fix(access-control): default deniedModels in response schema, hide blocked badge on disabled rows, trim comments

Author: waleedlatif1

apps/sim/ee/access-control/components/access-control.tsx

@@ -256,11 +256,7 @@ function AccessControlSkeleton() {
   )
 }
 
-/**
- * Providers whose model catalog is discovered at runtime from a user-configured
- * endpoint rather than the static {@link PROVIDER_DEFINITIONS} list. Their models
- * are fetched lazily via {@link useProviderModels} when a row is expanded.
- */
+/** Providers whose models are fetched at runtime (on row expand) rather than from {@link PROVIDER_DEFINITIONS}. */
 const DYNAMIC_MODEL_PROVIDERS = new Set<ProviderName>([
   'ollama',
   'vllm',
@@ -419,7 +415,7 @@ function ProviderRow({
           )}
         >
           <span className='truncate font-medium text-sm'>{providerName}</span>
-          {deniedCount > 0 && (
+          {isProviderAllowed && deniedCount > 0 && (
             <span className='rounded-sm bg-[var(--surface-3)] px-1.5 py-0.5 text-[var(--text-muted)] text-micro'>
               {deniedCount} blocked
             </span>
@@ -1000,7 +996,7 @@ export function AccessControl() {
         const providerId = getProviderFromModel(model)
         counts[providerId] = (counts[providerId] ?? 0) + 1
       } catch {
-        // Model maps to an unavailable provider (e.g. server-blacklisted); skip its badge.
+        // Unknown/blacklisted provider — omit from counts.
       }
     }
     return counts

apps/sim/lib/api/contracts/permission-groups.ts

@@ -5,7 +5,7 @@ import { permissionGroupConfigSchema } from '@/lib/permission-groups/types'
 export const permissionGroupFullConfigSchema = z.object({
   allowedIntegrations: z.array(z.string()).nullable(),
   allowedModelProviders: z.array(z.string()).nullable(),
-  deniedModels: z.array(z.string()),
+  deniedModels: z.array(z.string()).default([]),
   hideTraceSpans: z.boolean(),
   hideKnowledgeBaseTab: z.boolean(),
   hideTablesTab: z.boolean(),

apps/sim/lib/permission-groups/types.ts

@@ -34,12 +34,8 @@ export interface PermissionGroupConfig {
   allowedIntegrations: string[] | null
   allowedModelProviders: string[] | null
   /**
-   * Denylist of fully-qualified model IDs (e.g. `ollama/llama3`, `gpt-4o`) that
-   * members of this group may not use. Empty means no model is blocked. Applied
-   * on top of `allowedModelProviders`: a model is usable only when its provider
-   * is allowed AND the model is not present here. A denylist (rather than an
-   * allowlist) keeps dynamically-discovered models — vLLM, Ollama, LiteLLM —
-   * usable by default as the upstream catalog changes.
+   * Fully-qualified model IDs (e.g. `ollama/llama3`, `gpt-4o`) blocked for this
+   * group, checked after `allowedModelProviders`. Empty means nothing is blocked.
    */
   deniedModels: string[]
   hideTraceSpans: boolean