chore(deps): upgrade better-auth from 1.3.12 to 1.4.18

* feat(vercel): add complete Vercel integration with 42 API tools

Add Vercel platform management integration covering deployments, projects,
environment variables, domains, DNS records, aliases, edge configs, and
team/user management. All tools use API key authentication with Bearer tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(vercel): add webhook and deployment check tools

Add 8 new Vercel API tools:
- Webhooks: list, create, delete
- Deployment Checks: create, get, list, update, rerequest

Brings total Vercel tools to 50.

* fix(vercel): expand all object and array output definitions

Expand unexpanded output types:
- get_deployment: meta and gitSource objects now have properties
- list_deployment_files: children array now has items definition
- get_team: teamRoles and teamPermissions arrays now have items

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* update icon size, update docs

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

apps/docs/app/global.css

@@ -59,12 +59,6 @@ body {
   --content-gap: 1.75rem;
 }
 
-/* Remove custom layout variable overrides to fallback to fumadocs defaults */
-
-/* ============================================
-   Navbar Light Mode Styling
-   ============================================ */
-
 /* Light mode navbar and search styling */
 :root:not(.dark) nav {
   background-color: hsla(0, 0%, 96%, 0.85) !important;
@@ -88,10 +82,6 @@ body {
   -webkit-backdrop-filter: blur(25px) saturate(180%) brightness(0.6) !important;
 }
 
-/* ============================================
-   Custom Sidebar Styling (Turborepo-inspired)
-   ============================================ */
-
 /* Floating sidebar appearance - remove background */
 [data-sidebar-container],
 #nd-sidebar {
@@ -468,10 +458,6 @@ aside[data-sidebar],
   writing-mode: horizontal-tb !important;
 }
 
-/* ============================================
-   Code Block Styling (Improved)
-   ============================================ */
-
 /* Apply Geist Mono to code elements */
 code,
 pre,
@@ -532,10 +518,6 @@ pre code .line {
   color: var(--color-fd-primary);
 }
 
-/* ============================================
-   TOC (Table of Contents) Styling
-   ============================================ */
-
 /* Remove the thin border-left on nested TOC items (keeps main indicator only) */
 #nd-toc a[style*="padding-inline-start"] {
   border-left: none !important;
@@ -554,10 +536,6 @@ main article,
   padding-bottom: 4rem;
 }
 
-/* ============================================
-   Center and Constrain Main Content Width
-   ============================================ */
-
 /* Main content area - center and constrain like turborepo/raindrop */
 /* Note: --sidebar-offset and --toc-offset are now applied at #nd-docs-layout level */
 main[data-main] {

apps/docs/components/icons.tsx

@@ -5532,3 +5532,18 @@ export function OnePasswordIcon(props: SVGProps<SVGSVGElement>) {
     </svg>
   )
 }
+
+export function VercelIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      {...props}
+      viewBox='0 0 256 222'
+      xmlns='http://www.w3.org/2000/svg'
+      preserveAspectRatio='xMidYMid'
+    >
+      <g transform='translate(19.2 16.63) scale(0.85)'>
+        <polygon fill='#fafafa' points='128 0 256 221.705007 0 221.705007' />
+      </g>
+    </svg>
+  )
+}

apps/docs/components/ui/icon-mapping.ts

@@ -125,6 +125,7 @@ import {
   TTSIcon,
   TwilioIcon,
   TypeformIcon,
+  VercelIcon,
   VideoIcon,
   WealthboxIcon,
   WebflowIcon,
@@ -262,6 +263,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   twilio_sms: TwilioIcon,
   twilio_voice: TwilioIcon,
   typeform: TypeformIcon,
+  vercel: VercelIcon,
   video_generator_v2: VideoIcon,
   vision_v2: EyeIcon,
   wealthbox: WealthboxIcon,

apps/docs/content/docs/en/tools/incidentio.mdx

@@ -234,7 +234,6 @@ List actions from incident.io. Optionally filter by incident ID.
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | incident.io API Key |
 | `incident_id` | string | No | Filter actions by incident ID \(e.g., "01FCNDV6P870EA6S7TK1DSYDG0"\) |
-| `page_size` | number | No | Number of actions to return per page \(e.g., 10, 25, 50\) |
 
 #### Output
 
@@ -309,7 +308,6 @@ List follow-ups from incident.io. Optionally filter by incident ID.
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | incident.io API Key |
 | `incident_id` | string | No | Filter follow-ups by incident ID \(e.g., "01FCNDV6P870EA6S7TK1DSYDG0"\) |
-| `page_size` | number | No | Number of follow-ups to return per page \(e.g., 10, 25, 50\) |
 
 #### Output
 
@@ -396,6 +394,7 @@ List all users in your Incident.io workspace. Returns user details including id,
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | Incident.io API Key |
 | `page_size` | number | No | Number of results to return per page \(e.g., 10, 25, 50\). Default: 25 |
+| `after` | string | No | Pagination cursor to fetch the next page of results |
 
 #### Output
 
@@ -406,6 +405,10 @@ List all users in your Incident.io workspace. Returns user details including id,
 |   ↳ `name` | string | Full name of the user |
 |   ↳ `email` | string | Email address of the user |
 |   ↳ `role` | string | Role of the user in the workspace |
+| `pagination_meta` | object | Pagination metadata |
+|   ↳ `after` | string | Cursor for next page |
+|   ↳ `page_size` | number | Number of items per page |
+|   ↳ `total_record_count` | number | Total number of records |
 
 ### `incidentio_users_show`
 
@@ -644,7 +647,6 @@ List all escalation policies in incident.io
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `apiKey` | string | Yes | incident.io API Key |
-| `page_size` | number | No | Number of results per page \(e.g., 10, 25, 50\). Default: 25 |
 
 #### Output
 

apps/docs/content/docs/en/tools/meta.json

@@ -122,6 +122,7 @@
     "twilio_sms",
     "twilio_voice",
     "typeform",
+    "vercel",
     "video_generator",
     "vision",
     "wealthbox",

apps/docs/content/docs/en/tools/pipedrive.mdx

@@ -49,6 +49,7 @@ Retrieve all deals from Pipedrive with optional filters
 | `pipeline_id` | string | No | If supplied, only deals in the specified pipeline are returned \(e.g., "1"\) |
 | `updated_since` | string | No | If set, only deals updated after this time are returned. Format: 2025-01-01T10:20:00Z |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
+| `cursor` | string | No | For pagination, the marker representing the first item on the next page |
 
 #### Output
 
@@ -74,6 +75,8 @@ Retrieve all deals from Pipedrive with optional filters
 | `metadata` | object | Pagination metadata for the response |
 |   ↳ `total_items` | number | Total number of items |
 |   ↳ `has_more` | boolean | Whether more items are available |
+|   ↳ `next_cursor` | string | Cursor for fetching the next page \(v2 endpoints\) |
+|   ↳ `next_start` | number | Offset for fetching the next page \(v1 endpoints\) |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_get_deal`
@@ -148,10 +151,9 @@ Retrieve files from Pipedrive with optional filters
 
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `deal_id` | string | No | Filter files by deal ID \(e.g., "123"\) |
+| `sort` | string | No | Sort files by field \(supported: "id", "update_time"\) |
-| `person_id` | string | No | Filter files by person ID \(e.g., "456"\) |
+| `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 100\) |
-| `org_id` | string | No | Filter files by organization ID \(e.g., "789"\) |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
-| `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
 | `downloadFiles` | boolean | No | Download file contents into file outputs |
 
 #### Output
@@ -171,6 +173,8 @@ Retrieve files from Pipedrive with optional filters
 |   ↳ `url` | string | File download URL |
 | `downloadedFiles` | file[] | Downloaded files from Pipedrive |
 | `total_items` | number | Total number of files returned |
+| `has_more` | boolean | Whether more files are available |
+| `next_start` | number | Offset for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_get_mail_messages`
@@ -183,6 +187,7 @@ Retrieve mail threads from Pipedrive mailbox
 | --------- | ---- | -------- | ----------- |
 | `folder` | string | No | Filter by folder: inbox, drafts, sent, archive \(default: inbox\) |
 | `limit` | string | No | Number of results to return \(e.g., "25", default: 50\) |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
 
 #### Output
 
@@ -190,6 +195,8 @@ Retrieve mail threads from Pipedrive mailbox
 | --------- | ---- | ----------- |
 | `messages` | array | Array of mail thread objects from Pipedrive mailbox |
 | `total_items` | number | Total number of mail threads returned |
+| `has_more` | boolean | Whether more messages are available |
+| `next_start` | number | Offset for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_get_mail_thread`
@@ -221,7 +228,7 @@ Retrieve all pipelines from Pipedrive
 | `sort_by` | string | No | Field to sort by: id, update_time, add_time \(default: id\) |
 | `sort_direction` | string | No | Sorting direction: asc, desc \(default: asc\) |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
-| `cursor` | string | No | For pagination, the marker representing the first item on the next page |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
 
 #### Output
 
@@ -237,6 +244,8 @@ Retrieve all pipelines from Pipedrive
 |   ↳ `add_time` | string | When the pipeline was created |
 |   ↳ `update_time` | string | When the pipeline was last updated |
 | `total_items` | number | Total number of pipelines returned |
+| `has_more` | boolean | Whether more pipelines are available |
+| `next_start` | number | Offset for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_get_pipeline_deals`
@@ -249,8 +258,8 @@ Retrieve all deals in a specific pipeline
 | --------- | ---- | -------- | ----------- |
 | `pipeline_id` | string | Yes | The ID of the pipeline \(e.g., "1"\) |
 | `stage_id` | string | No | Filter by specific stage within the pipeline \(e.g., "2"\) |
-| `status` | string | No | Filter by deal status: open, won, lost |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
 
 #### Output
 
@@ -271,6 +280,7 @@ Retrieve all projects or a specific project from Pipedrive
 | `project_id` | string | No | Optional: ID of a specific project to retrieve \(e.g., "123"\) |
 | `status` | string | No | Filter by project status: open, completed, deleted \(only for listing all\) |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500, only for listing all\) |
+| `cursor` | string | No | For pagination, the marker representing the first item on the next page |
 
 #### Output
 
@@ -279,6 +289,8 @@ Retrieve all projects or a specific project from Pipedrive
 | `projects` | array | Array of project objects \(when listing all\) |
 | `project` | object | Single project object \(when project_id is provided\) |
 | `total_items` | number | Total number of projects returned |
+| `has_more` | boolean | Whether more projects are available |
+| `next_cursor` | string | Cursor for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_create_project`
@@ -309,12 +321,11 @@ Retrieve activities (tasks) from Pipedrive with optional filters
 
 | Parameter | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
-| `deal_id` | string | No | Filter activities by deal ID \(e.g., "123"\) |
+| `user_id` | string | No | Filter activities by user ID \(e.g., "123"\) |
-| `person_id` | string | No | Filter activities by person ID \(e.g., "456"\) |
-| `org_id` | string | No | Filter activities by organization ID \(e.g., "789"\) |
 | `type` | string | No | Filter by activity type \(call, meeting, task, deadline, email, lunch\) |
 | `done` | string | No | Filter by completion status: 0 for not done, 1 for done |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
 
 #### Output
 
@@ -335,6 +346,8 @@ Retrieve activities (tasks) from Pipedrive with optional filters
 |   ↳ `add_time` | string | When the activity was created |
 |   ↳ `update_time` | string | When the activity was last updated |
 | `total_items` | number | Total number of activities returned |
+| `has_more` | boolean | Whether more activities are available |
+| `next_start` | number | Offset for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_create_activity`
@@ -399,6 +412,7 @@ Retrieve all leads or a specific lead from Pipedrive
 | `person_id` | string | No | Filter by person ID \(e.g., "456"\) |
 | `organization_id` | string | No | Filter by organization ID \(e.g., "789"\) |
 | `limit` | string | No | Number of results to return \(e.g., "50", default: 100, max: 500\) |
+| `start` | string | No | Pagination start offset \(0-based index of the first item to return\) |
 
 #### Output
 
@@ -433,6 +447,8 @@ Retrieve all leads or a specific lead from Pipedrive
 |   ↳ `add_time` | string | When the lead was created \(ISO 8601\) |
 |   ↳ `update_time` | string | When the lead was last updated \(ISO 8601\) |
 | `total_items` | number | Total number of leads returned |
+| `has_more` | boolean | Whether more leads are available |
+| `next_start` | number | Offset for fetching the next page |
 | `success` | boolean | Operation success status |
 
 ### `pipedrive_create_lead`

apps/docs/content/docs/en/tools/supabase.mdx

@@ -57,6 +57,7 @@ Query data from a Supabase table
 | `filter` | string | No | PostgREST filter \(e.g., "id=eq.123"\) |
 | `orderBy` | string | No | Column to order by \(add DESC for descending\) |
 | `limit` | number | No | Maximum number of rows to return |
+| `offset` | number | No | Number of rows to skip \(for pagination\) |
 | `apiKey` | string | Yes | Your Supabase service role secret key |
 
 #### Output
@@ -211,6 +212,7 @@ Perform full-text search on a Supabase table
 | `searchType` | string | No | Search type: plain, phrase, or websearch \(default: websearch\) |
 | `language` | string | No | Language for text search configuration \(default: english\) |
 | `limit` | number | No | Maximum number of rows to return |
+| `offset` | number | No | Number of rows to skip \(for pagination\) |
 | `apiKey` | string | Yes | Your Supabase service role secret key |
 
 #### Output

apps/docs/content/docs/en/tools/typeform.mdx

@@ -43,6 +43,8 @@ Retrieve form responses from Typeform
 | `formId` | string | Yes | Typeform form ID \(e.g., "abc123XYZ"\) |
 | `apiKey` | string | Yes | Typeform Personal Access Token |
 | `pageSize` | number | No | Number of responses to retrieve \(e.g., 10, 25, 50\) |
+| `before` | string | No | Cursor token for fetching the next page of older responses |
+| `after` | string | No | Cursor token for fetching the next page of newer responses |
 | `since` | string | No | Retrieve responses submitted after this date \(e.g., "2024-01-01T00:00:00Z"\) |
 | `until` | string | No | Retrieve responses submitted before this date \(e.g., "2024-12-31T23:59:59Z"\) |
 | `completed` | string | No | Filter by completion status \(e.g., "true", "false", "all"\) |

apps/docs/content/docs/en/tools/zendesk.mdx

@@ -67,10 +67,9 @@ Retrieve a list of tickets from Zendesk with optional filtering
 | `type` | string | No | Filter by type: "problem", "incident", "question", or "task" |
 | `assigneeId` | string | No | Filter by assignee user ID as a numeric string \(e.g., "12345"\) |
 | `organizationId` | string | No | Filter by organization ID as a numeric string \(e.g., "67890"\) |
-| `sortBy` | string | No | Sort field: "created_at", "updated_at", "priority", or "status" |
+| `sort` | string | No | Sort field for ticket listing \(only applies without filters\): "updated_at", "id", or "status". Prefix with "-" for descending \(e.g., "-updated_at"\) |
-| `sortOrder` | string | No | Sort order: "asc" or "desc" |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `pageAfter` | string | No | Cursor from a previous response to fetch the next page of results |
 
 #### Output
 
@@ -129,10 +128,10 @@ Retrieve a list of tickets from Zendesk with optional filtering
 |   ↳ `from_messaging_channel` | boolean | Whether the ticket originated from a messaging channel |
 |   ↳ `ticket_form_id` | number | Ticket form ID |
 |   ↳ `generated_timestamp` | number | Unix timestamp of the ticket generation |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |
@@ -515,7 +514,7 @@ Retrieve a list of users from Zendesk with optional filtering
 | `role` | string | No | Filter by role: "end-user", "agent", or "admin" |
 | `permissionSet` | string | No | Filter by permission set ID as a numeric string \(e.g., "12345"\) |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `pageAfter` | string | No | Cursor from a previous response to fetch the next page of results |
 
