 - No screenshots section unless UI changes
+
@@ -17,7 +17,9 @@ When the user runs `/ship`:
    - Scope: short identifier (e.g., `undo-redo`, `api`, `ui`)
    - Keep it concise
 
-3. **Run lint** - Run `bun run lint` from the repo root to fix formatting issues before staging
+3. **Run pre-ship checks** from the repo root before staging:
+   - `bun run lint` to fix formatting issues
+   - `bun run check:api-validation:strict` to catch boundary contract failures before CI
 
 4. **Stage and commit** the changes with the generated message
 
@@ -77,6 +79,6 @@ gh pr create --base staging --title "COMMIT_MESSAGE" --body "PR_BODY"
 
 - Short, direct bullet points
 - No unnecessary explanation
-- "Tested manually" is acceptable for testing section
+- "Tested manually" is acceptable for testing section; include lint and boundary validation results when run
 - Checkboxes filled in appropriately
 - No screenshots section unless UI changes
@@ -12,7 +12,9 @@ When the user runs `/ship`:
    - Scope: short identifier (e.g., `undo-redo`, `api`, `ui`)
    - Keep it concise
 
-3. **Run lint** - Run `bun run lint` from the repo root to fix formatting issues before staging
+3. **Run pre-ship checks** from the repo root before staging:
+   - `bun run lint` to fix formatting issues
+   - `bun run check:api-validation:strict` to catch boundary contract failures before CI
 
 4. **Stage and commit** the changes with the generated message
 
@@ -72,6 +74,6 @@ gh pr create --base staging --title "COMMIT_MESSAGE" --body "PR_BODY"
 
