fix(logs): format duration in log details panel

* improvement(billing): improve against direct subscription creation bypasses

* more usage of block/unblock helpers

* address bugbot comments

* fail closed

* only run dup check for orgs

apps/sim/app/(auth)/sso/page.tsx

@@ -1,6 +1,6 @@
 import { redirect } from 'next/navigation'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
-import SSOForm from '@/app/(auth)/sso/sso-form'
+import SSOForm from '@/ee/sso/components/sso-form'
 
 export const dynamic = 'force-dynamic'
 

apps/sim/app/api/cron/cleanup-stale-executions/route.ts

@@ -8,6 +8,7 @@ import { verifyCronAuth } from '@/lib/auth/internal'
 const logger = createLogger('CleanupStaleExecutions')
 
 const STALE_THRESHOLD_MINUTES = 30
+const MAX_INT32 = 2_147_483_647
 
 export async function GET(request: NextRequest) {
   try {
@@ -45,13 +46,14 @@ export async function GET(request: NextRequest) {
       try {
         const staleDurationMs = Date.now() - new Date(execution.startedAt).getTime()
         const staleDurationMinutes = Math.round(staleDurationMs / 60000)
+        const totalDurationMs = Math.min(staleDurationMs, MAX_INT32)
 
         await db
           .update(workflowExecutionLogs)
           .set({
             status: 'failed',
             endedAt: new Date(),
-            totalDurationMs: staleDurationMs,
+            totalDurationMs,
             executionData: sql`jsonb_set(
               COALESCE(execution_data, '{}'::jsonb),
               ARRAY['error'],

apps/sim/app/api/mcp/serve/[serverId]/route.ts

@@ -284,7 +284,7 @@ async function handleToolsCall(
       content: [
         { type: 'text', text: JSON.stringify(executeResult.output || executeResult, null, 2) },
       ],
-      isError: !executeResult.success,
+      isError: executeResult.success === false,
     }
 
     return NextResponse.json(createResponse(id, result))

apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts

@@ -20,6 +20,7 @@ import { z } from 'zod'
 import { getEmailSubject, renderInvitationEmail } from '@/components/emails'
 import { getSession } from '@/lib/auth'
 import { hasAccessControlAccess } from '@/lib/billing'
+import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { sendEmail } from '@/lib/messaging/email/mailer'
@@ -501,6 +502,18 @@ export async function PUT(
       }
     }
 
+    if (status === 'accepted') {
+      try {
+        await syncUsageLimitsFromSubscription(session.user.id)
+      } catch (syncError) {
+        logger.error('Failed to sync usage limits after joining org', {
+          userId: session.user.id,
+          organizationId,
+          error: syncError,
+        })
+      }
+    }
+
     logger.info(`Organization invitation ${status}`, {
       organizationId,
       invitationId,

apps/sim/app/api/organizations/[id]/invitations/route.ts

@@ -29,7 +29,7 @@ import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 import {
   InvitationsNotAllowedError,
   validateInvitationsAllowed,
-} from '@/executor/utils/permission-check'
+} from '@/ee/access-control/utils/permission-check'
 
 const logger = createLogger('OrganizationInvitations')
 

apps/sim/app/api/users/me/subscription/[id]/transfer/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { hasActiveSubscription } from '@/lib/billing'
 
 const logger = createLogger('SubscriptionTransferAPI')
 
@@ -88,6 +89,14 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    // Check if org already has an active subscription (prevent duplicates)
+    if (await hasActiveSubscription(organizationId)) {
+      return NextResponse.json(
+        { error: 'Organization already has an active subscription' },
+        { status: 409 }
+      )
+    }
+
     await db
       .update(subscription)
       .set({ referenceId: organizationId })

apps/sim/app/api/v1/admin/users/[id]/billing/route.ts

@@ -203,6 +203,10 @@ export const PATCH = withAdminAuthParams<RouteParams>(async (request, context) =
       }
 
       updateData.billingBlocked = body.billingBlocked
+      // Clear the reason when unblocking
+      if (body.billingBlocked === false) {
+        updateData.billingBlockedReason = null
+      }
       updated.push('billingBlocked')
     }
 

apps/sim/app/api/workflows/[id]/execute-from-block/route.ts

@@ -1,6 +1,4 @@
-import { db, workflow as workflowTable } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
@@ -8,6 +6,7 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
+import { preprocessExecution } from '@/lib/execution/preprocessing'
 import { LoggingSession } from '@/lib/logs/execution/logging-session'
 import { executeWorkflowCore } from '@/lib/workflows/executor/execution-core'
 import { createSSECallbacks } from '@/lib/workflows/executor/execution-events'
@@ -75,12 +74,31 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
     const { startBlockId, sourceSnapshot, input } = validation.data
     const executionId = uuidv4()
 
-    const [workflowRecord] = await db
+    // Run preprocessing checks (billing, rate limits, usage limits)
-      .select({ workspaceId: workflowTable.workspaceId, userId: workflowTable.userId })
+    const preprocessResult = await preprocessExecution({
-      .from(workflowTable)
+      workflowId,
-      .where(eq(workflowTable.id, workflowId))
+      userId,
-      .limit(1)
+      triggerType: 'manual',
+      executionId,
+      requestId,
+      checkRateLimit: false, // Manual executions don't rate limit
+      checkDeployment: false, // Run-from-block doesn't require deployment
+    })
 
+    if (!preprocessResult.success) {
+      const { error } = preprocessResult
+      logger.warn(`[${requestId}] Preprocessing failed for run-from-block`, {
+        workflowId,
+        error: error?.message,
+        statusCode: error?.statusCode,
+      })
+      return NextResponse.json(
+        { error: error?.message || 'Execution blocked' },
+        { status: error?.statusCode || 500 }
+      )
+    }
+
+    const workflowRecord = preprocessResult.workflowRecord
     if (!workflowRecord?.workspaceId) {
       return NextResponse.json({ error: 'Workflow not found or has no workspace' }, { status: 404 })
     }
@@ -92,6 +110,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       workflowId,
       startBlockId,
       executedBlocksCount: sourceSnapshot.executedBlocks.length,
+      billingActorUserId: preprocessResult.actorUserId,
     })
 
     const loggingSession = new LoggingSession(workflowId, executionId, 'manual', requestId)

apps/sim/app/api/workspaces/invitations/route.test.ts

@@ -102,7 +102,7 @@ describe('Workspace Invitations API Route', () => {
       inArray: vi.fn().mockImplementation((field, values) => ({ type: 'inArray', field, values })),
     }))
 
-    vi.doMock('@/executor/utils/permission-check', () => ({
+    vi.doMock('@/ee/access-control/utils/permission-check', () => ({
       validateInvitationsAllowed: vi.fn().mockResolvedValue(undefined),
       InvitationsNotAllowedError: class InvitationsNotAllowedError extends Error {
         constructor() {

apps/sim/app/api/workspaces/invitations/route.ts

@@ -21,7 +21,7 @@ import { getFromEmailAddress } from '@/lib/messaging/email/utils'
 import {
   InvitationsNotAllowedError,
   validateInvitationsAllowed,
-} from '@/executor/utils/permission-check'
+} from '@/ee/access-control/utils/permission-check'
 
 export const dynamic = 'force-dynamic'
 
@@ -38,7 +38,6 @@ export async function GET(req: NextRequest) {
   }
 
   try {
-    // Get all workspaces where the user has permissions
     const userWorkspaces = await db
       .select({ id: workspace.id })
       .from(workspace)
@@ -55,10 +54,8 @@ export async function GET(req: NextRequest) {
       return NextResponse.json({ invitations: [] })
     }
 
-    // Get all workspaceIds where the user is a member
     const workspaceIds = userWorkspaces.map((w) => w.id)
 
-    // Find all invitations for those workspaces
     const invitations = await db
       .select()
       .from(workspaceInvitation)

apps/sim/app/chat/[identifier]/chat.tsx

@@ -14,11 +14,11 @@ import {
   ChatMessageContainer,
   EmailAuth,
   PasswordAuth,
-  SSOAuth,
   VoiceInterface,
 } from '@/app/chat/components'
 import { CHAT_ERROR_MESSAGES, CHAT_REQUEST_TIMEOUT_MS } from '@/app/chat/constants'
 import { useAudioStreaming, useChatStreaming } from '@/app/chat/hooks'
+import SSOAuth from '@/ee/sso/components/sso-auth'
 
 const logger = createLogger('ChatClient')
 

apps/sim/app/chat/components/index.ts

@@ -1,6 +1,5 @@
 export { default as EmailAuth } from './auth/email/email-auth'
 export { default as PasswordAuth } from './auth/password/password-auth'
-export { default as SSOAuth } from './auth/sso/sso-auth'
 export { ChatErrorState } from './error-state/error-state'
 export { ChatHeader } from './header/header'
 export { ChatInput } from './input/input'

apps/sim/app/workspace/[workspaceId]/knowledge/page.tsx

@@ -1,7 +1,7 @@
 import { redirect } from 'next/navigation'
 import { getSession } from '@/lib/auth'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { Knowledge } from './knowledge'
 
 interface KnowledgePageProps {
@@ -23,7 +23,6 @@ export default async function KnowledgePage({ params }: KnowledgePageProps) {
     redirect('/')
   }
 
-  // Check permission group restrictions
   const permissionConfig = await getUserPermissionConfig(session.user.id)
   if (permissionConfig?.hideKnowledgeBaseTab) {
     redirect(`/workspace/${workspaceId}`)

apps/sim/app/workspace/[workspaceId]/logs/components/log-details/log-details.tsx

@@ -18,6 +18,7 @@ import {
 import { ScrollArea } from '@/components/ui/scroll-area'
 import { BASE_EXECUTION_CHARGE } from '@/lib/billing/constants'
 import { cn } from '@/lib/core/utils/cn'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { filterHiddenOutputKeys } from '@/lib/logs/execution/trace-spans/trace-spans'
 import {
   ExecutionSnapshot,
@@ -453,7 +454,7 @@ export const LogDetails = memo(function LogDetails({
                       Duration
                     </span>
                     <span className='font-medium text-[13px] text-[var(--text-secondary)]'>
-                      {log.duration || '—'}
+                      {formatDuration(log.duration, { precision: 2 }) || '—'}
                     </span>
                   </div>
 

apps/sim/app/workspace/[workspaceId]/logs/components/logs-list/logs-list.tsx

@@ -6,11 +6,11 @@ import Link from 'next/link'
 import { List, type RowComponentProps, useListRef } from 'react-window'
 import { Badge, buttonVariants } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import {
   DELETED_WORKFLOW_COLOR,
   DELETED_WORKFLOW_LABEL,
   formatDate,
-  formatDuration,
   getDisplayStatus,
   LOG_COLUMNS,
   StatusBadge,
@@ -113,7 +113,7 @@ const LogRow = memo(
 