 #### Output
 
@@ -563,10 +562,10 @@ Retrieve a list of users from Zendesk with optional filtering
 |   ↳ `shared` | boolean | Whether the user is shared from a different Zendesk |
 |   ↳ `shared_agent` | boolean | Whether the agent is shared from a different Zendesk |
 |   ↳ `remote_photo_url` | string | URL to a remote photo |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |
@@ -706,7 +705,7 @@ Search for users in Zendesk using a query string
 | `query` | string | No | Search query string \(e.g., user name or email\) |
 | `externalId` | string | No | External ID to search by \(your system identifier\) |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `page` | string | No | Page number for pagination \(1-based\) |
 
 #### Output
 
@@ -754,10 +753,10 @@ Search for users in Zendesk using a query string
 |   ↳ `shared` | boolean | Whether the user is shared from a different Zendesk |
 |   ↳ `shared_agent` | boolean | Whether the agent is shared from a different Zendesk |
 |   ↳ `remote_photo_url` | string | URL to a remote photo |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |
@@ -999,7 +998,7 @@ Retrieve a list of organizations from Zendesk
 | `apiToken` | string | Yes | Zendesk API token |
 | `subdomain` | string | Yes | Your Zendesk subdomain \(e.g., "mycompany" for mycompany.zendesk.com\) |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `pageAfter` | string | No | Cursor from a previous response to fetch the next page of results |
 
 #### Output
 
@@ -1020,10 +1019,10 @@ Retrieve a list of organizations from Zendesk
 |   ↳ `created_at` | string | When the organization was created \(ISO 8601 format\) |
 |   ↳ `updated_at` | string | When the organization was last updated \(ISO 8601 format\) |
 |   ↳ `external_id` | string | External ID for linking to external records |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |
@@ -1075,7 +1074,7 @@ Autocomplete organizations in Zendesk by name prefix (for name matching/autocomp
 | `subdomain` | string | Yes | Your Zendesk subdomain |
 | `name` | string | Yes | Organization name prefix to search for \(e.g., "Acme"\) |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `page` | string | No | Page number for pagination \(1-based\) |
 
 #### Output
 
@@ -1096,10 +1095,10 @@ Autocomplete organizations in Zendesk by name prefix (for name matching/autocomp
 |   ↳ `created_at` | string | When the organization was created \(ISO 8601 format\) |
 |   ↳ `updated_at` | string | When the organization was last updated \(ISO 8601 format\) |
 |   ↳ `external_id` | string | External ID for linking to external records |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |
@@ -1249,19 +1248,18 @@ Unified search across tickets, users, and organizations in Zendesk
 | `apiToken` | string | Yes | Zendesk API token |
 | `subdomain` | string | Yes | Your Zendesk subdomain |
 | `query` | string | Yes | Search query string using Zendesk search syntax \(e.g., "type:ticket status:open"\) |
-| `sortBy` | string | No | Sort field: "relevance", "created_at", "updated_at", "priority", "status", or "ticket_type" |
+| `filterType` | string | Yes | Resource type to search for: "ticket", "user", "organization", or "group" |
-| `sortOrder` | string | No | Sort order: "asc" or "desc" |
 | `perPage` | string | No | Results per page as a number string \(default: "100", max: "100"\) |
-| `page` | string | No | Page number as a string \(e.g., "1", "2"\) |
+| `pageAfter` | string | No | Cursor from a previous response to fetch the next page of results |
 
 #### Output
 
 | Parameter | Type | Description |
 | --------- | ---- | ----------- |
-| `paging` | object | Pagination information |
+| `paging` | object | Cursor-based pagination information |
+|   ↳ `after_cursor` | string | Cursor for fetching the next page of results |
+|   ↳ `has_more` | boolean | Whether more results are available |
 |   ↳ `next_page` | string | URL for next page of results |
-|   ↳ `previous_page` | string | URL for previous page of results |
-|   ↳ `count` | number | Total count of items |
 | `metadata` | object | Response metadata |
 |   ↳ `total_returned` | number | Number of items returned in this response |
 |   ↳ `has_more` | boolean | Whether more items are available |

apps/docs/package.json

@@ -21,7 +21,7 @@
     "fumadocs-mdx": "14.1.0",
     "fumadocs-ui": "16.2.3",
     "lucide-react": "^0.511.0",
-    "next": "16.1.0-canary.21",
+    "next": "16.1.6",
     "next-themes": "^0.4.6",
     "postgres": "^3.4.5",
     "react": "19.2.1",

apps/sim/app/(auth)/components/oauth-provider-checker.tsx

@@ -1,5 +1,3 @@
-'use server'
-
 import { env } from '@/lib/core/config/env'
 import { isProd } from '@/lib/core/config/feature-flags'
 

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-block/landing-node.tsx

@@ -85,7 +85,7 @@ export const LandingNode = React.memo(function LandingNode({ data }: { data: Lan
           transform: isAnimated ? 'translateY(0) scale(1)' : 'translateY(8px) scale(0.98)',
           transition:
             'opacity 0.6s cubic-bezier(0.22, 1, 0.36, 1), transform 0.6s cubic-bezier(0.22, 1, 0.36, 1)',
-          willChange: 'transform, opacity',
+          willChange: isAnimated ? 'auto' : 'transform, opacity',
         }}
       >
         <LandingBlock icon={data.icon} color={data.color} name={data.name} tags={data.tags} />

apps/sim/app/(landing)/components/hero/components/landing-canvas/landing-edge/landing-edge.tsx

@@ -67,7 +67,6 @@ export const LandingEdge = React.memo(function LandingEdge(props: EdgeProps) {
           strokeLinejoin: 'round',
           pointerEvents: 'none',
           animation: `landing-edge-dash-${id} 1s linear infinite`,
-          willChange: 'stroke-dashoffset',
           ...style,
         }}
       />

apps/sim/app/_styles/globals.css

@@ -754,3 +754,100 @@ input[type="search"]::-ms-clear {
   text-decoration: none !important;
   color: inherit !important;
 }
+
+/**
+ * Respect user's prefers-reduced-motion setting (WCAG 2.3.3)
+ * Disables animations and transitions for users who prefer reduced motion.
+ */
+@media (prefers-reduced-motion: reduce) {
+  *,
+  *::before,
+  *::after {
+    animation-duration: 0.01ms !important;
+    animation-iteration-count: 1 !important;
+    transition-duration: 0.01ms !important;
+    scroll-behavior: auto !important;
+  }
+}
+
+/* WandPromptBar status indicator */
+@keyframes smoke-pulse {
+  0%,
+  100% {
+    transform: scale(0.8);
+    opacity: 0.4;
+  }
+  50% {
+    transform: scale(1.1);
+    opacity: 0.8;
+  }
+}
+
+.status-indicator {
+  position: relative;
+  width: 12px;
+  height: 12px;
+  border-radius: 50%;
+  overflow: hidden;
+  background-color: hsl(var(--muted-foreground) / 0.5);
+  transition: background-color 0.3s ease;
+}
+
+.status-indicator.streaming {
+  background-color: transparent;
+}
+
+.status-indicator.streaming::before {
+  content: "";
+  position: absolute;
+  inset: 0;
+  border-radius: 50%;
+  background: radial-gradient(
+    circle,
+    hsl(var(--primary) / 0.9) 0%,
+    hsl(var(--primary) / 0.4) 60%,
+    transparent 80%
+  );
+  animation: smoke-pulse 1.8s ease-in-out infinite;
+  opacity: 0.9;
+}
+
+.dark .status-indicator.streaming::before {
+  background: #6b7280;
+  opacity: 0.9;
+  animation: smoke-pulse 1.8s ease-in-out infinite;
+}
+
+/* MessageContainer loading dot */
+@keyframes growShrink {
+  0%,
+  100% {
+    transform: scale(0.9);
+  }
+  50% {
+    transform: scale(1.1);
+  }
+}
+
+.loading-dot {
+  animation: growShrink 1.5s infinite ease-in-out;
+}
+
+/* Subflow node z-index and drag-over styles */
+.workflow-container .react-flow__node-subflowNode {
+  z-index: -1 !important;
+}
+
+.workflow-container .react-flow__node-subflowNode:has([data-subflow-selected="true"]) {
+  z-index: 10 !important;
+}
+
+.loop-node-drag-over,
+.parallel-node-drag-over {
+  box-shadow: 0 0 0 1.75px var(--brand-secondary) !important;
+  border-radius: 8px !important;
+}
+
+.react-flow__node[data-parent-node-id] .react-flow__handle {
+  z-index: 30;
+}

apps/sim/app/api/auth/forget-password/route.test.ts

@@ -21,7 +21,7 @@ vi.mock('@/lib/core/utils/urls', () => ({
 function setupAuthApiMocks(
   options: {
     operations?: {
-      forgetPassword?: { success?: boolean; error?: string }
+      requestPasswordReset?: { success?: boolean; error?: string }
       resetPassword?: { success?: boolean; error?: string }
     }
   } = {}
@@ -34,7 +34,11 @@ function setupAuthApiMocks(
 
   const { operations = {} } = options
   const defaultOperations = {
-    forgetPassword: { success: true, error: 'Forget password error', ...operations.forgetPassword },
+    requestPasswordReset: {
+      success: true,
+      error: 'Forget password error',
+      ...operations.requestPasswordReset,
+    },
     resetPassword: { success: true, error: 'Reset password error', ...operations.resetPassword },
   }
 
@@ -50,7 +54,7 @@ function setupAuthApiMocks(
   vi.doMock('@/lib/auth', () => ({
     auth: {
       api: {
-        forgetPassword: createAuthMethod(defaultOperations.forgetPassword),
+        requestPasswordReset: createAuthMethod(defaultOperations.requestPasswordReset),
         resetPassword: createAuthMethod(defaultOperations.resetPassword),
       },
     },
@@ -69,7 +73,7 @@ describe('Forget Password API Route', () => {
   it('should send password reset email successfully with same-origin redirectTo', async () => {
     setupAuthApiMocks({
       operations: {
-        forgetPassword: { success: true },
+        requestPasswordReset: { success: true },
       },
     })
 
@@ -87,7 +91,7 @@ describe('Forget Password API Route', () => {
     expect(data.success).toBe(true)
 
     const auth = await import('@/lib/auth')
-    expect(auth.auth.api.forgetPassword).toHaveBeenCalledWith({
+    expect(auth.auth.api.requestPasswordReset).toHaveBeenCalledWith({
       body: {
         email: 'test@example.com',
         redirectTo: 'https://app.example.com/reset',
@@ -99,7 +103,7 @@ describe('Forget Password API Route', () => {
   it('should reject external redirectTo URL', async () => {
     setupAuthApiMocks({
       operations: {
-        forgetPassword: { success: true },
+        requestPasswordReset: { success: true },
       },
     })
 
@@ -117,13 +121,13 @@ describe('Forget Password API Route', () => {
     expect(data.message).toBe('Redirect URL must be a valid same-origin URL')
 
     const auth = await import('@/lib/auth')
-    expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()
+    expect(auth.auth.api.requestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should send password reset email without redirectTo', async () => {
     setupAuthApiMocks({
       operations: {
-        forgetPassword: { success: true },
+        requestPasswordReset: { success: true },
       },
     })
 
@@ -140,7 +144,7 @@ describe('Forget Password API Route', () => {
     expect(data.success).toBe(true)
 
     const auth = await import('@/lib/auth')
-    expect(auth.auth.api.forgetPassword).toHaveBeenCalledWith({
+    expect(auth.auth.api.requestPasswordReset).toHaveBeenCalledWith({
       body: {
         email: 'test@example.com',
         redirectTo: undefined,
@@ -163,7 +167,7 @@ describe('Forget Password API Route', () => {
     expect(data.message).toBe('Email is required')
 
     const auth = await import('@/lib/auth')
-    expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()
+    expect(auth.auth.api.requestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should handle empty email', async () => {
@@ -182,7 +186,7 @@ describe('Forget Password API Route', () => {
     expect(data.message).toBe('Please provide a valid email address')
 
     const auth = await import('@/lib/auth')
-    expect(auth.auth.api.forgetPassword).not.toHaveBeenCalled()
+    expect(auth.auth.api.requestPasswordReset).not.toHaveBeenCalled()
   })
 
   it('should handle auth service error with message', async () => {
@@ -190,7 +194,7 @@ describe('Forget Password API Route', () => {
 
     setupAuthApiMocks({
       operations: {
-        forgetPassword: {
+        requestPasswordReset: {
           success: false,
           error: errorMessage,
         },
@@ -222,7 +226,7 @@ describe('Forget Password API Route', () => {
     vi.doMock('@/lib/auth', () => ({
       auth: {
         api: {
-          forgetPassword: vi.fn().mockRejectedValue('Unknown error'),
+          requestPasswordReset: vi.fn().mockRejectedValue('Unknown error'),
         },
       },
     }))

apps/sim/app/api/auth/forget-password/route.ts

@@ -43,7 +43,7 @@ export async function POST(request: NextRequest) {
 
     const { email, redirectTo } = validationResult.data
 
-    await auth.api.forgetPassword({
+    await auth.api.requestPasswordReset({
       body: {
         email,
         redirectTo,

apps/sim/app/api/auth/oauth/disconnect/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { createMockLogger, createMockRequest } from '@sim/testing'
+import { auditMock, createMockLogger, createMockRequest } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 describe('OAuth Disconnect API Route', () => {
@@ -67,6 +67,8 @@ describe('OAuth Disconnect API Route', () => {
     vi.doMock('@/lib/webhooks/utils.server', () => ({
       syncAllWebhooksForCredentialSet: mockSyncAllWebhooksForCredentialSet,
     }))
+
+    vi.doMock('@/lib/audit/log', () => auditMock)
   })
 
   afterEach(() => {

apps/sim/app/api/auth/oauth/disconnect/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq, like, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
@@ -118,6 +119,20 @@ export async function POST(request: NextRequest) {
       }
     }
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.OAUTH_DISCONNECTED,
+      resourceType: AuditResourceType.OAUTH,
+      resourceId: providerId ?? provider,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: provider,
+      description: `Disconnected OAuth provider: ${provider}`,
+      metadata: { provider, providerId },
+      request,
+    })
+
     return NextResponse.json({ success: true }, { status: 200 })
   } catch (error) {
     logger.error(`[${requestId}] Error disconnecting OAuth provider`, error)

apps/sim/app/api/auth/reset-password/route.test.ts

@@ -17,7 +17,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 function setupAuthApiMocks(
   options: {
     operations?: {
-      forgetPassword?: { success?: boolean; error?: string }
+      requestPasswordReset?: { success?: boolean; error?: string }
       resetPassword?: { success?: boolean; error?: string }
     }
   } = {}
@@ -30,7 +30,11 @@ function setupAuthApiMocks(
 
   const { operations = {} } = options
   const defaultOperations = {
-    forgetPassword: { success: true, error: 'Forget password error', ...operations.forgetPassword },
+    requestPasswordReset: {
+      success: true,
+      error: 'Forget password error',
+      ...operations.requestPasswordReset,
+    },
     resetPassword: { success: true, error: 'Reset password error', ...operations.resetPassword },
   }
 
@@ -46,7 +50,7 @@ function setupAuthApiMocks(
   vi.doMock('@/lib/auth', () => ({
     auth: {
       api: {
-        forgetPassword: createAuthMethod(defaultOperations.forgetPassword),
+        requestPasswordReset: createAuthMethod(defaultOperations.requestPasswordReset),
         resetPassword: createAuthMethod(defaultOperations.resetPassword),
       },
     },

apps/sim/app/api/billing/credits/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getCreditBalance } from '@/lib/billing/credits/balance'
 import { purchaseCredits } from '@/lib/billing/credits/purchase'
@@ -57,6 +58,17 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: result.error }, { status: 400 })
     }
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDIT_PURCHASED,
+      resourceType: AuditResourceType.BILLING,
+      description: `Purchased $${validation.data.amount} in credits`,
+      metadata: { amount: validation.data.amount, requestId: validation.data.requestId },
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Failed to purchase credits', { error, userId: session.user.id })

apps/sim/app/api/chat/manage/[id]/route.test.ts

@@ -3,10 +3,12 @@
  *
  * @vitest-environment node
  */
-import { loggerMock } from '@sim/testing'
+import { auditMock, loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 vi.mock('@/lib/core/config/feature-flags', () => ({
   isDev: true,
   isHosted: false,
@@ -216,8 +218,11 @@ describe('Chat Edit API Route', () => {
         workflowId: 'workflow-123',
       }
 
