improvement(governance): derived access

[icecrasher321]

Summary

Org Admins are auto Workspace Admins. And workspace admins are auto credential admins.

Type of Change

• Other: UX improvement

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 19, 2026 7:33pm

[cursor]

PR Summary

High Risk
Broad changes to authorization and credential/workspace access across sim, realtime, and many API routes; incorrect derived-role logic could grant or deny access incorrectly.

Overview
Replaces @sim/workflow-authz with @sim/platform-authz (workflow, workspace, and predicate subpaths) and wires derived governance through APIs and UI.

Organization admins are treated as workspace admins on every org workspace (roster, workspace lists, permission updates block demotion). Workspace admins are credential admins for shared credentials (OAuth, service accounts, workspace env vars)—listing, OAuth credential pickers, member APIs, and env secret read/edit rules follow that model; personal env vars stay private.

Credential member APIs now merge workspace-admin rows with roleSource, block demoting/removing org/workspace admins, and use getCredentialActorContext / deriveCredentialAdmin instead of raw membership-only checks. Many routes swap permissions joins for checkWorkspaceAccess, listAccessibleWorkspaceRowsForUser, or permissionSatisfies so org-derived access applies (logs, copilot chats, webhooks, MCP discover, v1 logs, etc.).

Settings UI adds RoleLockTooltip on locked workspace/credential roles; docs expand credential access and env-variable permissions. Org member usage-limit GET also returns billingInterval (month/year).

^{Reviewed by Cursor Bugbot for commit e1241a0. Configure here.}

[greptile-apps]

Greptile Summary

This PR implements a governance inheritance model where org owners/admins are automatically workspace admins, and workspace admins are automatically credential admins on all shared (non-personal) credentials. The implementation is centralized in a new @sim/platform-authz package so both apps/sim and apps/realtime share the same resolution logic.

• Derived workspace access: resolveEffectiveWorkspacePermission (shared package) adds an org-admin lookup on top of the explicit permissions row, replacing the old hand-written ownerId === userId owner shortcut with a claim that every owner always holds an explicit admin permission row.
• Derived credential access: deriveCredentialAdmin grants credential admin to any user who is a workspace admin on the containing workspace (except for personal env credentials); the credential-member API's GET/POST/DELETE endpoints are updated to enforce and surface these derived roles.
• revokeWorkspaceCredentialMembershipsTx simplification: the previous per-credential owner-promotion logic is removed since workspace admins can never orphan a shared credential.

Confidence Score: 5/5

Safe to merge; the governance inheritance is correctly centralized in a shared package and consistently applied across workspace and credential access checks.

The core derivation logic in resolveEffectiveWorkspacePermission and deriveCredentialAdmin is correct, and the credential route's last-admin guards are properly scoped to personal env credentials. The only new finding is a display-only isExternal non-determinism in getUsersWithPermissions from an unconstrained leftJoin on the member table, which does not affect access control.

apps/sim/lib/workspaces/permissions/utils.ts — the leftJoin(member, ...) without org-id scoping in getUsersWithPermissions.

Important Files Changed

Filename	Overview
packages/platform-authz/src/workspace.ts	New shared resolver for effective workspace permission: fetches explicit permission row and optionally derives admin from org owner/admin role; logic is correct for the defined governance model.
packages/platform-authz/src/predicates.ts	New shared permission predicates (permissionSatisfies, isOrgAdminRole, PERMISSION_RANK) extracted so both apps/sim and apps/realtime can share them; correct and dependency-free.
apps/sim/lib/workspaces/permissions/utils.ts	Refactored checkWorkspaceAccess and getUserEntityPermissions to use org-admin inheritance; introduces getUsersWithPermissions rewrite with a leftJoin on member that is not scoped to the workspace org, producing non-deterministic isExternal for multi-org users.
apps/sim/lib/workspaces/utils.ts	Adds getOrgAdminWorkspaceRows and listAccessibleWorkspaceRowsForUser to surface derived workspace access; the .limit(1) query without a role filter in getOrgAdminWorkspaceRows may miss admin roles for users in multiple orgs (noted in previous review threads).
apps/sim/lib/credentials/access.ts	Adds deriveCredentialAdmin, isSharedCredentialType, and SHARED_CREDENTIAL_TYPES; removes the complex ownership-transfer logic in revokeWorkspaceCredentialMembershipsTx since workspace admins are now always derived credential admins.
apps/sim/app/api/credentials/[id]/members/route.ts	GET endpoint now merges derived workspace-admin entries into the credential member list; POST/DELETE guard workspace admins from demotion/removal; last-admin guard is correctly scoped to personal env credentials only.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User] -->|member.role = owner/admin?| B{Org Admin?}
    B -->|Yes| C[Derived Workspace Admin]
    B -->|No| D[Check permissions table]
    D -->|explicit row| E{permissionType}
    E -->|admin| F[Workspace Admin]
    E -->|write/read/null| G[Workspace write/read/none]
    C --> F

    F -->|isSharedCredentialType?| H{Shared Credential?}
    H -->|Yes env_workspace, oauth, service_account| I[Derived Credential Admin]
    H -->|No env_personal| J[Check credentialMember table]
    J -->|role=admin, status=active| K[Explicit Credential Admin]
    J -->|other/none| L[Credential member/no access]

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[User] -->|member.role = owner/admin?| B{Org Admin?}
    B -->|Yes| C[Derived Workspace Admin]
    B -->|No| D[Check permissions table]
    D -->|explicit row| E{permissionType}
    E -->|admin| F[Workspace Admin]
    E -->|write/read/null| G[Workspace write/read/none]
    C --> F

    F -->|isSharedCredentialType?| H{Shared Credential?}
    H -->|Yes env_workspace, oauth, service_account| I[Derived Credential Admin]
    H -->|No env_personal| J[Check credentialMember table]
    J -->|role=admin, status=active| K[Explicit Credential Admin]
    J -->|other/none| L[Credential member/no access]

Loading

_{Reviews (4): Last reviewed commit: "chore(db): regenerate kb→workspace casca..." | Re-trigger Greptile}

[icecrasher321]

@greptile

[icecrasher321]

bugbot run

[icecrasher321]

@greptile

[icecrasher321]

bugbot run

[icecrasher321]

@greptile

[icecrasher321]

bugbot run

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit e1241a0. Configure here.}