           <div className={`${LOG_COLUMNS.duration.width} ${LOG_COLUMNS.duration.minWidth}`}>
             <Badge variant='default' className='rounded-[6px] px-[9px] py-[2px] text-[12px]'>
-              {formatDuration(log.duration) || '—'}
+              {formatDuration(log.duration, { precision: 2 }) || '—'}
             </Badge>
           </div>
         </div>

apps/sim/app/workspace/[workspaceId]/logs/utils.ts

@@ -1,6 +1,7 @@
 import React from 'react'
 import { format } from 'date-fns'
 import { Badge } from '@/components/emcn'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { getIntegrationMetadata } from '@/lib/logs/get-trigger-options'
 import { getBlock } from '@/blocks/registry'
 import { CORE_TRIGGER_TYPES } from '@/stores/logs/filters/types'
@@ -362,47 +363,14 @@ export function mapToExecutionLogAlt(log: RawLogResponse): ExecutionLog {
   }
 }
 
-/**
- * Format duration for display in logs UI
- * If duration is under 1 second, displays as milliseconds (e.g., "500ms")
- * If duration is 1 second or more, displays as seconds (e.g., "1.23s")
- * @param duration - Duration string (e.g., "500ms") or null
- * @returns Formatted duration string or null
- */
-export function formatDuration(duration: string | null): string | null {
-  if (!duration) return null
-
-  // Extract numeric value from duration string (e.g., "500ms" -> 500)
-  const ms = Number.parseInt(duration.replace(/[^0-9]/g, ''), 10)
-
-  if (!Number.isFinite(ms)) return duration
-
-  if (ms < 1000) {
-    return `${ms}ms`
-  }
-
-  // Convert to seconds with up to 2 decimal places
-  const seconds = ms / 1000
-  return `${seconds.toFixed(2).replace(/\.?0+$/, '')}s`
-}
-
 /**
  * Format latency value for display in dashboard UI
- * If latency is under 1 second, displays as milliseconds (e.g., "500ms")
- * If latency is 1 second or more, displays as seconds (e.g., "1.23s")
  * @param ms - Latency in milliseconds (number)
  * @returns Formatted latency string
  */
 export function formatLatency(ms: number): string {
   if (!Number.isFinite(ms) || ms <= 0) return '—'
-
+  return formatDuration(ms, { precision: 2 }) ?? '—'
-  if (ms < 1000) {
-    return `${Math.round(ms)}ms`
-  }
-
-  // Convert to seconds with up to 2 decimal places
-  const seconds = ms / 1000
-  return `${seconds.toFixed(2).replace(/\.?0+$/, '')}s`
 }
 
 export const formatDate = (dateString: string) => {

apps/sim/app/workspace/[workspaceId]/templates/page.tsx

@@ -6,7 +6,7 @@ import { getSession } from '@/lib/auth'
 import { verifyWorkspaceMembership } from '@/app/api/workflows/utils'
 import type { Template as WorkspaceTemplate } from '@/app/workspace/[workspaceId]/templates/templates'
 import Templates from '@/app/workspace/[workspaceId]/templates/templates'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 
 interface TemplatesPageProps {
   params: Promise<{

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/thinking-block/thinking-block.tsx

@@ -3,6 +3,7 @@
 import { memo, useEffect, useMemo, useRef, useState } from 'react'
 import clsx from 'clsx'
 import { ChevronUp } from 'lucide-react'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { CopilotMarkdownRenderer } from '../markdown-renderer'
 
 /** Removes thinking tags (raw or escaped) and special tags from streamed content */
@@ -241,15 +242,11 @@ export function ThinkingBlock({
     return () => window.clearInterval(intervalId)
   }, [isStreaming, isExpanded, userHasScrolledAway])
 
-  /** Formats duration in milliseconds to seconds (minimum 1s) */
-  const formatDuration = (ms: number) => {
-    const seconds = Math.max(1, Math.round(ms / 1000))
-    return `${seconds}s`
-  }
-
   const hasContent = cleanContent.length > 0
   const isThinkingDone = !isStreaming || hasFollowingContent || hasSpecialTags
-  const durationText = `${label} for ${formatDuration(duration)}`
+  // Round to nearest second (minimum 1s) to match original behavior
+  const roundedMs = Math.max(1000, Math.round(duration / 1000) * 1000)
+  const durationText = `${label} for ${formatDuration(roundedMs)}`
 
   const getStreamingLabel = (lbl: string) => {
     if (lbl === 'Thought') return 'Thinking'

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/tool-call/tool-call.tsx

@@ -15,6 +15,7 @@ import {
   hasInterrupt as hasInterruptFromConfig,
   isSpecialTool as isSpecialToolFromConfig,
 } from '@/lib/copilot/tools/client/ui-config'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { CopilotMarkdownRenderer } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/markdown-renderer'
 import { SmoothStreamingText } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/smooth-streaming'
 import { ThinkingBlock } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/copilot/components/copilot-message/components/thinking-block'
@@ -848,13 +849,10 @@ const SubagentContentRenderer = memo(function SubagentContentRenderer({
     (allParsed.options && Object.keys(allParsed.options).length > 0)
   )
 
-  const formatDuration = (ms: number) => {
-    const seconds = Math.max(1, Math.round(ms / 1000))
-    return `${seconds}s`
-  }
-
   const outerLabel = getSubagentCompletionLabel(toolCall.name)
-  const durationText = `${outerLabel} for ${formatDuration(duration)}`
+  // Round to nearest second (minimum 1s) to match original behavior
+  const roundedMs = Math.max(1000, Math.round(duration / 1000) * 1000)
+  const durationText = `${outerLabel} for ${formatDuration(roundedMs)}`
 
   const renderCollapsibleContent = () => (
     <>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx

@@ -50,6 +50,12 @@ import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 /** Stable empty object to avoid creating new references */
 const EMPTY_SUBBLOCK_VALUES = {} as Record<string, any>
 
+/** Shared style for dashed divider lines */
+const DASHED_DIVIDER_STYLE = {
+  backgroundImage:
+    'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
+} as const
+
 /**
  * Icon component for rendering block icons.
  *
@@ -89,31 +95,23 @@ export function Editor() {
   const blockConfig = currentBlock ? getBlock(currentBlock.type) : null
   const title = currentBlock?.name || 'Editor'
 
-  // Check if selected block is a subflow (loop or parallel)
   const isSubflow =
     currentBlock && (currentBlock.type === 'loop' || currentBlock.type === 'parallel')
 
-  // Get subflow display properties from configs
   const subflowConfig = isSubflow ? (currentBlock.type === 'loop' ? LoopTool : ParallelTool) : null
 
-  // Check if selected block is a workflow block
   const isWorkflowBlock =
     currentBlock && (currentBlock.type === 'workflow' || currentBlock.type === 'workflow_input')
 
-  // Get workspace ID from params
   const params = useParams()
   const workspaceId = params.workspaceId as string
 
-  // Refs for resize functionality
   const subBlocksRef = useRef<HTMLDivElement>(null)
 
-  // Get user permissions
   const userPermissions = useUserPermissionsContext()
 
-  // Get active workflow ID
   const activeWorkflowId = useWorkflowRegistry((state) => state.activeWorkflowId)
 
-  // Get block properties (advanced/trigger modes)
   const { advancedMode, triggerMode } = useEditorBlockProperties(
     currentBlockId,
     currentWorkflow.isSnapshotView
@@ -145,10 +143,9 @@ export function Editor() {
     [subBlocksForCanonical]
   )
   const canonicalModeOverrides = currentBlock?.data?.canonicalModes
-  const advancedValuesPresent = hasAdvancedValues(
+  const advancedValuesPresent = useMemo(
-    subBlocksForCanonical,
+    () => hasAdvancedValues(subBlocksForCanonical, blockSubBlockValues, canonicalIndex),
-    blockSubBlockValues,
+    [subBlocksForCanonical, blockSubBlockValues, canonicalIndex]
-    canonicalIndex
   )
   const displayAdvancedOptions = userPermissions.canEdit
     ? advancedMode
@@ -156,11 +153,9 @@ export function Editor() {
 
   const hasAdvancedOnlyFields = useMemo(() => {
     for (const subBlock of subBlocksForCanonical) {
-      // Must be standalone advanced (mode: 'advanced' without canonicalParamId)
       if (subBlock.mode !== 'advanced') continue
       if (canonicalIndex.canonicalIdBySubBlockId[subBlock.id]) continue
 
-      // Check condition - skip if condition not met for current values
       if (
         subBlock.condition &&
         !evaluateSubBlockCondition(subBlock.condition, blockSubBlockValues)
@@ -173,7 +168,6 @@ export function Editor() {
     return false
   }, [subBlocksForCanonical, canonicalIndex.canonicalIdBySubBlockId, blockSubBlockValues])
 
-  // Get subblock layout using custom hook
   const { subBlocks, stateToUse: subBlockState } = useEditorSubblockLayout(
     blockConfig || ({} as any),
     currentBlockId || '',
@@ -206,31 +200,34 @@ export function Editor() {
     return { regularSubBlocks: regular, advancedOnlySubBlocks: advancedOnly }
   }, [subBlocks, canonicalIndex.canonicalIdBySubBlockId])
 
-  // Get block connections
   const { incomingConnections, hasIncomingConnections } = useBlockConnections(currentBlockId || '')
 
