simstudioai
diff --git a/‎.claude/rules/sim-testing.md‎
Lines changed: 1 addition & 1 deletion b/‎.claude/rules/sim-testing.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.cursor/rules/sim-testing.mdc‎
Lines changed: 1 addition & 1 deletion b/‎.cursor/rules/sim-testing.mdc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.devcontainer/post-create.sh‎
Lines changed: 13 additions & 1 deletion b/‎.devcontainer/post-create.sh‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎.github/workflows/test-build.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/test-build.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 34 additions & 11 deletions b/‎AGENTS.md‎
Lines changed: 34 additions & 11 deletions
diff --git a/‎apps/realtime/.env.example‎
Lines changed: 30 additions & 0 deletions b/‎apps/realtime/.env.example‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎apps/realtime/package.json‎
Lines changed: 48 additions & 0 deletions b/‎apps/realtime/package.json‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎apps/realtime/src/auth.ts‎
Lines changed: 17 additions & 0 deletions b/‎apps/realtime/src/auth.ts‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎apps/sim/socket/config/socket.ts‎ ‎apps/realtime/src/config/socket.ts‎apps/sim/socket/config/socket.ts renamed to apps/realtime/src/config/socket.ts
Lines changed: 1 addition & 3 deletions b/‎apps/sim/socket/config/socket.ts‎ ‎apps/realtime/src/config/socket.ts‎apps/sim/socket/config/socket.ts renamed to apps/realtime/src/config/socket.ts
Lines changed: 1 addition & 3 deletions
diff --git a/‎apps/sim/socket/database/operations.ts‎ ‎apps/realtime/src/database/operations.ts‎apps/sim/socket/database/operations.ts renamed to apps/realtime/src/database/operations.ts
Lines changed: 15 additions & 36 deletions b/‎apps/sim/socket/database/operations.ts‎ ‎apps/realtime/src/database/operations.ts‎apps/sim/socket/database/operations.ts renamed to apps/realtime/src/database/operations.ts
Lines changed: 15 additions & 36 deletions
@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |
 
@@ -144,7 +144,7 @@ vi.useFakeTimers()
 | `@/app/api/auth/oauth/utils` | `authOAuthUtilsMock`, `authOAuthUtilsMockFns` | `vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)` |
 | `@/app/api/knowledge/utils` | `knowledgeApiUtilsMock`, `knowledgeApiUtilsMockFns` | `vi.mock('@/app/api/knowledge/utils', () => knowledgeApiUtilsMock)` |
 | `@/app/api/workflows/utils` | `workflowsApiUtilsMock`, `workflowsApiUtilsMockFns` | `vi.mock('@/app/api/workflows/utils', () => workflowsApiUtilsMock)` |
-| `@/lib/audit/log` | `auditMock`, `auditMockFns` | `vi.mock('@/lib/audit/log', () => auditMock)` |
+| `@sim/audit` | `auditMock`, `auditMockFns` | `vi.mock('@sim/audit', () => auditMock)` |
 | `@/lib/auth` | `authMock`, `authMockFns` | `vi.mock('@/lib/auth', () => authMock)` |
 | `@/lib/auth/hybrid` | `hybridAuthMock`, `hybridAuthMockFns` | `vi.mock('@/lib/auth/hybrid', () => hybridAuthMock)` |
 | `@/lib/copilot/request/http` | `copilotHttpMock`, `copilotHttpMockFns` | `vi.mock('@/lib/copilot/request/http', () => copilotHttpMock)` |
 
@@ -71,14 +71,26 @@ fi
 
 # Set up environment variables if .env doesn't exist for the sim app
 if [ ! -f "apps/sim/.env" ]; then
-  echo "📄 Creating .env file from template..."
+  echo "📄 Creating apps/sim/.env from template..."
   if [ -f "apps/sim/.env.example" ]; then
     cp apps/sim/.env.example apps/sim/.env
   else
     echo "DATABASE_URL=postgresql://postgres:postgres@db:5432/simstudio" > apps/sim/.env
   fi
 fi
 
+# Set up env for the realtime server (must match the shared values in apps/sim/.env)
+if [ ! -f "apps/realtime/.env" ] && [ -f "apps/realtime/.env.example" ]; then
+  echo "📄 Creating apps/realtime/.env from template..."
+  cp apps/realtime/.env.example apps/realtime/.env
+fi
+
+# Set up packages/db/.env for drizzle-kit and migration scripts
+if [ ! -f "packages/db/.env" ] && [ -f "packages/db/.env.example" ]; then
+  echo "📄 Creating packages/db/.env from template..."
+  cp packages/db/.env.example packages/db/.env
+fi
+
 # Generate schema and run database migrations
 echo "🗃️ Running database schema generation and migrations..."
 echo "Generating schema..."
 
