feat(registration): allow self-hosted users to disable registration altogether (#2365)

* feat(registration): allow self-hosted users to disable registration altogether * updated tests * fix build
2026-01-09 15:07:55 -05:00 · 2025-12-13 17:34:53 -08:00
parent 746ff68a2e
commit 95b9ca4670
66 changed files with 332 additions and 154 deletions
--- a/apps/sim/.env.example
+++ b/apps/sim/.env.example
@@ -4,10 +4,13 @@ DATABASE_URL="postgresql://postgres:password@localhost:5432/postgres"
 # PostgreSQL Port (Optional) - defaults to 5432 if not specified
 # POSTGRES_PORT=5432
-# Authentication (Required)
+# Authentication (Required unless DISABLE_AUTH=true)
 BETTER_AUTH_SECRET=your_secret_key  # Use `openssl rand -hex 32` to generate, or visit https://www.better-auth.com/docs/installation
 BETTER_AUTH_URL=http://localhost:3000
 # Authentication Bypass (Optional - for self-hosted deployments behind private networks)
 # DISABLE_AUTH=true  # Uncomment to bypass authentication entirely. Creates an anonymous session for all requests.
 # NextJS (Required)
 NEXT_PUBLIC_APP_URL=http://localhost:3000
--- a/apps/sim/app/(auth)/components/oauth-provider-checker.tsx
+++ b/apps/sim/app/(auth)/components/oauth-provider-checker.tsx
@@ -1,7 +1,7 @@
 'use server'
 import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 export async function getOAuthProviderStatus() {
  const githubAvailable = !!(env.GITHUB_CLIENT_ID && env.GITHUB_CLIENT_SECRET)
--- a/apps/sim/app/(auth)/login/page.tsx
+++ b/apps/sim/app/(auth)/login/page.tsx
@@ -1,7 +1,6 @@
 import { getOAuthProviderStatus } from '@/app/(auth)/components/oauth-provider-checker'
 import LoginForm from '@/app/(auth)/login/login-form'
 // Force dynamic rendering to avoid prerender errors with search params
 export const dynamic = 'force-dynamic'
 export default async function LoginPage() {
--- a/apps/sim/app/(auth)/signup/page.tsx
+++ b/apps/sim/app/(auth)/signup/page.tsx
@@ -1,16 +1,16 @@
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isRegistrationDisabled } from '@/lib/core/config/feature-flags'
 import { getOAuthProviderStatus } from '@/app/(auth)/components/oauth-provider-checker'
 import SignupForm from '@/app/(auth)/signup/signup-form'
 export const dynamic = 'force-dynamic'
 export default async function SignupPage() {
-  const { githubAvailable, googleAvailable, isProduction } = await getOAuthProviderStatus()
+  if (isRegistrationDisabled) {
  if (isTruthy(env.DISABLE_REGISTRATION)) {
    return <div>Registration is disabled, please contact your admin.</div>
  }
  const { githubAvailable, googleAvailable, isProduction } = await getOAuthProviderStatus()
  return (
    <SignupForm
      githubAvailable={githubAvailable}
--- a/apps/sim/app/(auth)/verify/page.tsx
+++ b/apps/sim/app/(auth)/verify/page.tsx
@@ -1,4 +1,4 @@
-import { isEmailVerificationEnabled, isProd } from '@/lib/core/config/environment'
+import { isEmailVerificationEnabled, isProd } from '@/lib/core/config/feature-flags'
 import { hasEmailService } from '@/lib/messaging/email/mailer'
 import { VerifyContent } from '@/app/(auth)/verify/verify-content'
--- a/apps/sim/app/(landing)/careers/page.tsx
+++ b/apps/sim/app/(landing)/careers/page.tsx
@@ -13,7 +13,7 @@ import {
  SelectValue,
 } from '@/components/ui/select'
 import { Textarea } from '@/components/ui/textarea'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { createLogger } from '@/lib/logs/console/logger'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
--- a/apps/sim/app/(landing)/components/legal-layout.tsx
+++ b/apps/sim/app/(landing)/components/legal-layout.tsx
@@ -1,6 +1,6 @@
 'use client'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import Footer from '@/app/(landing)/components/footer/footer'
 import Nav from '@/app/(landing)/components/nav/nav'
--- a/apps/sim/app/(landing)/components/nav/nav.tsx
+++ b/apps/sim/app/(landing)/components/nav/nav.tsx
@@ -7,7 +7,7 @@ import Link from 'next/link'
 import { useRouter } from 'next/navigation'
 import { GithubIcon } from '@/components/icons'
 import { useBrandConfig } from '@/lib/branding/branding'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import { soehne } from '@/app/_styles/fonts/soehne/soehne'
 import { getFormattedGitHubStars } from '@/app/(landing)/actions/github'
--- a/apps/sim/app/api/auth/[...all]/route.ts
+++ b/apps/sim/app/api/auth/[...all]/route.ts
@@ -1,6 +1,23 @@
 import { toNextJsHandler } from 'better-auth/next-js'
 import { type NextRequest, NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
 import { createAnonymousSession, ensureAnonymousUserExists } from '@/lib/auth/anonymous'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 export const dynamic = 'force-dynamic'
-export const { GET, POST } = toNextJsHandler(auth.handler)
+const { GET: betterAuthGET, POST: betterAuthPOST } = toNextJsHandler(auth.handler)
 export async function GET(request: NextRequest) {
  const url = new URL(request.url)
  const path = url.pathname.replace('/api/auth/', '')
  if (path === 'get-session' && isAuthDisabled) {
    await ensureAnonymousUserExists()
    return NextResponse.json(createAnonymousSession())
  }
  return betterAuthGET(request)
 }
 export const POST = betterAuthPOST
--- a/apps/sim/app/api/auth/socket-token/route.ts
+++ b/apps/sim/app/api/auth/socket-token/route.ts
@@ -1,9 +1,14 @@
 import { headers } from 'next/headers'
 import { NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 export async function POST() {
  try {
    if (isAuthDisabled) {
      return NextResponse.json({ token: 'anonymous-socket-token' })
    }
    const hdrs = await headers()
    const response = await auth.api.generateOneTimeToken({
      headers: hdrs,
--- a/apps/sim/app/api/auth/sso/providers/route.ts
+++ b/apps/sim/app/api/auth/sso/providers/route.ts
@@ -1,14 +1,14 @@
 import { db, ssoProvider } from '@sim/db'