-  // Connections resize hook
   const { handleMouseDown: handleConnectionsResizeMouseDown, isResizing } = useConnectionsResize({
     subBlocksRef,
   })
 
-  // Collaborative actions
   const {
     collaborativeSetBlockCanonicalMode,
     collaborativeUpdateBlockName,
     collaborativeToggleBlockAdvancedMode,
   } = useCollaborativeWorkflow()
 
-  // Advanced mode toggle handler
   const handleToggleAdvancedMode = useCallback(() => {
     if (!currentBlockId || !userPermissions.canEdit) return
     collaborativeToggleBlockAdvancedMode(currentBlockId)
   }, [currentBlockId, userPermissions.canEdit, collaborativeToggleBlockAdvancedMode])
 
-  // Rename state
   const [isRenaming, setIsRenaming] = useState(false)
   const [editedName, setEditedName] = useState('')
-  const nameInputRef = useRef<HTMLInputElement>(null)
+
+  /**
+   * Ref callback that auto-selects the input text when mounted.
+   */
+  const nameInputRefCallback = useCallback((element: HTMLInputElement | null) => {
+    if (element) {
+      element.select()
+    }
+  }, [])
 
   /**
    * Handles starting the rename process.
@@ -251,7 +248,6 @@ export function Editor() {
     if (trimmedName && trimmedName !== currentBlock?.name) {
       const result = collaborativeUpdateBlockName(currentBlockId, trimmedName)
       if (!result.success) {
-        // Keep rename mode open on error so user can correct the name
         return
       }
     }
@@ -266,14 +262,6 @@ export function Editor() {
     setEditedName('')
   }, [])
 
-  // Focus input when entering rename mode
-  useEffect(() => {
-    if (isRenaming && nameInputRef.current) {
-      nameInputRef.current.select()
-    }
-  }, [isRenaming])
-
-  // Trigger rename mode when signaled from context menu
   useEffect(() => {
     if (shouldFocusRename && currentBlock) {
       handleStartRename()
@@ -284,17 +272,13 @@ export function Editor() {
   /**
    * Handles opening documentation link in a new secure tab.
    */
-  const handleOpenDocs = () => {
+  const handleOpenDocs = useCallback(() => {
     const docsLink = isSubflow ? subflowConfig?.docsLink : blockConfig?.docsLink
-    if (docsLink) {
+    window.open(docsLink || 'https://docs.sim.ai/quick-reference', '_blank', 'noopener,noreferrer')
-      window.open(docsLink, '_blank', 'noopener,noreferrer')
+  }, [isSubflow, subflowConfig?.docsLink, blockConfig?.docsLink])
-    }
-  }
 
-  // Get child workflow ID for workflow blocks
   const childWorkflowId = isWorkflowBlock ? blockSubBlockValues?.workflowId : null
 
-  // Fetch child workflow state for preview (only for workflow blocks with a selected workflow)
   const { data: childWorkflowState, isLoading: isLoadingChildWorkflow } =
     useWorkflowState(childWorkflowId)
 
@@ -307,7 +291,6 @@ export function Editor() {
     }
   }, [childWorkflowId, workspaceId])
 
-  // Determine if connections are at minimum height (collapsed state)
   const isConnectionsAtMinHeight = connectionsHeight <= 35
 
   return (
@@ -328,7 +311,7 @@ export function Editor() {
           )}
           {isRenaming ? (
             <input
-              ref={nameInputRef}
+              ref={nameInputRefCallback}
               type='text'
               value={editedName}
               onChange={(e) => setEditedName(e.target.value)}
@@ -399,23 +382,21 @@ export function Editor() {
               </Tooltip.Content>
             </Tooltip.Root>
           )} */}
-          {currentBlock && (isSubflow ? subflowConfig?.docsLink : blockConfig?.docsLink) && (
+          <Tooltip.Root>
-            <Tooltip.Root>
+            <Tooltip.Trigger asChild>
-              <Tooltip.Trigger asChild>
+              <Button
-                <Button
+                variant='ghost'
-                  variant='ghost'
+                className='p-0'
-                  className='p-0'
+                onClick={handleOpenDocs}
-                  onClick={handleOpenDocs}
+                aria-label='Open documentation'
-                  aria-label='Open documentation'
+              >
-                >
+                <BookOpen className='h-[14px] w-[14px]' />
-                  <BookOpen className='h-[14px] w-[14px]' />
+              </Button>
-                </Button>
+            </Tooltip.Trigger>
-              </Tooltip.Trigger>
+            <Tooltip.Content side='top'>
-              <Tooltip.Content side='top'>
+              <p>Open docs</p>
-                <p>Open docs</p>
+            </Tooltip.Content>
-              </Tooltip.Content>
+          </Tooltip.Root>
-            </Tooltip.Root>
-          )}
         </div>
       </div>
 
@@ -495,13 +476,7 @@ export function Editor() {
                     </div>
                   </div>
                   <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                    <div
+                    <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                      className='h-[1.25px]'
-                      style={{
-                        backgroundImage:
-                          'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                      }}
-                    />
                   </div>
                 </>
               )}
@@ -566,13 +541,7 @@ export function Editor() {
                         />
                         {showDivider && (
                           <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                            <div
+                            <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                              className='h-[1.25px]'
-                              style={{
-                                backgroundImage:
-                                  'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                              }}
-                            />
                           </div>
                         )}
                       </div>
@@ -581,13 +550,7 @@ export function Editor() {
 
                   {hasAdvancedOnlyFields && userPermissions.canEdit && (
                     <div className='flex items-center gap-[10px] px-[2px] pt-[14px] pb-[12px]'>
-                      <div
+                      <div className='h-[1.25px] flex-1' style={DASHED_DIVIDER_STYLE} />
-                        className='h-[1.25px] flex-1'
-                        style={{
-                          backgroundImage:
-                            'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                        }}
-                      />
                       <button
                         type='button'
                         onClick={handleToggleAdvancedMode}
@@ -600,13 +563,7 @@ export function Editor() {
                           className={`h-[14px] w-[14px] transition-transform duration-200 ${displayAdvancedOptions ? 'rotate-180' : ''}`}
                         />
                       </button>
-                      <div
+                      <div className='h-[1.25px] flex-1' style={DASHED_DIVIDER_STYLE} />
-                        className='h-[1.25px] flex-1'
-                        style={{
-                          backgroundImage:
-                            'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                        }}
-                      />
                     </div>
                   )}
 
@@ -630,13 +587,7 @@ export function Editor() {
                         />
                         {index < advancedOnlySubBlocks.length - 1 && (
                           <div className='subblock-divider px-[2px] pt-[16px] pb-[13px]'>
-                            <div
+                            <div className='h-[1.25px]' style={DASHED_DIVIDER_STYLE} />
-                              className='h-[1.25px]'
-                              style={{
-                                backgroundImage:
-                                  'repeating-linear-gradient(to right, var(--border) 0px, var(--border) 6px, transparent 6px, transparent 12px)',
-                              }}
-                            />
                           </div>
                         )}
                       </div>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/terminal.tsx

@@ -24,6 +24,7 @@ import {
   Tooltip,
 } from '@/components/emcn'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { useRegisterGlobalCommands } from '@/app/workspace/[workspaceId]/providers/global-commands-provider'
 import { createCommands } from '@/app/workspace/[workspaceId]/utils/commands-utils'
 import {
@@ -43,7 +44,6 @@ import {
   type EntryNode,
   type ExecutionGroup,
   flattenBlockEntriesOnly,
-  formatDuration,
   getBlockColor,
   getBlockIcon,
   groupEntriesByExecution,
@@ -128,7 +128,7 @@ const BlockRow = memo(function BlockRow({
         <StatusDisplay
           isRunning={isRunning}
           isCanceled={isCanceled}
-          formattedDuration={formatDuration(entry.durationMs)}
+          formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
         />
       </span>
     </div>
@@ -201,7 +201,7 @@ const IterationNodeRow = memo(function IterationNodeRow({
           <StatusDisplay
             isRunning={hasRunningChild}
             isCanceled={hasCanceledChild}
-            formattedDuration={formatDuration(entry.durationMs)}
+            formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
           />
         </span>
       </div>
@@ -314,7 +314,7 @@ const SubflowNodeRow = memo(function SubflowNodeRow({
           <StatusDisplay
             isRunning={hasRunningDescendant}
             isCanceled={hasCanceledDescendant}
-            formattedDuration={formatDuration(entry.durationMs)}
+            formattedDuration={formatDuration(entry.durationMs, { precision: 2 }) ?? '-'}
           />
         </span>
       </div>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/terminal/utils.ts

@@ -53,17 +53,6 @@ export function getBlockColor(blockType: string): string {
   return '#6b7280'
 }
 
-/**
- * Formats duration from milliseconds to readable format
- */
-export function formatDuration(ms?: number): string {
-  if (ms === undefined || ms === null) return '-'
-  if (ms < 1000) {
-    return `${Math.round(ms)}ms`
-  }
-  return `${(ms / 1000).toFixed(2)}s`
-}
-
 /**
  * Determines if a keyboard event originated from a text-editable element
  */

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/training-modal/training-modal.tsx

@@ -30,6 +30,7 @@ import {
   Textarea,
 } from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
 import { formatEditSequence } from '@/lib/workflows/training/compute-edit-sequence'
 import { useCurrentWorkflow } from '@/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-current-workflow'
@@ -575,7 +576,9 @@ export function TrainingModal() {
                                     <span className='text-[var(--text-muted)]'>Duration:</span>{' '}
                                     <span className='text-[var(--text-secondary)]'>
                                       {dataset.metadata?.duration
-                                        ? `${(dataset.metadata.duration / 1000).toFixed(1)}s`
+                                        ? formatDuration(dataset.metadata.duration, {
+                                            precision: 1,
+                                          })
                                         : 'N/A'}
                                     </span>
                                   </div>

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credential-sets/credential-sets.tsx

@@ -246,7 +246,6 @@ export function CredentialSets() {
       setNewSetDescription('')
       setNewSetProvider('google-email')
 