@@ -103,6 +103,15 @@ jobs:
       - name: Lint code
         run: bun run lint:check
 
+      - name: Enforce monorepo boundaries
+        run: bun run check:boundaries
+
+      - name: Verify realtime prune graph
+        run: bun run check:realtime-prune
+
+      - name: Type-check realtime server
+        run: bunx turbo run type-check --filter=@sim/realtime
+
       - name: Run tests with coverage
         env:
           NODE_OPTIONS: '--no-warnings --max-old-space-size=8192'
 
@@ -20,19 +20,42 @@ You are a professional software engineer. All code must follow best practices: a
 
 ### Root Structure
 ```
-apps/sim/
-├── app/           # Next.js app router (pages, API routes)
-├── blocks/        # Block definitions and registry
-├── components/    # Shared UI (emcn/, ui/)
-├── executor/      # Workflow execution engine
-├── hooks/         # Shared hooks (queries/, selectors/)
-├── lib/           # App-wide utilities
-├── providers/     # LLM provider integrations
-├── stores/        # Zustand stores
-├── tools/         # Tool definitions
-└── triggers/      # Trigger definitions
+apps/
+├── sim/                    # Next.js app (UI + API routes + workflow editor)
+│   ├── app/                # Next.js app router (pages, API routes)
+│   ├── blocks/             # Block definitions and registry
+│   ├── components/         # Shared UI (emcn/, ui/)
+│   ├── executor/           # Workflow execution engine
+│   ├── hooks/              # Shared hooks (queries/, selectors/)
+│   ├── lib/                # App-wide utilities
+│   ├── providers/          # LLM provider integrations
+│   ├── stores/             # Zustand stores
+│   ├── tools/              # Tool definitions
+│   └── triggers/           # Trigger definitions
+└── realtime/               # Bun Socket.IO server (collaborative canvas)
+    └── src/                # auth, config, database, handlers, middleware,
+                            # rooms, routes, internal/webhook-cleanup.ts
+
+packages/
+├── audit/                  # @sim/audit — recordAudit + AuditAction + AuditResourceType
+├── auth/                   # @sim/auth — @sim/auth/verify (shared Better Auth verifier)
+├── db/                     # @sim/db — drizzle schema + client
+├── logger/                 # @sim/logger
+├── realtime-protocol/      # @sim/realtime-protocol — socket operation constants + zod schemas
+├── security/               # @sim/security — safeCompare
+├── tsconfig/               # shared tsconfig presets
+├── utils/                  # @sim/utils
+├── workflow-authz/         # @sim/workflow-authz — authorizeWorkflowByWorkspacePermission
+├── workflow-persistence/   # @sim/workflow-persistence — raw load/save + subflow helpers
+└── workflow-types/         # @sim/workflow-types — pure BlockState/Loop/Parallel/... types
 ```
 
+### Package boundaries
+- `apps/* → packages/*` only. Packages never import from `apps/*`.
+- Each package has explicit subpath `exports` maps; no barrels that accidentally pull in heavy halves.
+- `apps/realtime` intentionally avoids Next.js, React, the block/tool registry, provider SDKs, and the executor. CI enforces this via `scripts/check-monorepo-boundaries.ts` and `scripts/check-realtime-prune-graph.ts`.
+- Auth is shared across services via the Better Auth "Shared Database Session" pattern: both apps read the same `BETTER_AUTH_SECRET` and point at the same DB via `@sim/db`.
+
 ### Naming Conventions
 - Components: PascalCase (`WorkflowList`)
 - Hooks: `use` prefix (`useWorkflowOperations`)
 