 import { eq } from 'drizzle-orm'
-import { type NextRequest, NextResponse } from 'next/server'
+import { NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('SSO-Providers')
-export async function GET(req: NextRequest) {
+export async function GET() {
  try {
-    const session = await auth.api.getSession({ headers: req.headers })
+    const session = await getSession()
    let providers
    if (session?.user?.id) {
@@ -38,8 +38,6 @@ export async function GET(req: NextRequest) {
                : ('oidc' as 'oidc' | 'saml'),
      }))
    } else {
      // Unauthenticated users can only see basic info (domain only)
      // This is needed for SSO login flow to check if a domain has SSO enabled
      const results = await db
        .select({
          domain: ssoProvider.domain,
--- a/apps/sim/app/api/billing/update-cost/route.ts
+++ b/apps/sim/app/api/billing/update-cost/route.ts
@@ -5,7 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkAndBillOverageThreshold } from '@/lib/billing/threshold-billing'
 import { checkInternalApiKey } from '@/lib/copilot/utils'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/app/api/chat/manage/[id]/route.test.ts
+++ b/apps/sim/app/api/chat/manage/[id]/route.test.ts
@@ -6,6 +6,12 @@ import { NextRequest } from 'next/server'
 */
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 vi.mock('@/lib/core/config/feature-flags', () => ({
  isDev: true,
  isHosted: false,
  isProd: false,
 }))
 describe('Chat Edit API Route', () => {
  const mockSelect = vi.fn()
  const mockFrom = vi.fn()
@@ -24,7 +30,6 @@ describe('Chat Edit API Route', () => {
  beforeEach(() => {
    vi.resetModules()
    // Set default return values
    mockLimit.mockResolvedValue([])
    mockSelect.mockReturnValue({ from: mockFrom })
    mockFrom.mockReturnValue({ where: mockWhere })
@@ -77,10 +82,6 @@ describe('Chat Edit API Route', () => {
      getEmailDomain: vi.fn().mockReturnValue('localhost:3000'),
    }))
    vi.doMock('@/lib/core/config/environment', () => ({
      isDev: true,
    }))
    vi.doMock('@/app/api/chat/utils', () => ({
      checkChatAccess: mockCheckChatAccess,
    }))
@@ -254,7 +255,6 @@ describe('Chat Edit API Route', () => {
      mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
      // Reset and reconfigure mockLimit to return the conflict
      mockLimit.mockReset()
      mockLimit.mockResolvedValue([{ id: 'other-chat-id', identifier: 'new-identifier' }])
      mockWhere.mockReturnValue({ limit: mockLimit })
@@ -291,7 +291,7 @@ describe('Chat Edit API Route', () => {
      const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
        method: 'PATCH',
-        body: JSON.stringify({ authType: 'password' }), // No password provided
+        body: JSON.stringify({ authType: 'password' }),
      })
      const { PATCH } = await import('@/app/api/chat/manage/[id]/route')
      const response = await PATCH(req, { params: Promise.resolve({ id: 'chat-123' }) })
@@ -316,9 +316,8 @@ describe('Chat Edit API Route', () => {
        workflowId: 'workflow-123',
      }
      // User doesn't own chat but has workspace admin access
      mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
-      mockLimit.mockResolvedValueOnce([]) // No identifier conflict
+      mockLimit.mockResolvedValueOnce([])
      const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
        method: 'PATCH',
@@ -399,7 +398,6 @@ describe('Chat Edit API Route', () => {
        }),
      }))
      // User doesn't own chat but has workspace admin access
      mockCheckChatAccess.mockResolvedValue({ hasAccess: true })
      mockWhere.mockResolvedValue(undefined)
--- a/apps/sim/app/api/chat/manage/[id]/route.ts
+++ b/apps/sim/app/api/chat/manage/[id]/route.ts
@@ -4,7 +4,7 @@ import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getEmailDomain } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/app/api/chat/route.ts
+++ b/apps/sim/app/api/chat/route.ts
@@ -5,7 +5,7 @@ import type { NextRequest } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/app/api/chat/utils.test.ts
+++ b/apps/sim/app/api/chat/utils.test.ts
@@ -44,6 +44,12 @@ vi.mock('@/lib/core/utils/request', () => ({
  generateRequestId: vi.fn(),
 }))
 vi.mock('@/lib/core/config/feature-flags', () => ({
  isDev: true,
  isHosted: false,
  isProd: false,
 }))
 describe('Chat API Utils', () => {
  beforeEach(() => {
    vi.doMock('@/lib/logs/console/logger', () => ({
@@ -62,11 +68,6 @@ describe('Chat API Utils', () => {
        NODE_ENV: 'development',
      },
    })
    vi.doMock('@/lib/core/config/environment', () => ({
      isDev: true,
      isHosted: false,
    }))
  })
  afterEach(() => {
--- a/apps/sim/app/api/chat/utils.ts
+++ b/apps/sim/app/api/chat/utils.ts
@@ -3,7 +3,7 @@ import { db } from '@sim/db'
 import { chat, workflow } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import type { NextRequest, NextResponse } from 'next/server'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { decryptSecret } from '@/lib/core/security/encryption'
 import { createLogger } from '@/lib/logs/console/logger'
 import { hasAdminPermission } from '@/lib/workspaces/permissions/utils'
@@ -282,8 +282,8 @@ export async function validateChatAuth(
        return { authorized: false, error: 'Email not authorized for SSO access' }
      }
-      const { auth } = await import('@/lib/auth')
+      const { getSession } = await import('@/lib/auth')
-      const session = await auth.api.getSession({ headers: request.headers })
+      const session = await getSession()
      if (!session || !session.user) {
        return { authorized: false, error: 'auth_required_sso' }
--- a/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
+++ b/apps/sim/app/api/copilot/auto-allowed-tools/route.ts
@@ -2,7 +2,7 @@ import { db } from '@sim/db'
