simstudioai
diff --git a/‎apps/sim/lib/auth/auth.ts‎
Lines changed: 7 additions & 0 deletions b/‎apps/sim/lib/auth/auth.ts‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎apps/sim/lib/core/config/env.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/sim/lib/core/config/env.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/sim/lib/core/config/feature-flags.ts‎
Lines changed: 5 additions & 0 deletions b/‎apps/sim/lib/core/config/feature-flags.ts‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/sim/lib/logs/execution/logging-session.ts‎
Lines changed: 74 additions & 6 deletions b/‎apps/sim/lib/logs/execution/logging-session.ts‎
Lines changed: 74 additions & 6 deletions
diff --git a/‎helm/sim/README.md‎
Lines changed: 107 additions & 0 deletions b/‎helm/sim/README.md‎
Lines changed: 107 additions & 0 deletions
@@ -47,6 +47,7 @@ import { env } from '@/lib/core/config/env'
 import {
   isAuthDisabled,
   isBillingEnabled,
+  isEmailPasswordEnabled,
   isEmailVerificationEnabled,
   isHosted,
   isRegistrationDisabled,
@@ -461,6 +462,12 @@ export const auth = betterAuth({
       if (ctx.path.startsWith('/sign-up') && isRegistrationDisabled)
         throw new Error('Registration is disabled, please contact your admin.')
 
+      if (!isEmailPasswordEnabled) {
+        const emailPasswordPaths = ['/sign-in/email', '/sign-up/email', '/email-otp']
+        if (emailPasswordPaths.some((path) => ctx.path.startsWith(path)))
+          throw new Error('Email/password authentication is disabled. Please use SSO to sign in.')
+      }
+
       if (
         (ctx.path.startsWith('/sign-in') || ctx.path.startsWith('/sign-up')) &&
         (env.ALLOWED_LOGIN_EMAILS || env.ALLOWED_LOGIN_DOMAINS)
 
@@ -20,6 +20,7 @@ export const env = createEnv({
     BETTER_AUTH_URL:                       z.string().url(),                       // Base URL for Better Auth service
     BETTER_AUTH_SECRET:                    z.string().min(32),                     // Secret key for Better Auth JWT signing
     DISABLE_REGISTRATION:                  z.boolean().optional(),                 // Flag to disable new user registration
+    EMAIL_PASSWORD_SIGNUP_ENABLED:         z.boolean().optional().default(true),   // Enable email/password authentication (server-side enforcement)
     DISABLE_AUTH:                          z.boolean().optional(),                 // Bypass authentication entirely (self-hosted only, creates anonymous session)
     ALLOWED_LOGIN_EMAILS:                  z.string().optional(),                  // Comma-separated list of allowed email addresses for login
     ALLOWED_LOGIN_DOMAINS:                 z.string().optional(),                  // Comma-separated list of allowed email domains for login
 
@@ -65,6 +65,11 @@ if (isTruthy(env.DISABLE_AUTH)) {
  */
 export const isRegistrationDisabled = isTruthy(env.DISABLE_REGISTRATION)
 
+/**
+ * Is email/password authentication enabled (defaults to true)
+ */
+export const isEmailPasswordEnabled = env.EMAIL_PASSWORD_SIGNUP_ENABLED !== false
+
 /**
  * Is Trigger.dev enabled for async job processing
  */
 
@@ -289,10 +289,12 @@ export class LoggingSession {
 
       this.completed = true
 
-      // Track workflow execution outcome
+      // Track workflow execution outcome and create trace spans
       if (traceSpans && traceSpans.length > 0) {
         try {
-          const { trackPlatformEvent } = await import('@/lib/core/telemetry')
+          const { trackPlatformEvent, createOTelSpansForWorkflowExecution } = await import(
+            '@/lib/core/telemetry'
+          )
 
           // Determine status from trace spans
           const hasErrors = traceSpans.some((span: any) => {
@@ -315,6 +317,20 @@ export class LoggingSession {
             'execution.has_errors': hasErrors,
             'execution.total_cost': costSummary.totalCost || 0,
           })
+
+          // Create OpenTelemetry trace spans for the workflow execution
+          const startTime = new Date(new Date(endTime).getTime() - duration).toISOString()
+          createOTelSpansForWorkflowExecution({
+            workflowId: this.workflowId,
+            workflowName: this.workflowState?.metadata?.name,
+            executionId: this.executionId,
+            traceSpans,
+            trigger: this.triggerType,
+            startTime,
+            endTime,
+            totalDurationMs: duration,
+            status: hasErrors ? 'error' : 'success',
+          })
         } catch (_e) {
           // Silently fail
         }
@@ -404,9 +420,11 @@ export class LoggingSession {
 
