
feat(access-control): add ALLOWED_INTEGRATIONS env var for self-hosted block restrictions #3238

Merged
waleedlatif1 merged 12 commits into staging from feat/allowlist
Feb 18, 2026

@waleedlatif1
Collaborator

Summary

  • Add ALLOWED_INTEGRATIONS server env var to restrict available blocks/integrations via allowlist
  • Client fetches allowlist from /api/settings/allowed-integrations and merges with permission group config
  • Server-side enforcement in validateBlockType blocks disallowed integrations at execution time
  • Filters apply to sidebar, cmd-k, toolbar, copilot mentions, and tool input picker
  • Empty = all allowed, set = only listed block types available

Type of Change

  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Feb 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Feb 18, 2026 2:42am |


@greptile-apps
Contributor

greptile-apps bot commented Feb 18, 2026

Greptile Summary

This PR adds an ALLOWED_INTEGRATIONS server environment variable that enables self-hosted deployments to restrict which block types/integrations are available to users. The implementation spans server-side enforcement (validateBlockType, copilot tools), client-side filtering (sidebar, cmd-k, toolbar, copilot mentions), and a new API endpoint for the client to fetch the env-based allowlist.

  • New getAllowedIntegrationsFromEnv() function parses and lowercases the comma-separated env var
  • Server-side mergeEnvAllowlist() intersects the env allowlist with any existing permission group config
  • Client-side usePermissionConfig hook fetches the env allowlist via /api/settings/allowed-integrations and merges with permission group data
  • All block type comparisons now use .toLowerCase() for case-insensitive matching
  • integrations.tsx now normalizes service IDs (hyphen → underscore) to match block type format
  • Comprehensive test coverage added for the new env allowlist behavior
  • Helm chart updated with the new ALLOWED_INTEGRATIONS config option

Confidence Score: 4/5

  • This PR is safe to merge with minor concerns around duplicated fallback patterns across copilot tools.
  • The feature is well-designed with consistent server and client enforcement, case normalization, and good test coverage. The env allowlist merge logic is sound. Minor deductions for the repeated fallback pattern across multiple copilot tool files (could benefit from a shared helper) and a subtle inconsistency in the client-side intersectAllowlists that only lowercases one side of the intersection.
  • apps/sim/ee/access-control/utils/permission-check.ts and apps/sim/hooks/use-permission-config.ts contain the core merge logic and deserve careful review.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/app/api/settings/allowed-integrations/route.ts | New API route that serves the env-based integration allowlist. Includes session authentication. Simple and correct. |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx | Adds hyphen-to-underscore normalization for service ID comparison against the allowlist. Correctly bridges the service ID format (hyphens) to block type format (underscores). |
| apps/sim/ee/access-control/utils/permission-check.ts | Core logic for merging env allowlist with permission group config. Adds mergeEnvAllowlist function, updates validateBlockType to handle no-userId case, and applies case-insensitive matching. |
| apps/sim/ee/access-control/utils/permission-check.test.ts | New test suite covering IntegrationNotAllowedError, getUserPermissionConfig with env allowlist, validateBlockType with/without env allowlist, and service ID normalization. |
| apps/sim/hooks/use-permission-config.ts | Client-side hook now fetches env allowlist via API and merges it with permission group config using intersection logic. Adds useAllowedIntegrationsFromEnv and intersectAllowlists helpers. |
| apps/sim/lib/copilot/process-contents.ts | Updated processBlockMetadata to apply env allowlist fallback when userId is absent, and adds case-insensitive comparison for block IDs. |
| apps/sim/lib/core/config/feature-flags.ts | New getAllowedIntegrationsFromEnv function that parses and normalizes the ALLOWED_INTEGRATIONS env var to lowercase. |

Flowchart

flowchart TD
    A["ALLOWED_INTEGRATIONS env var"] --> B["getAllowedIntegrationsFromEnv()"]
    B -->|"parse, lowercase, split"| C["string[] | null"]
    
    subgraph Server-Side
        C --> D["mergeEnvAllowlist()"]
        E["Permission Group Config"] --> D
        D -->|"intersect or fallback"| F["Merged PermissionGroupConfig"]
        F --> G["validateBlockType()"]
        F --> H["Copilot Server Tools"]
        F --> I["process-contents.ts"]
    end
    
    subgraph Client-Side
        C --> J["/api/settings/allowed-integrations"]
        J --> K["useAllowedIntegrationsFromEnv()"]
        K --> L["intersectAllowlists()"]
        M["useUserPermissionConfig()"] --> L
        L --> N["mergedAllowedIntegrations"]
        N --> O["Sidebar / Toolbar / Cmd-K"]
        N --> P["Copilot Mentions"]
        N --> Q["Integrations Settings"]
    end

Last reviewed commit: 4eaad05

Contributor

@greptile-apps greptile-apps bot left a comment

6 files reviewed, 1 comment

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

7 files reviewed, 1 comment

@waleedlatif1
Collaborator Author

@cursor review

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

7 files reviewed, 2 comments

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

7 files reviewed, no comments

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

16 files reviewed, 2 comments

@greptile-apps
Contributor

greptile-apps bot commented Feb 18, 2026

Additional Comments (2)

apps/sim/lib/copilot/tools/server/blocks/get-blocks-and-tools.ts
Env allowlist not enforced when userId is absent

When context?.userId is undefined, permissionConfig is set to null, bypassing the ALLOWED_INTEGRATIONS env allowlist entirely. This means all integrations are shown in copilot when there's no user context (e.g., auth-disabled self-hosted deployments — the primary use case for ALLOWED_INTEGRATIONS).

The validateBlockType function handles this correctly on line 191 of permission-check.ts by falling back to mergeEnvAllowlist(null). The same pattern should be applied here.

    const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
    const envAllowlist = !context?.userId ? (await import('@/lib/core/config/feature-flags')).getAllowedIntegrationsFromEnv() : null
    const allowedIntegrations = permissionConfig?.allowedIntegrations ?? envAllowlist

apps/sim/lib/copilot/process-contents.ts
Env allowlist not enforced when userId is absent

When userId is undefined, this block is skipped entirely, so the ALLOWED_INTEGRATIONS env var has no effect on copilot block mentions. The same bypass exists in all the copilot server tools (get-block-config, get-block-options, get-blocks-metadata-tool, get-trigger-blocks).

Since ALLOWED_INTEGRATIONS is designed for self-hosted deployments (which may run with auth disabled and thus no userId), the env allowlist should be checked even when userId is absent. Consider restructuring to also call getAllowedIntegrationsFromEnv() in the no-userId branch, matching the pattern used in validateBlockType.
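
The no-userId fallback and the two-sided normalization raised in the review comments above, as an added TypeScript sketch that is not the PR's code. `normalizeId`, `parseAllowlist`, `mergeAllowlists`, `effectiveAllowlist`, `isBlockAllowed` and the sample data are hypothetical, and folding hyphens to underscores on every id is an assumption.

```typescript
// Added sketch, not the PR's code. All names and sample data are hypothetical.
type Allowlist = string[] | null; // null means "no restriction"

// Assumption: fold case and hyphens so "Google-Sheets" equals "google_sheets".
function normalizeId(id: string): string {
  return id.trim().toLowerCase().replace(/-/g, "_");
}

// Comma-separated env value; empty or unset means all integrations allowed.
function parseAllowlist(raw: string | undefined): Allowlist {
  if (!raw) return null;
  const ids = raw.split(",").map(normalizeId).filter((s) => s.length > 0);
  return ids.length > 0 ? ids : null;
}

// Intersect env and group lists, normalizing BOTH sides before comparing.
// An empty intersection stays [] (deny all); it must not collapse to null.
function mergeAllowlists(env: Allowlist, group: Allowlist): Allowlist {
  const g = group ? group.map(normalizeId) : null;
  if (env === null) return g;
  const envList = env.map(normalizeId);
  if (g === null) return envList;
  return g.filter((id) => envList.indexOf(id) !== -1);
}

// With no userId there is no group config, but the env list still applies.
function effectiveAllowlist(
  rawEnv: string | undefined,
  userId: string | undefined,
  groupLookup: (userId: string) => Allowlist,
): Allowlist {
  const group = userId ? groupLookup(userId) : null;
  return mergeAllowlists(parseAllowlist(rawEnv), group);
}

function isBlockAllowed(blockType: string, allowed: Allowlist): boolean {
  return allowed === null || allowed.indexOf(normalizeId(blockType)) !== -1;
}

// Constructed sample input.
const RAW_ENV = "Slack, google-sheets ,github";
const GROUPS: Record<string, Allowlist> = { alice: ["GitHub", "notion"], bob: null };
const lookup = (id: string): Allowlist => GROUPS[id] ?? null;

console.log(effectiveAllowlist(RAW_ENV, undefined, lookup)); // no user: env list
console.log(effectiveAllowlist(RAW_ENV, "alice", lookup)); // env intersected with group
```

The case to check in any implementation is the empty intersection: it has to deny everything rather than read as "no restriction".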

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

Contributor

@greptile-apps greptile-apps bot left a comment

16 files reviewed, 1 comment

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

@waleedlatif1 waleedlatif1 merged commit bbcef7c into staging Feb 18, 2026
6 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/allowlist branch February 18, 2026 02:49