-      // Open detail view for the newly created group
       if (result?.credentialSet) {
         setViewingSet(result.credentialSet)
       }
@@ -336,7 +335,6 @@ export function CredentialSets() {
           email,
         })
 
-        // Start 60s cooldown
         setResendCooldowns((prev) => ({ ...prev, [invitationId]: 60 }))
         const interval = setInterval(() => {
           setResendCooldowns((prev) => {
@@ -393,7 +391,6 @@ export function CredentialSets() {
     return <GmailIcon className='h-4 w-4' />
   }
 
-  // All hooks must be called before any early returns
   const activeMemberships = useMemo(
     () => memberships.filter((m) => m.status === 'active'),
     [memberships]
@@ -447,7 +444,6 @@ export function CredentialSets() {
         <div className='flex h-full flex-col gap-[16px]'>
           <div className='min-h-0 flex-1 overflow-y-auto'>
             <div className='flex flex-col gap-[16px]'>
-              {/* Group Info */}
               <div className='flex items-center gap-[16px]'>
                 <div className='flex items-center gap-[8px]'>
                   <span className='font-medium text-[13px] text-[var(--text-primary)]'>
@@ -471,7 +467,6 @@ export function CredentialSets() {
                 </div>
               </div>
 
-              {/* Invite Section - Email Tags Input */}
               <div className='flex flex-col gap-[4px]'>
                 <div className='flex items-center gap-[8px]'>
                   <TagInput
@@ -495,7 +490,6 @@ export function CredentialSets() {
                 {emailError && <p className='text-[12px] text-[var(--text-error)]'>{emailError}</p>}
               </div>
 
-              {/* Members List - styled like team members */}
               <div className='flex flex-col gap-[16px]'>
                 <h4 className='font-medium text-[14px] text-[var(--text-primary)]'>Members</h4>
 
@@ -519,7 +513,6 @@ export function CredentialSets() {
                   </p>
                 ) : (
                   <div className='flex flex-col gap-[16px]'>
-                    {/* Active Members */}
                     {activeMembers.map((member) => {
                       const name = member.userName || 'Unknown'
                       const avatarInitial = name.charAt(0).toUpperCase()
@@ -572,7 +565,6 @@ export function CredentialSets() {
                       )
                     })}
 
-                    {/* Pending Invitations */}
                     {pendingInvitations.map((invitation) => {
                       const email = invitation.email || 'Unknown'
                       const emailPrefix = email.split('@')[0]
@@ -641,7 +633,6 @@ export function CredentialSets() {
             </div>
           </div>
 
-          {/* Footer Actions */}
           <div className='mt-auto flex items-center justify-end'>
             <Button onClick={handleBackToList} variant='tertiary'>
               Back
@@ -822,7 +813,6 @@ export function CredentialSets() {
         </div>
       </div>
 
-      {/* Create Polling Group Modal */}
       <Modal open={showCreateModal} onOpenChange={handleCloseCreateModal}>
         <ModalContent size='sm'>
           <ModalHeader>Create Polling Group</ModalHeader>
@@ -895,7 +885,6 @@ export function CredentialSets() {
         </ModalContent>
       </Modal>
 
-      {/* Leave Confirmation Modal */}
       <Modal open={!!leavingMembership} onOpenChange={() => setLeavingMembership(null)}>
         <ModalContent size='sm'>
           <ModalHeader>Leave Polling Group</ModalHeader>
@@ -923,7 +912,6 @@ export function CredentialSets() {
         </ModalContent>
       </Modal>
 
-      {/* Delete Confirmation Modal */}
       <Modal open={!!deletingSet} onOpenChange={() => setDeletingSet(null)}>
         <ModalContent size='sm'>
           <ModalHeader>Delete Polling Group</ModalHeader>

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts

@@ -1,4 +1,3 @@
-export { AccessControl } from './access-control/access-control'
 export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
@@ -10,7 +9,6 @@ export { Files as FileUploads } from './files/files'
 export { General } from './general/general'
 export { Integrations } from './integrations/integrations'
 export { MCP } from './mcp/mcp'
-export { SSO } from './sso/sso'
 export { Subscription } from './subscription/subscription'
 export { TeamManagement } from './team-management/team-management'
 export { WorkflowMcpServers } from './workflow-mcp-servers/workflow-mcp-servers'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx

@@ -407,14 +407,12 @@ export function MCP({ initialServerId }: MCPProps) {
   const [urlScrollLeft, setUrlScrollLeft] = useState(0)
   const [headerScrollLeft, setHeaderScrollLeft] = useState<Record<string, number>>({})
 
-  // Auto-select server when initialServerId is provided
   useEffect(() => {
     if (initialServerId && servers.some((s) => s.id === initialServerId)) {
       setSelectedServerId(initialServerId)
     }
   }, [initialServerId, servers])
 
-  // Force refresh tools when entering server detail view to detect stale schemas
   useEffect(() => {
     if (selectedServerId) {
       forceRefreshTools(workspaceId)
@@ -717,7 +715,6 @@ export function MCP({ initialServerId }: MCPProps) {
           `Refreshed MCP server: ${serverId}, workflows updated: ${result.workflowsUpdated}`
         )
 
-        // If the active workflow was updated, reload its subblock values from DB
         const activeWorkflowId = useWorkflowRegistry.getState().activeWorkflowId
         if (activeWorkflowId && result.updatedWorkflowIds?.includes(activeWorkflowId)) {
           logger.info(`Active workflow ${activeWorkflowId} was updated, reloading subblock values`)

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx

@@ -41,7 +41,6 @@ import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { isHosted } from '@/lib/core/config/feature-flags'
 import { getUserRole } from '@/lib/workspaces/organization'
 import {
-  AccessControl,
   ApiKeys,
   BYOK,
   Copilot,
@@ -53,15 +52,16 @@ import {
   General,
   Integrations,
   MCP,
-  SSO,
   Subscription,
   TeamManagement,
   WorkflowMcpServers,
 } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components'
 import { TemplateProfile } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/template-profile/template-profile'
+import { AccessControl } from '@/ee/access-control/components/access-control'
+import { SSO } from '@/ee/sso/components/sso-settings'
+import { ssoKeys, useSSOProviders } from '@/ee/sso/hooks/sso'
 import { generalSettingsKeys, useGeneralSettings } from '@/hooks/queries/general-settings'
 import { organizationKeys, useOrganizations } from '@/hooks/queries/organization'
-import { ssoKeys, useSSOProviders } from '@/hooks/queries/sso'
 import { subscriptionKeys, useSubscriptionData } from '@/hooks/queries/subscription'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useSettingsModalStore } from '@/stores/modals/settings/store'

apps/sim/background/workspace-notification-delivery.ts

@@ -19,6 +19,7 @@ import { checkUsageStatus } from '@/lib/billing/calculations/usage-monitor'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { RateLimiter } from '@/lib/core/rate-limiter'
 import { decryptSecret } from '@/lib/core/security/encryption'
+import { formatDuration } from '@/lib/core/utils/formatting'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import type { TraceSpan, WorkflowExecutionLog } from '@/lib/logs/types'
 import { sendEmail } from '@/lib/messaging/email/mailer'
@@ -227,12 +228,6 @@ async function deliverWebhook(
   }
 }
 
-function formatDuration(ms: number): string {
-  if (ms < 1000) return `${ms}ms`
-  if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`
-  return `${(ms / 60000).toFixed(1)}m`
-}
-
 function formatCost(cost?: Record<string, unknown>): string {
   if (!cost?.total) return 'N/A'
   const total = cost.total as number
@@ -302,7 +297,7 @@ async function deliverEmail(
     workflowName: payload.data.workflowName || 'Unknown Workflow',
     status: payload.data.status,
     trigger: payload.data.trigger,
-    duration: formatDuration(payload.data.totalDurationMs),
+    duration: formatDuration(payload.data.totalDurationMs, { precision: 1 }) ?? '-',
     cost: formatCost(payload.data.cost),
     logUrl,
     alertReason,
@@ -315,7 +310,7 @@ async function deliverEmail(
     to: subscription.emailRecipients,
     subject,
     html,
-    text: `${subject}\n${alertReason ? `\nReason: ${alertReason}\n` : ''}\nWorkflow: ${payload.data.workflowName}\nStatus: ${statusText}\nTrigger: ${payload.data.trigger}\nDuration: ${formatDuration(payload.data.totalDurationMs)}\nCost: ${formatCost(payload.data.cost)}\n\nView Log: ${logUrl}${includedDataText}`,
+    text: `${subject}\n${alertReason ? `\nReason: ${alertReason}\n` : ''}\nWorkflow: ${payload.data.workflowName}\nStatus: ${statusText}\nTrigger: ${payload.data.trigger}\nDuration: ${formatDuration(payload.data.totalDurationMs, { precision: 1 }) ?? '-'}\nCost: ${formatCost(payload.data.cost)}\n\nView Log: ${logUrl}${includedDataText}`,
     emailType: 'notifications',
   })
 
@@ -373,7 +368,10 @@ async function deliverSlack(
       fields: [
         { type: 'mrkdwn', text: `*Status:*\n${payload.data.status}` },
         { type: 'mrkdwn', text: `*Trigger:*\n${payload.data.trigger}` },
-        { type: 'mrkdwn', text: `*Duration:*\n${formatDuration(payload.data.totalDurationMs)}` },
+        {
+          type: 'mrkdwn',
+          text: `*Duration:*\n${formatDuration(payload.data.totalDurationMs, { precision: 1 }) ?? '-'}`,
+        },
         { type: 'mrkdwn', text: `*Cost:*\n${formatCost(payload.data.cost)}` },
       ],
     },

apps/sim/components/ui/tool-call.tsx

@@ -7,6 +7,7 @@ import { Button } from '@/components/ui/button'
 import { Collapsible, CollapsibleContent, CollapsibleTrigger } from '@/components/ui/collapsible'
 import type { ToolCallGroup, ToolCallState } from '@/lib/copilot/types'
 import { cn } from '@/lib/core/utils/cn'
+import { formatDuration } from '@/lib/core/utils/formatting'
 
 interface ToolCallProps {
   toolCall: ToolCallState
@@ -225,11 +226,6 @@ export function ToolCallCompletion({ toolCall, isCompact = false }: ToolCallProp
   const isError = toolCall.state === 'error'
   const isAborted = toolCall.state === 'aborted'
 