 import { settings } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('CopilotAutoAllowedToolsAPI')
@@ -10,9 +10,9 @@ const logger = createLogger('CopilotAutoAllowedToolsAPI')
 /**
 * GET - Fetch user's auto-allowed integration tools
 */
-export async function GET(request: NextRequest) {
+export async function GET() {
  try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -31,7 +31,6 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ autoAllowedTools })
    }
    // If no settings record exists, create one with empty array
    await db.insert(settings).values({
      id: userId,
      userId,
@@ -50,7 +49,7 @@ export async function GET(request: NextRequest) {
 */
 export async function POST(request: NextRequest) {
  try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -65,13 +64,11 @@ export async function POST(request: NextRequest) {
    const toolId = body.toolId
    // Get existing settings
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      const currentTools = (existing.copilotAutoAllowedTools as string[]) || []
      // Add tool if not already present
      if (!currentTools.includes(toolId)) {
        const updatedTools = [...currentTools, toolId]
        await db
@@ -89,7 +86,6 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ success: true, autoAllowedTools: currentTools })
    }
    // Create new settings record with the tool
    await db.insert(settings).values({
      id: userId,
      userId,
@@ -109,7 +105,7 @@ export async function POST(request: NextRequest) {
 */
 export async function DELETE(request: NextRequest) {
  try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -123,7 +119,6 @@ export async function DELETE(request: NextRequest) {
      return NextResponse.json({ error: 'toolId query parameter is required' }, { status: 400 })
    }
    // Get existing settings
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
--- a/apps/sim/app/api/copilot/user-models/route.ts
+++ b/apps/sim/app/api/copilot/user-models/route.ts
@@ -1,6 +1,6 @@
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { auth } from '@/lib/auth'
+import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
 import { db } from '@/../../packages/db'
 import { settings } from '@/../../packages/db/schema'
@@ -32,7 +32,7 @@ const DEFAULT_ENABLED_MODELS: Record<string, boolean> = {
 // GET - Fetch user's enabled models
 export async function GET(request: NextRequest) {
  try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -40,7 +40,6 @@ export async function GET(request: NextRequest) {
    const userId = session.user.id
    // Try to fetch existing settings record
    const [userSettings] = await db
      .select()
      .from(settings)
@@ -50,13 +49,11 @@ export async function GET(request: NextRequest) {
    if (userSettings) {
      const userModelsMap = (userSettings.copilotEnabledModels as Record<string, boolean>) || {}
      // Merge: start with defaults, then override with user's existing preferences
      const mergedModels = { ...DEFAULT_ENABLED_MODELS }
      for (const [modelId, enabled] of Object.entries(userModelsMap)) {
        mergedModels[modelId] = enabled
      }
      // If we added any new models, update the database
      const hasNewModels = Object.keys(DEFAULT_ENABLED_MODELS).some(
        (key) => !(key in userModelsMap)
      )
@@ -76,7 +73,6 @@ export async function GET(request: NextRequest) {
      })
    }
    // If no settings record exists, create one with defaults
    await db.insert(settings).values({
      id: userId,
      userId,
@@ -97,7 +93,7 @@ export async function GET(request: NextRequest) {
 // PUT - Update user's enabled models
 export async function PUT(request: NextRequest) {
  try {
-    const session = await auth.api.getSession({ headers: request.headers })
+    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -110,11 +106,9 @@ export async function PUT(request: NextRequest) {
      return NextResponse.json({ error: 'enabledModels must be an object' }, { status: 400 })
    }
    // Check if settings record exists
    const [existing] = await db.select().from(settings).where(eq(settings.userId, userId)).limit(1)
    if (existing) {
      // Update existing record
      await db
        .update(settings)
        .set({
@@ -123,7 +117,6 @@ export async function PUT(request: NextRequest) {
        })
        .where(eq(settings.userId, userId))
    } else {
      // Create new settings record
      await db.insert(settings).values({
        id: userId,
        userId,
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,6 +1,6 @@
 import { createContext, Script } from 'vm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { validateProxyUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -701,7 +701,6 @@ export async function POST(req: NextRequest) {
    resolvedCode = codeResolution.resolvedCode
    const contextVariables = codeResolution.contextVariables
    const e2bEnabled = isTruthy(env.E2B_ENABLED)
    const lang = isValidCodeLanguage(language) ? language : DEFAULT_CODE_LANGUAGE
    // Extract imports once for JavaScript code (reuse later to avoid double extraction)
@@ -722,14 +721,14 @@ export async function POST(req: NextRequest) {
    }
    // Python always requires E2B
-    if (lang === CodeLanguage.Python && !e2bEnabled) {
+    if (lang === CodeLanguage.Python && !isE2bEnabled) {
      throw new Error(
        'Python execution requires E2B to be enabled. Please contact your administrator to enable E2B, or use JavaScript instead.'
      )
    }
    // JavaScript with imports requires E2B
-    if (lang === CodeLanguage.JavaScript && hasImports && !e2bEnabled) {
+    if (lang === CodeLanguage.JavaScript && hasImports && !isE2bEnabled) {
      throw new Error(
        'JavaScript code with import statements requires E2B to be enabled. Please remove the import statements, or contact your administrator to enable E2B.'