@@ -0,0 +1,30 @@
+# Environment variables required by the @sim/realtime (Socket.IO) server.
+# These MUST match the corresponding values in apps/sim/.env for auth to work.
+# See apps/realtime/src/env.ts for the full zod schema.
+
+# Core
+NODE_ENV=development
+PORT=3002
+
+# Database — must point at the same Postgres as the main app
+DATABASE_URL=postgresql://postgres:postgres@localhost:5432/simstudio
+
+# Auth — shared with apps/sim (Better Auth "Shared Database Session" pattern)
+BETTER_AUTH_URL=http://localhost:3000
+BETTER_AUTH_SECRET=your_better_auth_secret_min_32_chars
+
+# Internal RPC — shared with apps/sim
+INTERNAL_API_SECRET=your_internal_api_secret_min_32_chars
+
+# Public app URL — used for CORS allow-list and base URL resolution
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# Optional: Redis for cross-pod room management
+# Leave unset for single-pod / in-memory rooms
+# REDIS_URL=redis://localhost:6379
+
+# Optional: extra Socket.IO CORS allow-list (comma-separated)
+# ALLOWED_ORIGINS=https://embed.example.com,https://admin.example.com
+
+# Optional: disable auth entirely for trusted private networks
+# DISABLE_AUTH=true
@@ -0,0 +1,48 @@
+{
+  "name": "@sim/realtime",
+  "version": "0.1.0",
+  "private": true,
+  "license": "Apache-2.0",
+  "type": "module",
+  "engines": {
+    "bun": ">=1.2.13",
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "dev": "bun --watch src/index.ts",
+    "start": "bun src/index.ts",
+    "type-check": "tsc --noEmit",
+    "lint": "biome check --write --unsafe .",
+    "lint:check": "biome check .",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@sim/audit": "workspace:*",
+    "@sim/auth": "workspace:*",
+    "@sim/db": "workspace:*",
+    "@sim/logger": "workspace:*",
+    "@sim/realtime-protocol": "workspace:*",
+    "@sim/security": "workspace:*",
+    "@sim/utils": "workspace:*",
+    "@sim/workflow-authz": "workspace:*",
+    "@sim/workflow-persistence": "workspace:*",
+    "@sim/workflow-types": "workspace:*",
+    "@socket.io/redis-adapter": "8.3.0",
+    "drizzle-orm": "^0.45.2",
+    "postgres": "^3.4.5",
+    "redis": "5.10.0",
+    "socket.io": "^4.8.1",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@sim/testing": "workspace:*",
+    "@sim/tsconfig": "workspace:*",
+    "@types/node": "24.2.1",
+    "socket.io-client": "4.8.1",
+    "typescript": "^5.7.3",
+    "vitest": "^3.0.8"
+  }
+}
@@ -0,0 +1,17 @@
+import { createVerifyAuth } from '@sim/auth/verify'
+import { env } from '@/env'
+
+export const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000'
+
+export const ANONYMOUS_USER = {
+  id: ANONYMOUS_USER_ID,
+  name: 'Anonymous',
+  email: 'anonymous@localhost',
+  emailVerified: true,
+  image: null,
+} as const
+
+export const auth = createVerifyAuth({
+  secret: env.BETTER_AUTH_SECRET,
+  baseURL: env.BETTER_AUTH_URL,
+})
@@ -3,9 +3,7 @@ import { createLogger } from '@sim/logger'
 import { createAdapter } from '@socket.io/redis-adapter'
 import { createClient, type RedisClientType } from 'redis'
 import { Server } from 'socket.io'
-import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/feature-flags'
-import { getBaseUrl } from '@/lib/core/utils/urls'
+import { env, getBaseUrl, isProd } from '@/env'
 
 const logger = createLogger('SocketIOConfig')
 
 
@@ -1,15 +1,7 @@
+import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import * as schema from '@sim/db'
-import { webhook, workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@sim/db'
+import { workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray, isNull, or, sql } from 'drizzle-orm'
-import { drizzle } from 'drizzle-orm/postgres-js'
-import postgres from 'postgres'
-import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { env } from '@/lib/core/config/env'
-import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
-import { getActiveWorkflowContext } from '@/lib/workflows/active-context'
-import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { mergeSubBlockValues } from '@/lib/workflows/subblocks'
 import {
   BLOCK_OPERATIONS,
   BLOCKS_OPERATIONS,
@@ -19,7 +11,14 @@ import {
   SUBFLOW_OPERATIONS,
   VARIABLE_OPERATIONS,
   WORKFLOW_OPERATIONS,
-} from '@/socket/constants'
+} from '@sim/realtime-protocol/constants'
+import { getActiveWorkflowContext } from '@sim/workflow-authz'
+import { loadWorkflowFromNormalizedTablesRaw } from '@sim/workflow-persistence/load'
+import { mergeSubBlockValues } from '@sim/workflow-persistence/subblocks'
+import { and, eq, inArray, isNull, or, sql } from 'drizzle-orm'
+import { drizzle } from 'drizzle-orm/postgres-js'
+import postgres from 'postgres'
+import { env } from '@/env'
 
 const logger = createLogger('SocketDatabase')
 
@@ -182,7 +181,7 @@ export async function getWorkflowState(workflowId: string) {
       throw new Error(`Workflow ${workflowId} not found`)
     }
 
-    const normalizedData = await loadWorkflowFromNormalizedTables(workflowId)
+    const normalizedData = await loadWorkflowFromNormalizedTablesRaw(workflowId)
 
     if (normalizedData) {
       const finalState = {
@@ -915,30 +914,10 @@ async function handleBlocksOperationTx(
         }
       }
 
-      // Clean up external webhooks
-      const webhooksToCleanup = await tx
-        .select({
-          webhook: webhook,
-          workflow: {
-            id: workflow.id,
-            userId: workflow.userId,
-            workspaceId: workflow.workspaceId,
-          },
-        })
-        .from(webhook)
-        .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
-        .where(and(eq(webhook.workflowId, workflowId), inArray(webhook.blockId, blockIdsArray)))
-
-      if (webhooksToCleanup.length > 0) {
-        const requestId = `socket-batch-${workflowId}-${Date.now()}`
-        for (const { webhook: wh, workflow: wf } of webhooksToCleanup) {
-          try {
-            await cleanupExternalWebhook(wh, wf, requestId)
-          } catch (error) {
-            logger.error(`Failed to cleanup webhook ${wh.id}:`, error)
-          }
-        }
-      }
+      // Webhook rows are only created at deploy time (saveTriggerWebhooksForDeploy in
+      // lib/webhooks/deploy.ts) with deploymentVersionId set; their external-subscription
+      // lifecycle is managed by deploy.ts, lifecycle.ts, and the /api/webhooks/[id] route.
+      // Removing a trigger block from the draft canvas does not touch any webhook rows.
 
       // Delete edges connected to any of the blocks
       await tx