 - Short, direct bullet points
 - No unnecessary explanation
-- "Tested manually" is acceptable for testing section
+- "Tested manually" is acceptable for testing section; include lint and boundary validation results when run
 - Checkboxes filled in appropriately
 - No screenshots section unless UI changes
@@ -54,3 +54,16 @@ feature/
 - **Create `utils.ts` when** 2+ files need the same helper
 - **Check existing sources** before duplicating (`lib/` has many utilities)
 - **Location**: `lib/` (app-wide) → `feature/utils/` (feature-scoped) → inline (single-use)
+
+## API Contracts
+
+Boundary HTTP request and response shapes for all routes under `apps/sim/app/api/**` live in `apps/sim/lib/api/contracts/` (one file per resource family). Routes and clients consume the same contract — routes never define route-local boundary Zod schemas, and clients never define ad-hoc wire types. Domain validators that are not HTTP boundaries (tools, blocks, triggers, connectors, realtime handlers, internal helpers) may still use Zod directly; the contract rule is boundary-only.
+
+- Each contract is built with `defineRouteContract({ method, path, params?, query?, body?, headers?, response: { mode: 'json', schema } })` and exports both schemas and named TypeScript type aliases (e.g., `export type CreateFolderBody = z.input<typeof createFolderBodySchema>`).
+- Shared identifier schemas live in `apps/sim/lib/api/contracts/primitives.ts`.
+- Routes validate via canonical helpers in `apps/sim/lib/api/server/validation.ts` (`parseRequest`, `validationErrorResponse`, `getValidationErrorMessage`, `isZodError`). Routes never `import { z } from 'zod'` and never use `instanceof z.ZodError`.
+- Clients call `requestJson(contract, ...)` from `apps/sim/lib/api/client/request.ts`; hooks import named type aliases from contracts, never `z.input/z.output`.
+- Routes under `apps/sim/app/api/v1/**` use `apps/sim/app/api/v1/middleware.ts` for shared auth, rate-limit, and workspace access. Compose contract validation inside that middleware.
+- `bun run check:api-validation` enforces this policy and must pass on PRs.
+
+`bun run check:api-validation:strict` is the strict CI gate and additionally fails on annotations with empty reasons. Four per-line opt-out forms are recognized: `// boundary-raw-fetch: <reason>` (placed immediately above a legitimate raw `fetch(` call in `apps/sim/hooks/queries/**` or `apps/sim/hooks/selectors/**` for stream/binary/multipart/signed-URL/OAuth-redirect/external-origin cases), `// double-cast-allowed: <reason>` (placed immediately above an `as unknown as X` cast outside test files), `// boundary-raw-json: <reason>` (placed immediately above a raw `await request.json()` / `await req.json()` read in a route handler that cannot go through `parseRequest` — JSON-RPC envelopes, tolerant `.catch(() => ({}))` parses), and `// untyped-response: <reason>` (placed immediately above a `schema: z.unknown()` response declaration in a contract file when the response body is genuinely opaque). The reason must be non-empty. Whole-file allowlists for routes that legitimately import Zod for non-boundary reasons go through `INDIRECT_ZOD_ROUTES` in `scripts/check-api-validation-contracts.ts`, not per-line annotations.
@@ -37,12 +37,18 @@ Never use inline query keys — always use the factory.
 - Every `queryFn` must destructure and forward `signal` for request cancellation
 - Every query must have an explicit `staleTime`
 - Use `keepPreviousData` only on variable-key queries (where params change), never on static keys
+- Same-origin JSON calls must go through `requestJson(contract, ...)` from `@/lib/api/client/request` against the contract in `@/lib/api/contracts/**`
 
 ```typescript
-async function fetchEntities(workspaceId: string, signal?: AbortSignal) {
-  const response = await fetch(`/api/entities?workspaceId=${workspaceId}`, { signal })
-  if (!response.ok) throw new Error('Failed to fetch entities')
-  return response.json()
+import { requestJson } from '@/lib/api/client/request'
+import { listEntitiesContract, type EntityList } from '@/lib/api/contracts/entities'
+
+async function fetchEntities(workspaceId: string, signal?: AbortSignal): Promise<EntityList> {
+  const data = await requestJson(listEntitiesContract, {
+    query: { workspaceId },
+    signal,
+  })
+  return data.entities
 }
 
 export function useEntityList(workspaceId?: string, options?: { enabled?: boolean }) {
@@ -51,7 +57,7 @@ export function useEntityList(workspaceId?: string, options?: { enabled?: boolea
     queryFn: ({ signal }) => fetchEntities(workspaceId as string, signal),
     enabled: Boolean(workspaceId) && (options?.enabled ?? true),
     staleTime: 60 * 1000,
-    placeholderData: keepPreviousData, // OK: workspaceId varies
+    placeholderData: keepPreviousData,
   })
 }
 ```
@@ -118,6 +124,12 @@ const handler = useCallback(() => {
 }, [data])
 ```
 
+## Boundary Types
+
+- Hooks must import named type aliases from `@/lib/api/contracts/**` (e.g., `import { listEntitiesContract, type EntityList } from '@/lib/api/contracts/entities'`). Never write `z.input<...>` or `z.output<...>` in hooks.
+- Hooks must not `import { z } from 'zod'`. Boundary types come from contract aliases; non-boundary helpers can stay in plain TypeScript.
+- For non-contract endpoints (multipart uploads, binary downloads, streaming responses, signed-URL flows, OAuth redirects, external origins), it is OK to keep raw `fetch`. Each legitimate raw `fetch(` call inside `apps/sim/hooks/queries/**` or `apps/sim/hooks/selectors/**` must be preceded by a `// boundary-raw-fetch: <reason>` annotation on the immediately preceding line (up to three non-empty preceding comment lines are tolerated). The reason must be non-empty — empty reasons fail strict mode. The audit script `scripts/check-api-validation-contracts.ts` (`bun run check:api-validation` / `bun run check:api-validation:strict`) enforces this.
+
 ## Naming
 
 - **Keys**: `entityKeys`
 
@@ -21,7 +21,7 @@ services:
       - COPILOT_API_KEY=${COPILOT_API_KEY}
       - SIM_AGENT_API_URL=${SIM_AGENT_API_URL}
       - OLLAMA_URL=${OLLAMA_URL:-http://localhost:11434}
-      - NEXT_PUBLIC_SOCKET_URL=${NEXT_PUBLIC_SOCKET_URL:-http://localhost:3002}
+      - NEXT_PUBLIC_SOCKET_URL=${NEXT_PUBLIC_SOCKET_URL:-}
       - BUN_INSTALL_CACHE_DIR=/home/bun/.bun/cache
     depends_on:
       db:
 
@@ -90,22 +90,25 @@ jobs:
 
           echo "✅ All feature flags are properly configured"
 
-      - name: Check subblock ID stability
+      - name: Check block registry invariants
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             BASE_REF="origin/${{ github.base_ref }}"
             git fetch --depth=1 origin "${{ github.base_ref }}" 2>/dev/null || true
           else
             BASE_REF="HEAD~1"
           fi
-          bun run apps/sim/scripts/check-subblock-id-stability.ts "$BASE_REF"
+          bun run apps/sim/scripts/check-block-registry.ts "$BASE_REF"
 
       - name: Lint code
         run: bun run lint:check
 
       - name: Enforce monorepo boundaries
         run: bun run check:boundaries
 
+      - name: API contract boundary audit
+        run: bun run check:api-validation:strict
+
       - name: Verify realtime prune graph
         run: bun run check:realtime-prune
 
 
@@ -80,3 +80,4 @@ i18n.cache
 ## Claude Code
 .claude/launch.json
 .claude/worktrees/
+.claude/scheduled_tasks.lock