      )
@@ -740,13 +739,13 @@ export async function POST(req: NextRequest) {
    // - Not a custom tool AND
    // - (Python OR JavaScript with imports)
    const useE2B =
-      e2bEnabled &&
+      isE2bEnabled &&
      !isCustomTool &&
      (lang === CodeLanguage.Python || (lang === CodeLanguage.JavaScript && hasImports))
    if (useE2B) {
      logger.info(`[${requestId}] E2B status`, {
-        enabled: e2bEnabled,
+        enabled: isE2bEnabled,
        hasApiKey: Boolean(process.env.E2B_API_KEY),
        language: lang,
      })
--- a/apps/sim/app/api/organizations/[id]/seats/route.ts
+++ b/apps/sim/app/api/organizations/[id]/seats/route.ts
@@ -6,7 +6,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { getPlanPricing } from '@/lib/billing/core/billing'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('OrganizationSeatsAPI')
--- a/apps/sim/app/api/proxy/route.ts
+++ b/apps/sim/app/api/proxy/route.ts
@@ -3,7 +3,7 @@ import { NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateInternalToken } from '@/lib/auth/internal'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { createPinnedUrl, validateUrlWithDNS } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
--- a/apps/sim/app/api/schedules/execute/route.test.ts
+++ b/apps/sim/app/api/schedules/execute/route.test.ts
@@ -42,11 +42,11 @@ describe('Scheduled Workflow Execution API Route', () => {
      executeScheduleJob: mockExecuteScheduleJob,
    }))
-    vi.doMock('@/lib/core/config/env', () => ({
+    vi.doMock('@/lib/core/config/feature-flags', () => ({
-      env: {
+      isTriggerDevEnabled: false,
-        TRIGGER_DEV_ENABLED: false,
+      isHosted: false,
-      },
+      isProd: false,
-      isTruthy: vi.fn(() => false),
+      isDev: true,
    }))
    vi.doMock('drizzle-orm', () => ({
@@ -119,11 +119,11 @@ describe('Scheduled Workflow Execution API Route', () => {
      },
    }))
-    vi.doMock('@/lib/core/config/env', () => ({
+    vi.doMock('@/lib/core/config/feature-flags', () => ({
-      env: {
+      isTriggerDevEnabled: true,
-        TRIGGER_DEV_ENABLED: true,
+      isHosted: false,
-      },
+      isProd: false,
-      isTruthy: vi.fn(() => true),
+      isDev: true,
    }))
    vi.doMock('drizzle-orm', () => ({
@@ -191,11 +191,11 @@ describe('Scheduled Workflow Execution API Route', () => {
      executeScheduleJob: vi.fn().mockResolvedValue(undefined),
    }))
-    vi.doMock('@/lib/core/config/env', () => ({
+    vi.doMock('@/lib/core/config/feature-flags', () => ({
-      env: {
+      isTriggerDevEnabled: false,
-        TRIGGER_DEV_ENABLED: false,
+      isHosted: false,
-      },
+      isProd: false,
-      isTruthy: vi.fn(() => false),
+      isDev: true,
    }))
    vi.doMock('drizzle-orm', () => ({
@@ -250,11 +250,11 @@ describe('Scheduled Workflow Execution API Route', () => {
      executeScheduleJob: vi.fn().mockResolvedValue(undefined),
    }))
-    vi.doMock('@/lib/core/config/env', () => ({
+    vi.doMock('@/lib/core/config/feature-flags', () => ({
-      env: {
+      isTriggerDevEnabled: false,
-        TRIGGER_DEV_ENABLED: false,
+      isHosted: false,
-      },
+      isProd: false,
-      isTruthy: vi.fn(() => false),
+      isDev: true,
    }))
    vi.doMock('drizzle-orm', () => ({
--- a/apps/sim/app/api/schedules/execute/route.ts
+++ b/apps/sim/app/api/schedules/execute/route.ts
@@ -3,7 +3,7 @@ import { tasks } from '@trigger.dev/sdk'
 import { and, eq, isNull, lt, lte, not, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { verifyCronAuth } from '@/lib/auth/internal'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { executeScheduleJob } from '@/background/schedule-execution'
@@ -54,9 +54,7 @@ export async function GET(request: NextRequest) {
    logger.debug(`[${requestId}] Successfully queried schedules: ${dueSchedules.length} found`)
    logger.info(`[${requestId}] Processing ${dueSchedules.length} due scheduled workflows`)
-    const useTrigger = isTruthy(env.TRIGGER_DEV_ENABLED)
+    if (isTriggerDevEnabled) {
    if (useTrigger) {
      const triggerPromises = dueSchedules.map(async (schedule) => {
        const queueTime = schedule.lastQueuedAt ?? queuedAt
--- a/apps/sim/app/api/telemetry/route.ts
+++ b/apps/sim/app/api/telemetry/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('TelemetryAPI')
--- a/apps/sim/app/api/v1/auth.ts
+++ b/apps/sim/app/api/v1/auth.ts
@@ -1,5 +1,7 @@
 import type { NextRequest } from 'next/server'
 import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
 import { ANONYMOUS_USER_ID } from '@/lib/auth/constants'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('V1Auth')
@@ -13,6 +15,14 @@ export interface AuthResult {
 }
 export async function authenticateV1Request(request: NextRequest): Promise<AuthResult> {
  if (isAuthDisabled) {
    return {
      authenticated: true,
      userId: ANONYMOUS_USER_ID,
      keyType: 'personal',
    }
  }
  const apiKey = request.headers.get('x-api-key')
  if (!apiKey) {
--- a/apps/sim/app/api/wand/route.ts
+++ b/apps/sim/app/api/wand/route.ts
@@ -5,7 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import OpenAI, { AzureOpenAI } from 'openai'
 import { checkAndBillOverageThreshold } from '@/lib/billing/threshold-billing'
 import { env } from '@/lib/core/config/env'
-import { getCostMultiplier, isBillingEnabled } from '@/lib/core/config/environment'
+import { getCostMultiplier, isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { getModelPricing } from '@/providers/utils'
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -3,7 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { validate as uuidValidate, v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -236,9 +236,8 @@ type AsyncExecutionParams = {
 */
 async function handleAsyncExecution(params: AsyncExecutionParams): Promise<NextResponse> {
  const { requestId, workflowId, userId, input, triggerType } = params
  const useTrigger = isTruthy(env.TRIGGER_DEV_ENABLED)
-  if (!useTrigger) {
+  if (!isTriggerDevEnabled) {
    logger.warn(`[${requestId}] Async mode requested but TRIGGER_DEV_ENABLED is false`)
    return NextResponse.json(
      { error: 'Async execution is not enabled. Set TRIGGER_DEV_ENABLED=true to use async mode.' },
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/general/general.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/general/general.tsx
@@ -16,6 +16,7 @@ import {
 } from '@/components/emcn'
 import { Input, Skeleton } from '@/components/ui'