-      mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
+      mockCheckChatAccess.mockResolvedValue({
-      mockLimit.mockResolvedValueOnce([]) // No identifier conflict
+        hasAccess: true,
+        chat: mockChat,
+        workspaceId: 'workspace-123',
+      })
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'PATCH',
@@ -311,8 +316,11 @@ describe('Chat Edit API Route', () => {
         workflowId: 'workflow-123',
       }
 
-      mockCheckChatAccess.mockResolvedValue({ hasAccess: true, chat: mockChat })
+      mockCheckChatAccess.mockResolvedValue({
-      mockLimit.mockResolvedValueOnce([])
+        hasAccess: true,
+        chat: mockChat,
+        workspaceId: 'workspace-123',
+      })
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'PATCH',
@@ -371,8 +379,11 @@ describe('Chat Edit API Route', () => {
         }),
       }))
 
-      mockCheckChatAccess.mockResolvedValue({ hasAccess: true })
+      mockCheckChatAccess.mockResolvedValue({
-      mockWhere.mockResolvedValue(undefined)
+        hasAccess: true,
+        chat: { title: 'Test Chat', workflowId: 'workflow-123' },
+        workspaceId: 'workspace-123',
+      })
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'DELETE',
@@ -393,8 +404,11 @@ describe('Chat Edit API Route', () => {
         }),
       }))
 
-      mockCheckChatAccess.mockResolvedValue({ hasAccess: true })
+      mockCheckChatAccess.mockResolvedValue({
-      mockWhere.mockResolvedValue(undefined)
+        hasAccess: true,
+        chat: { title: 'Test Chat', workflowId: 'workflow-123' },
+        workspaceId: 'workspace-123',
+      })
 
       const req = new NextRequest('http://localhost:3000/api/chat/manage/chat-123', {
         method: 'DELETE',

apps/sim/app/api/chat/manage/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
@@ -103,7 +104,11 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
     try {
       const validatedData = chatUpdateSchema.parse(body)
 
-      const { hasAccess, chat: existingChatRecord } = await checkChatAccess(chatId, session.user.id)
+      const {
+        hasAccess,
+        chat: existingChatRecord,
+        workspaceId: chatWorkspaceId,
+      } = await checkChatAccess(chatId, session.user.id)
 
       if (!hasAccess || !existingChatRecord) {
         return createErrorResponse('Chat not found or access denied', 404)
@@ -217,6 +222,19 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 
       logger.info(`Chat "${chatId}" updated successfully`)
 
+      recordAudit({
+        workspaceId: chatWorkspaceId || null,
+        actorId: session.user.id,
+        actorName: session.user.name,
+        actorEmail: session.user.email,
+        action: AuditAction.CHAT_UPDATED,
+        resourceType: AuditResourceType.CHAT,
+        resourceId: chatId,
+        resourceName: title || existingChatRecord.title,
+        description: `Updated chat deployment "${title || existingChatRecord.title}"`,
+        request,
+      })
+
       return createSuccessResponse({
         id: chatId,
         chatUrl,
@@ -252,7 +270,11 @@ export async function DELETE(
       return createErrorResponse('Unauthorized', 401)
     }
 
-    const { hasAccess } = await checkChatAccess(chatId, session.user.id)
+    const {
+      hasAccess,
+      chat: chatRecord,
+      workspaceId: chatWorkspaceId,
+    } = await checkChatAccess(chatId, session.user.id)
 
     if (!hasAccess) {
       return createErrorResponse('Chat not found or access denied', 404)
@@ -262,6 +284,19 @@ export async function DELETE(
 
     logger.info(`Chat "${chatId}" deleted successfully`)
 
+    recordAudit({
+      workspaceId: chatWorkspaceId || null,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CHAT_DELETED,
+      resourceType: AuditResourceType.CHAT,
+      resourceId: chatId,
+      resourceName: chatRecord?.title || chatId,
+      description: `Deleted chat deployment "${chatRecord?.title || chatId}"`,
+      request: _request,
+    })
+
     return createSuccessResponse({
       message: 'Chat deployment deleted successfully',
     })

apps/sim/app/api/chat/route.test.ts

@@ -1,9 +1,10 @@
-import { NextRequest } from 'next/server'
 /**
  * Tests for chat API route
  *
  * @vitest-environment node
  */
+import { auditMock } from '@sim/testing'
+import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 describe('Chat API Route', () => {
@@ -30,6 +31,8 @@ describe('Chat API Route', () => {
     mockInsert.mockReturnValue({ values: mockValues })
     mockValues.mockReturnValue({ returning: mockReturning })
 
+    vi.doMock('@/lib/audit/log', () => auditMock)
+
     vi.doMock('@sim/db', () => ({
       db: {
         select: mockSelect,

apps/sim/app/api/chat/route.ts

@@ -5,6 +5,7 @@ import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
@@ -42,7 +43,7 @@ const chatSchema = z.object({
     .default([]),
 })
 
-export async function GET(request: NextRequest) {
+export async function GET(_request: NextRequest) {
   try {
     const session = await getSession()
 
@@ -174,7 +175,7 @@ export async function POST(request: NextRequest) {
         userId: session.user.id,
         identifier,
         title,
-        description: description || '',
+        description: description || null,
         customizations: mergedCustomizations,
         isActive: true,
         authType,
@@ -224,6 +225,20 @@ export async function POST(request: NextRequest) {
         // Silently fail
       }
 
+      recordAudit({
+        workspaceId: workflowRecord.workspaceId || null,
+        actorId: session.user.id,
+        actorName: session.user.name,
+        actorEmail: session.user.email,
+        action: AuditAction.CHAT_DEPLOYED,
+        resourceType: AuditResourceType.CHAT,
+        resourceId: id,
+        resourceName: title,
+        description: `Deployed chat "${title}"`,
+        metadata: { workflowId, identifier, authType },
+        request,
+      })
+
       return createSuccessResponse({
         id,
         chatUrl,

apps/sim/app/api/chat/utils.ts

@@ -52,7 +52,7 @@ export async function checkWorkflowAccessForChatCreation(
 export async function checkChatAccess(
   chatId: string,
   userId: string
-): Promise<{ hasAccess: boolean; chat?: any }> {
+): Promise<{ hasAccess: boolean; chat?: any; workspaceId?: string }> {
   const chatData = await db
     .select({
       chat: chat,
@@ -78,7 +78,9 @@ export async function checkChatAccess(
     action: 'admin',
   })
 
-  return authorization.allowed ? { hasAccess: true, chat: chatRecord } : { hasAccess: false }
+  return authorization.allowed
+    ? { hasAccess: true, chat: chatRecord, workspaceId: workflowWorkspaceId }
+    : { hasAccess: false }
 }
 
 export async function validateChatAuth(

apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getEmailSubject, renderPollingGroupInvitationEmail } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -148,6 +149,19 @@ export async function POST(
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_RESENT,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      resourceName: result.set.name,
+      description: `Resent credential set invitation to ${invitation.email}`,
+      metadata: { invitationId, email: invitation.email },
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error resending invitation', error)

apps/sim/app/api/credential-sets/[id]/invite/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getEmailSubject, renderPollingGroupInvitationEmail } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 import { getBaseUrl } from '@/lib/core/utils/urls'
@@ -175,6 +176,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       emailSent: !!email,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_CREATED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: result.set.name,
+      description: `Created invitation for credential set "${result.set.name}"${email ? ` to ${email}` : ''}`,
+      request: req,
+    })
+
     return NextResponse.json({
       invitation: {
         ...invitation,
@@ -235,6 +249,19 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
         )
       )
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_REVOKED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: result.set.name,
+      description: `Revoked invitation "${invitationId}" for credential set "${result.set.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error cancelling invitation', error)

apps/sim/app/api/credential-sets/[id]/members/route.ts

@@ -3,6 +3,7 @@ import { account, credentialSet, credentialSetMember, member, user } from '@sim/
 import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
@@ -13,6 +14,7 @@ async function getCredentialSetWithAccess(credentialSetId: string, userId: strin
   const [set] = await db
     .select({
       id: credentialSet.id,
+      name: credentialSet.name,
       organizationId: credentialSet.organizationId,
       providerId: credentialSet.providerId,
     })
@@ -177,6 +179,19 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       userId: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_MEMBER_REMOVED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: result.set.name,
+      description: `Removed member from credential set "${result.set.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error removing member from credential set', error)

apps/sim/app/api/credential-sets/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 
@@ -131,6 +132,19 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
 
     const [updated] = await db.select().from(credentialSet).where(eq(credentialSet.id, id)).limit(1)
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_UPDATED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: updated?.name ?? result.set.name,
+      description: `Updated credential set "${updated?.name ?? result.set.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ credentialSet: updated })
   } catch (error) {
     if (error instanceof z.ZodError) {
@@ -175,6 +189,19 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
 
     logger.info('Deleted credential set', { credentialSetId: id, userId: session.user.id })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_DELETED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: result.set.name,
+      description: `Deleted credential set "${result.set.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error deleting credential set', error)

apps/sim/app/api/credential-sets/invite/[token]/route.ts

@@ -8,6 +8,7 @@ import {
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
@@ -78,6 +79,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
         status: credentialSetInvitation.status,
         expiresAt: credentialSetInvitation.expiresAt,
         invitedBy: credentialSetInvitation.invitedBy,
+        credentialSetName: credentialSet.name,
         providerId: credentialSet.providerId,
       })
       .from(credentialSetInvitation)
@@ -125,7 +127,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
     const now = new Date()
     const requestId = crypto.randomUUID().slice(0, 8)
 
-    // Use transaction to ensure membership + invitation update + webhook sync are atomic
     await db.transaction(async (tx) => {
       await tx.insert(credentialSetMember).values({
         id: crypto.randomUUID(),
@@ -147,8 +148,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
         })
         .where(eq(credentialSetInvitation.id, invitation.id))
 
-      // Clean up all other pending invitations for the same credential set and email
-      // This prevents duplicate invites from showing up after accepting one
       if (invitation.email) {
         await tx
           .update(credentialSetInvitation)
@@ -166,7 +165,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
           )
       }
 
-      // Sync webhooks within the transaction
       const syncResult = await syncAllWebhooksForCredentialSet(
         invitation.credentialSetId,
         requestId,
@@ -184,6 +182,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ tok
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_ACCEPTED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: invitation.credentialSetId,
+      resourceName: invitation.credentialSetName,
+      description: `Accepted credential set invitation`,
+      metadata: { invitationId: invitation.id },
+      request: req,
+    })
+
     return NextResponse.json({
       success: true,
       credentialSetId: invitation.credentialSetId,

apps/sim/app/api/credential-sets/memberships/route.ts

@@ -3,6 +3,7 @@ import { credentialSet, credentialSetMember, organization } from '@sim/db/schema
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
 
@@ -106,6 +107,17 @@ export async function DELETE(req: NextRequest) {
       userId: session.user.id,
     })
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.CREDENTIAL_SET_MEMBER_LEFT,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: credentialSetId,
+      description: `Left credential set`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     const message = error instanceof Error ? error.message : 'Failed to leave credential set'

apps/sim/app/api/credential-sets/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, count, desc, eq } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasCredentialSetsAccess } from '@/lib/billing'
 
@@ -165,6 +166,19 @@ export async function POST(req: Request) {
       userId: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_SET_CREATED,
+      resourceType: AuditResourceType.CREDENTIAL_SET,
+      resourceId: newCredentialSet.id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: name,
+      description: `Created credential set "${name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ credentialSet: newCredentialSet }, { status: 201 })
   } catch (error) {
     if (error instanceof z.ZodError) {

apps/sim/app/api/environment/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -53,6 +54,17 @@ export async function POST(req: NextRequest) {
           },
         })
 
+      recordAudit({
+        actorId: session.user.id,
+        actorName: session.user.name,
+        actorEmail: session.user.email,
+        action: AuditAction.ENVIRONMENT_UPDATED,
+        resourceType: AuditResourceType.ENVIRONMENT,
+        description: 'Updated global environment variables',
+        metadata: { variableCount: Object.keys(variables).length },
+        request: req,
+      })
+
       return NextResponse.json({ success: true })
     } catch (validationError) {
       if (validationError instanceof z.ZodError) {

apps/sim/app/api/folders/[id]/duplicate/route.ts

@@ -1,9 +1,10 @@
 import { db } from '@sim/db'
 import { workflow, workflowFolder } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, eq, isNull, min } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { duplicateWorkflow } from '@/lib/workflows/persistence/duplicate'
@@ -36,7 +37,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
     logger.info(`[${requestId}] Duplicating folder ${sourceFolderId} for user ${session.user.id}`)
 
-    // Verify the source folder exists
     const sourceFolder = await db
       .select()
       .from(workflowFolder)
@@ -47,7 +47,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       throw new Error('Source folder not found')
     }
 
-    // Check if user has permission to access the source folder
     const userPermission = await getUserEntityPermissions(
       session.user.id,
       'workspace',
@@ -60,26 +59,51 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
     const targetWorkspaceId = workspaceId || sourceFolder.workspaceId
 
-    // Step 1: Duplicate folder structure
     const { newFolderId, folderMapping } = await db.transaction(async (tx) => {
       const newFolderId = crypto.randomUUID()
       const now = new Date()
+      const targetParentId = parentId ?? sourceFolder.parentId
+
+      const folderParentCondition = targetParentId
+        ? eq(workflowFolder.parentId, targetParentId)
+        : isNull(workflowFolder.parentId)
+      const workflowParentCondition = targetParentId
+        ? eq(workflow.folderId, targetParentId)
+        : isNull(workflow.folderId)
+
+      const [[folderResult], [workflowResult]] = await Promise.all([
+        tx
+          .select({ minSortOrder: min(workflowFolder.sortOrder) })
+          .from(workflowFolder)
+          .where(and(eq(workflowFolder.workspaceId, targetWorkspaceId), folderParentCondition)),
+        tx
+          .select({ minSortOrder: min(workflow.sortOrder) })
+          .from(workflow)
+          .where(and(eq(workflow.workspaceId, targetWorkspaceId), workflowParentCondition)),
+      ])
+
+      const minSortOrder = [folderResult?.minSortOrder, workflowResult?.minSortOrder].reduce<
+        number | null
+      >((currentMin, candidate) => {
+        if (candidate == null) return currentMin
+        if (currentMin == null) return candidate
+        return Math.min(currentMin, candidate)
+      }, null)
+      const sortOrder = minSortOrder != null ? minSortOrder - 1 : 0
 
-      // Create the new root folder
       await tx.insert(workflowFolder).values({
         id: newFolderId,
         userId: session.user.id,
         workspaceId: targetWorkspaceId,
         name,
         color: color || sourceFolder.color,
-        parentId: parentId || sourceFolder.parentId,
+        parentId: targetParentId,
-        sortOrder: sourceFolder.sortOrder,
+        sortOrder,
         isExpanded: false,
         createdAt: now,
         updatedAt: now,
       })
 
-      // Recursively duplicate child folders
       const folderMapping = new Map<string, string>([[sourceFolderId, newFolderId]])
       await duplicateFolderStructure(
         tx,
@@ -95,7 +119,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       return { newFolderId, folderMapping }
     })
 
