Based on audit findings, adds lock validation to multiple operations:
1. BATCH_TOGGLE_HANDLES - now skips locked/protected blocks at:
- Store layer (batchToggleHandles)
- Collaborative hook (collaborativeBatchToggleBlockHandles)
- Server socket handler
2. BATCH_ADD_BLOCKS - server now filters blocks being added to
locked parent containers
3. BATCH_UPDATE_PARENT - server now:
- Skips protected blocks (locked or inside locked container)
- Prevents moving blocks into locked containers
All validations use consistent isProtected() helper that checks both
direct lock and parent container lock.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The redo logic for BATCH_TOGGLE_ENABLED and BATCH_TOGGLE_LOCKED was
incorrectly computing each block's new state as !previousStates[blockId].
However, the store's batchToggleEnabled/batchToggleLocked set ALL blocks
to the SAME target state based on the first block's previous state.
Now redo computes targetState = !previousStates[firstBlockId] and applies
it to all blocks, matching the store's behavior.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. BATCH_TOGGLE_LOCKED now requires admin role - non-admin users with
write role can no longer bypass UI restriction via direct socket
messages
2. BATCH_REMOVE_BLOCKS now validates lock status server-side - filters
out protected blocks (locked or inside locked parent) before deletion
3. Remove duplicate/outdated comment in regenerateBlockIds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both edit and delete operations now check if the block's parent
container is locked, not just if the block itself is locked. This
ensures consistent behavior with the UI which uses isBlockProtected
utility that checks both direct lock and parent lock.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. BATCH_TOGGLE_LOCKED now uses first block from blocksToToggle set
instead of blockIds[0], matching BATCH_TOGGLE_ENABLED pattern.
Also added early exit if blocksToToggle is empty.
2. Blocks inside locked containers are now properly non-draggable.
Changed draggable check from !block.locked to use isBlockProtected()
which checks both block lock and parent container lock.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. regenerateBlockIds now checks if existing parent is locked before
keeping the block inside it. If parent is locked, the duplicate
is placed outside (parentId cleared) instead of creating an
inconsistent state.
2. Remove unnecessary effectivePermissions.canAdmin and potentialParentId
from onNodeDragStart dependency array.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- insert_into_subflow: Check if existing block being moved is locked
- extract_from_subflow: Check if block or parent subflow is locked
These operations now match the UI behavior where locked blocks
cannot be moved into/out of containers.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1. Store batchToggleEnabled now uses continue to skip locked blocks
entirely, matching database operation behavior
2. Copilot add operation now checks if parent container is locked
before adding nested nodes (defensive check for consistency)
3. Remove unused filterUnprotectedEdges function
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract duplicated block protection logic from workflow.tsx into
a reusable filterProtectedBlocks helper in utils/block-protection-utils.ts.
This ensures consistent behavior between context menu delete and
keyboard delete operations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Paste creates new blocks, doesn't modify selected ones. Changed from
disableEdit (includes lock state) to !userCanEdit (permission only),
matching the Duplicate action behavior.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added documentation for the lock/unlock block feature (admin only).
Note: Image placeholder added, pending actual screenshot.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Block Menu, Editor, Action Bar now all have identical behavior:
- Enable/Disable: disabled when locked OR parent locked
- Flip Handles: disabled when locked OR parent locked
- Delete: disabled when locked OR parent locked
- Remove from Subflow: disabled when locked OR parent locked
- Lock: always available for admins
- Unlock: disabled when parent is locked (unlock parent first)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Editor: can't unlock block if parent container is locked
- Action bar: can't unlock block if parent container is locked
- Shows "Parent container is locked" tooltip in both cases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix toggle enabled using first toggleable block, not first block
- Delete button now checks isParentLocked
- Lock button now has disabled state
- Editor lock icon distinguishes block vs parent lock state
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Server-side workflow duplication now sets locked: false for all blocks
- regenerateWorkflowStateIds also unlocks blocks for templates
- Client-side regenerateBlockIds already handled this (for paste/import)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When duplicating a block that's inside a locked loop/parallel,
the duplicate is now placed outside the container since nothing
should be added to a locked container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Resolved conflicts:
- Removed addBlock from store (now using batchAddBlocks)
- Updated lock tests to use test helper addBlock function
- Kept both staging's optimization tests and lock feature tests
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(workflow): optimize loop/parallel regeneration and prevent duplicate agent tools
* refactor(workflow): remove addBlock in favor of batchAddBlocks
- Migrated undo-redo to use batchAddBlocks instead of addBlock loop
- Removed addBlock method from workflow store (now unused)
- Updated tests to use helper function wrapping batchAddBlocks
- This fixes the cursor bot comments about inconsistent parent checking
* fix(executor): use performance.now() for precise block timing
Replace Date.now() with performance.now() for timing measurements in
the executor to provide sub-millisecond precision. This fixes timing
discrepancies with fast-executing blocks like the start block where
millisecond precision was insufficient.
Changes:
- block-executor.ts: Use performance.now() for block execution timing
- engine.ts: Use performance.now() for overall execution timing
Co-authored-by: emir <emir@simstudio.ai>
* format ms as whole nums,round secs to 2 decimal places and compute all started/ended times on server and passback to clinet
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: waleed <walif6@gmail.com>
* improvement(docker): add internal api secret to docker compose
* remove dead code
* remove more dead code
* add api encryption key to this too
* update
* feat(tools): added calcom
* added more triggers, tested
* updated regex in script for release to be more lenient
* fix(tag-dropdown): performance improvements and scroll bug fixes
- Add flatTagIndexMap for O(1) tag lookups (replaces O(n²) findIndex calls)
- Memoize caret position calculation to avoid DOM manipulation on every render
- Use refs for inputValue/cursorPosition to keep handleTagSelect callback stable
- Change itemRefs from index-based to tag-based keys to prevent stale refs
- Fix scroll jump in nested folders by removing scroll reset from registerFolder
- Add onFolderEnter callback for scroll reset when entering folder via keyboard
- Disable keyboard navigation wrap-around at boundaries
- Simplify selection reset to single effect on flatTagList.length change
Also:
- Add safeCompare utility for timing-safe string comparison
- Refactor webhook signature validation to use safeCompare
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* updated types
* fix(calcom): simplify required field constraints for booking attendee
The condition field already restricts these to calcom_create_booking,
so simplified to required: true. Per Cal.com API docs, email is optional
while name and timeZone are required.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* added tests
* updated folder multi select, updated calcom and github tools and docs generator script
* updated drag, updated outputs for tools, regen docs with nested docs script
* updated setup instructions links, destructure trigger outputs, fix text subblock styling
* updated docs gen script
* updated docs script
* updated docs script
* updated script
* remove destructuring of stripe webhook
* expanded wand textarea, updated calcom tools
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