 import { signOut, useSession } from '@/lib/auth/auth-client'
 import { ANONYMOUS_USER_ID } from '@/lib/auth/constants'
 import { useBrandConfig } from '@/lib/branding/branding'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -59,6 +60,7 @@ export function General({ onOpenChange }: GeneralProps) {
  const isLoading = isProfileLoading || isSettingsLoading
  const isTrainingEnabled = isTruthy(getEnv('NEXT_PUBLIC_COPILOT_TRAINING_ENABLED'))
  const isAuthDisabled = session?.user?.id === ANONYMOUS_USER_ID
  const [isSuperUser, setIsSuperUser] = useState(false)
  const [loadingSuperUser, setLoadingSuperUser] = useState(true)
@@ -461,10 +463,12 @@ export function General({ onOpenChange }: GeneralProps) {
        </div>
      )}
-      <div className='mt-auto flex items-center gap-[8px]'>
+      {!isAuthDisabled && (
-        <Button onClick={handleSignOut}>Sign out</Button>
+        <div className='mt-auto flex items-center gap-[8px]'>
-        <Button onClick={() => setShowResetPasswordModal(true)}>Reset password</Button>
+          <Button onClick={handleSignOut}>Sign out</Button>
-      </div>
+          <Button onClick={() => setShowResetPasswordModal(true)}>Reset password</Button>
        </div>
      )}
      {/* Password Reset Confirmation Modal */}
      <Modal open={showResetPasswordModal} onOpenChange={setShowResetPasswordModal}>
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/sso/sso.tsx
@@ -6,7 +6,7 @@ import { Button, Combobox, Input, Switch, Textarea } from '@/components/emcn'
 import { Skeleton } from '@/components/ui'
 import { useSession } from '@/lib/auth/auth-client'
 import { getSubscriptionStatus } from '@/lib/billing/client/utils'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -26,7 +26,7 @@ import { McpIcon } from '@/components/icons'
 import { useSession } from '@/lib/auth/auth-client'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { getUserRole } from '@/lib/workspaces/organization'
 import {
  ApiKeys,
--- a/apps/sim/blocks/blocks/agent.ts
+++ b/apps/sim/blocks/blocks/agent.ts
@@ -1,5 +1,5 @@
 import { AgentIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode } from '@/blocks/types'
--- a/apps/sim/blocks/blocks/evaluator.ts
+++ b/apps/sim/blocks/blocks/evaluator.ts
@@ -1,5 +1,5 @@
 import { ChartBarIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import type { BlockConfig, ParamType } from '@/blocks/types'
 import type { ProviderId } from '@/providers/types'
--- a/apps/sim/blocks/blocks/guardrails.ts
+++ b/apps/sim/blocks/blocks/guardrails.ts
@@ -1,5 +1,5 @@
 import { ShieldCheckIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import type { BlockConfig } from '@/blocks/types'
 import { getHostedModels, getProviderIcon } from '@/providers/utils'
 import { useProvidersStore } from '@/stores/providers/store'
--- a/apps/sim/blocks/blocks/router.ts
+++ b/apps/sim/blocks/blocks/router.ts
@@ -1,5 +1,5 @@
 import { ConnectIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { AuthMode, type BlockConfig } from '@/blocks/types'
 import type { ProviderId } from '@/providers/types'
 import {
--- a/apps/sim/blocks/blocks/translate.ts
+++ b/apps/sim/blocks/blocks/translate.ts
@@ -1,5 +1,5 @@
 import { TranslateIcon } from '@/components/icons'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { AuthMode, type BlockConfig } from '@/blocks/types'
 import { getHostedModels, getProviderIcon, providers } from '@/providers/utils'
 import { useProvidersStore } from '@/stores/providers/store'
--- a/apps/sim/components/emails/footer.tsx
+++ b/apps/sim/components/emails/footer.tsx
@@ -1,6 +1,6 @@
 import { Container, Img, Link, Section, Text } from '@react-email/components'
 import { getBrandConfig } from '@/lib/branding/branding'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 interface UnsubscribeOptions {
--- a/apps/sim/executor/handlers/agent/agent-handler.test.ts
+++ b/apps/sim/executor/handlers/agent/agent-handler.test.ts
@@ -1,5 +1,4 @@
 import { afterEach, beforeEach, describe, expect, it, type Mock, vi } from 'vitest'
 import { isHosted } from '@/lib/core/config/environment'
 import { getAllBlocks } from '@/blocks'
 import { BlockType } from '@/executor/constants'
 import { AgentBlockHandler } from '@/executor/handlers/agent/agent-handler'
@@ -11,11 +10,11 @@ import { executeTool } from '@/tools'
 process.env.NEXT_PUBLIC_APP_URL = 'http://localhost:3000'
-vi.mock('@/lib/core/config/environment', () => ({
+vi.mock('@/lib/core/config/feature-flags', () => ({
-  isHosted: vi.fn().mockReturnValue(false),
+  isHosted: false,
-  isProd: vi.fn().mockReturnValue(false),
+  isProd: false,
-  isDev: vi.fn().mockReturnValue(true),
+  isDev: true,
-  isTest: vi.fn().mockReturnValue(false),
+  isTest: false,
  getCostMultiplier: vi.fn().mockReturnValue(1),
  isEmailVerificationEnabled: false,
  isBillingEnabled: false,
@@ -65,7 +64,6 @@ global.fetch = Object.assign(vi.fn(), { preconnect: vi.fn() }) as typeof fetch
 const mockGetAllBlocks = getAllBlocks as Mock
 const mockExecuteTool = executeTool as Mock
 const mockIsHosted = isHosted as unknown as Mock
 const mockGetProviderFromModel = getProviderFromModel as Mock
 const mockTransformBlockTool = transformBlockTool as Mock
 const mockFetch = global.fetch as unknown as Mock
@@ -120,7 +118,6 @@ describe('AgentBlockHandler', () => {
        loops: {},
      } as SerializedWorkflow,
    }
    mockIsHosted.mockReturnValue(false)
    mockGetProviderFromModel.mockReturnValue('mock-provider')
    mockFetch.mockImplementation(() => {
@@ -552,8 +549,6 @@ describe('AgentBlockHandler', () => {
    })
    it('should not require API key for gpt-4o on hosted version', async () => {
      mockIsHosted.mockReturnValue(true)
      const inputs = {
        model: 'gpt-4o',
        systemPrompt: 'You are a helpful assistant.',
--- a/apps/sim/hooks/queries/copilot-keys.ts
+++ b/apps/sim/hooks/queries/copilot-keys.ts
@@ -1,5 +1,5 @@
 import { keepPreviousData, useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('CopilotKeysQuery')
--- a/apps/sim/lib/auth/anonymous.ts
+++ b/apps/sim/lib/auth/anonymous.ts
@@ -0,0 +1,104 @@
 import { db } from '@sim/db'
 import * as schema from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import { createLogger } from '@/lib/logs/console/logger'
 import { ANONYMOUS_USER, ANONYMOUS_USER_ID } from './constants'
 const logger = createLogger('AnonymousAuth')
 let anonymousUserEnsured = false
 /**
 * Ensures the anonymous user and their stats record exist in the database.