-    // Step 2: Duplicate workflows
     const workflowStats = await duplicateWorkflowsInFolderTree(
       sourceFolder.workspaceId,
       targetWorkspaceId,
@@ -115,6 +138,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       }
     )
 
+    recordAudit({
+      workspaceId: targetWorkspaceId,
+      actorId: session.user.id,
+      action: AuditAction.FOLDER_DUPLICATED,
+      resourceType: AuditResourceType.FOLDER,
+      resourceId: newFolderId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: name,
+      description: `Duplicated folder "${sourceFolder.name}" as "${name}"`,
+      request: req,
+    })
+
     return NextResponse.json(
       {
         id: newFolderId,
@@ -159,7 +195,6 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
   }
 }
 
-// Helper to recursively duplicate folder structure
 async function duplicateFolderStructure(
   tx: any,
   sourceFolderId: string,
@@ -170,7 +205,6 @@ async function duplicateFolderStructure(
   timestamp: Date,
   folderMapping: Map<string, string>
 ): Promise<void> {
-  // Get all child folders
   const childFolders = await tx
     .select()
     .from(workflowFolder)
@@ -181,7 +215,6 @@ async function duplicateFolderStructure(
       )
     )
 
-  // Create each child folder and recurse
   for (const childFolder of childFolders) {
     const newChildFolderId = crypto.randomUUID()
     folderMapping.set(childFolder.id, newChildFolderId)
@@ -199,7 +232,6 @@ async function duplicateFolderStructure(
       updatedAt: timestamp,
     })
 
-    // Recurse for this child's children
     await duplicateFolderStructure(
       tx,
       childFolder.id,
@@ -213,7 +245,6 @@ async function duplicateFolderStructure(
   }
 }
 
-// Helper to duplicate all workflows in a folder tree
 async function duplicateWorkflowsInFolderTree(
   sourceWorkspaceId: string,
   targetWorkspaceId: string,
@@ -223,9 +254,7 @@ async function duplicateWorkflowsInFolderTree(
 ): Promise<{ total: number; succeeded: number; failed: number }> {
   const stats = { total: 0, succeeded: 0, failed: 0 }
 
-  // Process each folder in the mapping
   for (const [oldFolderId, newFolderId] of folderMapping.entries()) {
-    // Get workflows in this folder
     const workflowsInFolder = await db
       .select()
       .from(workflow)
@@ -233,7 +262,6 @@ async function duplicateWorkflowsInFolderTree(
 
     stats.total += workflowsInFolder.length
 
-    // Duplicate each workflow
     for (const sourceWorkflow of workflowsInFolder) {
       try {
         await duplicateWorkflow({

apps/sim/app/api/folders/[id]/route.test.ts

@@ -4,6 +4,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   createMockRequest,
   type MockUser,
   mockAuth,
@@ -12,6 +13,8 @@ import {
 } from '@sim/testing'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 /** Type for captured folder values in tests */
 interface CapturedFolderValues {
   name?: string

apps/sim/app/api/folders/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -167,6 +168,19 @@ export async function DELETE(
       deletionStats,
     })
 
+    recordAudit({
+      workspaceId: existingFolder.workspaceId,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.FOLDER_DELETED,
+      resourceType: AuditResourceType.FOLDER,
+      resourceId: id,
+      resourceName: existingFolder.name,
+      description: `Deleted folder "${existingFolder.name}"`,
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       deletedItems: deletionStats,

apps/sim/app/api/folders/route.test.ts

@@ -3,9 +3,22 @@
  *
  * @vitest-environment node
  */
-import { createMockRequest, mockAuth, mockConsoleLogger, setupCommonApiMocks } from '@sim/testing'
+import {
+  auditMock,
+  createMockRequest,
+  mockAuth,
+  mockConsoleLogger,
+  setupCommonApiMocks,
+} from '@sim/testing'
+import { drizzleOrmMock } from '@sim/testing/mocks'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
+vi.mock('@/lib/audit/log', () => auditMock)
+vi.mock('drizzle-orm', () => ({
+  ...drizzleOrmMock,
+  min: vi.fn((field) => ({ type: 'min', field })),
+}))
+
 interface CapturedFolderValues {
   name?: string
   color?: string
@@ -16,29 +29,35 @@ interface CapturedFolderValues {
 }
 
 function createMockTransaction(mockData: {
-  selectData?: Array<{ id: string; [key: string]: unknown }>
+  selectResults?: Array<Array<{ [key: string]: unknown }>>
   insertResult?: Array<{ id: string; [key: string]: unknown }>
+  onInsertValues?: (values: CapturedFolderValues) => void
 }) {
-  const { selectData = [], insertResult = [] } = mockData
+  const { selectResults = [[], []], insertResult = [], onInsertValues } = mockData
-  return vi.fn().mockImplementation(async (callback: (tx: unknown) => Promise<unknown>) => {
+  return async (callback: (tx: unknown) => Promise<unknown>) => {
+    const where = vi.fn()
+    for (const result of selectResults) {
+      where.mockReturnValueOnce(result)
+    }
+    where.mockReturnValue([])
+
     const tx = {
       select: vi.fn().mockReturnValue({
         from: vi.fn().mockReturnValue({
-          where: vi.fn().mockReturnValue({
+          where,
-            orderBy: vi.fn().mockReturnValue({
-              limit: vi.fn().mockReturnValue(selectData),
-            }),
-          }),
         }),
       }),
       insert: vi.fn().mockReturnValue({
-        values: vi.fn().mockReturnValue({
+        values: vi.fn().mockImplementation((values: CapturedFolderValues) => {
-          returning: vi.fn().mockReturnValue(insertResult),
+          onInsertValues?.(values)
+          return {
+            returning: vi.fn().mockReturnValue(insertResult),
+          }
         }),
       }),
     }
     return await callback(tx)
-  })
+  }
 }
 
 describe('Folders API Route', () => {
@@ -249,25 +268,12 @@ describe('Folders API Route', () => {
     it('should create a new folder successfully', async () => {
       mockAuthenticatedUser()
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[], []],
-            from: vi.fn().mockReturnValue({
+          insertResult: [mockFolders[0]],
-              where: vi.fn().mockReturnValue({
+        })
-                orderBy: vi.fn().mockReturnValue({
+      )
-                  limit: vi.fn().mockReturnValue([]), // No existing folders
-                }),
-              }),
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockReturnValue({
-              returning: vi.fn().mockReturnValue([mockFolders[0]]),
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: 'New Test Folder',
@@ -277,12 +283,11 @@ describe('Folders API Route', () => {
 
       const { POST } = await import('@/app/api/folders/route')
       const response = await POST(req)
+      const responseBody = await response.json()
 
       expect(response.status).toBe(200)
-
+      expect(responseBody).toHaveProperty('folder')
-      const data = await response.json()
+      expect(responseBody.folder).toMatchObject({
-      expect(data).toHaveProperty('folder')
-      expect(data.folder).toMatchObject({
         id: 'folder-1',
         name: 'Test Folder 1',
         workspaceId: 'workspace-123',
@@ -291,26 +296,17 @@ describe('Folders API Route', () => {
 
     it('should create folder with correct sort order', async () => {
       mockAuthenticatedUser()
+      let capturedValues: CapturedFolderValues | null = null
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[{ minSortOrder: 5 }], [{ minSortOrder: 2 }]],
-            from: vi.fn().mockReturnValue({
+          insertResult: [{ ...mockFolders[0], sortOrder: 1 }],
-              where: vi.fn().mockReturnValue({
+          onInsertValues: (values) => {
-                orderBy: vi.fn().mockReturnValue({
+            capturedValues = values
-                  limit: vi.fn().mockReturnValue([{ sortOrder: 5 }]), // Existing folder with sort order 5
+          },
-                }),
+        })
-              }),
+      )
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockReturnValue({
-              returning: vi.fn().mockReturnValue([{ ...mockFolders[0], sortOrder: 6 }]),
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: 'New Test Folder',
@@ -324,8 +320,10 @@ describe('Folders API Route', () => {
 
       const data = await response.json()
       expect(data.folder).toMatchObject({
-        sortOrder: 6,
+        sortOrder: 1,
       })
+      expect(capturedValues).not.toBeNull()
+      expect(capturedValues!.sortOrder).toBe(1)
     })
 
     it('should create subfolder with parent reference', async () => {
@@ -333,7 +331,7 @@ describe('Folders API Route', () => {
 
       mockTransaction.mockImplementationOnce(
         createMockTransaction({
-          selectData: [], // No existing folders
+          selectResults: [[], []],
           insertResult: [{ ...mockFolders[1] }],
         })
       )
@@ -394,25 +392,12 @@ describe('Folders API Route', () => {
       mockAuthenticatedUser()
       mockGetUserEntityPermissions.mockResolvedValue('write') // Write permissions
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[], []],
-            from: vi.fn().mockReturnValue({
+          insertResult: [mockFolders[0]],
-              where: vi.fn().mockReturnValue({
+        })
-                orderBy: vi.fn().mockReturnValue({
+      )
-                  limit: vi.fn().mockReturnValue([]), // No existing folders
-                }),
-              }),
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockReturnValue({
-              returning: vi.fn().mockReturnValue([mockFolders[0]]),
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: 'Test Folder',
@@ -432,25 +417,12 @@ describe('Folders API Route', () => {
       mockAuthenticatedUser()
       mockGetUserEntityPermissions.mockResolvedValue('admin') // Admin permissions
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[], []],
-            from: vi.fn().mockReturnValue({
+          insertResult: [mockFolders[0]],
-              where: vi.fn().mockReturnValue({
+        })
-                orderBy: vi.fn().mockReturnValue({
+      )
-                  limit: vi.fn().mockReturnValue([]), // No existing folders
-                }),
-              }),
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockReturnValue({
-              returning: vi.fn().mockReturnValue([mockFolders[0]]),
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: 'Test Folder',
@@ -519,28 +491,15 @@ describe('Folders API Route', () => {
 
       let capturedValues: CapturedFolderValues | null = null
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[], []],
-            from: vi.fn().mockReturnValue({
+          insertResult: [mockFolders[0]],
-              where: vi.fn().mockReturnValue({
+          onInsertValues: (values) => {
-                orderBy: vi.fn().mockReturnValue({
+            capturedValues = values
-                  limit: vi.fn().mockReturnValue([]),
+          },
-                }),
+        })
-              }),
+      )
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockImplementation((values) => {
-              capturedValues = values
-              return {
-                returning: vi.fn().mockReturnValue([mockFolders[0]]),
-              }
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: '  Test Folder With Spaces  ',
@@ -559,28 +518,15 @@ describe('Folders API Route', () => {
 
       let capturedValues: CapturedFolderValues | null = null
 
-      mockTransaction.mockImplementationOnce(async (callback: any) => {
+      mockTransaction.mockImplementationOnce(
-        const tx = {
+        createMockTransaction({
-          select: vi.fn().mockReturnValue({
+          selectResults: [[], []],
-            from: vi.fn().mockReturnValue({
+          insertResult: [mockFolders[0]],
-              where: vi.fn().mockReturnValue({
+          onInsertValues: (values) => {
-                orderBy: vi.fn().mockReturnValue({
+            capturedValues = values
-                  limit: vi.fn().mockReturnValue([]),
+          },
-                }),
+        })
-              }),
+      )
-            }),
-          }),
-          insert: vi.fn().mockReturnValue({
-            values: vi.fn().mockImplementation((values) => {
-              capturedValues = values
-              return {
-                returning: vi.fn().mockReturnValue([mockFolders[0]]),
-              }
-            }),
-          }),
-        }
-        return await callback(tx)
-      })
 
       const req = createMockRequest('POST', {
         name: 'Test Folder',

apps/sim/app/api/folders/route.ts

@@ -1,8 +1,9 @@
 import { db } from '@sim/db'
-import { workflowFolder } from '@sim/db/schema'
+import { workflow, workflowFolder } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, asc, desc, eq, isNull } from 'drizzle-orm'
+import { and, asc, eq, isNull, min } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -86,19 +87,33 @@ export async function POST(request: NextRequest) {
       if (providedSortOrder !== undefined) {
         sortOrder = providedSortOrder
       } else {
-        const existingFolders = await tx
+        const folderParentCondition = parentId
-          .select({ sortOrder: workflowFolder.sortOrder })
+          ? eq(workflowFolder.parentId, parentId)
-          .from(workflowFolder)
+          : isNull(workflowFolder.parentId)
-          .where(
+        const workflowParentCondition = parentId
-            and(
+          ? eq(workflow.folderId, parentId)
-              eq(workflowFolder.workspaceId, workspaceId),
+          : isNull(workflow.folderId)
-              parentId ? eq(workflowFolder.parentId, parentId) : isNull(workflowFolder.parentId)
-            )
-          )
-          .orderBy(desc(workflowFolder.sortOrder))
-          .limit(1)
 
-        sortOrder = existingFolders.length > 0 ? existingFolders[0].sortOrder + 1 : 0
+        const [[folderResult], [workflowResult]] = await Promise.all([
+          tx
+            .select({ minSortOrder: min(workflowFolder.sortOrder) })
+            .from(workflowFolder)
+            .where(and(eq(workflowFolder.workspaceId, workspaceId), folderParentCondition)),
+          tx
+            .select({ minSortOrder: min(workflow.sortOrder) })
+            .from(workflow)
+            .where(and(eq(workflow.workspaceId, workspaceId), workflowParentCondition)),
+        ])
+
+        const minSortOrder = [folderResult?.minSortOrder, workflowResult?.minSortOrder].reduce<
+          number | null
+        >((currentMin, candidate) => {
+          if (candidate == null) return currentMin
+          if (currentMin == null) return candidate
+          return Math.min(currentMin, candidate)
+        }, null)
+
+        sortOrder = minSortOrder != null ? minSortOrder - 1 : 0
       }
 
       const [folder] = await tx
@@ -119,6 +134,20 @@ export async function POST(request: NextRequest) {
 
     logger.info('Created new folder:', { id, name, workspaceId, parentId })
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.FOLDER_CREATED,
+      resourceType: AuditResourceType.FOLDER,
+      resourceId: id,
+      resourceName: name.trim(),
+      description: `Created folder "${name.trim()}"`,
+      metadata: { name: name.trim() },
+      request,
+    })
+
     return NextResponse.json({ folder: newFolder })
   } catch (error) {
     logger.error('Error creating folder:', { error })

apps/sim/app/api/form/manage/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { checkFormAccess, DEFAULT_FORM_CUSTOMIZATIONS } from '@/app/api/form/utils'
@@ -102,7 +103,11 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 
     const { id } = await params
 
-    const { hasAccess, form: formRecord } = await checkFormAccess(id, session.user.id)
+    const {
+      hasAccess,
+      form: formRecord,
+      workspaceId: formWorkspaceId,
+    } = await checkFormAccess(id, session.user.id)
 
     if (!hasAccess || !formRecord) {
       return createErrorResponse('Form not found or access denied', 404)
@@ -184,6 +189,19 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 
       logger.info(`Form ${id} updated successfully`)
 
+      recordAudit({
+        workspaceId: formWorkspaceId ?? null,
+        actorId: session.user.id,
+        action: AuditAction.FORM_UPDATED,
+        resourceType: AuditResourceType.FORM,
+        resourceId: id,
+        actorName: session.user.name ?? undefined,
+        actorEmail: session.user.email ?? undefined,
+        resourceName: formRecord.title ?? undefined,
+        description: `Updated form "${formRecord.title}"`,
+        request,
+      })
+
       return createSuccessResponse({
         message: 'Form updated successfully',
       })
@@ -213,7 +231,11 @@ export async function DELETE(
 
     const { id } = await params
 
-    const { hasAccess, form: formRecord } = await checkFormAccess(id, session.user.id)
+    const {
+      hasAccess,
+      form: formRecord,
+      workspaceId: formWorkspaceId,
+    } = await checkFormAccess(id, session.user.id)
 
     if (!hasAccess || !formRecord) {
       return createErrorResponse('Form not found or access denied', 404)
@@ -223,6 +245,19 @@ export async function DELETE(
 
     logger.info(`Form ${id} deleted (soft delete)`)
 