-  const formatDuration = (duration?: number) => {
-    if (!duration) return ''
-    return duration < 1000 ? `${duration}ms` : `${(duration / 1000).toFixed(1)}s`
-  }
-
   return (
     <div
       className={cn(
@@ -279,7 +275,7 @@ export function ToolCallCompletion({ toolCall, isCompact = false }: ToolCallProp
                   )}
                   style={{ fontSize: '0.625rem' }}
                 >
-                  {formatDuration(toolCall.duration)}
+                  {toolCall.duration ? formatDuration(toolCall.duration, { precision: 1 }) : ''}
                 </Badge>
               )}
             </div>

apps/sim/ee/LICENSE

@@ -0,0 +1,43 @@
+Sim Enterprise License
+
+Copyright (c) 2025-present Sim Studio, Inc.
+
+This software and associated documentation files (the "Software") are licensed
+under the following terms:
+
+1. LICENSE GRANT
+
+   Subject to the terms of this license, Sim Studio, Inc. grants you a limited,
+   non-exclusive, non-transferable license to use the Software for:
+
+   - Development, testing, and evaluation purposes
+   - Internal non-production use
+
+   Production use of the Software requires a valid Sim Enterprise subscription.
+
+2. RESTRICTIONS
+
+   You may not:
+
+   - Use the Software in production without a valid Enterprise subscription
+   - Modify, adapt, or create derivative works of the Software
+   - Redistribute, sublicense, or transfer the Software
+   - Remove or alter any proprietary notices in the Software
+
+3. ENTERPRISE SUBSCRIPTION
+
+   Production deployment of enterprise features requires an active Sim Enterprise
+   subscription. Contact sales@simstudio.ai for licensing information.
+
+4. DISCLAIMER
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+5. LIMITATION OF LIABILITY
+
+   IN NO EVENT SHALL SIM STUDIO, INC. BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY ARISING FROM THE USE OF THE SOFTWARE.
+
+For questions about enterprise licensing, contact: sales@simstudio.ai

apps/sim/ee/README.md

@@ -0,0 +1,21 @@
+# Sim Enterprise Edition
+
+This directory contains enterprise features that require a Sim Enterprise subscription
+for production use.
+
+## Features
+
+- **SSO (Single Sign-On)**: OIDC and SAML authentication integration
+- **Access Control**: Permission groups for fine-grained user access management
+- **Credential Sets**: Shared credential pools for email polling workflows
+
+## Licensing
+
+See [LICENSE](./LICENSE) for terms. Development and testing use is permitted.
+Production deployment requires an active Enterprise subscription.
+
+## Architecture
+
+Enterprise features are imported directly throughout the codebase. The `ee/` directory
+is required at build time. Feature visibility is controlled at runtime via environment
+variables (e.g., `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED`).

apps/sim/ee/access-control/components/access-control.tsx

@@ -29,7 +29,6 @@ import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
 import { getUserColor } from '@/lib/workspaces/colors'
 import { getUserRole } from '@/lib/workspaces/organization'
 import { getAllBlocks } from '@/blocks'
-import { useOrganization, useOrganizations } from '@/hooks/queries/organization'
 import {
   type PermissionGroup,
   useBulkAddPermissionGroupMembers,
@@ -39,7 +38,8 @@ import {
   usePermissionGroups,
   useRemovePermissionGroupMember,
   useUpdatePermissionGroup,
-} from '@/hooks/queries/permission-groups'
+} from '@/ee/access-control/hooks/permission-groups'
+import { useOrganization, useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { PROVIDER_DEFINITIONS } from '@/providers/models'
 import { getAllProviderIds } from '@/providers/utils'
@@ -255,7 +255,6 @@ export function AccessControl() {
     queryEnabled
   )
 
-  // Show loading while dependencies load, or while permission groups query is pending
   const isLoading = orgsLoading || subLoading || (queryEnabled && groupsLoading)
   const { data: organization } = useOrganization(activeOrganization?.id || '')
 
@@ -410,10 +409,8 @@ export function AccessControl() {
   }, [viewingGroup, editingConfig])
 
   const allBlocks = useMemo(() => {
-    // Filter out hidden blocks and start_trigger (which should never be disabled)
     const blocks = getAllBlocks().filter((b) => !b.hideFromToolbar && b.type !== 'start_trigger')
     return blocks.sort((a, b) => {
-      // Group by category: triggers first, then blocks, then tools
       const categoryOrder = { triggers: 0, blocks: 1, tools: 2 }
       const catA = categoryOrder[a.category] ?? 3
       const catB = categoryOrder[b.category] ?? 3
@@ -555,10 +552,9 @@ export function AccessControl() {
   }, [viewingGroup, editingConfig, activeOrganization?.id, updatePermissionGroup])
 
   const handleOpenAddMembersModal = useCallback(() => {
-    const existingMemberUserIds = new Set(members.map((m) => m.userId))
     setSelectedMemberIds(new Set())
     setShowAddMembersModal(true)
-  }, [members])
+  }, [])
 
   const handleAddSelectedMembers = useCallback(async () => {
     if (!viewingGroup || selectedMemberIds.size === 0) return
@@ -891,7 +887,6 @@ export function AccessControl() {
                             prev
                               ? {
                                   ...prev,
-                                  // When deselecting all, keep start_trigger allowed (it should never be disabled)
                                   allowedIntegrations: allAllowed ? ['start_trigger'] : null,
                                 }
                               : prev

apps/sim/ee/access-control/hooks/permission-groups.ts

@@ -1,3 +1,5 @@
+'use client'
+
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
 import { fetchJson } from '@/hooks/selectors/helpers'

apps/sim/ee/sso/components/sso-settings.tsx

@@ -11,55 +11,13 @@ import { isBillingEnabled } from '@/lib/core/config/feature-flags'
 import { cn } from '@/lib/core/utils/cn'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getUserRole } from '@/lib/workspaces/organization/utils'
+import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
+import { useConfigureSSO, useSSOProviders } from '@/ee/sso/hooks/sso'
 import { useOrganizations } from '@/hooks/queries/organization'
-import { useConfigureSSO, useSSOProviders } from '@/hooks/queries/sso'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 
 const logger = createLogger('SSO')
 
-const TRUSTED_SSO_PROVIDERS = [
-  'okta',
-  'okta-saml',
-  'okta-prod',
-  'okta-dev',
-  'okta-staging',
-  'okta-test',
-  'azure-ad',
-  'azure-active-directory',
-  'azure-corp',
-  'azure-enterprise',
-  'adfs',
-  'adfs-company',
-  'adfs-corp',
-  'adfs-enterprise',
-  'auth0',
-  'auth0-prod',
-  'auth0-dev',
-  'auth0-staging',
-  'onelogin',
-  'onelogin-prod',
-  'onelogin-corp',
-  'jumpcloud',
-  'jumpcloud-prod',
-  'jumpcloud-corp',
-  'ping-identity',
-  'ping-federate',
-  'pingone',
-  'shibboleth',
-  'shibboleth-idp',
-  'google-workspace',
-  'google-sso',
-  'saml',
-  'saml2',
-  'saml-sso',
-  'oidc',
-  'oidc-sso',
-  'openid-connect',
-  'custom-sso',
-  'enterprise-sso',
-  'company-sso',
-]
-
 interface SSOProvider {
   id: string
   providerId: string
@@ -565,7 +523,7 @@ export function SSO() {
             <Combobox
               value={formData.providerId}
               onChange={(value: string) => handleInputChange('providerId', value)}
-              options={TRUSTED_SSO_PROVIDERS.map((id) => ({
+              options={SSO_TRUSTED_PROVIDERS.map((id) => ({
                 label: id,
                 value: id,
               }))}

apps/sim/ee/sso/constants.ts

@@ -1,3 +1,7 @@
+/**
+ * List of trusted SSO provider identifiers.
+ * Used for validation and autocomplete in SSO configuration.
+ */
 export const SSO_TRUSTED_PROVIDERS = [
   'okta',
   'okta-saml',

apps/sim/ee/sso/hooks/sso.ts

@@ -1,3 +1,5 @@
+'use client'
+
 import { keepPreviousData, useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { organizationKeys } from '@/hooks/queries/organization'
 
@@ -75,39 +77,3 @@ export function useConfigureSSO() {
     },
   })
 }
-
-/**
- * Delete SSO provider mutation
- */
-interface DeleteSSOParams {
-  providerId: string
-  orgId?: string
-}
-
-export function useDeleteSSO() {
-  const queryClient = useQueryClient()
-
-  return useMutation({
-    mutationFn: async ({ providerId }: DeleteSSOParams) => {
-      const response = await fetch(`/api/auth/sso/providers/${providerId}`, {
-        method: 'DELETE',
-      })
-
-      if (!response.ok) {
-        const error = await response.json()
-        throw new Error(error.message || 'Failed to delete SSO provider')
-      }
-
-      return response.json()
-    },
-    onSuccess: (_data, variables) => {
-      queryClient.invalidateQueries({ queryKey: ssoKeys.providers() })
-
-      if (variables.orgId) {
-        queryClient.invalidateQueries({
-          queryKey: organizationKeys.detail(variables.orgId),
-        })
-      }
-    },
-  })
-}

apps/sim/executor/execution/block-executor.ts

@@ -5,6 +5,7 @@ import {
   hydrateUserFilesWithBase64,
 } from '@/lib/uploads/utils/user-file-base64.server'
 import { sanitizeInputFormat, sanitizeTools } from '@/lib/workflows/comparison/normalize'
+import { validateBlockType } from '@/ee/access-control/utils/permission-check'
 import {
   BlockType,
   buildResumeApiUrl,
@@ -31,7 +32,6 @@ import { streamingResponseFormatProcessor } from '@/executor/utils'
 import { buildBlockExecutionError, normalizeError } from '@/executor/utils/errors'
 import { isJSONString } from '@/executor/utils/json'
 import { filterOutputForLog } from '@/executor/utils/output-filter'
-import { validateBlockType } from '@/executor/utils/permission-check'
 import type { VariableResolver } from '@/executor/variables/resolver'
 import type { SerializedBlock } from '@/serializer/types'
 import type { SubflowType } from '@/stores/workflows/workflow/types'

