fix(auth): address PR review comments

Author: waleedlatif1

apps/sim/lib/auth/auth.ts

@@ -149,11 +149,14 @@ const additionalTrustedOrigins = parseOriginList(env.TRUSTED_ORIGINS, (value) =>
   logger.warn('Ignoring invalid entry in TRUSTED_ORIGINS', { value })
 )
 
-if (env.NODE_ENV === 'production' && isLocalhostUrl(getBaseUrl())) {
-  logger.warn(
-    'NEXT_PUBLIC_APP_URL points to localhost in production. Self-hosted deployments must set NEXT_PUBLIC_APP_URL to the public URL users access (e.g. https://sim.example.com), otherwise auth POST requests from any non-localhost origin will be rejected by trustedOrigins. Set TRUSTED_ORIGINS to allow additional public origins.',
-    { baseUrl: getBaseUrl() }
-  )
+if (env.NODE_ENV === 'production') {
+  const baseUrl = getBaseUrl()
+  if (isLocalhostUrl(baseUrl)) {
+    logger.warn(
+      'NEXT_PUBLIC_APP_URL points to localhost in production. Self-hosted deployments must set NEXT_PUBLIC_APP_URL to the public URL users access (e.g. https://sim.example.com), otherwise auth POST requests from any non-localhost origin will be rejected by trustedOrigins. Set TRUSTED_ORIGINS to allow additional public origins.',
+      { baseUrl }
+    )
+  }
 }
 
 const validStripeKey = env.STRIPE_SECRET_KEY

apps/sim/lib/core/utils/urls.ts

@@ -184,7 +184,7 @@ export function getSocketUrl(): string {
   if (explicit) return explicit
 
   const browserOrigin = getBrowserOrigin()
-  if (browserOrigin && !LOCALHOST_HOSTNAMES.has(window.location.hostname)) {
+  if (browserOrigin && !LOCALHOST_HOSTNAMES.has(new URL(browserOrigin).hostname)) {
     return browserOrigin
   }
 

packages/db/scripts/migrate-deployment-versions.ts

@@ -2,6 +2,7 @@
 
 // This script is intentionally self-contained for execution in the migrations image.
 // Do not import from the main app code; duplicate minimal schema and DB setup here.
+// Workspace-internal packages (`@sim/*`) are permitted since they ship in the migrations image.
 
 import { generateId } from '@sim/utils/id'
 import { sql } from 'drizzle-orm'