add custom tool blockers based on perm configs

Author: icecrasher321

apps/docs/content/docs/en/enterprise/index.mdx

@@ -1,6 +1,6 @@
 ---
 title: Enterprise
-description: Enterprise features for organizations with advanced security and compliance requirements
+description: Enterprise features for business organizations
 ---
 
 import { Callout } from 'fumadocs-ui/components/callout'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/access-control/access-control.tsx

@@ -2,7 +2,7 @@
 
 import { useCallback, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { Check, Plus, Search, Users } from 'lucide-react'
+import { Check, Plus, Search } from 'lucide-react'
 import {
   Avatar,
   AvatarFallback,
@@ -864,40 +864,25 @@ export function AccessControl() {
                 </p>
               ) : (
                 <div className='flex flex-col gap-[12px]'>
-                  <button
-                    type='button'
-                    onClick={() => {
-                      const allIds = availableMembersToAdd.map((m: any) => m.userId)
-                      const allSelected = allIds.every((id: string) => selectedMemberIds.has(id))
-                      if (allSelected) {
-                        setSelectedMemberIds(new Set())
-                      } else {
-                        setSelectedMemberIds(new Set(allIds))
-                      }
-                    }}
-                    className={cn(
-                      'flex items-center gap-[12px] rounded-[8px] border p-[12px] transition-colors',
-                      selectedMemberIds.size === availableMembersToAdd.length
-                        ? 'border-[var(--accent)] bg-[var(--accent)]/5'
-                        : 'border-[var(--border)] hover:bg-[var(--surface-5)]'
-                    )}
-                  >
-                    <div className='flex h-8 w-8 items-center justify-center rounded-full bg-[var(--surface-5)]'>
-                      <Users className='h-4 w-4 text-[var(--text-secondary)]' />
-                    </div>
-                    <div className='min-w-0 flex-1 text-left'>
-                      <div className='font-medium text-[14px] text-[var(--text-primary)]'>
-                        Select All
-                      </div>
-                      <div className='text-[12px] text-[var(--text-muted)]'>
-                        {availableMembersToAdd.length} member
-                        {availableMembersToAdd.length !== 1 ? 's' : ''} available
-                      </div>
-                    </div>
-                    {selectedMemberIds.size === availableMembersToAdd.length && (
-                      <Check className='h-[16px] w-[16px] text-[var(--accent)]' />
-                    )}
-                  </button>
+                  <div className='flex justify-end'>
+                    <button
+                      type='button'
+                      onClick={() => {
+                        const allIds = availableMembersToAdd.map((m: any) => m.userId)
+                        const allSelected = allIds.every((id: string) => selectedMemberIds.has(id))
+                        if (allSelected) {
+                          setSelectedMemberIds(new Set())
+                        } else {
+                          setSelectedMemberIds(new Set(allIds))
+                        }
+                      }}
+                      className='text-[12px] text-[var(--accent)] hover:underline'
+                    >
+                      {selectedMemberIds.size === availableMembersToAdd.length
+                        ? 'Deselect All'
+                        : 'Select All'}
+                    </button>
+                  </div>
                   {availableMembersToAdd.map((member: any) => {
                     const name = member.user?.name || 'Unknown'
                     const email = member.user?.email || ''

apps/sim/lib/copilot/tools/client/workflow/manage-custom-tool.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { Check, Loader2, Plus, X, XCircle } from 'lucide-react'
+import { client } from '@/lib/auth/auth-client'
 import {
   BaseClientTool,
   type BaseClientToolMetadata,
@@ -31,6 +32,20 @@ interface ManageCustomToolArgs {
 
 const API_ENDPOINT = '/api/tools/custom'
 
+async function checkCustomToolsPermission(): Promise<void> {
+  const activeOrgResponse = await client.organization.getFullOrganization()
+  const organizationId = activeOrgResponse.data?.id
+  if (!organizationId) return
+
+  const response = await fetch(`/api/permission-groups/user?organizationId=${organizationId}`)
+  if (!response.ok) return
+
+  const data = await response.json()
+  if (data?.config?.disableCustomTools) {
+    throw new Error('Custom tools are not allowed based on your permission group settings')
+  }
+}
+
 /**
  * Client tool for creating, editing, and deleting custom tools via the copilot.
  */
@@ -164,7 +179,10 @@ export class ManageCustomToolClientTool extends BaseClientTool {
     } catch (e: any) {
       logger.error('execute failed', { message: e?.message })
       this.setState(ClientToolCallState.error)
-      await this.markToolComplete(500, e?.message || 'Failed to manage custom tool')
+      await this.markToolComplete(500, e?.message || 'Failed to manage custom tool', {
+        success: false,
+        error: e?.message || 'Failed to manage custom tool',
+      })
     }
   }
 