apps/sim/executor/handlers/agent/agent-handler.ts

@@ -6,6 +6,12 @@ import { createMcpToolId } from '@/lib/mcp/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { getAllBlocks } from '@/blocks'
 import type { BlockOutput } from '@/blocks/types'
+import {
+  validateBlockType,
+  validateCustomToolsAllowed,
+  validateMcpToolsAllowed,
+  validateModelProvider,
+} from '@/ee/access-control/utils/permission-check'
 import { AGENT, BlockType, DEFAULTS, REFERENCE, stripCustomToolPrefix } from '@/executor/constants'
 import { memoryService } from '@/executor/handlers/agent/memory'
 import type {
@@ -18,12 +24,6 @@ import type { BlockHandler, ExecutionContext, StreamingExecution } from '@/execu
 import { collectBlockData } from '@/executor/utils/block-data'
 import { buildAPIUrl, buildAuthHeaders } from '@/executor/utils/http'
 import { stringifyJSON } from '@/executor/utils/json'
-import {
-  validateBlockType,
-  validateCustomToolsAllowed,
-  validateMcpToolsAllowed,
-  validateModelProvider,
-} from '@/executor/utils/permission-check'
 import { executeProviderRequest } from '@/providers'
 import { getProviderFromModel, transformBlockTool } from '@/providers/utils'
 import type { SerializedBlock } from '@/serializer/types'

apps/sim/executor/handlers/evaluator/evaluator-handler.ts

@@ -4,11 +4,11 @@ import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { BlockOutput } from '@/blocks/types'
+import { validateModelProvider } from '@/ee/access-control/utils/permission-check'
 import { BlockType, DEFAULTS, EVALUATOR } from '@/executor/constants'
 import type { BlockHandler, ExecutionContext } from '@/executor/types'
 import { buildAPIUrl, buildAuthHeaders, extractAPIErrorMessage } from '@/executor/utils/http'
 import { isJSONString, parseJSON, stringifyJSON } from '@/executor/utils/json'
-import { validateModelProvider } from '@/executor/utils/permission-check'
 import { calculateCost, getProviderFromModel } from '@/providers/utils'
 import type { SerializedBlock } from '@/serializer/types'
 

apps/sim/executor/handlers/router/router-handler.ts

@@ -6,6 +6,7 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import { generateRouterPrompt, generateRouterV2Prompt } from '@/blocks/blocks/router'
 import type { BlockOutput } from '@/blocks/types'
+import { validateModelProvider } from '@/ee/access-control/utils/permission-check'
 import {
   BlockType,
   DEFAULTS,
@@ -15,7 +16,6 @@ import {
 } from '@/executor/constants'
 import type { BlockHandler, ExecutionContext } from '@/executor/types'
 import { buildAuthHeaders } from '@/executor/utils/http'
-import { validateModelProvider } from '@/executor/utils/permission-check'
 import { calculateCost, getProviderFromModel } from '@/providers/utils'
 import type { SerializedBlock } from '@/serializer/types'
 

apps/sim/hooks/queries/credential-sets.ts

@@ -1,3 +1,5 @@
+'use client'
+
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
 import { fetchJson } from '@/hooks/selectors/helpers'
 

apps/sim/hooks/use-permission-config.ts

@@ -1,3 +1,5 @@
+'use client'
+
 import { useMemo } from 'react'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { isAccessControlEnabled, isHosted } from '@/lib/core/config/feature-flags'
@@ -5,8 +7,8 @@ import {
   DEFAULT_PERMISSION_GROUP_CONFIG,
   type PermissionGroupConfig,
 } from '@/lib/permission-groups/types'
+import { useUserPermissionConfig } from '@/ee/access-control/hooks/permission-groups'
 import { useOrganizations } from '@/hooks/queries/organization'
-import { useUserPermissionConfig } from '@/hooks/queries/permission-groups'
 
 export interface PermissionConfigResult {
   config: PermissionGroupConfig

apps/sim/lib/auth/auth.ts

@@ -59,8 +59,8 @@ import { sendEmail } from '@/lib/messaging/email/mailer'
 import { getFromEmailAddress, getPersonalEmailFrom } from '@/lib/messaging/email/utils'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
+import { SSO_TRUSTED_PROVIDERS } from '@/ee/sso/constants'
 import { createAnonymousSession, ensureAnonymousUserExists } from './anonymous'
-import { SSO_TRUSTED_PROVIDERS } from './sso/constants'
 
 const logger = createLogger('Auth')
 

apps/sim/lib/billing/authorization.ts

@@ -1,20 +1,37 @@
 import { db } from '@sim/db'
 import * as schema from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
+import { hasActiveSubscription } from '@/lib/billing'
+
+const logger = createLogger('BillingAuthorization')
 
 /**
  * Check if a user is authorized to manage billing for a given reference ID
  * Reference ID can be either a user ID (individual subscription) or organization ID (team subscription)
+ *
+ * This function also performs duplicate subscription validation for organizations:
+ * - Rejects if an organization already has an active subscription (prevents duplicates)
+ * - Personal subscriptions (referenceId === userId) skip this check to allow upgrades
  */
 export async function authorizeSubscriptionReference(
   userId: string,
   referenceId: string
 ): Promise<boolean> {
-  // User can always manage their own subscriptions
+  // User can always manage their own subscriptions (Pro upgrades, etc.)
   if (referenceId === userId) {
     return true
   }
 
+  // For organizations: check for existing active subscriptions to prevent duplicates
+  if (await hasActiveSubscription(referenceId)) {
+    logger.warn('Blocking checkout - active subscription already exists for organization', {
+      userId,
+      referenceId,
+    })
+    return false
+  }
+
   // Check if referenceId is an organizationId the user has admin rights to
   const members = await db
     .select()

apps/sim/lib/billing/client/upgrade.ts

@@ -25,9 +25,11 @@ export function useSubscriptionUpgrade() {
       }
 
       let currentSubscriptionId: string | undefined
+      let allSubscriptions: any[] = []
       try {
         const listResult = await client.subscription.list()
-        const activePersonalSub = listResult.data?.find(
+        allSubscriptions = listResult.data || []
+        const activePersonalSub = allSubscriptions.find(
           (sub: any) => sub.status === 'active' && sub.referenceId === userId
         )
         currentSubscriptionId = activePersonalSub?.id
@@ -50,6 +52,25 @@ export function useSubscriptionUpgrade() {
           )
 
           if (existingOrg) {
+            // Check if this org already has an active team subscription
+            const existingTeamSub = allSubscriptions.find(
+              (sub: any) =>
+                sub.status === 'active' &&
+                sub.referenceId === existingOrg.id &&
+                (sub.plan === 'team' || sub.plan === 'enterprise')
+            )
+
+            if (existingTeamSub) {
+              logger.warn('Organization already has an active team subscription', {
+                userId,
+                organizationId: existingOrg.id,
+                existingSubscriptionId: existingTeamSub.id,
+              })
+              throw new Error(
+                'This organization already has an active team subscription. Please manage it from the billing settings.'
+              )
+            }
+
             logger.info('Using existing organization for team plan upgrade', {
               userId,
               organizationId: existingOrg.id,

apps/sim/lib/billing/core/plan.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { member, subscription } from '@sim/db/schema'
+import { member, organization, subscription } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, inArray } from 'drizzle-orm'
 import { checkEnterprisePlan, checkProPlan, checkTeamPlan } from '@/lib/billing/subscriptions/utils'
@@ -26,10 +26,22 @@ export async function getHighestPrioritySubscription(userId: string) {
 
     let orgSubs: typeof personalSubs = []
     if (orgIds.length > 0) {
-      orgSubs = await db
+      // Verify orgs exist to filter out orphaned subscriptions
-        .select()
+      const existingOrgs = await db
-        .from(subscription)
+        .select({ id: organization.id })
-        .where(and(inArray(subscription.referenceId, orgIds), eq(subscription.status, 'active')))
+        .from(organization)
+        .where(inArray(organization.id, orgIds))
+
+      const validOrgIds = existingOrgs.map((o) => o.id)
+
+      if (validOrgIds.length > 0) {
+        orgSubs = await db
+          .select()
+          .from(subscription)
+          .where(
+            and(inArray(subscription.referenceId, validOrgIds), eq(subscription.status, 'active'))
+          )
+      }
     }
 
     const allSubs = [...personalSubs, ...orgSubs]

apps/sim/lib/billing/core/subscription.ts

@@ -25,6 +25,28 @@ const logger = createLogger('SubscriptionCore')
 
 export { getHighestPrioritySubscription }
 
+/**
+ * Check if a referenceId (user ID or org ID) has an active subscription
+ * Used for duplicate subscription prevention
+ *
+ * Fails closed: returns true on error to prevent duplicate creation
+ */
+export async function hasActiveSubscription(referenceId: string): Promise<boolean> {
+  try {
+    const [activeSub] = await db
+      .select({ id: subscription.id })
+      .from(subscription)
+      .where(and(eq(subscription.referenceId, referenceId), eq(subscription.status, 'active')))
+      .limit(1)
+
+    return !!activeSub
+  } catch (error) {
+    logger.error('Error checking active subscription', { error, referenceId })
+    // Fail closed: assume subscription exists to prevent duplicate creation
+    return true
+  }
+}
+
 /**
  * Check if user is on Pro plan (direct or via organization)
  */

apps/sim/lib/billing/index.ts

@@ -11,6 +11,7 @@ export {
   getHighestPrioritySubscription as getActiveSubscription,
   getUserSubscriptionState as getSubscriptionState,
   hasAccessControlAccess,
+  hasActiveSubscription,
   hasCredentialSetsAccess,
   hasSSOAccess,
   isEnterpriseOrgAdminOrOwner,
@@ -32,6 +33,11 @@ export {
 } from '@/lib/billing/core/usage'
 export * from '@/lib/billing/credits/balance'
 export * from '@/lib/billing/credits/purchase'
+export {
+  blockOrgMembers,
+  getOrgMemberIds,
+  unblockOrgMembers,
+} from '@/lib/billing/organizations/membership'
 export * from '@/lib/billing/subscriptions/utils'
 export { canEditUsageLimit as canEditLimit } from '@/lib/billing/subscriptions/utils'
 export * from '@/lib/billing/types'

