feat(ee): access control, sso #75

Open
Sebmono wants to merge 2 commits into staging from feat/ee-migrated-pr-3061

Sebmono commented Jan 30, 2026

Original PR: simstudioai/sim#3061
Opened by: +emir-karabeg
Created at: 2026-01-29 01:57:30 UTC
Base branch: staging
Head branch: feat/ee


Summary

Brief description of what this PR does and why.

Fixes #(issue)

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Other: ___________

Testing

How has this been tested? What should reviewers focus on?

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

Sebmono commented Jan 30, 2026

Comment by +vercel[bot] (2026-01-29 01:57:34 UTC):

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Jan 29, 2026 2:08am |

Sebmono commented Jan 30, 2026

Comment by +greptile-apps[bot] (2026-01-29 02:01:51 UTC):

Greptile Overview

Greptile Summary

This PR consolidates enterprise features (Access Control and SSO) into a dedicated apps/sim/ee/ directory under a separate enterprise license, clearly separating them from the Apache 2.0 codebase.

Key Changes:

  • Moved access control components, hooks, and types from scattered locations into ee/access-control/
  • Moved SSO components, hooks, and constants from @/lib/auth/sso and @/hooks/queries into ee/sso/
  • Created comprehensive barrel exports at @/ee for clean imports
  • Updated all import paths across the codebase to reference the new EE directory
  • Added enterprise license and documentation explaining the dual-license structure

Architecture Impact:
The refactoring follows the project's import patterns using absolute paths and barrel exports. All API routes remain in app/api/ per Next.js conventions. The separation enables clear license boundaries while maintaining the existing runtime behavior and permission enforcement logic.

Confidence Score: 4/5

  • Safe to merge with minor code quality improvement recommended
  • This is a well-executed refactoring that properly reorganizes enterprise features into a dedicated directory with appropriate licensing. All imports are correctly updated and the architecture follows project conventions. The only issue is a duplicate constant definition in the SSO component that should be cleaned up.
  • apps/sim/ee/sso/components/sso.tsx contains duplicate constant that should import from lib/constants instead

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/ee/index.ts | consolidated EE barrel exports for access control and SSO |
| apps/sim/ee/access-control/lib/types.ts | moved permission group types from @/lib to EE directory |
| apps/sim/ee/sso/components/sso.tsx | moved SSO UI from settings modal to EE directory; contains duplicate constant definition |
| apps/sim/app/api/permission-groups/route.ts | updated imports to reference EE types from new location |
| apps/sim/executor/utils/permission-check.ts | updated imports to reference EE types from new location |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant UI as Settings UI
    participant API as Backend API
    participant DB as Database
    participant Executor

    Note over User,Executor: Access Control Configuration
    User->>UI: Configure permission group
    UI->>API: Create permission group
    API->>DB: Store group config
    DB-->>UI: Group created
    UI->>API: Add members
    API->>DB: Link users to group
    DB-->>UI: Members added

    Note over User,Executor: SSO Configuration
    User->>UI: Setup SSO provider
    UI->>API: Register provider
    API->>DB: Save OIDC or SAML config
    DB-->>UI: Provider configured

    User->>API: Login via SSO
    API->>DB: Lookup provider
    API->>API: Authenticate via IdP
    API->>DB: Create session
    API-->>User: Authenticated

    Note over User,Executor: Runtime Permission Validation
    User->>Executor: Run workflow
    Executor->>DB: Get permission config
    DB-->>Executor: Config retrieved
    Executor->>Executor: Validate models
    Executor->>Executor: Validate blocks
    alt Not permitted
        Executor-->>User: Error
    else Permitted
        Executor-->>User: Success
    end
```
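
Added example (not part of the PR, the sim code base, or any comment in this thread): one way to implement the "Runtime Permission Validation" leg of the sequence diagram above, so that a failed config lookup denies the run and every violation is reported. The types `PermissionConfig`, `Workflow` and `Decision`, the fields `allowedModels` and `allowedBlocks`, and the functions `notAllowed` and `validateWorkflow` are hypothetical; treating `null` as "no restriction" and comparing identifiers case-insensitively are assumptions.

```typescript
// Added example. All type, field and function names are hypothetical,
// not taken from the sim code base.
type PermissionConfig = {
  allowedModels: string[] | null // null = no restriction configured (assumption)
  allowedBlocks: string[] | null
}
type Workflow = { blocks: { type: string; model?: string }[] }
type Decision = { permitted: boolean; violations: string[] }

// Assumption: identifiers are compared case-insensitively, ignoring padding.
const norm = (s: string): string => s.trim().toLowerCase()

// Return one message per distinct identifier that is missing from the allowlist.
function notAllowed(kind: string, used: string[], allowed: string[] | null): string[] {
  if (allowed === null) return []
  const allowList = allowed.map(norm)
  const denied: string[] = []
  for (const raw of used) {
    const id = norm(raw)
    if (allowList.indexOf(id) === -1 && denied.indexOf(id) === -1) denied.push(id)
  }
  return denied.map((id) => `${kind} not permitted: ${id}`)
}

// `config === undefined` models a failed or missing lookup: fail closed.
function validateWorkflow(config: PermissionConfig | undefined, wf: Workflow): Decision {
  if (config === undefined) {
    return { permitted: false, violations: ['permission config unavailable'] }
  }
  const models: string[] = []
  for (const b of wf.blocks) if (b.model !== undefined) models.push(b.model)
  const violations = notAllowed('model', models, config.allowedModels).concat(
    notAllowed('block', wf.blocks.map((b) => b.type), config.allowedBlocks)
  )
  return { permitted: violations.length === 0, violations }
}

// Constructed sample data, not from the PR.
const sampleConfig: PermissionConfig = {
  allowedModels: ['gpt-4o'],
  allowedBlocks: ['agent', 'api'],
}
const sampleWorkflow: Workflow = {
  blocks: [{ type: 'Agent', model: 'GPT-4o' }, { type: 'function' }],
}
console.log(validateWorkflow(sampleConfig, sampleWorkflow))
```

An empty allowlist (`[]`) denies every model or block, which is distinct from `null`; keeping the two apart avoids an emptied list silently becoming "allow all".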

Sebmono commented Jan 30, 2026

Comment by +greptile-apps[bot] (2026-01-29 02:01:59 UTC):

Additional Comments (1)

apps/sim/ee/sso/components/sso.tsx
duplicate constant `TRUSTED_SSO_PROVIDERS` already exists in `constants.ts` as `SSO_TRUSTED_PROVIDERS`

```suggestion
// Remove this duplicate - import from constants instead:
// import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/lib/constants'
```

Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/sim/ee/sso/components/sso.tsx
Line: 20:61

Comment:
duplicate constant `TRUSTED_SSO_PROVIDERS` already exists in `constants.ts` as `SSO_TRUSTED_PROVIDERS`

```suggestion
// Remove this duplicate - import from constants instead:
// import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/lib/constants'
```

How can I resolve this? If you propose a fix, please make it concise.

Sebmono commented Jan 30, 2026

Comment by +waleedlatif1 (2026-01-29 02:02:28 UTC):

+cursor review


2 participants