@@ -189,6 +207,8 @@ export class ManageCustomToolClientTool extends BaseClientTool {
       throw new Error('Operation is required')
     }
 
+    await checkCustomToolsPermission()
+
     const { operation, toolId, schema, code } = args
 
     // Get workspace ID from the workflow registry

apps/sim/lib/copilot/tools/client/workflow/manage-mcp-tool.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { Check, Loader2, Server, X, XCircle } from 'lucide-react'
+import { client } from '@/lib/auth/auth-client'
 import {
   BaseClientTool,
   type BaseClientToolMetadata,
@@ -25,6 +26,20 @@ interface ManageMcpToolArgs {
 
 const API_ENDPOINT = '/api/mcp/servers'
 
+async function checkMcpToolsPermission(): Promise<void> {
+  const activeOrgResponse = await client.organization.getFullOrganization()
+  const organizationId = activeOrgResponse.data?.id
+  if (!organizationId) return
+
+  const response = await fetch(`/api/permission-groups/user?organizationId=${organizationId}`)
+  if (!response.ok) return
+
+  const data = await response.json()
+  if (data?.config?.disableMcpTools) {
+    throw new Error('MCP tools are not allowed based on your permission group settings')
+  }
+}
+
 /**
  * Client tool for creating, editing, and deleting MCP tool servers via the copilot.
  */
@@ -145,7 +160,10 @@ export class ManageMcpToolClientTool extends BaseClientTool {
     } catch (e: any) {
       logger.error('execute failed', { message: e?.message })
       this.setState(ClientToolCallState.error)
-      await this.markToolComplete(500, e?.message || 'Failed to manage MCP tool')
+      await this.markToolComplete(500, e?.message || 'Failed to manage MCP tool', {
+        success: false,
+        error: e?.message || 'Failed to manage MCP tool',
+      })
     }
   }
 
@@ -167,6 +185,8 @@ export class ManageMcpToolClientTool extends BaseClientTool {
       throw new Error('Operation is required')
     }
 
+    await checkMcpToolsPermission()
+
     const { operation, serverId, config } = args
 
     const { hydration } = useWorkflowRegistry.getState()

apps/sim/lib/copilot/tools/server/workflow/edit-workflow.ts

@@ -52,6 +52,7 @@ type SkippedItemType =
   | 'block_not_found'
   | 'invalid_block_type'
   | 'block_not_allowed'
+  | 'tool_not_allowed'
   | 'invalid_edge_target'
   | 'invalid_edge_source'
   | 'invalid_source_handle'
@@ -561,7 +562,9 @@ function createBlockFromParams(
   blockId: string,
   params: any,
   parentId?: string,
-  errorsCollector?: ValidationError[]
+  errorsCollector?: ValidationError[],
+  permissionConfig?: PermissionGroupConfig | null,
+  skippedItems?: SkippedItem[]
 ): any {
   const blockConfig = getAllBlocks().find((b) => b.type === params.type)
 
@@ -629,9 +632,14 @@ function createBlockFromParams(
         }
       }
 
-      // Special handling for tools - normalize to restore sanitized fields
+      // Special handling for tools - normalize and filter disallowed
       if (key === 'tools' && Array.isArray(value)) {
-        sanitizedValue = normalizeTools(value)
+        sanitizedValue = filterDisallowedTools(
+          normalizeTools(value),
+          permissionConfig ?? null,
+          blockId,
+          skippedItems ?? []
+        )
       }
 
       // Special handling for responseFormat - normalize to ensure consistent format
@@ -1109,6 +1117,49 @@ function isBlockTypeAllowed(
   return permissionConfig.allowedIntegrations.includes(blockType)
 }
 