 * Called when DISABLE_AUTH is enabled to ensure DB operations work.
 */
 export async function ensureAnonymousUserExists(): Promise<void> {
  if (anonymousUserEnsured) return
  try {
    const existingUser = await db.query.user.findFirst({
      where: eq(schema.user.id, ANONYMOUS_USER_ID),
    })
    if (!existingUser) {
      const now = new Date()
      await db.insert(schema.user).values({
        ...ANONYMOUS_USER,
        createdAt: now,
        updatedAt: now,
      })
      logger.info('Created anonymous user for DISABLE_AUTH mode')
    }
    const existingStats = await db.query.userStats.findFirst({
      where: eq(schema.userStats.userId, ANONYMOUS_USER_ID),
    })
    if (!existingStats) {
      await db.insert(schema.userStats).values({
        id: crypto.randomUUID(),
        userId: ANONYMOUS_USER_ID,
        currentUsageLimit: '10000000000',
      })
      logger.info('Created anonymous user stats for DISABLE_AUTH mode')
    }
    anonymousUserEnsured = true
  } catch (error) {
    if (
      error instanceof Error &&
      (error.message.includes('unique') || error.message.includes('duplicate'))
    ) {
      anonymousUserEnsured = true
      return
    }
    logger.error('Failed to ensure anonymous user exists', { error })
    throw error
  }
 }
 export interface AnonymousSession {
  user: {
    id: string
    name: string
    email: string
    emailVerified: boolean
    image: null
    createdAt: Date
    updatedAt: Date
  }
  session: {
    id: string
    userId: string
    expiresAt: Date
    createdAt: Date
    updatedAt: Date
    token: string
    ipAddress: null
    userAgent: null
  }
 }
 /**
 * Creates an anonymous session for when auth is disabled.
 */
 export function createAnonymousSession(): AnonymousSession {
  const now = new Date()
  return {
    user: {
      ...ANONYMOUS_USER,
      createdAt: now,
      updatedAt: now,
    },
    session: {
      id: 'anonymous-session',
      userId: ANONYMOUS_USER_ID,
      expiresAt: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000), // 1 year
      createdAt: now,
      updatedAt: now,
      token: 'anonymous-token',
      ipAddress: null,
      userAgent: null,
    },
  }
 }
--- a/apps/sim/lib/auth/auth-client.ts
+++ b/apps/sim/lib/auth/auth-client.ts
@@ -10,7 +10,7 @@ import {
 import { createAuthClient } from 'better-auth/react'
 import type { auth } from '@/lib/auth'
 import { env } from '@/lib/core/config/env'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { SessionContext, type SessionHookResult } from '@/app/_shell/providers/session-provider'
--- a/apps/sim/lib/auth/auth.ts
+++ b/apps/sim/lib/auth/auth.ts
@@ -38,13 +38,19 @@ import {
  handleSubscriptionCreated,
  handleSubscriptionDeleted,
 } from '@/lib/billing/webhooks/subscription'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { env } from '@/lib/core/config/env'
-import { isBillingEnabled, isEmailVerificationEnabled } from '@/lib/core/config/environment'
+import {
  isAuthDisabled,
  isBillingEnabled,
  isEmailVerificationEnabled,
  isRegistrationDisabled,
 } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
 import { SSO_TRUSTED_PROVIDERS } from './sso/constants'
 const logger = createLogger('Auth')
@@ -270,7 +276,7 @@ export const auth = betterAuth({
  },
  hooks: {
    before: createAuthMiddleware(async (ctx) => {
-      if (ctx.path.startsWith('/sign-up') && isTruthy(env.DISABLE_REGISTRATION))
+      if (ctx.path.startsWith('/sign-up') && isRegistrationDisabled)
        throw new Error('Registration is disabled, please contact your admin.')
