Merge remote-tracking branch 'origin/staging' into integrations-faq-geo

# Conflicts:
#	apps/sim/lib/integrations/integrations.json

Author: waleedlatif1

apps/docs/components/icons.tsx

@@ -2261,6 +2261,17 @@ export function BrandfetchIcon(props: SVGProps<SVGSVGElement>) {
   )
 }
 
+export function BrexIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} viewBox='0 0 223 179.3' fill='none' xmlns='http://www.w3.org/2000/svg'>
+      <path
+        fill='#FFFFFF'
+        d='M144.9,14.3c-8.7,11.6-10.8,15.5-19.2,15.5H0v149.4h49.3c11.1,0,21.9-5.4,28.9-14.3c9-12,10.2-15.5,18.9-15.5 H223V0h-49.6C162.3,0,151.5,5.4,144.9,14.3L144.9,14.3z M183.9,110.9h-52.6c-11.4,0-21.9,4.8-28.9,14c-9,12-10.8,15.5-19.2,15.5 H38.8V68.7h52.6c11.4,0,21.9-5.4,28.9-14.3c9-11.6,11.4-15.2,19.5-15.2h44.2V110.9z'
+      />
+    </svg>
+  )
+}
+
 export function BrightDataIcon(props: SVGProps<SVGSVGElement>) {
   return (
     <svg

apps/docs/components/ui/icon-mapping.ts

@@ -24,6 +24,7 @@ import {
   BoxCompanyIcon,
   BrainIcon,
   BrandfetchIcon,
+  BrexIcon,
   BrightDataIcon,
   BrowserUseIcon,
   CalComIcon,
@@ -243,6 +244,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
   azure_devops: AzureIcon,
   box: BoxCompanyIcon,
   brandfetch: BrandfetchIcon,
+  brex: BrexIcon,
   brightdata: BrightDataIcon,
   browser_use: BrowserUseIcon,
   calcom: CalComIcon,

apps/docs/content/docs/en/integrations/brex.mdx

@@ -21,6 +21,7 @@
     "azure_devops",
     "box",
     "brandfetch",
+    "brex",
     "brightdata",
     "browser_use",
     "calcom",

apps/docs/content/docs/en/integrations/meta.json

@@ -317,9 +317,9 @@ By default, your usage is capped at the credits included in your plan. To allow
 | **Free** | 1 | — |
 | **Pro** | Up to 3 | — |
 | **Max** | Up to 10 | — |
-| **Team / Enterprise** | Unlimited | Unlimited |
+| **Team / Enterprise** | — | Unlimited (Owners and Admins) |
 
-Team and Enterprise plans unlock shared workspaces that belong to your organization. Internal members invited to a shared workspace join the organization and count toward your seat total. Existing Sim users who already belong to another organization can be added as external workspace members; they get workspace access without joining your organization or using one of your seats. When a Team or Enterprise subscription is cancelled or downgraded, existing shared workspaces remain accessible to current members but new invites are disabled until the organization is upgraded again.
+Team and Enterprise plans unlock shared workspaces that belong to your organization. Every workspace created under a Team or Enterprise plan is organization-owned: Owners and Admins can create unlimited shared workspaces, while organization Members cannot create workspaces (personal workspaces created before joining the organization remain accessible). Internal members invited to a shared workspace join the organization and count toward your seat total — Enterprise invites require an available seat at invite time, while Team plans add a seat automatically when the invitee accepts. Existing Sim users who already belong to another organization can be added as external workspace members; they get workspace access without joining your organization or using one of your seats. When a Team or Enterprise subscription is cancelled or downgraded, existing shared workspaces remain accessible to current members but new invites are disabled until the organization is upgraded again.
 
 ### Rate Limits
 

apps/docs/content/docs/en/platform/costs.mdx

@@ -23,7 +23,9 @@ Sim has two kinds of workspaces:
 | **Free** | 1 | — |
 | **Pro** | Up to 3 | — |
 | **Max** | Up to 10 | — |
-| **Team / Enterprise** | Unlimited | Unlimited (seat-gated invites) |
+| **Team / Enterprise** | — | Unlimited (Owners and Admins) |
+
+On Team and Enterprise plans, every workspace you create belongs to the organization. Organization Owners and Admins can create unlimited shared workspaces; organization Members cannot create workspaces. Personal workspaces created before joining the organization remain accessible. Enterprise invites require an available seat at invite time; on Team plans, a seat is added automatically when the invitee accepts.
 