+    recordAudit({
+      workspaceId: formWorkspaceId ?? null,
+      actorId: session.user.id,
+      action: AuditAction.FORM_DELETED,
+      resourceType: AuditResourceType.FORM,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: formRecord.title ?? undefined,
+      description: `Deleted form "${formRecord.title}"`,
+      request,
+    })
+
     return createSuccessResponse({
       message: 'Form deleted successfully',
     })

apps/sim/app/api/form/route.ts

@@ -5,6 +5,7 @@ import { eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { isDev } from '@/lib/core/config/feature-flags'
 import { encryptSecret } from '@/lib/core/security/encryption'
@@ -178,7 +179,7 @@ export async function POST(request: NextRequest) {
         userId: session.user.id,
         identifier,
         title,
-        description: description || '',
+        description: description || null,
         customizations: mergedCustomizations,
         isActive: true,
         authType,
@@ -195,6 +196,19 @@ export async function POST(request: NextRequest) {
 
       logger.info(`Form "${title}" deployed successfully at ${formUrl}`)
 
+      recordAudit({
+        workspaceId: workflowRecord.workspaceId ?? null,
+        actorId: session.user.id,
+        action: AuditAction.FORM_CREATED,
+        resourceType: AuditResourceType.FORM,
+        resourceId: id,
+        actorName: session.user.name ?? undefined,
+        actorEmail: session.user.email ?? undefined,
+        resourceName: title,
+        description: `Created form "${title}" for workflow ${workflowId}`,
+        request,
+      })
+
       return createSuccessResponse({
         id,
         formUrl,

apps/sim/app/api/form/utils.ts

@@ -52,7 +52,7 @@ export async function checkWorkflowAccessForFormCreation(
 export async function checkFormAccess(
   formId: string,
   userId: string
-): Promise<{ hasAccess: boolean; form?: any }> {
+): Promise<{ hasAccess: boolean; form?: any; workspaceId?: string }> {
   const formData = await db
     .select({ form: form, workflowWorkspaceId: workflow.workspaceId })
     .from(form)
@@ -75,7 +75,9 @@ export async function checkFormAccess(
     action: 'admin',
   })
 
-  return authorization.allowed ? { hasAccess: true, form: formRecord } : { hasAccess: false }
+  return authorization.allowed
+    ? { hasAccess: true, form: formRecord, workspaceId: workflowWorkspaceId }
+    : { hasAccess: false }
 }
 
 export async function validateFormAuth(

apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.test.ts

@@ -4,6 +4,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   createMockRequest,
   mockAuth,
   mockConsoleLogger,
@@ -35,6 +36,8 @@ vi.mock('@/lib/knowledge/documents/service', () => ({
 mockDrizzleOrm()
 mockConsoleLogger()
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 describe('Document By ID API Route', () => {
   const mockAuth$ = mockAuth()
 

apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -197,6 +198,19 @@ export async function PUT(
           `[${requestId}] Document updated: ${documentId} in knowledge base ${knowledgeBaseId}`
         )
 
+        recordAudit({
+          workspaceId: accessCheck.knowledgeBase?.workspaceId ?? null,
+          actorId: userId,
+          actorName: auth.userName,
+          actorEmail: auth.userEmail,
+          action: AuditAction.DOCUMENT_UPDATED,
+          resourceType: AuditResourceType.DOCUMENT,
+          resourceId: documentId,
+          resourceName: validatedData.filename ?? accessCheck.document?.filename,
+          description: `Updated document "${documentId}" in knowledge base "${knowledgeBaseId}"`,
+          request: req,
+        })
+
         return NextResponse.json({
           success: true,
           data: updatedDocument,
@@ -257,6 +271,19 @@ export async function DELETE(
       `[${requestId}] Document deleted: ${documentId} from knowledge base ${knowledgeBaseId}`
     )
 
+    recordAudit({
+      workspaceId: accessCheck.knowledgeBase?.workspaceId ?? null,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.DOCUMENT_DELETED,
+      resourceType: AuditResourceType.DOCUMENT,
+      resourceId: documentId,
+      resourceName: accessCheck.document?.filename,
+      description: `Deleted document "${documentId}" from knowledge base "${knowledgeBaseId}"`,
+      request: req,
+    })
+
     return NextResponse.json({
       success: true,
       data: result,

apps/sim/app/api/knowledge/[id]/documents/route.test.ts

@@ -4,6 +4,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   createMockRequest,
   mockAuth,
   mockConsoleLogger,
@@ -40,6 +41,8 @@ vi.mock('@/lib/knowledge/documents/service', () => ({
 mockDrizzleOrm()
 mockConsoleLogger()
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 describe('Knowledge Base Documents API Route', () => {
   const mockAuth$ = mockAuth()
 

apps/sim/app/api/knowledge/[id]/documents/route.ts

@@ -2,6 +2,7 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import {
@@ -244,6 +245,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           logger.error(`[${requestId}] Critical error in document processing pipeline:`, error)
         })
 
+        recordAudit({
+          workspaceId: accessCheck.knowledgeBase?.workspaceId ?? null,
+          actorId: userId,
+          actorName: auth.userName,
+          actorEmail: auth.userEmail,
+          action: AuditAction.DOCUMENT_UPLOADED,
+          resourceType: AuditResourceType.DOCUMENT,
+          resourceId: knowledgeBaseId,
+          resourceName: `${createdDocuments.length} document(s)`,
+          description: `Uploaded ${createdDocuments.length} document(s) to knowledge base "${knowledgeBaseId}"`,
+          request: req,
+        })
+
         return NextResponse.json({
           success: true,
           data: {
@@ -292,6 +306,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           // Silently fail
         }
 
+        recordAudit({
+          workspaceId: accessCheck.knowledgeBase?.workspaceId ?? null,
+          actorId: userId,
+          actorName: auth.userName,
+          actorEmail: auth.userEmail,
+          action: AuditAction.DOCUMENT_UPLOADED,
+          resourceType: AuditResourceType.DOCUMENT,
+          resourceId: knowledgeBaseId,
+          resourceName: validatedData.filename,
+          description: `Uploaded document "${validatedData.filename}" to knowledge base "${knowledgeBaseId}"`,
+          request: req,
+        })
+
         return NextResponse.json({
           success: true,
           data: newDocument,

apps/sim/app/api/knowledge/[id]/route.test.ts

@@ -4,6 +4,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   createMockRequest,
   mockAuth,
   mockConsoleLogger,
@@ -16,6 +17,8 @@ mockKnowledgeSchemas()
 mockDrizzleOrm()
 mockConsoleLogger()
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 vi.mock('@/lib/knowledge/service', () => ({
   getKnowledgeBaseById: vi.fn(),
   updateKnowledgeBase: vi.fn(),

apps/sim/app/api/knowledge/[id]/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -135,6 +136,19 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
 
       logger.info(`[${requestId}] Knowledge base updated: ${id} for user ${userId}`)
 
+      recordAudit({
+        workspaceId: accessCheck.knowledgeBase.workspaceId ?? null,
+        actorId: userId,
+        actorName: auth.userName,
+        actorEmail: auth.userEmail,
+        action: AuditAction.KNOWLEDGE_BASE_UPDATED,
+        resourceType: AuditResourceType.KNOWLEDGE_BASE,
+        resourceId: id,
+        resourceName: validatedData.name ?? updatedKnowledgeBase.name,
+        description: `Updated knowledge base "${validatedData.name ?? updatedKnowledgeBase.name}"`,
+        request: req,
+      })
+
       return NextResponse.json({
         success: true,
         data: updatedKnowledgeBase,
@@ -197,6 +211,19 @@ export async function DELETE(
 
     logger.info(`[${requestId}] Knowledge base deleted: ${id} for user ${userId}`)
 
+    recordAudit({
+      workspaceId: accessCheck.knowledgeBase.workspaceId ?? null,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.KNOWLEDGE_BASE_DELETED,
+      resourceType: AuditResourceType.KNOWLEDGE_BASE,
+      resourceId: id,
+      resourceName: accessCheck.knowledgeBase.name,
+      description: `Deleted knowledge base "${accessCheck.knowledgeBase.name || id}"`,
+      request: _request,
+    })
+
     return NextResponse.json({
       success: true,
       data: { message: 'Knowledge base deleted successfully' },

apps/sim/app/api/knowledge/route.test.ts

@@ -4,6 +4,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   createMockRequest,
   mockAuth,
   mockConsoleLogger,
@@ -16,6 +17,8 @@ mockKnowledgeSchemas()
 mockDrizzleOrm()
 mockConsoleLogger()
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 vi.mock('@/lib/workspaces/permissions/utils', () => ({
   getUserEntityPermissions: vi.fn().mockResolvedValue('admin'),
 }))

apps/sim/app/api/knowledge/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -109,6 +110,20 @@ export async function POST(req: NextRequest) {
         `[${requestId}] Knowledge base created: ${newKnowledgeBase.id} for user ${session.user.id}`
       )
 
+      recordAudit({
+        workspaceId: validatedData.workspaceId,
+        actorId: session.user.id,
+        actorName: session.user.name,
+        actorEmail: session.user.email,
+        action: AuditAction.KNOWLEDGE_BASE_CREATED,
+        resourceType: AuditResourceType.KNOWLEDGE_BASE,
+        resourceId: newKnowledgeBase.id,
+        resourceName: validatedData.name,
+        description: `Created knowledge base "${validatedData.name}"`,
+        metadata: { name: validatedData.name },
+        request: req,
+      })
+
       return NextResponse.json({
         success: true,
         data: newKnowledgeBase,

apps/sim/app/api/knowledge/utils.ts

@@ -99,7 +99,7 @@ export interface EmbeddingData {
 
 export interface KnowledgeBaseAccessResult {
   hasAccess: true
-  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId'>
+  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId' | 'name'>
 }
 
 export interface KnowledgeBaseAccessDenied {
@@ -113,7 +113,7 @@ export type KnowledgeBaseAccessCheck = KnowledgeBaseAccessResult | KnowledgeBase
 export interface DocumentAccessResult {
   hasAccess: true
   document: DocumentData
-  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId'>
+  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId' | 'name'>
 }
 
 export interface DocumentAccessDenied {
@@ -128,7 +128,7 @@ export interface ChunkAccessResult {
   hasAccess: true
   chunk: EmbeddingData
   document: DocumentData
-  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId'>
+  knowledgeBase: Pick<KnowledgeBaseData, 'id' | 'userId' | 'workspaceId' | 'name'>
 }
 
 export interface ChunkAccessDenied {
@@ -151,6 +151,7 @@ export async function checkKnowledgeBaseAccess(
       id: knowledgeBase.id,
       userId: knowledgeBase.userId,
       workspaceId: knowledgeBase.workspaceId,
+      name: knowledgeBase.name,
     })
     .from(knowledgeBase)
     .where(and(eq(knowledgeBase.id, knowledgeBaseId), isNull(knowledgeBase.deletedAt)))
@@ -193,6 +194,7 @@ export async function checkKnowledgeBaseWriteAccess(
       id: knowledgeBase.id,
       userId: knowledgeBase.userId,
       workspaceId: knowledgeBase.workspaceId,
+      name: knowledgeBase.name,
     })
     .from(knowledgeBase)
     .where(and(eq(knowledgeBase.id, knowledgeBaseId), isNull(knowledgeBase.deletedAt)))

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -3,6 +3,8 @@ import { mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
+import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpService } from '@/lib/mcp/service'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -15,7 +17,11 @@ export const dynamic = 'force-dynamic'
  * PATCH - Update an MCP server in the workspace (requires write or admin permission)
  */
 export const PATCH = withMcpAuth<{ id: string }>('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     const { id: serverId } = await params
 
     try {
@@ -29,6 +35,17 @@ export const PATCH = withMcpAuth<{ id: string }>('write')(
       // Remove workspaceId from body to prevent it from being updated
       const { workspaceId: _, ...updateData } = body
 
+      if (updateData.url) {
+        try {
+          validateMcpDomain(updateData.url)
+        } catch (e) {
+          if (e instanceof McpDomainNotAllowedError) {
+            return createMcpErrorResponse(e, e.message, 403)
+          }
+          throw e
+        }
+      }
+
       // Get the current server to check if URL is changing
       const [currentServer] = await db
         .select({ url: mcpServers.url })
@@ -73,6 +90,20 @@ export const PATCH = withMcpAuth<{ id: string }>('write')(
       }
 
       logger.info(`[${requestId}] Successfully updated MCP server: ${serverId}`)
+
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_UPDATED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        resourceName: updatedServer.name || serverId,
+        description: `Updated MCP server "${updatedServer.name || serverId}"`,
+        request,
+      })
+
       return createMcpSuccessResponse({ server: updatedServer })
     } catch (error) {
       logger.error(`[${requestId}] Error updating MCP server:`, error)

apps/sim/app/api/mcp/servers/route.ts

@@ -3,6 +3,8 @@ import { mcpServers } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
+import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpService } from '@/lib/mcp/service'
 import {
@@ -54,7 +56,7 @@ export const GET = withMcpAuth('read')(
  * it will be updated instead of creating a duplicate.
  */
 export const POST = withMcpAuth('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }) => {
+  async (request: NextRequest, { userId, userName, userEmail, workspaceId, requestId }) => {
     try {
       const body = getParsedBody(request) || (await request.json())
 
@@ -72,6 +74,15 @@ export const POST = withMcpAuth('write')(
         )
       }
 
+      try {
+        validateMcpDomain(body.url)
+      } catch (e) {
+        if (e instanceof McpDomainNotAllowedError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       const serverId = body.url ? generateMcpServerId(workspaceId, body.url) : crypto.randomUUID()
 
       const [existingServer] = await db
@@ -151,6 +162,20 @@ export const POST = withMcpAuth('write')(
         // Silently fail
       }
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_ADDED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        resourceName: body.name,
+        description: `Added MCP server "${body.name}"`,
+        metadata: { serverName: body.name, transport: body.transport },
+        request,
+      })
+
       return createMcpSuccessResponse({ serverId }, 201)
     } catch (error) {
       logger.error(`[${requestId}] Error registering MCP server:`, error)
@@ -167,7 +192,7 @@ export const POST = withMcpAuth('write')(
  * DELETE - Delete an MCP server from the workspace (requires admin permission)
  */
 export const DELETE = withMcpAuth('admin')(
-  async (request: NextRequest, { userId, workspaceId, requestId }) => {
+  async (request: NextRequest, { userId, userName, userEmail, workspaceId, requestId }) => {
     try {
       const { searchParams } = new URL(request.url)
       const serverId = searchParams.get('serverId')
@@ -198,6 +223,20 @@ export const DELETE = withMcpAuth('admin')(
       await mcpService.clearCache(workspaceId)
 
       logger.info(`[${requestId}] Successfully deleted MCP server: ${serverId}`)
+
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_REMOVED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId!,
+        resourceName: deletedServer.name,
+        description: `Removed MCP server "${deletedServer.name}"`,
+        request,
+      })
+
       return createMcpSuccessResponse({ message: `Server ${serverId} deleted successfully` })
     } catch (error) {
       logger.error(`[${requestId}] Error deleting MCP server:`, error)

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { McpClient } from '@/lib/mcp/client'
+import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
 import type { McpTransport } from '@/lib/mcp/types'
@@ -71,6 +72,15 @@ export const POST = withMcpAuth('write')(
         )
       }
 
+      try {
+        validateMcpDomain(body.url)
+      } catch (e) {
+        if (e instanceof McpDomainNotAllowedError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       // Build initial config for resolution
       const initialConfig = {
         id: `test-${requestId}`,
@@ -95,6 +105,16 @@ export const POST = withMcpAuth('write')(
         logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
       }
 