       this.completed = true
 
-      // Track workflow execution error outcome
+      // Track workflow execution error outcome and create trace spans
       try {
-        const { trackPlatformEvent } = await import('@/lib/core/telemetry')
+        const { trackPlatformEvent, createOTelSpansForWorkflowExecution } = await import(
+          '@/lib/core/telemetry'
+        )
         trackPlatformEvent('platform.workflow.executed', {
           'workflow.id': this.workflowId,
           'execution.duration_ms': Math.max(1, durationMs),
@@ -416,6 +434,20 @@ export class LoggingSession {
           'execution.has_errors': true,
           'execution.error_message': message,
         })
+
+        // Create OpenTelemetry trace spans for the workflow execution
+        createOTelSpansForWorkflowExecution({
+          workflowId: this.workflowId,
+          workflowName: this.workflowState?.metadata?.name,
+          executionId: this.executionId,
+          traceSpans: spans,
+          trigger: this.triggerType,
+          startTime: startTime.toISOString(),
+          endTime: endTime.toISOString(),
+          totalDurationMs: Math.max(1, durationMs),
+          status: 'error',
+          error: message,
+        })
       } catch (_e) {
         // Silently fail
       }
@@ -477,7 +509,9 @@ export class LoggingSession {
       this.completed = true
 
       try {
-        const { trackPlatformEvent } = await import('@/lib/core/telemetry')
+        const { trackPlatformEvent, createOTelSpansForWorkflowExecution } = await import(
+          '@/lib/core/telemetry'
+        )
         trackPlatformEvent('platform.workflow.executed', {
           'workflow.id': this.workflowId,
           'execution.duration_ms': Math.max(1, durationMs),
@@ -486,6 +520,22 @@ export class LoggingSession {
           'execution.blocks_executed': traceSpans?.length || 0,
           'execution.has_errors': false,
         })
+
+        // Create OpenTelemetry trace spans for the workflow execution
+        if (traceSpans && traceSpans.length > 0) {
+          const startTime = new Date(endTime.getTime() - Math.max(1, durationMs))
+          createOTelSpansForWorkflowExecution({
+            workflowId: this.workflowId,
+            workflowName: this.workflowState?.metadata?.name,
+            executionId: this.executionId,
+            traceSpans,
+            trigger: this.triggerType,
+            startTime: startTime.toISOString(),
+            endTime: endTime.toISOString(),
+            totalDurationMs: Math.max(1, durationMs),
+            status: 'success', // Cancelled executions are not errors
+          })
+        }
       } catch (_e) {
         // Silently fail
       }
@@ -540,7 +590,9 @@ export class LoggingSession {
       })
 
       try {
-        const { trackPlatformEvent } = await import('@/lib/core/telemetry')
+        const { trackPlatformEvent, createOTelSpansForWorkflowExecution } = await import(
+          '@/lib/core/telemetry'
+        )
         trackPlatformEvent('platform.workflow.executed', {
           'workflow.id': this.workflowId,
           'execution.duration_ms': Math.max(1, durationMs),
@@ -550,6 +602,22 @@ export class LoggingSession {
           'execution.has_errors': false,
           'execution.total_cost': costSummary.totalCost || 0,
         })
+
+        // Create OpenTelemetry trace spans for the workflow execution
+        if (traceSpans && traceSpans.length > 0) {
+          const startTime = new Date(endTime.getTime() - Math.max(1, durationMs))
+          createOTelSpansForWorkflowExecution({
+            workflowId: this.workflowId,
+            workflowName: this.workflowState?.metadata?.name,
+            executionId: this.executionId,
+            traceSpans,
+            trigger: this.triggerType,
+            startTime: startTime.toISOString(),
+            endTime: endTime.toISOString(),
+            totalDurationMs: Math.max(1, durationMs),
+            status: 'success', // Paused executions are not errors
+          })
+        }
       } catch (_e) {}
 
       if (this.requestId) {
 
@@ -39,6 +39,8 @@ The chart includes several pre-configured values files for different scenarios:
 | `values-azure.yaml` | Azure AKS optimized | Azure Kubernetes Service |
 | `values-aws.yaml` | AWS EKS optimized | Amazon Elastic Kubernetes Service |
 | `values-gcp.yaml` | GCP GKE optimized | Google Kubernetes Engine |
+| `values-external-secrets.yaml` | External Secrets Operator integration | Using Azure Key Vault, AWS Secrets Manager, Vault |
+| `values-existing-secret.yaml` | Pre-existing Kubernetes secrets | GitOps, Sealed Secrets, manual secret management |
 