 <Callout type="info">
   When a Team or Enterprise subscription is cancelled or downgraded, existing shared workspaces stay accessible to current members. New invitations are blocked until the organization is upgraded again.

apps/docs/content/docs/en/platform/permissions.mdx

@@ -1,6 +1,12 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import * as schema from '@sim/db'
-import { workflow, workflowBlocks, workflowEdges, workflowSubflows } from '@sim/db'
+import {
+  instrumentPoolClient,
+  workflow,
+  workflowBlocks,
+  workflowEdges,
+  workflowSubflows,
+} from '@sim/db'
 import { createLogger } from '@sim/logger'
 import {
   BLOCK_OPERATIONS,
@@ -27,13 +33,16 @@ const logger = createLogger('SocketDatabase')
 
 const connectionString = env.DATABASE_URL
 const socketDb = drizzle(
-  postgres(connectionString, {
-    prepare: false,
-    idle_timeout: 10,
-    connect_timeout: 20,
-    max: 15,
-    onnotice: () => {},
-  }),
+  instrumentPoolClient(
+    postgres(connectionString, {
+      prepare: false,
+      idle_timeout: 10,
+      connect_timeout: 20,
+      max: 15,
+      onnotice: () => {},
+    }),
+    'socketDb'
+  ),
   { schema }
 )
 

apps/realtime/src/database/operations.ts

@@ -130,7 +130,7 @@ export function setupSubblocksHandlers(socket: AuthenticatedSocket, roomManager:
           socket.emit('operation-failed', {
             operationId,
             error: 'User session not found',
-            retryable: false,
+            retryable: true,
           })
         }
         return
@@ -250,7 +250,7 @@ async function flushSubblockUpdate(
         io.to(socketId).emit('operation-failed', {
           operationId: opId,
           error: 'Workflow not found',
-          retryable: false,
+          retryable: true,
         })
       })
       return
@@ -352,7 +352,7 @@ async function flushSubblockUpdate(
         io.to(socketId).emit('operation-failed', {
           operationId: opId,
           error: 'Block no longer exists',
-          retryable: false,
+          retryable: true,
         })
       })
     }

apps/realtime/src/handlers/subblocks.ts

@@ -118,7 +118,7 @@ export function setupVariablesHandlers(socket: AuthenticatedSocket, roomManager:
           socket.emit('operation-failed', {
             operationId,
             error: 'User session not found',
-            retryable: false,
+            retryable: true,
           })
         }
         return
@@ -236,7 +236,7 @@ async function flushVariableUpdate(
         io.to(socketId).emit('operation-failed', {
           operationId: opId,
           error: 'Workflow not found',
-          retryable: false,
+          retryable: true,
         })
       })
       return
@@ -318,7 +318,7 @@ async function flushVariableUpdate(
         io.to(socketId).emit('operation-failed', {
           operationId: opId,
           error: 'Variable no longer exists',
-          retryable: false,
+          retryable: true,
         })
       })
     }

apps/realtime/src/handlers/variables.ts

@@ -83,6 +83,13 @@ export function checkRolePermission(
   return { allowed: true }
 }
 
+/**
+ * Verifies a user's access to a workflow via workspace permissions.
+ *
+ * Returns `hasAccess: false` only for genuine denials (workflow missing/archived
+ * or no workspace permission). Transient failures (DB errors) are rethrown so the
+ * caller can report them as retryable instead of a permanent access denial.
+ */
 export async function verifyWorkflowAccess(
   userId: string,
   workflowId: string
@@ -129,6 +136,6 @@ export async function verifyWorkflowAccess(
       `Error verifying workflow access for user ${userId}, workflow ${workflowId}:`,
       error
     )
-    return { hasAccess: false }
+    throw error
   }
 }