+      // Re-validate domain after env var resolution
+      try {
+        validateMcpDomain(testConfig.url)
+      } catch (e) {
+        if (e instanceof McpDomainNotAllowedError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/mcp/workflow-servers/[id]/route.ts

@@ -3,6 +3,7 @@ import { workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -71,7 +72,11 @@ export const GET = withMcpAuth<RouteParams>('read')(
  * PATCH - Update a workflow MCP server
  */
 export const PATCH = withMcpAuth<RouteParams>('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     try {
       const { id: serverId } = await params
       const body = getParsedBody(request) || (await request.json())
@@ -112,6 +117,19 @@ export const PATCH = withMcpAuth<RouteParams>('write')(
 
       logger.info(`[${requestId}] Successfully updated workflow MCP server: ${serverId}`)
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_UPDATED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        resourceName: updatedServer.name,
+        description: `Updated workflow MCP server "${updatedServer.name}"`,
+        request,
+      })
+
       return createMcpSuccessResponse({ server: updatedServer })
     } catch (error) {
       logger.error(`[${requestId}] Error updating workflow MCP server:`, error)
@@ -128,7 +146,11 @@ export const PATCH = withMcpAuth<RouteParams>('write')(
  * DELETE - Delete a workflow MCP server and all its tools
  */
 export const DELETE = withMcpAuth<RouteParams>('admin')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     try {
       const { id: serverId } = await params
 
@@ -149,6 +171,19 @@ export const DELETE = withMcpAuth<RouteParams>('admin')(
 
       mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_REMOVED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        resourceName: deletedServer.name,
+        description: `Unpublished workflow MCP server "${deletedServer.name}"`,
+        request,
+      })
+
       return createMcpSuccessResponse({ message: `Server ${serverId} deleted successfully` })
     } catch (error) {
       logger.error(`[${requestId}] Error deleting workflow MCP server:`, error)

apps/sim/app/api/mcp/workflow-servers/[id]/tools/[toolId]/route.ts

@@ -3,6 +3,7 @@ import { workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -65,7 +66,11 @@ export const GET = withMcpAuth<RouteParams>('read')(
  * PATCH - Update a tool's configuration
  */
 export const PATCH = withMcpAuth<RouteParams>('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     try {
       const { id: serverId, toolId } = await params
       const body = getParsedBody(request) || (await request.json())
@@ -118,6 +123,19 @@ export const PATCH = withMcpAuth<RouteParams>('write')(
 
       mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_UPDATED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        description: `Updated tool "${updatedTool.toolName}" in MCP server`,
+        metadata: { toolId, toolName: updatedTool.toolName },
+        request,
+      })
+
       return createMcpSuccessResponse({ tool: updatedTool })
     } catch (error) {
       logger.error(`[${requestId}] Error updating tool:`, error)
@@ -134,7 +152,11 @@ export const PATCH = withMcpAuth<RouteParams>('write')(
  * DELETE - Remove a tool from an MCP server
  */
 export const DELETE = withMcpAuth<RouteParams>('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     try {
       const { id: serverId, toolId } = await params
 
@@ -165,6 +187,19 @@ export const DELETE = withMcpAuth<RouteParams>('write')(
 
       mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_UPDATED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        description: `Removed tool "${deletedTool.toolName}" from MCP server`,
+        metadata: { toolId, toolName: deletedTool.toolName },
+        request,
+      })
+
       return createMcpSuccessResponse({ message: `Tool ${toolId} deleted successfully` })
     } catch (error) {
       logger.error(`[${requestId}] Error deleting tool:`, error)

apps/sim/app/api/mcp/workflow-servers/[id]/tools/route.ts

@@ -3,6 +3,7 @@ import { workflow, workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -76,7 +77,11 @@ export const GET = withMcpAuth<RouteParams>('read')(
  * POST - Add a workflow as a tool to an MCP server
  */
 export const POST = withMcpAuth<RouteParams>('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }, { params }) => {
+  async (
+    request: NextRequest,
+    { userId, userName, userEmail, workspaceId, requestId },
+    { params }
+  ) => {
     try {
       const { id: serverId } = await params
       const body = getParsedBody(request) || (await request.json())
@@ -197,6 +202,19 @@ export const POST = withMcpAuth<RouteParams>('write')(
 
       mcpPubSub?.publishWorkflowToolsChanged({ serverId, workspaceId })
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_UPDATED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        description: `Added tool "${toolName}" to MCP server`,
+        metadata: { toolId, toolName, workflowId: body.workflowId },
+        request,
+      })
+
       return createMcpSuccessResponse({ tool }, 201)
     } catch (error) {
       logger.error(`[${requestId}] Error adding tool:`, error)

apps/sim/app/api/mcp/workflow-servers/route.ts

@@ -3,6 +3,7 @@ import { workflow, workflowMcpServer, workflowMcpTool } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq, inArray, sql } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpPubSub } from '@/lib/mcp/pubsub'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -85,7 +86,7 @@ export const GET = withMcpAuth('read')(
  * POST - Create a new workflow MCP server
  */
 export const POST = withMcpAuth('write')(
-  async (request: NextRequest, { userId, workspaceId, requestId }) => {
+  async (request: NextRequest, { userId, userName, userEmail, workspaceId, requestId }) => {
     try {
       const body = getParsedBody(request) || (await request.json())
 
@@ -188,6 +189,19 @@ export const POST = withMcpAuth('write')(
         `[${requestId}] Successfully created workflow MCP server: ${body.name} (ID: ${serverId})`
       )
 
+      recordAudit({
+        workspaceId,
+        actorId: userId,
+        actorName: userName,
+        actorEmail: userEmail,
+        action: AuditAction.MCP_SERVER_ADDED,
+        resourceType: AuditResourceType.MCP_SERVER,
+        resourceId: serverId,
+        resourceName: body.name.trim(),
+        description: `Published workflow MCP server "${body.name.trim()}" with ${addedTools.length} tool(s)`,
+        request,
+      })
+
       return createMcpSuccessResponse({ server, addedTools }, 201)
     } catch (error) {
       logger.error(`[${requestId}] Error creating workflow MCP server:`, error)

apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts

@@ -18,6 +18,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getEmailSubject, renderInvitationEmail } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
@@ -552,6 +553,25 @@ export async function PUT(
       email: orgInvitation.email,
     })
 
+    const auditActionMap = {
+      accepted: AuditAction.ORG_INVITATION_ACCEPTED,
+      rejected: AuditAction.ORG_INVITATION_REJECTED,
+      cancelled: AuditAction.ORG_INVITATION_CANCELLED,
+    } as const
+
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: auditActionMap[status],
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Organization invitation ${status} for ${orgInvitation.email}`,
+      metadata: { invitationId, email: orgInvitation.email, status },
+      request: req,
+    })
+
     return NextResponse.json({
       success: true,
       message: `Invitation ${status} successfully`,

apps/sim/app/api/organizations/[id]/invitations/route.ts

@@ -17,6 +17,7 @@ import {
   renderBatchInvitationEmail,
   renderInvitationEmail,
 } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import {
   validateBulkInvitations,
@@ -411,6 +412,22 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       workspaceInvitationCount: workspaceInvitationIds.length,
     })
 
+    for (const inv of invitationsToCreate) {
+      recordAudit({
+        workspaceId: null,
+        actorId: session.user.id,
+        action: AuditAction.ORG_INVITATION_CREATED,
+        resourceType: AuditResourceType.ORGANIZATION,
+        resourceId: organizationId,
+        actorName: session.user.name ?? undefined,
+        actorEmail: session.user.email ?? undefined,
+        resourceName: organizationEntry[0]?.name,
+        description: `Invited ${inv.email} to organization as ${role}`,
+        metadata: { invitationId: inv.id, email: inv.email, role },
+        request,
+      })
+    }
+
     return NextResponse.json({
       success: true,
       message: `${invitationsToCreate.length} invitation(s) sent successfully`,
@@ -532,6 +549,19 @@ export async function DELETE(
       email: result[0].email,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.ORG_INVITATION_REVOKED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Revoked organization invitation for ${result[0].email}`,
+      metadata: { invitationId, email: result[0].email },
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       message: 'Invitation cancelled successfully',

apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getUserUsageData } from '@/lib/billing/core/usage'
 import { removeUserFromOrganization } from '@/lib/billing/organizations/membership'
@@ -213,6 +214,19 @@ export async function PUT(
       updatedBy: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.ORG_MEMBER_ROLE_CHANGED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Changed role for member ${memberId} to ${role}`,
+      metadata: { targetUserId: memberId, newRole: role },
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       message: 'Member role updated successfully',
@@ -305,6 +319,22 @@ export async function DELETE(
       billingActions: result.billingActions,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.ORG_MEMBER_REMOVED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description:
+        session.user.id === targetUserId
+          ? 'Left the organization'
+          : `Removed member ${targetUserId} from organization`,
+      metadata: { targetUserId, wasSelfRemoval: session.user.id === targetUserId },
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       message:

apps/sim/app/api/organizations/[id]/members/route.ts

@@ -5,6 +5,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getEmailSubject, renderInvitationEmail } from '@/components/emails'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { getUserUsageData } from '@/lib/billing/core/usage'
 import { validateSeatAvailability } from '@/lib/billing/validation/seat-management'
@@ -285,6 +286,19 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       // Don't fail the request if email fails
     }
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.ORG_INVITATION_CREATED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Invited ${normalizedEmail} to organization as ${role}`,
+      metadata: { invitationId, email: normalizedEmail, role },
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       message: `Invitation sent to ${normalizedEmail}`,

apps/sim/app/api/organizations/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq, ne } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import {
   getOrganizationSeatAnalytics,
@@ -192,6 +193,20 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         changes: { name, slug, logo },
       })
 
+      recordAudit({
+        workspaceId: null,
+        actorId: session.user.id,
+        action: AuditAction.ORGANIZATION_UPDATED,
+        resourceType: AuditResourceType.ORGANIZATION,
+        resourceId: organizationId,
+        actorName: session.user.name ?? undefined,
+        actorEmail: session.user.email ?? undefined,
+        resourceName: updatedOrg[0].name,
+        description: `Updated organization settings`,
+        metadata: { changes: { name, slug, logo } },
+        request,
+      })
+
       return NextResponse.json({
         success: true,
         message: 'Organization updated successfully',

apps/sim/app/api/organizations/route.ts

@@ -3,6 +3,7 @@ import { member, organization } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, or } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { createOrganizationForTeamPlan } from '@/lib/billing/organization'
 
@@ -115,6 +116,19 @@ export async function POST(request: Request) {
       organizationId,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: user.id,
+      action: AuditAction.ORGANIZATION_CREATED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: user.name ?? undefined,
+      actorEmail: user.email ?? undefined,
+      resourceName: organizationName ?? undefined,
+      description: `Created organization "${organizationName}"`,
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       organizationId,

apps/sim/app/api/permission-groups/[id]/members/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
 
@@ -13,6 +14,7 @@ async function getPermissionGroupWithAccess(groupId: string, userId: string) {
   const [group] = await db
     .select({
       id: permissionGroup.id,
+      name: permissionGroup.name,
       organizationId: permissionGroup.organizationId,
     })
     .from(permissionGroup)
@@ -151,6 +153,20 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       assignedBy: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.PERMISSION_GROUP_MEMBER_ADDED,
+      resourceType: AuditResourceType.PERMISSION_GROUP,
+      resourceId: id,
+      resourceName: result.group.name,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Added member ${userId} to permission group "${result.group.name}"`,
+      metadata: { targetUserId: userId, permissionGroupId: id },
+      request: req,
+    })
+
     return NextResponse.json({ member: newMember }, { status: 201 })
   } catch (error) {
     if (error instanceof z.ZodError) {
@@ -221,6 +237,20 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
       userId: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.PERMISSION_GROUP_MEMBER_REMOVED,
+      resourceType: AuditResourceType.PERMISSION_GROUP,
+      resourceId: id,
+      resourceName: result.group.name,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Removed member ${memberToRemove.userId} from permission group "${result.group.name}"`,
+      metadata: { targetUserId: memberToRemove.userId, memberId, permissionGroupId: id },
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error removing member from permission group', error)

apps/sim/app/api/permission-groups/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
 import {
@@ -181,6 +182,19 @@ export async function PUT(req: NextRequest, { params }: { params: Promise<{ id:
       .where(eq(permissionGroup.id, id))
       .limit(1)
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.PERMISSION_GROUP_UPDATED,
+      resourceType: AuditResourceType.PERMISSION_GROUP,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: updated.name,
+      description: `Updated permission group "${updated.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({
       permissionGroup: {
         ...updated,
@@ -229,6 +243,19 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
 
     logger.info('Deleted permission group', { permissionGroupId: id, userId: session.user.id })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.PERMISSION_GROUP_DELETED,
+      resourceType: AuditResourceType.PERMISSION_GROUP,
+      resourceId: id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: result.group.name,
+      description: `Deleted permission group "${result.group.name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error deleting permission group', error)

apps/sim/app/api/permission-groups/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, count, desc, eq } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
 import {
@@ -198,6 +199,19 @@ export async function POST(req: Request) {
       userId: session.user.id,
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.PERMISSION_GROUP_CREATED,
+      resourceType: AuditResourceType.PERMISSION_GROUP,
+      resourceId: newGroup.id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: name,
+      description: `Created permission group "${name}"`,
+      request: req,
+    })
+
     return NextResponse.json({ permissionGroup: newGroup }, { status: 201 })
   } catch (error) {
     if (error instanceof z.ZodError) {

apps/sim/app/api/schedules/[id]/route.test.ts

@@ -3,7 +3,7 @@
  *
  * @vitest-environment node
  */
-import { databaseMock, loggerMock } from '@sim/testing'
+import { auditMock, databaseMock, loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -37,6 +37,8 @@ vi.mock('@/lib/core/utils/request', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 import { PUT } from './route'
 
 function createRequest(body: Record<string, unknown>): NextRequest {

apps/sim/app/api/schedules/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { validateCronExpression } from '@/lib/workflows/schedules/utils'
@@ -106,6 +107,18 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Reactivated schedule: ${scheduleId}`)
 
+    recordAudit({
+      workspaceId: authorization.workflow.workspaceId ?? null,
+      actorId: session.user.id,
+      action: AuditAction.SCHEDULE_UPDATED,
+      resourceType: AuditResourceType.SCHEDULE,
+      resourceId: scheduleId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Reactivated schedule for workflow ${schedule.workflowId}`,
+      request,
+    })
+
     return NextResponse.json({
       message: 'Schedule activated successfully',
       nextRunAt,

apps/sim/app/api/settings/allowed-integrations/route.ts

@@ -0,0 +1,14 @@
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  return NextResponse.json({
+    allowedIntegrations: getAllowedIntegrationsFromEnv(),
+  })
+}

apps/sim/app/api/settings/allowed-mcp-domains/route.ts

@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { getAllowedMcpDomainsFromEnv } from '@/lib/core/config/feature-flags'
+import { getBaseUrl } from '@/lib/core/utils/urls'
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const configuredDomains = getAllowedMcpDomainsFromEnv()
+  if (configuredDomains === null) {
+    return NextResponse.json({ allowedMcpDomains: null })
+  }
+
+  try {
+    const platformHostname = new URL(getBaseUrl()).hostname.toLowerCase()
+    if (!configuredDomains.includes(platformHostname)) {
+      return NextResponse.json({
+        allowedMcpDomains: [...configuredDomains, platformHostname],
+      })
+    }
+  } catch {}
+
+  return NextResponse.json({ allowedMcpDomains: configuredDomains })
+}

apps/sim/app/api/templates/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -247,6 +248,18 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Successfully updated template: ${id}`)
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_UPDATED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: id,
+      resourceName: name ?? template.name,
+      description: `Updated template "${name ?? template.name}"`,
+      request,
+    })
+
     return NextResponse.json({
       data: updatedTemplate[0],
       message: 'Template updated successfully',
@@ -300,6 +313,19 @@ export async function DELETE(
     await db.delete(templates).where(eq(templates.id, id))
 
     logger.info(`[${requestId}] Deleted template: ${id}`)
+
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_DELETED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: id,
+      resourceName: template.name,
+      description: `Deleted template "${template.name}"`,
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Error deleting template: ${id}`, error)

apps/sim/app/api/templates/route.ts

@@ -11,6 +11,7 @@ import { and, desc, eq, ilike, or, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { verifyEffectiveSuperUser } from '@/lib/templates/permissions'
@@ -285,6 +286,18 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Successfully created template: ${templateId}`)
 