+/**
+ * Filters out tools that are not allowed by the permission group config
+ * Returns both the allowed tools and any skipped tool items for logging
+ */
+function filterDisallowedTools(
+  tools: any[],
+  permissionConfig: PermissionGroupConfig | null,
+  blockId: string,
+  skippedItems: SkippedItem[]
+): any[] {
+  if (!permissionConfig) {
+    return tools
+  }
+
+  const allowedTools: any[] = []
+
+  for (const tool of tools) {
+    if (tool.type === 'custom-tool' && permissionConfig.disableCustomTools) {
+      logSkippedItem(skippedItems, {
+        type: 'tool_not_allowed',
+        operationType: 'add',
+        blockId,
+        reason: `Custom tool "${tool.title || tool.customToolId || 'unknown'}" is not allowed by permission group - tool not added`,
+        details: { toolType: 'custom-tool', toolId: tool.customToolId },
+      })
+      continue
+    }
+    if (tool.type === 'mcp' && permissionConfig.disableMcpTools) {
+      logSkippedItem(skippedItems, {
+        type: 'tool_not_allowed',
+        operationType: 'add',
+        blockId,
+        reason: `MCP tool "${tool.title || 'unknown'}" is not allowed by permission group - tool not added`,
+        details: { toolType: 'mcp', serverId: tool.params?.serverId },
+      })
+      continue
+    }
+    allowedTools.push(tool)
+  }
+
+  return allowedTools
+}
+
 /**
  * Apply operations directly to the workflow JSON state
  */
@@ -1314,9 +1365,14 @@ function applyOperationsToWorkflowState(
               }
             }
 
-            // Special handling for tools - normalize to restore sanitized fields
+            // Special handling for tools - normalize and filter disallowed
             if (key === 'tools' && Array.isArray(value)) {
-              sanitizedValue = normalizeTools(value)
+              sanitizedValue = filterDisallowedTools(
+                normalizeTools(value),
+                permissionConfig,
+                block_id,
+                skippedItems
+              )
             }
 
             // Special handling for responseFormat - normalize to ensure consistent format
@@ -1528,7 +1584,9 @@ function applyOperationsToWorkflowState(
               childId,
               childBlock,
               block_id,
-              validationErrors
+              validationErrors,
+              permissionConfig,
+              skippedItems
             )
             modifiedState.blocks[childId] = childBlockState
 
@@ -1718,7 +1776,14 @@ function applyOperationsToWorkflowState(
         }
 
         // Create new block with proper structure
-        const newBlock = createBlockFromParams(block_id, params, undefined, validationErrors)
+        const newBlock = createBlockFromParams(
+          block_id,
+          params,
+          undefined,
+          validationErrors,
+          permissionConfig,
+          skippedItems
+        )
 
         // Set loop/parallel data on parent block BEFORE adding to blocks (strict validation)
         if (params.nestedNodes) {
@@ -1797,7 +1862,9 @@ function applyOperationsToWorkflowState(
               childId,
               childBlock,
               block_id,
-              validationErrors
+              validationErrors,
+              permissionConfig,
+              skippedItems
             )
             modifiedState.blocks[childId] = childBlockState
 
@@ -1919,9 +1986,14 @@ function applyOperationsToWorkflowState(
                 }
               }
 
-              // Special handling for tools - normalize to restore sanitized fields
+              // Special handling for tools - normalize and filter disallowed
               if (key === 'tools' && Array.isArray(value)) {
-                sanitizedValue = normalizeTools(value)
+                sanitizedValue = filterDisallowedTools(
+                  normalizeTools(value),
+                  permissionConfig,
+                  block_id,
+                  skippedItems
+                )
               }
 
               // Special handling for responseFormat - normalize to ensure consistent format
@@ -1970,7 +2042,14 @@ function applyOperationsToWorkflowState(
           }
 
           // Create new block as child of subflow
-          const newBlock = createBlockFromParams(block_id, params, subflowId, validationErrors)
+          const newBlock = createBlockFromParams(
+            block_id,
+            params,
+            subflowId,
+            validationErrors,
+            permissionConfig,
+            skippedItems
+          )
           modifiedState.blocks[block_id] = newBlock
         }
 

apps/sim/lib/core/config/feature-flags.ts

@@ -92,6 +92,14 @@ export const isCredentialSetsEnabled = isTruthy(env.CREDENTIAL_SETS_ENABLED)
  */
 export const isAccessControlEnabled = isTruthy(env.ACCESS_CONTROL_ENABLED)
 
+/**
+ * Is organizations enabled
+ * True if billing is enabled (orgs come with billing), OR explicitly enabled via env var,
+ * OR if access control is enabled (access control requires organizations)
+ */
+export const isOrganizationsEnabled =
+  isBillingEnabled || isTruthy(env.ORGANIZATIONS_ENABLED) || isAccessControlEnabled
+
 /**
  * Is E2B enabled for remote code execution
  */