Conversation

@waleedlatif1 (Collaborator)

Summary

  • added native support for injecting secrets into Kubernetes
  • server-side ff to disable email registration, pairs with the client-side envvar for email/password registration
  • OTel trace span collection for workflow executions
  • consolidated spans into typed PlatformEvents

Type of Change

  • New feature
  • Documentation

Testing

N/A

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel bot commented Jan 8, 2026

The latest updates on your projects.

1 Skipped Deployment

Project | Deployment | Review  | Updated (UTC)
docs    | Skipped    | Skipped | Jan 8, 2026 6:48pm

@greptile-apps bot (Contributor) left a comment

Greptile Overview

Greptile Summary

This PR implements three major improvements: server-side feature flag to disable email/password authentication, native Kubernetes secret management with External Secrets Operator support, and consolidated OpenTelemetry span collection for workflow executions.

Key Changes

  • Auth Enhancement: Added EMAIL_PASSWORD_SIGNUP_ENABLED feature flag allowing administrators to disable email/password registration and force SSO-only authentication. Pairs with client-side NEXT_PUBLIC_EMAIL_PASSWORD_SIGNUP_ENABLED for complete control.
  • Kubernetes Secret Management: Implemented flexible secret injection supporting three strategies (inline values, existing secrets, External Secrets Operator) for production deployments. Includes comprehensive documentation and example configurations.
  • Telemetry Refactor: Introduced typed PlatformEvents helpers (~500 lines) replacing raw trackPlatformEvent calls across 15+ API routes for consistent, type-safe telemetry tracking. Events follow semantic naming convention (platform.{resource}.{past_tense_action}).
  • Span Filtering: Added custom business span sampler in OpenTelemetry instrumentation to filter out Next.js framework spans, reducing noise by 90%+ and focusing on business-relevant telemetry (platform.*, gen_ai.*, workflow.*, block.*).
  • Workflow Tracing: Integrated createOTelSpansForWorkflowExecution to create proper OpenTelemetry spans for workflow executions with GenAI semantic conventions, providing end-to-end observability.
  • Code Cleanup: Removed verbose comments across multiple files per global style guidelines, improving code readability.

Architecture Highlights

The telemetry refactor consolidates event tracking into a type-safe API, preventing inconsistent attribute naming and missing required fields. All telemetry calls are wrapped in try-catch to prevent failures from affecting business operations. The Kubernetes secret management enables enterprise deployments using Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, etc., while maintaining backward compatibility with existing deployments.

Confidence Score: 5/5

  • This PR is safe to merge with well-architected changes across authentication, Kubernetes infrastructure, and telemetry
  • The PR demonstrates excellent engineering practices: (1) comprehensive Kubernetes secret management supporting multiple strategies (inline, existing secrets, External Secrets Operator), (2) type-safe telemetry refactor with ~500 lines of typed PlatformEvents helpers improving consistency, (3) intelligent span filtering reducing telemetry noise by 90%+, (4) proper error handling with try-catch wrapping all telemetry calls, (5) backward compatible feature flag implementation. The changes are well-tested conceptually, follow established patterns, and include comprehensive documentation.
  • No files require special attention - all changes follow established patterns and best practices

Important Files Changed

File Analysis

Filename | Score | Overview
apps/sim/lib/auth/auth.ts | 4/5 | Added email/password authentication toggle via isEmailPasswordEnabled flag and telemetry tracking for user sign-ups and OAuth connections
apps/sim/lib/core/config/feature-flags.ts | 5/5 | Added isEmailPasswordEnabled feature flag to control email/password authentication server-side
apps/sim/lib/core/telemetry.ts | 5/5 | Added comprehensive PlatformEvents typed helpers (~500 lines) for consistent, type-safe telemetry tracking across the platform
apps/sim/instrumentation-node.ts | 4/5 | Implemented custom business span sampler to filter out Next.js framework spans and only collect business-relevant telemetry (platform.*, gen_ai.*, workflow.*, etc.)
apps/sim/lib/logs/execution/logging-session.ts | 4/5 | Refactored to use typed PlatformEvents helpers and added createOTelSpansForWorkflowExecution calls to create OpenTelemetry spans for workflow executions
helm/sim/values.yaml | 5/5 | Added comprehensive secret management configuration including existingSecret options for app/database secrets and External Secrets Operator integration
helm/sim/templates/_helpers.tpl | 5/5 | Added helper functions for secret name resolution and conditional secret creation logic to support existing secrets and ESO
helm/sim/templates/deployment-app.yaml | 5/5 | Updated to use helper functions for secret references, now loads both app secrets and database secrets via envFrom

Sequence Diagram

sequenceDiagram
    participant User
    participant AuthAPI as Auth API
    participant FeatureFlags as Feature Flags
    participant WorkflowAPI as Workflow API
    participant LoggingSession as Logging Session
    participant Telemetry as PlatformEvents
    participant OTel as OpenTelemetry
    participant K8s as Kubernetes Secrets

    Note over User,K8s: 1. Authentication Flow with Email/Password Toggle

    User->>AuthAPI: Sign up with email/password
    AuthAPI->>FeatureFlags: Check isEmailPasswordEnabled
    alt Email/Password Disabled
        FeatureFlags-->>AuthAPI: false
        AuthAPI-->>User: Error: Email/password auth disabled
    else Email/Password Enabled
        FeatureFlags-->>AuthAPI: true
        AuthAPI->>AuthAPI: Create user account
        AuthAPI->>Telemetry: PlatformEvents.userSignedUp()
        Telemetry->>OTel: Track platform.user.signed_up
        AuthAPI-->>User: Success
    end

    Note over User,K8s: 2. Workflow Execution with Telemetry

    User->>WorkflowAPI: Execute workflow
    WorkflowAPI->>LoggingSession: Start logging session
    LoggingSession->>LoggingSession: Track block executions
    LoggingSession->>Telemetry: PlatformEvents.workflowExecuted()
    Telemetry->>OTel: Track platform.workflow.executed
    LoggingSession->>Telemetry: createOTelSpansForWorkflowExecution()
    Telemetry->>OTel: Create workflow spans (workflow.*, block.*)
    OTel->>OTel: Business span sampler filters spans
    OTel->>OTel: Export to OTLP endpoint
    LoggingSession-->>WorkflowAPI: Execution complete
    WorkflowAPI-->>User: Results

    Note over User,K8s: 3. Kubernetes Secret Injection

    K8s->>K8s: External Secrets Operator enabled?
    alt Using External Secrets
        K8s->>K8s: Sync from Azure Key Vault/AWS Secrets
        K8s->>K8s: Create app-secrets from external store
    else Using Existing Secret
        K8s->>K8s: Reference pre-existing secret
    else Creating from Values
        K8s->>K8s: Create secret from values.yaml
    end
    K8s->>WorkflowAPI: Mount secrets as env vars
    WorkflowAPI->>WorkflowAPI: Use BETTER_AUTH_SECRET, etc.
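The review above describes a "business span sampler" that keeps platform.*, gen_ai.*, workflow.* and block.* spans and drops Next.js framework spans. The following is an added illustration of that idea, not code from the PR: the Sampler shape and decision values are re-declared locally (an assumption, so it runs without @opentelemetry/sdk-trace-base), the real shouldSample takes more arguments, and the span names and parent links are constructed. It also shows the caveat a defender wants to check: a kept span whose parent was dropped still references that parent, so the trace tree has a dangling root.

```typescript
// Added example (not the PR's code). Decision values mirror the OTel JS enum
// but are declared locally so this file runs with no OpenTelemetry dependency.
export const SamplingDecision = {
  NOT_RECORD: 0,         // drop: never recorded, never exported
  RECORD_AND_SAMPLED: 2, // keep: recorded and exported to the OTLP endpoint
} as const;
export type Decision = (typeof SamplingDecision)[keyof typeof SamplingDecision];
export interface SamplingResult { decision: Decision; attributes?: Record<string, string> }

// Business prefixes named in the PR summary.
export const BUSINESS_PREFIXES: readonly string[] = ['platform.', 'gen_ai.', 'workflow.', 'block.'];

export class BusinessSpanSampler {
  private readonly prefixes: readonly string[];
  constructor(prefixes: readonly string[] = BUSINESS_PREFIXES) { this.prefixes = prefixes; }

  // Simplified signature (assumption): real OTel also passes context, traceId,
  // kind, attributes and links. parentSampled says whether the parent was kept.
  shouldSample(spanName: string, parentSampled: boolean): SamplingResult {
    if (this.prefixes.some((p) => spanName.startsWith(p))) {
      return { decision: SamplingDecision.RECORD_AND_SAMPLED, attributes: { 'sampler.reason': 'business' } };
    }
    // Children of a kept span stay, so a block's outbound call is not orphaned.
    if (parentSampled) {
      return { decision: SamplingDecision.RECORD_AND_SAMPLED, attributes: { 'sampler.reason': 'parent' } };
    }
    // Everything else (Next.js route/render spans) is framework noise: dropped.
    return { decision: SamplingDecision.NOT_RECORD };
  }
}

// Constructed trace in emission order; names modelled on Next.js and workflow spans.
export const SAMPLE_SPANS: ReadonlyArray<{ name: string; parent: string | null }> = [
  { name: 'GET /api/workflows/[id]/execute', parent: null },
  { name: 'executing api route (app)', parent: 'GET /api/workflows/[id]/execute' },
  { name: 'workflow.execute', parent: 'executing api route (app)' }, // kept; parent dropped
  { name: 'block.agent', parent: 'workflow.execute' },
  { name: 'gen_ai.chat', parent: 'block.agent' },
  { name: 'HTTP POST model-provider', parent: 'gen_ai.chat' },       // kept via parent
  { name: 'platform.workflow.executed', parent: 'workflow.execute' },
  { name: 'resolve page components', parent: null },                 // dropped
];

// Returns the span names that would reach the exporter for the sample trace.
export function sampledSpanNames(sampler = new BusinessSpanSampler()): string[] {
  const kept = new Set<string>();
  for (const s of SAMPLE_SPANS) {
    const parentSampled = s.parent !== null && kept.has(s.parent);
    if (sampler.shouldSample(s.name, parentSampled).decision === SamplingDecision.RECORD_AND_SAMPLED) kept.add(s.name);
  }
  return Array.from(kept);
}
```

When validating such a sampler in a real deployment, query the backend for kept spans whose parent span id never arrived; that count is the cost of the noise reduction.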

@waleedlatif1 waleedlatif1 merged commit a54fcbc into staging Jan 8, 2026
10 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/helm branch January 8, 2026 19:09