apps/sim/lib/billing/organization.ts

@@ -8,6 +8,7 @@ import {
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
+import { hasActiveSubscription } from '@/lib/billing'
 import { getPlanPricing } from '@/lib/billing/core/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 
@@ -159,6 +160,16 @@ export async function ensureOrganizationForTeamSubscription(
   if (existingMembership.length > 0) {
     const membership = existingMembership[0]
     if (membership.role === 'owner' || membership.role === 'admin') {
+      // Check if org already has an active subscription (prevent duplicates)
+      if (await hasActiveSubscription(membership.organizationId)) {
+        logger.error('Organization already has an active subscription', {
+          userId,
+          organizationId: membership.organizationId,
+          newSubscriptionId: subscription.id,
+        })
+        throw new Error('Organization already has an active subscription')
+      }
+
       logger.info('User already owns/admins an org, using it', {
         userId,
         organizationId: membership.organizationId,

apps/sim/lib/billing/organizations/membership.ts

@@ -15,13 +15,86 @@ import {
   userStats,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, sql } from 'drizzle-orm'
+import { and, eq, inArray, isNull, ne, or, sql } from 'drizzle-orm'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { validateSeatAvailability } from '@/lib/billing/validation/seat-management'
 
 const logger = createLogger('OrganizationMembership')
 
+export type BillingBlockReason = 'payment_failed' | 'dispute'
+
+/**
+ * Get all member user IDs for an organization
+ */
+export async function getOrgMemberIds(organizationId: string): Promise<string[]> {
+  const members = await db
+    .select({ userId: member.userId })
+    .from(member)
+    .where(eq(member.organizationId, organizationId))
+
+  return members.map((m) => m.userId)
+}
+
+/**
+ * Block all members of an organization for billing reasons
+ * Returns the number of members actually blocked
+ *
+ * Reason priority: dispute > payment_failed
+ * A payment_failed block won't overwrite an existing dispute block
+ */
+export async function blockOrgMembers(
+  organizationId: string,
+  reason: BillingBlockReason
+): Promise<number> {
+  const memberIds = await getOrgMemberIds(organizationId)
+
+  if (memberIds.length === 0) {
+    return 0
+  }
+
+  // Don't overwrite dispute blocks with payment_failed (dispute is higher priority)
+  const whereClause =
+    reason === 'payment_failed'
+      ? and(
+          inArray(userStats.userId, memberIds),
+          or(ne(userStats.billingBlockedReason, 'dispute'), isNull(userStats.billingBlockedReason))
+        )
+      : inArray(userStats.userId, memberIds)
+
+  const result = await db
+    .update(userStats)
+    .set({ billingBlocked: true, billingBlockedReason: reason })
+    .where(whereClause)
+    .returning({ userId: userStats.userId })
+
+  return result.length
+}
+
+/**
+ * Unblock all members of an organization blocked for a specific reason
+ * Only unblocks members blocked for the specified reason (not other reasons)
+ * Returns the number of members actually unblocked
+ */
+export async function unblockOrgMembers(
+  organizationId: string,
+  reason: BillingBlockReason
+): Promise<number> {
+  const memberIds = await getOrgMemberIds(organizationId)
+
+  if (memberIds.length === 0) {
+    return 0
+  }
+
+  const result = await db
+    .update(userStats)
+    .set({ billingBlocked: false, billingBlockedReason: null })
+    .where(and(inArray(userStats.userId, memberIds), eq(userStats.billingBlockedReason, reason)))
+    .returning({ userId: userStats.userId })
+
+  return result.length
+}
+
 export interface RestoreProResult {
   restored: boolean
   usageRestored: boolean

apps/sim/lib/billing/webhooks/disputes.ts

@@ -1,8 +1,9 @@
 import { db } from '@sim/db'
-import { member, subscription, user, userStats } from '@sim/db/schema'
+import { subscription, user, userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type Stripe from 'stripe'
+import { blockOrgMembers, unblockOrgMembers } from '@/lib/billing'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 
 const logger = createLogger('DisputeWebhooks')
@@ -57,36 +58,34 @@ export async function handleChargeDispute(event: Stripe.Event): Promise<void> {
 
   if (subs.length > 0) {
     const orgId = subs[0].referenceId
+    const memberCount = await blockOrgMembers(orgId, 'dispute')
 
-    const owners = await db
+    if (memberCount > 0) {
-      .select({ userId: member.userId })
+      logger.warn('Blocked all org members due to dispute', {
-      .from(member)
-      .where(and(eq(member.organizationId, orgId), eq(member.role, 'owner')))
-      .limit(1)
-
-    if (owners.length > 0) {
-      await db
-        .update(userStats)
-        .set({ billingBlocked: true, billingBlockedReason: 'dispute' })
-        .where(eq(userStats.userId, owners[0].userId))
-
-      logger.warn('Blocked org owner due to dispute', {
         disputeId: dispute.id,
-        ownerId: owners[0].userId,
         organizationId: orgId,
+        memberCount,
       })
     }
   }
 }
 
 /**
- * Handles charge.dispute.closed - unblocks user if dispute was won
+ * Handles charge.dispute.closed - unblocks user if dispute was won or warning closed
+ *
+ * Status meanings:
+ * - 'won': Merchant won, customer's chargeback denied → unblock
+ * - 'lost': Customer won, money refunded → stay blocked (they owe us)
+ * - 'warning_closed': Pre-dispute inquiry closed without chargeback → unblock (false alarm)
  */
 export async function handleDisputeClosed(event: Stripe.Event): Promise<void> {
   const dispute = event.data.object as Stripe.Dispute
 
-  if (dispute.status !== 'won') {
+  // Only unblock if we won or the warning was closed without a full dispute
-    logger.info('Dispute not won, user remains blocked', {
+  const shouldUnblock = dispute.status === 'won' || dispute.status === 'warning_closed'
+
+  if (!shouldUnblock) {
+    logger.info('Dispute resolved against us, user remains blocked', {
       disputeId: dispute.id,
       status: dispute.status,
     })
@@ -98,7 +97,7 @@ export async function handleDisputeClosed(event: Stripe.Event): Promise<void> {
     return
   }
 
-  // Find and unblock user (Pro plans)
+  // Find and unblock user (Pro plans) - only if blocked for dispute, not other reasons
   const users = await db
     .select({ id: user.id })
     .from(user)
@@ -109,16 +108,17 @@ export async function handleDisputeClosed(event: Stripe.Event): Promise<void> {
     await db
       .update(userStats)
       .set({ billingBlocked: false, billingBlockedReason: null })
-      .where(eq(userStats.userId, users[0].id))
+      .where(and(eq(userStats.userId, users[0].id), eq(userStats.billingBlockedReason, 'dispute')))
 
-    logger.info('Unblocked user after winning dispute', {
+    logger.info('Unblocked user after dispute resolved in our favor', {
       disputeId: dispute.id,
       userId: users[0].id,
+      status: dispute.status,
     })
     return
   }
 
-  // Find and unblock org owner (Team/Enterprise)
+  // Find and unblock all org members (Team/Enterprise) - consistent with payment success
   const subs = await db
     .select({ referenceId: subscription.referenceId })
     .from(subscription)
@@ -127,24 +127,13 @@ export async function handleDisputeClosed(event: Stripe.Event): Promise<void> {
 
   if (subs.length > 0) {
     const orgId = subs[0].referenceId
+    const memberCount = await unblockOrgMembers(orgId, 'dispute')
 
-    const owners = await db
+    logger.info('Unblocked all org members after dispute resolved in our favor', {
-      .select({ userId: member.userId })
+      disputeId: dispute.id,
-      .from(member)
+      organizationId: orgId,
-      .where(and(eq(member.organizationId, orgId), eq(member.role, 'owner')))
+      memberCount,
-      .limit(1)
+      status: dispute.status,
-
+    })
-    if (owners.length > 0) {
-      await db
-        .update(userStats)
-        .set({ billingBlocked: false, billingBlockedReason: null })
-        .where(eq(userStats.userId, owners[0].userId))
-
-      logger.info('Unblocked org owner after winning dispute', {
-        disputeId: dispute.id,
-        ownerId: owners[0].userId,
-        organizationId: orgId,
-      })
-    }
   }
 }

apps/sim/lib/billing/webhooks/invoices.ts

@@ -8,12 +8,13 @@ import {
   userStats,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray } from 'drizzle-orm'
+import { and, eq, inArray, isNull, ne, or } from 'drizzle-orm'
 import type Stripe from 'stripe'
 import { getEmailSubject, PaymentFailedEmail, renderCreditPurchaseEmail } from '@/components/emails'
 import { calculateSubscriptionOverage } from '@/lib/billing/core/billing'
 import { addCredits, getCreditBalance, removeCredits } from '@/lib/billing/credits/balance'
 import { setUsageLimitForCredits } from '@/lib/billing/credits/purchase'
+import { blockOrgMembers, unblockOrgMembers } from '@/lib/billing/organizations/membership'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { sendEmail } from '@/lib/messaging/email/mailer'
@@ -502,24 +503,7 @@ export async function handleInvoicePaymentSucceeded(event: Stripe.Event) {
     }
 