+    recordAudit({
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.TEMPLATE_CREATED,
+      resourceType: AuditResourceType.TEMPLATE,
+      resourceId: templateId,
+      resourceName: data.name,
+      description: `Created template "${data.name}"`,
+      request,
+    })
+
     return NextResponse.json(
       {
         id: templateId,

apps/sim/app/api/tools/pipedrive/get-files/route.ts

@@ -22,15 +22,20 @@ interface PipedriveFile {
 interface PipedriveApiResponse {
   success: boolean
   data?: PipedriveFile[]
+  additional_data?: {
+    pagination?: {
+      more_items_in_collection: boolean
+      next_start: number
+    }
+  }
   error?: string
 }
 
 const PipedriveGetFilesSchema = z.object({
   accessToken: z.string().min(1, 'Access token is required'),
-  deal_id: z.string().optional().nullable(),
+  sort: z.enum(['id', 'update_time']).optional().nullable(),
-  person_id: z.string().optional().nullable(),
-  org_id: z.string().optional().nullable(),
   limit: z.string().optional().nullable(),
+  start: z.string().optional().nullable(),
   downloadFiles: z.boolean().optional().default(false),
 })
 
@@ -54,20 +59,19 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = PipedriveGetFilesSchema.parse(body)
 
-    const { accessToken, deal_id, person_id, org_id, limit, downloadFiles } = validatedData
+    const { accessToken, sort, limit, start, downloadFiles } = validatedData
 
     const baseUrl = 'https://api.pipedrive.com/v1/files'
     const queryParams = new URLSearchParams()
 
-    if (deal_id) queryParams.append('deal_id', deal_id)
+    if (sort) queryParams.append('sort', sort)
-    if (person_id) queryParams.append('person_id', person_id)
-    if (org_id) queryParams.append('org_id', org_id)
     if (limit) queryParams.append('limit', limit)
+    if (start) queryParams.append('start', start)
 
     const queryString = queryParams.toString()
     const apiUrl = queryString ? `${baseUrl}?${queryString}` : baseUrl
 
-    logger.info(`[${requestId}] Fetching files from Pipedrive`, { deal_id, person_id, org_id })
+    logger.info(`[${requestId}] Fetching files from Pipedrive`)
 
     const urlValidation = await validateUrlWithDNS(apiUrl, 'apiUrl')
     if (!urlValidation.isValid) {
@@ -93,6 +97,8 @@ export async function POST(request: NextRequest) {
     }
 
     const files = data.data || []
+    const hasMore = data.additional_data?.pagination?.more_items_in_collection || false
+    const nextStart = data.additional_data?.pagination?.next_start ?? null
     const downloadedFiles: Array<{
       name: string
       mimeType: string
@@ -149,6 +155,8 @@ export async function POST(request: NextRequest) {
         files,
         downloadedFiles: downloadedFiles.length > 0 ? downloadedFiles : undefined,
         total_items: files.length,
+        has_more: hasMore,
+        next_start: nextStart,
         success: true,
       },
     })

apps/sim/app/api/users/me/api-keys/[id]/route.ts

@@ -3,6 +3,7 @@ import { apiKey } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 
@@ -34,12 +35,27 @@ export async function DELETE(
     const result = await db
       .delete(apiKey)
       .where(and(eq(apiKey.id, keyId), eq(apiKey.userId, userId)))
-      .returning({ id: apiKey.id })
+      .returning({ id: apiKey.id, name: apiKey.name })
 
     if (!result.length) {
       return NextResponse.json({ error: 'API key not found' }, { status: 404 })
     }
 
+    const deletedKey = result[0]
+
+    recordAudit({
+      workspaceId: null,
+      actorId: userId,
+      action: AuditAction.PERSONAL_API_KEY_REVOKED,
+      resourceType: AuditResourceType.API_KEY,
+      resourceId: keyId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: deletedKey.name,
+      description: `Revoked personal API key: ${deletedKey.name}`,
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Failed to delete API key', { error })

apps/sim/app/api/users/me/api-keys/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { createApiKey, getApiKeyDisplayFormat } from '@/lib/api-key/auth'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 
 const logger = createLogger('ApiKeysAPI')
@@ -110,6 +111,19 @@ export async function POST(request: NextRequest) {
         createdAt: apiKey.createdAt,
       })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: userId,
+      action: AuditAction.PERSONAL_API_KEY_CREATED,
+      resourceType: AuditResourceType.API_KEY,
+      resourceId: newKey.id,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: name,
+      description: `Created personal API key: ${name}`,
+      request,
+    })
+
     return NextResponse.json({
       key: {
         ...newKey,

apps/sim/app/api/webhooks/[id]/route.ts

@@ -3,6 +3,7 @@ import { webhook, workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
@@ -261,6 +262,20 @@ export async function DELETE(
       logger.info(`[${requestId}] Successfully deleted webhook: ${id}`)
     }
 
+    recordAudit({
+      workspaceId: webhookData.workflow.workspaceId || null,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.WEBHOOK_DELETED,
+      resourceType: AuditResourceType.WEBHOOK,
+      resourceId: id,
+      resourceName: foundWebhook.provider || 'generic',
+      description: 'Deleted webhook',
+      metadata: { workflowId: webhookData.workflow.id },
+      request,
+    })
+
     return NextResponse.json({ success: true }, { status: 200 })
   } catch (error: any) {
     logger.error(`[${requestId}] Error deleting webhook`, {

apps/sim/app/api/webhooks/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray, isNull, or } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -145,7 +146,8 @@ export async function GET(request: NextRequest) {
 // Create or Update a webhook
 export async function POST(request: NextRequest) {
   const requestId = generateRequestId()
-  const userId = (await getSession())?.user?.id
+  const session = await getSession()
+  const userId = session?.user?.id
 
   if (!userId) {
     logger.warn(`[${requestId}] Unauthorized webhook creation attempt`)
@@ -678,6 +680,20 @@ export async function POST(request: NextRequest) {
       } catch {
         // Telemetry should not fail the operation
       }
+
+      recordAudit({
+        workspaceId: workflowRecord.workspaceId || null,
+        actorId: userId,
+        actorName: session?.user?.name ?? undefined,
+        actorEmail: session?.user?.email ?? undefined,
+        action: AuditAction.WEBHOOK_CREATED,
+        resourceType: AuditResourceType.WEBHOOK,
+        resourceId: savedWebhook.id,
+        resourceName: provider || 'generic',
+        description: `Created ${provider || 'generic'} webhook`,
+        metadata: { provider, workflowId },
+        request,
+      })
     }
 
     const status = targetWebhookId ? 200 : 201

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -2,6 +2,7 @@ import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import {
@@ -258,6 +259,19 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     // Sync MCP tools with the latest parameter schema
     await syncMcpToolsForWorkflow({ workflowId: id, requestId, context: 'deploy' })
 
+    recordAudit({
+      workspaceId: workflowData?.workspaceId || null,
+      actorId: actorUserId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.WORKFLOW_DEPLOYED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: id,
+      resourceName: workflowData?.name,
+      description: `Deployed workflow "${workflowData?.name || id}"`,
+      request,
+    })
+
     const responseApiKeyInfo = workflowData!.workspaceId
       ? 'Workspace API keys'
       : 'Personal API keys'
@@ -297,11 +311,11 @@ export async function DELETE(
   try {
     logger.debug(`[${requestId}] Undeploying workflow: ${id}`)
 
-    const { error, workflow: workflowData } = await validateWorkflowPermissions(
+    const {
-      id,
+      error,
-      requestId,
+      session,
-      'admin'
+      workflow: workflowData,
-    )
+    } = await validateWorkflowPermissions(id, requestId, 'admin')
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -325,6 +339,19 @@ export async function DELETE(
       // Silently fail
     }
 
+    recordAudit({
+      workspaceId: workflowData?.workspaceId || null,
+      actorId: session!.user.id,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.WORKFLOW_UNDEPLOYED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: id,
+      resourceName: workflowData?.name,
+      description: `Undeployed workflow "${workflowData?.name || id}"`,
+      request,
+    })
+
     return createSuccessResponse({
       isDeployed: false,
       deployedAt: null,

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.ts

@@ -2,6 +2,7 @@ import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
@@ -22,7 +23,11 @@ export async function POST(
   const { id, version } = await params
 
   try {
-    const { error } = await validateWorkflowPermissions(id, requestId, 'admin')
+    const {
+      error,
+      session,
+      workflow: workflowRecord,
+    } = await validateWorkflowPermissions(id, requestId, 'admin')
     if (error) {
       return createErrorResponse(error.message, error.status)
     }
@@ -107,6 +112,19 @@ export async function POST(
       logger.error('Error sending workflow reverted event to socket server', e)
     }
 
+    recordAudit({
+      workspaceId: workflowRecord?.workspaceId ?? null,
+      actorId: session!.user.id,
+      action: AuditAction.WORKFLOW_DEPLOYMENT_REVERTED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: id,
+      actorName: session!.user.name ?? undefined,
+      actorEmail: session!.user.email ?? undefined,
+      resourceName: workflowRecord?.name ?? undefined,
+      description: `Reverted workflow to deployment version ${version}`,
+      request,
+    })
+
     return createSuccessResponse({
       message: 'Reverted to deployment version',
       lastSaved: Date.now(),

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
 import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
@@ -297,6 +298,19 @@ export async function PATCH(
         }
       }
 
+      recordAudit({
+        workspaceId: workflowData?.workspaceId,
+        actorId: actorUserId,
+        actorName: session?.user?.name,
+        actorEmail: session?.user?.email,
+        action: AuditAction.WORKFLOW_DEPLOYMENT_ACTIVATED,
+        resourceType: AuditResourceType.WORKFLOW,
+        resourceId: id,
+        description: `Activated deployment version ${versionNum}`,
+        metadata: { version: versionNum },
+        request,
+      })
+
       return createSuccessResponse({
         success: true,
         deployedAt: result.deployedAt,

apps/sim/app/api/workflows/[id]/duplicate/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -61,6 +62,20 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       `[${requestId}] Successfully duplicated workflow ${sourceWorkflowId} to ${result.id} in ${elapsed}ms`
     )
 
+    recordAudit({
+      workspaceId: workspaceId || null,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.WORKFLOW_DUPLICATED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: result.id,
+      resourceName: result.name,
+      description: `Duplicated workflow from ${sourceWorkflowId}`,
+      metadata: { sourceWorkflowId },
+      request: req,
+    })
+
     return NextResponse.json(result, { status: 201 })
   } catch (error) {
     if (error instanceof Error) {

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -5,7 +5,7 @@
  * @vitest-environment node
  */
 
-import { loggerMock, setupGlobalFetchMock } from '@sim/testing'
+import { auditMock, loggerMock, setupGlobalFetchMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -23,6 +23,8 @@ vi.mock('@/lib/auth', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 vi.mock('@/lib/workflows/persistence/utils', () => ({
   loadWorkflowFromNormalizedTables: (workflowId: string) =>
     mockLoadWorkflowFromNormalizedTables(workflowId),

apps/sim/app/api/workflows/[id]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkHybridAuth, checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { PlatformEvents } from '@/lib/core/telemetry'
@@ -336,6 +337,19 @@ export async function DELETE(
       // Don't fail the deletion if Socket.IO notification fails
     }
 
+    recordAudit({
+      workspaceId: workflowData.workspaceId || null,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.WORKFLOW_DELETED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: workflowId,
+      resourceName: workflowData.name,
+      description: `Deleted workflow "${workflowData.name}"`,
+      request,
+    })
+
     return NextResponse.json({ success: true }, { status: 200 })
   } catch (error: any) {
     const elapsed = Date.now() - startTime

apps/sim/app/api/workflows/[id]/variables/route.test.ts

@@ -5,6 +5,7 @@
  * @vitest-environment node
  */
 import {
+  auditMock,
   databaseMock,
   defaultMockUser,
   mockAuth,
@@ -27,6 +28,8 @@ describe('Workflow Variables API Route', () => {
 
     vi.doMock('@sim/db', () => databaseMock)
 
+    vi.doMock('@/lib/audit/log', () => auditMock)
+
     vi.doMock('@/lib/workflows/utils', () => ({
       authorizeWorkflowByWorkspacePermission: mockAuthorizeWorkflowByWorkspacePermission,
     }))

apps/sim/app/api/workflows/[id]/variables/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
@@ -79,6 +80,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
         })
         .where(eq(workflow.id, workflowId))
 
+      recordAudit({
+        workspaceId: workflowData.workspaceId ?? null,
+        actorId: userId,
+        actorName: auth.userName,
+        actorEmail: auth.userEmail,
+        action: AuditAction.WORKFLOW_VARIABLES_UPDATED,
+        resourceType: AuditResourceType.WORKFLOW,
+        resourceId: workflowId,
+        resourceName: workflowData.name ?? undefined,
+        description: `Updated workflow variables`,
+        request: req,
+      })
+
       return NextResponse.json({ success: true })
     } catch (validationError) {
       if (validationError instanceof z.ZodError) {