      if (
@@ -2185,6 +2191,11 @@ export const auth = betterAuth({
 })
 export async function getSession() {
  if (isAuthDisabled) {
    await ensureAnonymousUserExists()
    return createAnonymousSession()
  }
  const hdrs = await headers()
  return await auth.api.getSession({
    headers: hdrs,
--- a/apps/sim/lib/auth/constants.ts
+++ b/apps/sim/lib/auth/constants.ts
@@ -0,0 +1,10 @@
 /** Anonymous user ID used when DISABLE_AUTH is enabled */
 export const ANONYMOUS_USER_ID = '00000000-0000-0000-0000-000000000000'
 export const ANONYMOUS_USER = {
  id: ANONYMOUS_USER_ID,
  name: 'Anonymous',
  email: 'anonymous@localhost',
  emailVerified: true,
  image: null,
 } as const
--- a/apps/sim/lib/auth/index.ts
+++ b/apps/sim/lib/auth/index.ts
@@ -1 +1,4 @@
 export type { AnonymousSession } from './anonymous'
 export { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
 export { auth, getSession, signIn, signUp } from './auth'
 export { ANONYMOUS_USER, ANONYMOUS_USER_ID } from './constants'
--- a/apps/sim/lib/billing/calculations/usage-monitor.ts
+++ b/apps/sim/lib/billing/calculations/usage-monitor.ts
@@ -2,7 +2,7 @@ import { db } from '@sim/db'
 import { member, organization, userStats } from '@sim/db/schema'
 import { and, eq, inArray } from 'drizzle-orm'
 import { getUserUsageLimit } from '@/lib/billing/core/usage'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('UsageMonitor')
--- a/apps/sim/lib/billing/core/subscription.ts
+++ b/apps/sim/lib/billing/core/subscription.ts
@@ -9,7 +9,7 @@ import {
  getPerUserMinimumLimit,
 } from '@/lib/billing/subscriptions/utils'
 import type { UserSubscriptionState } from '@/lib/billing/types'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/lib/billing/core/usage.ts
+++ b/apps/sim/lib/billing/core/usage.ts
@@ -14,7 +14,7 @@ import {
  getPlanPricing,
 } from '@/lib/billing/subscriptions/utils'
 import type { BillingData, UsageData, UsageLimitInfo } from '@/lib/billing/types'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
 import { sendEmail } from '@/lib/messaging/email/mailer'
--- a/apps/sim/lib/billing/storage/limits.ts
+++ b/apps/sim/lib/billing/storage/limits.ts
@@ -13,7 +13,7 @@ import {
 import { organization, subscription, userStats } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import { getEnv } from '@/lib/core/config/env'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('StorageLimits')
--- a/apps/sim/lib/billing/storage/tracking.ts
+++ b/apps/sim/lib/billing/storage/tracking.ts
@@ -7,7 +7,7 @@
 import { db } from '@sim/db'
 import { organization, userStats } from '@sim/db/schema'
 import { eq, sql } from 'drizzle-orm'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('StorageTracking')
--- a/apps/sim/lib/core/config/env.ts
+++ b/apps/sim/lib/core/config/env.ts
@@ -20,6 +20,7 @@ export const env = createEnv({
    BETTER_AUTH_URL:                       z.string().url(),                       // Base URL for Better Auth service
    BETTER_AUTH_SECRET:                    z.string().min(32),                     // Secret key for Better Auth JWT signing
    DISABLE_REGISTRATION:                  z.boolean().optional(),                 // Flag to disable new user registration
    DISABLE_AUTH:                          z.boolean().optional(),                 // Bypass authentication entirely (self-hosted only, creates anonymous session)
    ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
    ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
    ENCRYPTION_KEY:                        z.string().min(32),                     // Key for encrypting sensitive data
--- a/apps/sim/lib/core/config/feature-flags.ts
+++ b/apps/sim/lib/core/config/feature-flags.ts
@@ -35,6 +35,31 @@ export const isBillingEnabled = isTruthy(env.BILLING_ENABLED)
 */
 export const isEmailVerificationEnabled = isTruthy(env.EMAIL_VERIFICATION_ENABLED)
 /**
 * Is authentication disabled (for self-hosted deployments behind private networks)
 */
 export const isAuthDisabled = isTruthy(env.DISABLE_AUTH)
 /**
 * Is user registration disabled
 */
 export const isRegistrationDisabled = isTruthy(env.DISABLE_REGISTRATION)
 /**
 * Is Trigger.dev enabled for async job processing
 */
 export const isTriggerDevEnabled = isTruthy(env.TRIGGER_DEV_ENABLED)
 /**
 * Is SSO enabled for enterprise authentication
 */
 export const isSsoEnabled = isTruthy(env.SSO_ENABLED)
 /**
 * Is E2B enabled for remote code execution
 */
 export const isE2bEnabled = isTruthy(env.E2B_ENABLED)
 /**
 * Get cost multiplier based on environment
 */
--- a/apps/sim/lib/core/utils/urls.ts
+++ b/apps/sim/lib/core/utils/urls.ts
@@ -1,5 +1,5 @@
 import { getEnv } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 /**
 * Returns the base URL of the application from NEXT_PUBLIC_APP_URL
--- a/apps/sim/lib/logs/events.ts
+++ b/apps/sim/lib/logs/events.ts
@@ -6,7 +6,7 @@ import {
 } from '@sim/db/schema'
 import { and, eq, or, sql } from 'drizzle-orm'
 import { v4 as uuidv4 } from 'uuid'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import type { WorkflowExecutionLog } from '@/lib/logs/types'
 import {
@@ -140,9 +140,7 @@ export async function emitWorkflowExecutionCompleted(log: WorkflowExecutionLog):
        alertConfig: alertConfig || undefined,
      }
-      const useTrigger = isTruthy(env.TRIGGER_DEV_ENABLED)
+      if (isTriggerDevEnabled) {
      if (useTrigger) {
        await workspaceNotificationDeliveryTask.trigger(payload)
        logger.info(
          `Enqueued ${subscription.notificationType} notification ${deliveryId} via Trigger.dev`
--- a/apps/sim/lib/logs/execution/logger.ts
+++ b/apps/sim/lib/logs/execution/logger.ts
@@ -15,7 +15,7 @@ import {
  maybeSendUsageThresholdEmail,
 } from '@/lib/billing/core/usage'
 import { checkAndBillOverageThreshold } from '@/lib/billing/threshold-billing'
-import { isBillingEnabled } from '@/lib/core/config/environment'
+import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { redactApiKeys } from '@/lib/core/security/redaction'
 import { filterForDisplay } from '@/lib/core/utils/display-filters'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/lib/mcp/service.ts
+++ b/apps/sim/lib/mcp/service.ts
@@ -5,7 +5,7 @@
 import { db } from '@sim/db'
 import { mcpServers } from '@sim/db/schema'
 import { and, eq, isNull } from 'drizzle-orm'
-import { isTest } from '@/lib/core/config/environment'
