Merge branch 'staging' into feat/org-improv-big

Author: icecrasher321

.claude/rules/sim-testing.md

@@ -13,8 +13,12 @@ Use Vitest. Test files: `feature.ts` → `feature.test.ts`
 These modules are mocked globally — do NOT re-mock them in test files unless you need to override behavior:
 
 - `@sim/db` → `databaseMock`
+- `@sim/db/schema` → `schemaMock`
 - `drizzle-orm` → `drizzleOrmMock`
 - `@sim/logger` → `loggerMock`
+- `@/lib/auth` → `authMock`
+- `@/lib/auth/hybrid` → `hybridAuthMock` (with default session-delegating behavior)
+- `@/lib/core/utils/request` → `requestUtilsMock`
 - `@/stores/console/store`, `@/stores/terminal`, `@/stores/execution/store`
 - `@/blocks/registry`
 - `@trigger.dev/sdk`
@@ -192,24 +196,38 @@ hybridAuthMockFns.mockCheckSessionOrInternalAuth.mockResolvedValue({
 
 ### Database chain mocking
 
+Use the centralized `dbChainMock` + `dbChainMockFns` helpers — no `vi.hoisted()` or chain-wiring boilerplate needed.
+
 ```typescript
-const { mockSelect, mockFrom, mockWhere } = vi.hoisted(() => ({
-  mockSelect: vi.fn(),
-  mockFrom: vi.fn(),
-  mockWhere: vi.fn(),
-}))
+import { dbChainMock, dbChainMockFns, resetDbChainMock } from '@sim/testing'
 
-vi.mock('@sim/db', () => ({
-  db: { select: mockSelect },
-}))
+vi.mock('@sim/db', () => dbChainMock)
+// Spread for custom exports: vi.mock('@sim/db', () => ({ ...dbChainMock, myTable: {...} }))
 
 beforeEach(() => {
-  mockSelect.mockReturnValue({ from: mockFrom })
-  mockFrom.mockReturnValue({ where: mockWhere })
-  mockWhere.mockResolvedValue([{ id: '1', name: 'test' }])
+  vi.clearAllMocks()
+  resetDbChainMock() // only needed if tests use permanent (non-`Once`) overrides
+})
+
+it('reads a row', async () => {
+  dbChainMockFns.limit.mockResolvedValueOnce([{ id: '1', name: 'test' }])
+  // exercise code that hits db.select().from().where().limit()
+  expect(dbChainMockFns.where).toHaveBeenCalled()
 })
 ```
 
+**Default chains supported:**
+- `select()/selectDistinct()/selectDistinctOn() → from() → where()/innerJoin()/leftJoin() → where() → limit()/orderBy()/returning()/groupBy()`
+- `insert() → values() → returning()/onConflictDoUpdate()/onConflictDoNothing()`
+- `update() → set() → where() → limit()/orderBy()/returning()`
+- `delete() → where() → limit()/orderBy()/returning()`
+- `db.execute()` resolves `[]`
+- `db.transaction(cb)` calls cb with `dbChainMock.db`
+
+All terminals default to `Promise.resolve([])`. Override per-test with `dbChainMockFns.<terminal>.mockResolvedValueOnce(...)`.
+
+Use `resetDbChainMock()` in `beforeEach` only when tests replace wiring with `.mockReturnValue` / `.mockResolvedValue` (permanent). Tests using only `...Once` variants don't need it.
+
 ## @sim/testing Package
 
 Always prefer over local test data.

.cursor/rules/sim-testing.mdc

@@ -13,8 +13,12 @@ Use Vitest. Test files: `feature.ts` → `feature.test.ts`
 These modules are mocked globally — do NOT re-mock them in test files unless you need to override behavior:
 
 - `@sim/db` → `databaseMock`
+- `@sim/db/schema` → `schemaMock`
 - `drizzle-orm` → `drizzleOrmMock`
 - `@sim/logger` → `loggerMock`
+- `@/lib/auth` → `authMock`
+- `@/lib/auth/hybrid` → `hybridAuthMock` (with default session-delegating behavior)
+- `@/lib/core/utils/request` → `requestUtilsMock`
 - `@/stores/console/store`, `@/stores/terminal`, `@/stores/execution/store`
 - `@/blocks/registry`
 - `@trigger.dev/sdk`

apps/sim/app/(auth)/signup/signup-form.tsx

@@ -10,6 +10,7 @@ import { usePostHog } from 'posthog-js/react'
 import { Input, Label } from '@/components/emcn'
 import { client, useSession } from '@/lib/auth/auth-client'
 import { getEnv, isFalsy, isTruthy } from '@/lib/core/config/env'
+import { validateCallbackUrl } from '@/lib/core/security/input-validation'
 import { cn } from '@/lib/core/utils/cn'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { captureClientEvent, captureEvent } from '@/lib/posthog/client'
@@ -102,10 +103,14 @@ function SignupFormContent({ githubAvailable, googleAvailable, isProduction }: S
   useEffect(() => {
     setTurnstileSiteKey(getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY'))
   }, [])
-  const redirectUrl = useMemo(
-    () => searchParams.get('redirect') || searchParams.get('callbackUrl') || '',
-    [searchParams]
-  )
+  const rawRedirectUrl = searchParams.get('redirect') || searchParams.get('callbackUrl') || ''
+  const isValidRedirectUrl = rawRedirectUrl ? validateCallbackUrl(rawRedirectUrl) : false
+  const invalidCallbackRef = useRef(false)
+  if (rawRedirectUrl && !isValidRedirectUrl && !invalidCallbackRef.current) {
+    invalidCallbackRef.current = true
+    logger.warn('Invalid callback URL detected and blocked:', { url: rawRedirectUrl })
+  }
+  const redirectUrl = isValidRedirectUrl ? rawRedirectUrl : ''
   const isInviteFlow = useMemo(
     () =>
       searchParams.get('invite_flow') === 'true' ||

apps/sim/app/(auth)/verify/use-verification.ts

@@ -4,6 +4,7 @@ import { useEffect, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { useRouter, useSearchParams } from 'next/navigation'
 import { client, useSession } from '@/lib/auth/auth-client'
+import { validateCallbackUrl } from '@/lib/core/security/input-validation'
 
 const logger = createLogger('useVerification')
 