apps/sim/app/api/workflows/route.test.ts

@@ -0,0 +1,137 @@
+/**
+ * @vitest-environment node
+ */
+import { auditMock, createMockRequest, mockConsoleLogger, setupCommonApiMocks } from '@sim/testing'
+import { drizzleOrmMock } from '@sim/testing/mocks'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const mockCheckSessionOrInternalAuth = vi.fn()
+const mockGetUserEntityPermissions = vi.fn()
+const mockDbSelect = vi.fn()
+const mockDbInsert = vi.fn()
+const mockWorkflowCreated = vi.fn()
+
+vi.mock('drizzle-orm', () => ({
+  ...drizzleOrmMock,
+  min: vi.fn((field) => ({ type: 'min', field })),
+}))
+
+vi.mock('@/lib/audit/log', () => auditMock)
+
+describe('Workflows API Route - POST ordering', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    vi.clearAllMocks()
+
+    setupCommonApiMocks()
+    mockConsoleLogger()
+
+    vi.stubGlobal('crypto', {
+      randomUUID: vi.fn().mockReturnValue('workflow-new-id'),
+    })
+
+    mockCheckSessionOrInternalAuth.mockResolvedValue({
+      success: true,
+      userId: 'user-123',
+      userName: 'Test User',
+      userEmail: 'test@example.com',
+    })
+    mockGetUserEntityPermissions.mockResolvedValue('write')
+
+    vi.doMock('@sim/db', () => ({
+      db: {
+        select: (...args: unknown[]) => mockDbSelect(...args),
+        insert: (...args: unknown[]) => mockDbInsert(...args),
+      },
+    }))
+
+    vi.doMock('@/lib/auth/hybrid', () => ({
+      checkSessionOrInternalAuth: (...args: unknown[]) => mockCheckSessionOrInternalAuth(...args),
+    }))
+
+    vi.doMock('@/lib/workspaces/permissions/utils', () => ({
+      getUserEntityPermissions: (...args: unknown[]) => mockGetUserEntityPermissions(...args),
+      workspaceExists: vi.fn(),
+    }))
+
+    vi.doMock('@/app/api/workflows/utils', () => ({
+      verifyWorkspaceMembership: vi.fn(),
+    }))
+
+    vi.doMock('@/lib/core/telemetry', () => ({
+      PlatformEvents: {
+        workflowCreated: (...args: unknown[]) => mockWorkflowCreated(...args),
+      },
+    }))
+  })
+
+  it('uses top insertion against mixed siblings (folders + workflows)', async () => {
+    const minResultsQueue: Array<Array<{ minOrder: number }>> = [
+      [{ minOrder: 5 }],
+      [{ minOrder: 2 }],
+    ]
+
+    mockDbSelect.mockImplementation(() => ({
+      from: vi.fn().mockReturnValue({
+        where: vi.fn().mockImplementation(() => Promise.resolve(minResultsQueue.shift() ?? [])),
+      }),
+    }))
+
+    let insertedValues: Record<string, unknown> | null = null
+    mockDbInsert.mockReturnValue({
+      values: vi.fn().mockImplementation((values: Record<string, unknown>) => {
+        insertedValues = values
+        return Promise.resolve(undefined)
+      }),
+    })
+
+    const req = createMockRequest('POST', {
+      name: 'New Workflow',
+      description: 'desc',
+      color: '#3972F6',
+      workspaceId: 'workspace-123',
+      folderId: null,
+    })
+
+    const { POST } = await import('@/app/api/workflows/route')
+    const response = await POST(req)
+    const data = await response.json()
+    expect(response.status).toBe(200)
+    expect(data.sortOrder).toBe(1)
+    expect(insertedValues).not.toBeNull()
+    expect(insertedValues?.sortOrder).toBe(1)
+  })
+
+  it('defaults to sortOrder 0 when there are no siblings', async () => {
+    const minResultsQueue: Array<Array<{ minOrder: number }>> = [[], []]
+
+    mockDbSelect.mockImplementation(() => ({
+      from: vi.fn().mockReturnValue({
+        where: vi.fn().mockImplementation(() => Promise.resolve(minResultsQueue.shift() ?? [])),
+      }),
+    }))
+
+    let insertedValues: Record<string, unknown> | null = null
+    mockDbInsert.mockReturnValue({
+      values: vi.fn().mockImplementation((values: Record<string, unknown>) => {
+        insertedValues = values
+        return Promise.resolve(undefined)
+      }),
+    })
+
+    const req = createMockRequest('POST', {
+      name: 'New Workflow',
+      description: 'desc',
+      color: '#3972F6',
+      workspaceId: 'workspace-123',
+      folderId: null,
+    })
+
+    const { POST } = await import('@/app/api/workflows/route')
+    const response = await POST(req)
+    const data = await response.json()
+    expect(response.status).toBe(200)
+    expect(data.sortOrder).toBe(0)
+    expect(insertedValues?.sortOrder).toBe(0)
+  })
+})

apps/sim/app/api/workflows/route.ts

@@ -1,9 +1,10 @@
 import { db } from '@sim/db'
-import { permissions, workflow } from '@sim/db/schema'
+import { permissions, workflow, workflowFolder } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, asc, eq, inArray, isNull, min } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getUserEntityPermissions, workspaceExists } from '@/lib/workspaces/permissions/utils'
@@ -161,12 +162,33 @@ export async function POST(req: NextRequest) {
     if (providedSortOrder !== undefined) {
       sortOrder = providedSortOrder
     } else {
-      const folderCondition = folderId ? eq(workflow.folderId, folderId) : isNull(workflow.folderId)
+      const workflowParentCondition = folderId
-      const [minResult] = await db
+        ? eq(workflow.folderId, folderId)
-        .select({ minOrder: min(workflow.sortOrder) })
+        : isNull(workflow.folderId)
-        .from(workflow)
+      const folderParentCondition = folderId
-        .where(and(eq(workflow.workspaceId, workspaceId), folderCondition))
+        ? eq(workflowFolder.parentId, folderId)
-      sortOrder = (minResult?.minOrder ?? 1) - 1
+        : isNull(workflowFolder.parentId)
+
+      const [[workflowMinResult], [folderMinResult]] = await Promise.all([
+        db
+          .select({ minOrder: min(workflow.sortOrder) })
+          .from(workflow)
+          .where(and(eq(workflow.workspaceId, workspaceId), workflowParentCondition)),
+        db
+          .select({ minOrder: min(workflowFolder.sortOrder) })
+          .from(workflowFolder)
+          .where(and(eq(workflowFolder.workspaceId, workspaceId), folderParentCondition)),
+      ])
+
+      const minSortOrder = [workflowMinResult?.minOrder, folderMinResult?.minOrder].reduce<
+        number | null
+      >((currentMin, candidate) => {
+        if (candidate == null) return currentMin
+        if (currentMin == null) return candidate
+        return Math.min(currentMin, candidate)
+      }, null)
+
+      sortOrder = minSortOrder != null ? minSortOrder - 1 : 0
     }
 
     await db.insert(workflow).values({
@@ -188,6 +210,20 @@ export async function POST(req: NextRequest) {
 
     logger.info(`[${requestId}] Successfully created empty workflow ${workflowId}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: auth.userName,
+      actorEmail: auth.userEmail,
+      action: AuditAction.WORKFLOW_CREATED,
+      resourceType: AuditResourceType.WORKFLOW,
+      resourceId: workflowId,
+      resourceName: name,
+      description: `Created workflow "${name}"`,
+      metadata: { name },
+      request: req,
+    })
+
     return NextResponse.json({
       id: workflowId,
       name,

apps/sim/app/api/workspaces/[id]/api-keys/[keyId]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq, not } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -86,6 +87,19 @@ export async function PUT(
         updatedAt: apiKey.updatedAt,
       })
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      action: AuditAction.API_KEY_UPDATED,
+      resourceType: AuditResourceType.API_KEY,
+      resourceId: keyId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: name,
+      description: `Updated workspace API key: ${name}`,
+      request,
+    })
+
     logger.info(`[${requestId}] Updated workspace API key: ${keyId} in workspace ${workspaceId}`)
     return NextResponse.json({ key: updatedKey })
   } catch (error: unknown) {
@@ -123,12 +137,27 @@ export async function DELETE(
       .where(
         and(eq(apiKey.workspaceId, workspaceId), eq(apiKey.id, keyId), eq(apiKey.type, 'workspace'))
       )
-      .returning({ id: apiKey.id })
+      .returning({ id: apiKey.id, name: apiKey.name })
 
     if (deletedRows.length === 0) {
       return NextResponse.json({ error: 'API key not found' }, { status: 404 })
     }
 
+    const deletedKey = deletedRows[0]
+
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      action: AuditAction.API_KEY_REVOKED,
+      resourceType: AuditResourceType.API_KEY,
+      resourceId: keyId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: deletedKey.name,
+      description: `Revoked workspace API key: ${deletedKey.name}`,
+      request,
+    })
+
     logger.info(`[${requestId}] Deleted workspace API key: ${keyId} from workspace ${workspaceId}`)
     return NextResponse.json({ success: true })
   } catch (error: unknown) {

apps/sim/app/api/workspaces/[id]/api-keys/route.ts

@@ -6,6 +6,7 @@ import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createApiKey, getApiKeyDisplayFormat } from '@/lib/api-key/auth'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -159,6 +160,20 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Created workspace API key: ${name} in workspace ${workspaceId}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.API_KEY_CREATED,
+      resourceType: AuditResourceType.API_KEY,
+      resourceId: newKey.id,
+      resourceName: name,
+      description: `Created API key "${name}"`,
+      metadata: { keyName: name },
+      request,
+    })
+
     return NextResponse.json({
       key: {
         ...newKey,
@@ -222,6 +237,19 @@ export async function DELETE(
     logger.info(
       `[${requestId}] Deleted ${deletedCount} workspace API keys from workspace ${workspaceId}`
     )
+
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.API_KEY_REVOKED,
+      resourceType: AuditResourceType.API_KEY,
+      description: `Revoked ${deletedCount} API key(s)`,
+      metadata: { keyIds: keys, deletedCount },
+      request,
+    })
+
     return NextResponse.json({ success: true, deletedCount })
   } catch (error: unknown) {
     logger.error(`[${requestId}] Workspace API key DELETE error`, error)

apps/sim/app/api/workspaces/[id]/byok-keys/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -185,6 +186,20 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Created BYOK key for ${providerId} in workspace ${workspaceId}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.BYOK_KEY_CREATED,
+      resourceType: AuditResourceType.BYOK_KEY,
+      resourceId: newKey.id,
+      resourceName: providerId,
+      description: `Added BYOK key for ${providerId}`,
+      metadata: { providerId },
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       key: {
@@ -242,6 +257,19 @@ export async function DELETE(
 
     logger.info(`[${requestId}] Deleted BYOK key for ${providerId} from workspace ${workspaceId}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.BYOK_KEY_DELETED,
+      resourceType: AuditResourceType.BYOK_KEY,
+      resourceName: providerId,
+      description: `Removed BYOK key for ${providerId}`,
+      metadata: { providerId },
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: unknown) {
     logger.error(`[${requestId}] BYOK key DELETE error`, error)

apps/sim/app/api/workspaces/[id]/duplicate/route.ts

@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { duplicateWorkspace } from '@/lib/workspaces/duplicate'
@@ -45,6 +46,19 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       `[${requestId}] Successfully duplicated workspace ${sourceWorkspaceId} to ${result.id} in ${elapsed}ms`
     )
 
+    recordAudit({
+      workspaceId: sourceWorkspaceId,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.WORKSPACE_DUPLICATED,
+      resourceType: AuditResourceType.WORKSPACE,
+      resourceId: result.id,
+      resourceName: name,
+      description: `Duplicated workspace to "${name}"`,
+      request: req,
+    })
+
     return NextResponse.json(result, { status: 201 })
   } catch (error) {
     if (error instanceof Error) {

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -156,6 +157,19 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         set: { variables: merged, updatedAt: new Date() },
       })
 
+    recordAudit({
+      workspaceId,
+      actorId: userId,
+      actorName: session?.user?.name,
+      actorEmail: session?.user?.email,
+      action: AuditAction.ENVIRONMENT_UPDATED,
+      resourceType: AuditResourceType.ENVIRONMENT,
+      resourceId: workspaceId,
+      description: `Updated environment variables`,
+      metadata: { keysUpdated: Object.keys(variables) },
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error: any) {
     logger.error(`[${requestId}] Workspace env PUT error`, error)

apps/sim/app/api/workspaces/[id]/files/[fileId]/route.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { deleteWorkspaceFile } from '@/lib/uploads/contexts/workspace'
@@ -39,6 +40,18 @@ export async function DELETE(
 
     logger.info(`[${requestId}] Deleted workspace file: ${fileId}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.FILE_DELETED,
+      resourceType: AuditResourceType.FILE,
+      resourceId: fileId,
+      description: `Deleted file "${fileId}"`,
+      request,
+    })
+
     return NextResponse.json({
       success: true,
     })

apps/sim/app/api/workspaces/[id]/files/route.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { listWorkspaceFiles, uploadWorkspaceFile } from '@/lib/uploads/contexts/workspace'
@@ -104,6 +105,19 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     logger.info(`[${requestId}] Uploaded workspace file: ${file.name}`)
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.FILE_UPLOADED,
+      resourceType: AuditResourceType.FILE,
+      resourceId: userFile.id,
+      resourceName: file.name,
+      description: `Uploaded file "${file.name}"`,
+      request,
+    })
+
     return NextResponse.json({
       success: true,
       file: userFile,

apps/sim/app/api/workspaces/[id]/notifications/[notificationId]/route.ts

@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -251,6 +252,19 @@ export async function PUT(request: NextRequest, { params }: RouteParams) {
       subscriptionId: subscription.id,
     })
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.NOTIFICATION_UPDATED,
+      resourceType: AuditResourceType.NOTIFICATION,
+      resourceId: notificationId,
+      resourceName: subscription.notificationType,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Updated ${subscription.notificationType} notification subscription`,
+      request,
+    })
+
     return NextResponse.json({
       data: {
         id: subscription.id,
@@ -300,17 +314,35 @@ export async function DELETE(request: NextRequest, { params }: RouteParams) {
           eq(workspaceNotificationSubscription.workspaceId, workspaceId)
         )
       )
-      .returning({ id: workspaceNotificationSubscription.id })
+      .returning({
+        id: workspaceNotificationSubscription.id,
+        notificationType: workspaceNotificationSubscription.notificationType,
+      })
 
     if (deleted.length === 0) {
       return NextResponse.json({ error: 'Notification not found' }, { status: 404 })
     }
 
+    const deletedSubscription = deleted[0]
+
     logger.info('Deleted notification subscription', {
       workspaceId,
       subscriptionId: notificationId,
     })
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.NOTIFICATION_DELETED,
+      resourceType: AuditResourceType.NOTIFICATION,
+      resourceId: notificationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: deletedSubscription.notificationType,
+      description: `Deleted ${deletedSubscription.notificationType} notification subscription`,
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error deleting notification', { error })

apps/sim/app/api/workspaces/[id]/notifications/route.ts

@@ -5,6 +5,7 @@ import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -256,6 +257,19 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       type: data.notificationType,
     })
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.NOTIFICATION_CREATED,
+      resourceType: AuditResourceType.NOTIFICATION,
+      resourceId: subscription.id,
+      resourceName: data.notificationType,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      description: `Created ${data.notificationType} notification subscription`,
+      request,
+    })
+
     return NextResponse.json({
       data: {
         id: subscription.id,

apps/sim/app/api/workspaces/[id]/permissions/route.ts

@@ -5,6 +5,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import {
   getUsersWithPermissions,
@@ -156,6 +157,21 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
 
     const updatedUsers = await getUsersWithPermissions(workspaceId)
 
+    for (const update of body.updates) {
+      recordAudit({
+        workspaceId,
+        actorId: session.user.id,
+        action: AuditAction.MEMBER_ROLE_CHANGED,
+        resourceType: AuditResourceType.WORKSPACE,
+        resourceId: workspaceId,
+        actorName: session.user.name ?? undefined,
+        actorEmail: session.user.email ?? undefined,
+        description: `Changed permissions for user ${update.userId} to ${update.permissions}`,
+        metadata: { targetUserId: update.userId, newPermissions: update.permissions },
+        request,
+      })
+    }
+
     return NextResponse.json({
       message: 'Permissions updated successfully',
       users: updatedUsers,

apps/sim/app/api/workspaces/[id]/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 
 const logger = createLogger('WorkspaceByIdAPI')
@@ -228,6 +229,13 @@ export async function DELETE(
       `Deleting workspace ${workspaceId} for user ${session.user.id}, deleteTemplates: ${deleteTemplates}`
     )
 
+    // Fetch workspace name before deletion for audit logging
+    const [workspaceRecord] = await db
+      .select({ name: workspace.name })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1)
+
     // Delete workspace and all related data in a transaction
     await db.transaction(async (tx) => {
       // Get all workflows in this workspace before deletion
@@ -281,6 +289,19 @@ export async function DELETE(
       logger.info(`Successfully deleted workspace ${workspaceId} and all related data`)
     })
 
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      actorName: session.user.name,
+      actorEmail: session.user.email,
+      action: AuditAction.WORKSPACE_DELETED,
+      resourceType: AuditResourceType.WORKSPACE,
+      resourceId: workspaceId,
+      resourceName: workspaceRecord?.name,
+      description: `Deleted workspace "${workspaceRecord?.name || workspaceId}"`,
+      request,
+    })
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error(`Error deleting workspace ${workspaceId}:`, error)

apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts

@@ -1,4 +1,4 @@
-import { createSession, createWorkspaceRecord, loggerMock } from '@sim/testing'
+import { auditMock, createSession, createWorkspaceRecord, loggerMock } from '@sim/testing'
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
@@ -55,6 +55,8 @@ vi.mock('@/lib/workspaces/permissions/utils', () => ({
 
 vi.mock('@sim/logger', () => loggerMock)
 
+vi.mock('@/lib/audit/log', () => auditMock)
+
 vi.mock('@/lib/core/utils/urls', () => ({
   getBaseUrl: vi.fn().mockReturnValue('https://test.sim.ai'),
 }))