 ### Development Environment
 
@@ -623,6 +625,111 @@ To uninstall/delete the release:
 helm uninstall sim
 ```
 
+## External Secret Management
+
+The chart supports integration with external secret management systems for production-grade secret handling. This enables you to store secrets in secure vaults and have them automatically synced to Kubernetes.
+
+### Option 1: External Secrets Operator (Recommended)
+
+[External Secrets Operator](https://external-secrets.io/) is the industry-standard solution for syncing secrets from external stores like Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, and GCP Secret Manager.
+
+**Prerequisites:**
+```bash
+# Install External Secrets Operator
+helm repo add external-secrets https://charts.external-secrets.io
+helm install external-secrets external-secrets/external-secrets \
+  -n external-secrets --create-namespace
+```
+
+**Configuration:**
+```yaml
+externalSecrets:
+  enabled: true
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: "my-secret-store"
+    kind: "ClusterSecretStore"
+  remoteRefs:
+    app:
+      BETTER_AUTH_SECRET: "sim/app/better-auth-secret"
+      ENCRYPTION_KEY: "sim/app/encryption-key"
+      INTERNAL_API_SECRET: "sim/app/internal-api-secret"
+    postgresql:
+      password: "sim/postgresql/password"
+```
+
+See `examples/values-external-secrets.yaml` for complete examples including SecretStore configurations for Azure, AWS, GCP, and Vault.
+
+### Option 2: Pre-Existing Kubernetes Secrets
+
+Reference secrets you've created manually, via GitOps (Sealed Secrets, SOPS), or through other automation.
+
+**Configuration:**
+```yaml
+app:
+  secrets:
+    existingSecret:
+      enabled: true
+      name: "my-app-secrets"
+
+postgresql:
+  auth:
+    existingSecret:
+      enabled: true
+      name: "my-postgresql-secret"
+      passwordKey: "POSTGRES_PASSWORD"
+
+externalDatabase:
+  existingSecret:
+    enabled: true
+    name: "my-external-db-secret"
+    passwordKey: "password"
+```
+
+**Create secrets manually:**
+```bash
+# Generate secure values
+BETTER_AUTH_SECRET=$(openssl rand -hex 32)
+ENCRYPTION_KEY=$(openssl rand -hex 32)
+INTERNAL_API_SECRET=$(openssl rand -hex 32)
+POSTGRES_PASSWORD=$(openssl rand -base64 16 | tr -d '/+=')
+
+# Create app secrets
+kubectl create secret generic my-app-secrets \
+  --namespace sim \
+  --from-literal=BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
+  --from-literal=ENCRYPTION_KEY="$ENCRYPTION_KEY" \
+  --from-literal=INTERNAL_API_SECRET="$INTERNAL_API_SECRET"
+
+# Create PostgreSQL secret
+kubectl create secret generic my-postgresql-secret \
+  --namespace sim \
+  --from-literal=POSTGRES_PASSWORD="$POSTGRES_PASSWORD"
+```
+
+See `examples/values-existing-secret.yaml` for more details.
+
+### External Secrets Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `app.secrets.existingSecret.enabled` | Use existing secret for app credentials | `false` |
+| `app.secrets.existingSecret.name` | Name of existing secret | `""` |
+| `app.secrets.existingSecret.keys` | Key name mappings | See values.yaml |
+| `postgresql.auth.existingSecret.enabled` | Use existing secret for PostgreSQL | `false` |
+| `postgresql.auth.existingSecret.name` | Name of existing secret | `""` |
+| `postgresql.auth.existingSecret.passwordKey` | Key containing password | `"POSTGRES_PASSWORD"` |
+| `externalDatabase.existingSecret.enabled` | Use existing secret for external DB | `false` |
+| `externalDatabase.existingSecret.name` | Name of existing secret | `""` |
+| `externalDatabase.existingSecret.passwordKey` | Key containing password | `"EXTERNAL_DB_PASSWORD"` |
+| `externalSecrets.enabled` | Enable External Secrets Operator integration | `false` |
+| `externalSecrets.refreshInterval` | How often to sync secrets | `"1h"` |
+| `externalSecrets.secretStoreRef.name` | Name of SecretStore/ClusterSecretStore | `""` |
+| `externalSecrets.secretStoreRef.kind` | Kind of store | `"ClusterSecretStore"` |
+| `externalSecrets.remoteRefs.app.*` | Remote paths for app secrets | See values.yaml |
+| `externalSecrets.remoteRefs.postgresql.password` | Remote path for PostgreSQL password | `""` |
+| `externalSecrets.remoteRefs.externalDatabase.password` | Remote path for external DB password | `""` |
+
 ## Security Considerations
 
 ### Production Secrets