@@ -55,8 +56,11 @@ export function useVerification({
       }
 
       const storedRedirectUrl = sessionStorage.getItem('inviteRedirectUrl')
-      if (storedRedirectUrl) {
+      if (storedRedirectUrl && validateCallbackUrl(storedRedirectUrl)) {
         setRedirectUrl(storedRedirectUrl)
+      } else if (storedRedirectUrl) {
+        logger.warn('Ignoring unsafe stored invite redirect URL', { url: storedRedirectUrl })
+        sessionStorage.removeItem('inviteRedirectUrl')
       }
 
       const storedIsInviteFlow = sessionStorage.getItem('isInviteFlow')
@@ -67,7 +71,11 @@ export function useVerification({
 
     const redirectParam = searchParams.get('redirectAfter')
     if (redirectParam) {
-      setRedirectUrl(redirectParam)
+      if (validateCallbackUrl(redirectParam)) {
+        setRedirectUrl(redirectParam)
+      } else {
+        logger.warn('Ignoring unsafe redirectAfter parameter', { url: redirectParam })
+      }
     }
 
     const inviteFlowParam = searchParams.get('invite_flow')

apps/sim/app/(landing)/actions/github.ts

@@ -1,13 +1,7 @@
 'use client'
 
-import { useEffect, useState } from 'react'
-import { createLogger } from '@sim/logger'
 import { GithubOutlineIcon } from '@/components/icons'
-import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'
-
-const logger = createLogger('github-stars')
-
-const INITIAL_STARS = '27.7k'
+import { useGitHubStars } from '@/hooks/queries/github-stars'
 
 /**
  * Client component that displays GitHub stars count.
@@ -16,15 +10,7 @@ const INITIAL_STARS = '27.7k'
  * a Server Component for optimal SEO/GEO crawlability.
  */
 export function GitHubStars() {
-  const [stars, setStars] = useState(INITIAL_STARS)
-
-  useEffect(() => {
-    getFormattedGitHubStars()
-      .then(setStars)
-      .catch((error) => {
-        logger.warn('Failed to fetch GitHub stars', error)
-      })
-  }, [])
+  const { data: stars } = useGitHubStars()
 
   return (
     <a

apps/sim/app/(landing)/components/navbar/components/github-stars.tsx

@@ -0,0 +1,28 @@
+import type { Metadata } from 'next'
+import Link from 'next/link'
+import { AUTH_PRIMARY_CTA_BASE } from '@/app/(auth)/components/auth-button-classes'
+
+export const metadata: Metadata = {
+  title: 'Page Not Found',
+  robots: { index: false, follow: true },
+}
+
+export default function IntegrationsNotFound() {
+  return (
+    <div className='flex min-h-[60vh] items-center justify-center px-4 py-24'>
+      <div className='flex flex-col items-center gap-3'>
+        <h1 className='text-balance font-[430] font-season text-[40px] text-white leading-[110%] tracking-[-0.02em]'>
+          Page not found
+        </h1>
+        <p className='font-[430] font-season text-[color-mix(in_srgb,var(--landing-text-subtle)_60%,transparent)] text-lg leading-[125%] tracking-[0.02em]'>
+          The page you&apos;re looking for doesn&apos;t exist or has been moved.
+        </p>
+        <div className='mt-3 flex items-center gap-2'>
+          <Link href='/' className={AUTH_PRIMARY_CTA_BASE}>
+            Return to Home
+          </Link>
+        </div>
+      </div>
+    </div>
+  )
+}

apps/sim/app/(landing)/integrations/not-found.tsx

@@ -0,0 +1,28 @@
+import type { Metadata } from 'next'
+import Link from 'next/link'
+import { AUTH_PRIMARY_CTA_BASE } from '@/app/(auth)/components/auth-button-classes'
+
+export const metadata: Metadata = {
+  title: 'Page Not Found',
+  robots: { index: false, follow: true },
+}
+
+export default function ModelsNotFound() {
+  return (
+    <div className='flex min-h-[60vh] items-center justify-center px-4 py-24'>
+      <div className='flex flex-col items-center gap-3'>
+        <h1 className='text-balance font-[430] font-season text-[40px] text-white leading-[110%] tracking-[-0.02em]'>
+          Page not found
+        </h1>
+        <p className='font-[430] font-season text-[color-mix(in_srgb,var(--landing-text-subtle)_60%,transparent)] text-lg leading-[125%] tracking-[0.02em]'>
+          The page you&apos;re looking for doesn&apos;t exist or has been moved.
+        </p>
+        <div className='mt-3 flex items-center gap-2'>
+          <Link href='/' className={AUTH_PRIMARY_CTA_BASE}>
+            Return to Home
+          </Link>
+        </div>
+      </div>
+    </div>
+  )
+}