+import { isTest } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/lib/notifications/inactivity-polling.ts
+++ b/apps/sim/lib/notifications/inactivity-polling.ts
@@ -7,7 +7,7 @@ import {
 } from '@sim/db/schema'
 import { and, eq, gte, sql } from 'drizzle-orm'
 import { v4 as uuidv4 } from 'uuid'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import {
  executeNotificationDelivery,
@@ -118,9 +118,7 @@ async function checkWorkflowInactivity(
    alertConfig,
  }
-  const useTrigger = isTruthy(env.TRIGGER_DEV_ENABLED)
+  if (isTriggerDevEnabled) {
  if (useTrigger) {
    await workspaceNotificationDeliveryTask.trigger(payload)
  } else {
    void executeNotificationDelivery(payload).catch((error) => {
--- a/apps/sim/lib/webhooks/processor.ts
+++ b/apps/sim/lib/webhooks/processor.ts
@@ -3,7 +3,7 @@ import { tasks } from '@trigger.dev/sdk'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
-import { env, isTruthy } from '@/lib/core/config/env'
+import { isTriggerDevEnabled } from '@/lib/core/config/feature-flags'
 import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { createLogger } from '@/lib/logs/console/logger'
 import { convertSquareBracketsToTwiML } from '@/lib/webhooks/utils'
@@ -707,9 +707,7 @@ export async function queueWebhookExecution(
      ...(credentialId ? { credentialId } : {}),
    }
-    const useTrigger = isTruthy(env.TRIGGER_DEV_ENABLED)
+    if (isTriggerDevEnabled) {
    if (useTrigger) {
      const handle = await tasks.trigger('webhook-execution', payload)
      logger.info(
        `[${options.requestId}] Queued ${options.testMode ? 'TEST ' : ''}webhook execution task ${
--- a/apps/sim/next.config.ts
+++ b/apps/sim/next.config.ts
@@ -1,6 +1,6 @@
 import type { NextConfig } from 'next'
 import { env, getEnv, isTruthy } from './lib/core/config/env'
-import { isDev, isHosted } from './lib/core/config/environment'
+import { isDev, isHosted } from './lib/core/config/feature-flags'
 import { getMainCSPPolicy, getWorkflowExecutionCSPPolicy } from './lib/core/security/csp'
 const nextConfig: NextConfig = {
--- a/apps/sim/providers/index.ts
+++ b/apps/sim/providers/index.ts
@@ -1,4 +1,4 @@
-import { getCostMultiplier } from '@/lib/core/config/environment'
+import { getCostMultiplier } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import type { StreamingExecution } from '@/executor/types'
 import type { ProviderRequest, ProviderResponse } from '@/providers/types'
--- a/apps/sim/providers/utils.test.ts
+++ b/apps/sim/providers/utils.test.ts
@@ -1,5 +1,5 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
-import * as environmentModule from '@/lib/core/config/environment'
+import * as environmentModule from '@/lib/core/config/feature-flags'
 import {
  calculateCost,
  extractAndParseJSON,
--- a/apps/sim/providers/utils.ts
+++ b/apps/sim/providers/utils.ts
@@ -1,5 +1,5 @@
 import { getEnv, isTruthy } from '@/lib/core/config/env'
-import { isHosted } from '@/lib/core/config/environment'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 import { anthropicProvider } from '@/providers/anthropic'
 import { azureOpenAIProvider } from '@/providers/azure-openai'
--- a/apps/sim/proxy.ts
+++ b/apps/sim/proxy.ts
@@ -1,6 +1,6 @@
 import { getSessionCookie } from 'better-auth/cookies'
 import { type NextRequest, NextResponse } from 'next/server'
-import { isHosted } from './lib/core/config/environment'
+import { isAuthDisabled, isHosted } from './lib/core/config/feature-flags'
 import { generateRuntimeCSP } from './lib/core/security/csp'
 import { createLogger } from './lib/logs/console/logger'
@@ -135,7 +135,7 @@ export async function proxy(request: NextRequest) {
  const url = request.nextUrl
  const sessionCookie = getSessionCookie(request)
-  const hasActiveSession = !!sessionCookie
+  const hasActiveSession = isAuthDisabled || !!sessionCookie
  const redirect = handleRootPathRedirects(request, hasActiveSession)
  if (redirect) return redirect
--- a/apps/sim/scripts/process-docs.ts
+++ b/apps/sim/scripts/process-docs.ts
@@ -5,7 +5,7 @@ import { db } from '@sim/db'
 import { docsEmbeddings } from '@sim/db/schema'
 import { sql } from 'drizzle-orm'
 import { type DocChunk, DocsChunker } from '@/lib/chunkers'
-import { isDev } from '@/lib/core/config/environment'
+import { isDev } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('ProcessDocs')
--- a/apps/sim/socket-server/config/socket.ts
+++ b/apps/sim/socket-server/config/socket.ts
@@ -1,7 +1,7 @@
 import type { Server as HttpServer } from 'http'
 import { Server } from 'socket.io'
 import { env } from '@/lib/core/config/env'
-import { isProd } from '@/lib/core/config/environment'
+import { isProd } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
--- a/apps/sim/socket-server/middleware/auth.ts
+++ b/apps/sim/socket-server/middleware/auth.ts
@@ -1,10 +1,14 @@
 import type { Socket } from 'socket.io'
 import { auth } from '@/lib/auth'
 import { ANONYMOUS_USER, ANONYMOUS_USER_ID } from '@/lib/auth/constants'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'
 import { createLogger } from '@/lib/logs/console/logger'
 const logger = createLogger('SocketAuth')
-// Extend Socket interface to include user data
+/**
 * Authenticated socket with user data attached.
 */
 export interface AuthenticatedSocket extends Socket {
  userId?: string
  userName?: string
@@ -13,9 +17,21 @@ export interface AuthenticatedSocket extends Socket {
  userImage?: string | null
 }
-// Enhanced authentication middleware
+/**
 * Socket.IO authentication middleware.
 * Handles both anonymous mode (DISABLE_AUTH=true) and normal token-based auth.
 */
 export async function authenticateSocket(socket: AuthenticatedSocket, next: any) {
  try {
    if (isAuthDisabled) {
      socket.userId = ANONYMOUS_USER_ID
      socket.userName = ANONYMOUS_USER.name
      socket.userEmail = ANONYMOUS_USER.email
      socket.userImage = ANONYMOUS_USER.image
      logger.debug(`Socket ${socket.id} authenticated as anonymous`)
      return next()
    }
    // Extract authentication data from socket handshake
    const token = socket.handshake.auth?.token
    const origin = socket.handshake.headers.origin
--- a/apps/sim/tools/http/utils.ts
+++ b/apps/sim/tools/http/utils.ts
@@ -1,4 +1,4 @@
-import { isTest } from '@/lib/core/config/environment'
+import { isTest } from '@/lib/core/config/feature-flags'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
 import type { TableRow } from '@/tools/types'