feat(enterprise): permission groups, access control (#2736)

* feat(permission-groups): integration/model access controls for enterprise

* feat: enterprise gating for BYOK, SSO, credential sets with org admin/owner checks

* execution time enforcement of mcp and custom tools

* add admin routes to cleanup permission group data

* fix not being on enterprise checks

* separate out orgs from billing system

* update the docs

* add custom tool blockers based on perm configs

* add migrations

* fix

* address greptile comments

* regen migrations

* fix default model picking based on user config

* cleaned up UI
Vikhyath Mondreti
2026-01-09 20:16:22 -08:00
committed by GitHub
parent fd76e98f0e
commit 47eb060311
67 changed files with 13669 additions and 478 deletions


@@ -26,6 +26,7 @@ import type {
} from '@/executor/types'
import { streamingResponseFormatProcessor } from '@/executor/utils'
import { buildBlockExecutionError, normalizeError } from '@/executor/utils/errors'
import { validateBlockType } from '@/executor/utils/permission-check'
import type { VariableResolver } from '@/executor/variables/resolver'
import type { SerializedBlock } from '@/serializer/types'
import type { SubflowType } from '@/stores/workflows/workflow/types'
@@ -54,7 +55,8 @@ export class BlockExecutor {
})
}
const isSentinel = isSentinelBlockType(block.metadata?.id ?? '')
const blockType = block.metadata?.id ?? ''
const isSentinel = isSentinelBlockType(blockType)
let blockLog: BlockLog | undefined
if (!isSentinel) {
@@ -74,6 +76,10 @@ export class BlockExecutor {
}
try {
if (!isSentinel && blockType) {
await validateBlockType(ctx.userId, blockType, ctx)
}
resolvedInputs = this.resolver.resolveInputs(ctx, node.id, block.config.params, block)
if (block.metadata?.id === BlockType.AGENT && resolvedInputs.tools) {
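Review bot: The permission check added at the top of the `try` block is skipped whenever `blockType` is the empty string, so a block whose `metadata.id` is missing never reaches `validateBlockType`; for an access-control gate that is the fail-open direction. Unless such a block is rejected later (not visible in this hunk), consider dropping the `&& blockType` condition so the validator decides, assuming it treats an unknown type as not allowed: `if (!isSentinel) { await validateBlockType(ctx.userId, blockType, ctx) }`. It is also worth confirming that `validateBlockType` denies rather than allows when `ctx.userId` is undefined, and recording that in a one-line comment above the call. The later comparison `block.metadata?.id === BlockType.AGENT` could reuse `blockType`, so the checked value and the dispatched value cannot drift apart. The enclosing method starts and ends outside the hunk.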