     if (sub.plan === 'team' || sub.plan === 'enterprise') {
-      const members = await db
+      await unblockOrgMembers(sub.referenceId, 'payment_failed')
-        .select({ userId: member.userId })
-        .from(member)
-        .where(eq(member.organizationId, sub.referenceId))
-      const memberIds = members.map((m) => m.userId)
-
-      if (memberIds.length > 0) {
-        // Only unblock users blocked for payment_failed, not disputes
-        await db
-          .update(userStats)
-          .set({ billingBlocked: false, billingBlockedReason: null })
-          .where(
-            and(
-              inArray(userStats.userId, memberIds),
-              eq(userStats.billingBlockedReason, 'payment_failed')
-            )
-          )
-      }
     } else {
       // Only unblock users blocked for payment_failed, not disputes
       await db
@@ -616,28 +600,26 @@ export async function handleInvoicePaymentFailed(event: Stripe.Event) {
       if (records.length > 0) {
         const sub = records[0]
         if (sub.plan === 'team' || sub.plan === 'enterprise') {
-          const members = await db
+          const memberCount = await blockOrgMembers(sub.referenceId, 'payment_failed')
-            .select({ userId: member.userId })
-            .from(member)
-            .where(eq(member.organizationId, sub.referenceId))
-          const memberIds = members.map((m) => m.userId)
-
-          if (memberIds.length > 0) {
-            await db
-              .update(userStats)
-              .set({ billingBlocked: true, billingBlockedReason: 'payment_failed' })
-              .where(inArray(userStats.userId, memberIds))
-          }
           logger.info('Blocked team/enterprise members due to payment failure', {
             organizationId: sub.referenceId,
-            memberCount: members.length,
+            memberCount,
             isOverageInvoice,
           })
         } else {
+          // Don't overwrite dispute blocks (dispute > payment_failed priority)
           await db
             .update(userStats)
             .set({ billingBlocked: true, billingBlockedReason: 'payment_failed' })
-            .where(eq(userStats.userId, sub.referenceId))
+            .where(
+              and(
+                eq(userStats.userId, sub.referenceId),
+                or(
+                  ne(userStats.billingBlockedReason, 'dispute'),
+                  isNull(userStats.billingBlockedReason)
+                )
+              )
+            )
           logger.info('Blocked user due to payment failure', {
             userId: sub.referenceId,
             isOverageInvoice,

apps/sim/lib/billing/webhooks/subscription.ts

@@ -3,6 +3,7 @@ import { member, organization, subscription } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, ne } from 'drizzle-orm'
 import { calculateSubscriptionOverage } from '@/lib/billing/core/billing'
+import { hasActiveSubscription } from '@/lib/billing/core/subscription'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { restoreUserProSubscription } from '@/lib/billing/organizations/membership'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
@@ -52,14 +53,37 @@ async function restoreMemberProSubscriptions(organizationId: string): Promise<nu
 
 /**
  * Cleanup organization when team/enterprise subscription is deleted.
+ * - Checks if other active subscriptions point to this org (skip deletion if so)
  * - Restores member Pro subscriptions
- * - Deletes the organization
+ * - Deletes the organization (only if no other active subs)
  * - Syncs usage limits for former members (resets to free or Pro tier)
  */
 async function cleanupOrganizationSubscription(organizationId: string): Promise<{
   restoredProCount: number
   membersSynced: number
+  organizationDeleted: boolean
 }> {
+  // Check if other active subscriptions still point to this org
+  // Note: The subscription being deleted is already marked as 'canceled' by better-auth
+  // before this handler runs, so we only find truly active ones
+  if (await hasActiveSubscription(organizationId)) {
+    logger.info('Skipping organization deletion - other active subscriptions exist', {
+      organizationId,
+    })
+
+    // Still sync limits for members since this subscription was deleted
+    const memberUserIds = await db
+      .select({ userId: member.userId })
+      .from(member)
+      .where(eq(member.organizationId, organizationId))
+
+    for (const m of memberUserIds) {
+      await syncUsageLimitsFromSubscription(m.userId)
+    }
+
+    return { restoredProCount: 0, membersSynced: memberUserIds.length, organizationDeleted: false }
+  }
+
   // Get member userIds before deletion (needed for limit syncing after org deletion)
   const memberUserIds = await db
     .select({ userId: member.userId })
@@ -75,7 +99,7 @@ async function cleanupOrganizationSubscription(organizationId: string): Promise<
     await syncUsageLimitsFromSubscription(m.userId)
   }
 
-  return { restoredProCount, membersSynced: memberUserIds.length }
+  return { restoredProCount, membersSynced: memberUserIds.length, organizationDeleted: true }
 }
 
 /**
@@ -172,15 +196,14 @@ export async function handleSubscriptionDeleted(subscription: {
         referenceId: subscription.referenceId,
       })
 
-      const { restoredProCount, membersSynced } = await cleanupOrganizationSubscription(
+      const { restoredProCount, membersSynced, organizationDeleted } =
-        subscription.referenceId
+        await cleanupOrganizationSubscription(subscription.referenceId)
-      )
 
       logger.info('Successfully processed enterprise subscription cancellation', {
         subscriptionId: subscription.id,
         stripeSubscriptionId,
         restoredProCount,
-        organizationDeleted: true,
+        organizationDeleted,
         membersSynced,
       })
       return
@@ -297,7 +320,7 @@ export async function handleSubscriptionDeleted(subscription: {
       const cleanup = await cleanupOrganizationSubscription(subscription.referenceId)
       restoredProCount = cleanup.restoredProCount
       membersSynced = cleanup.membersSynced
-      organizationDeleted = true
+      organizationDeleted = cleanup.organizationDeleted
     } else if (subscription.plan === 'pro') {
       await syncUsageLimitsFromSubscription(subscription.referenceId)
       membersSynced = 1

apps/sim/lib/copilot/process-contents.ts

@@ -5,8 +5,8 @@ import { and, eq, isNull } from 'drizzle-orm'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
 import { isHiddenFromDisplay } from '@/blocks/types'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { escapeRegExp } from '@/executor/constants'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
 import type { ChatContext } from '@/stores/panel/copilot/types'
 
 export type AgentContextType =

apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts

@@ -7,7 +7,7 @@ import {
 } from '@/lib/copilot/tools/shared/schemas'
 import { registry as blockRegistry, getLatestBlock } from '@/blocks/registry'
 import { isHiddenFromDisplay, type SubBlockConfig } from '@/blocks/types'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { PROVIDER_DEFINITIONS } from '@/providers/models'
 import { tools as toolsRegistry } from '@/tools/registry'
 import { getTrigger, isTriggerValid } from '@/triggers'

apps/sim/lib/copilot/tools/server/blocks/get-block-options.ts

@@ -6,7 +6,7 @@ import {
   type GetBlockOptionsResultType,
 } from '@/lib/copilot/tools/shared/schemas'
 import { registry as blockRegistry, getLatestBlock } from '@/blocks/registry'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { tools as toolsRegistry } from '@/tools/registry'
 
 export const getBlockOptionsServerTool: BaseServerTool<

apps/sim/lib/copilot/tools/server/blocks/get-blocks-and-tools.ts

@@ -6,7 +6,7 @@ import {
 } from '@/lib/copilot/tools/shared/schemas'
 import { registry as blockRegistry } from '@/blocks/registry'
 import type { BlockConfig } from '@/blocks/types'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 
 export const getBlocksAndToolsServerTool: BaseServerTool<
   ReturnType<typeof GetBlocksAndToolsInput.parse>,

apps/sim/lib/copilot/tools/server/blocks/get-blocks-metadata-tool.ts

@@ -8,7 +8,7 @@ import {
 } from '@/lib/copilot/tools/shared/schemas'
 import { registry as blockRegistry } from '@/blocks/registry'
 import { AuthMode, type BlockConfig, isHiddenFromDisplay } from '@/blocks/types'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { PROVIDER_DEFINITIONS } from '@/providers/models'
 import { tools as toolsRegistry } from '@/tools/registry'
 import { getTrigger, isTriggerValid } from '@/triggers'

apps/sim/lib/copilot/tools/server/blocks/get-trigger-blocks.ts

@@ -3,7 +3,7 @@ import { z } from 'zod'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { registry as blockRegistry } from '@/blocks/registry'
 import type { BlockConfig } from '@/blocks/types'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 
 export const GetTriggerBlocksInput = z.object({})
 export const GetTriggerBlocksResult = z.object({

apps/sim/lib/copilot/tools/server/workflow/edit-workflow.ts

@@ -15,8 +15,8 @@ import { buildCanonicalIndex, isCanonicalPair } from '@/lib/workflows/subblocks/
 import { TriggerUtils } from '@/lib/workflows/triggers/triggers'
 import { getAllBlocks, getBlock } from '@/blocks/registry'
 import type { BlockConfig, SubBlockConfig } from '@/blocks/types'
+import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { EDGE, normalizeName, RESERVED_BLOCK_NAMES } from '@/executor/constants'
-import { getUserPermissionConfig } from '@/executor/utils/permission-check'
 import { generateLoopBlocks, generateParallelBlocks } from '@/stores/workflows/workflow/utils'
 import { TRIGGER_RUNTIME_SUBBLOCK_IDS } from '@/triggers/constants'
 

apps/sim/lib/core/utils/formatting.ts

@@ -153,22 +153,50 @@ export function formatCompactTimestamp(iso: string): string {
 }
 
 /**
- * Format a duration in milliseconds to a human-readable format
+ * Format a duration to a human-readable format
- * @param durationMs - The duration in milliseconds
+ * @param duration - Duration in milliseconds (number) or as string (e.g., "500ms")
  * @param options - Optional formatting options
- * @param options.precision - Number of decimal places for seconds (default: 0)
+ * @param options.precision - Number of decimal places for seconds (default: 0), trailing zeros are stripped
- * @returns A formatted duration string
+ * @returns A formatted duration string, or null if input is null/undefined
  */
-export function formatDuration(durationMs: number, options?: { precision?: number }): string {
+export function formatDuration(
-  const precision = options?.precision ?? 0
+  duration: number | string | undefined | null,
-
+  options?: { precision?: number }
-  if (durationMs < 1000) {
+): string | null {
-    return `${durationMs}ms`
+  if (duration === undefined || duration === null) {
+    return null
   }
 
-  const seconds = durationMs / 1000
+  // Parse string durations (e.g., "500ms", "0.44ms", "1234")
+  let ms: number
+  if (typeof duration === 'string') {
+    ms = Number.parseFloat(duration.replace(/[^0-9.-]/g, ''))
+    if (!Number.isFinite(ms)) {
+      return duration
+    }
+  } else {
+    ms = duration
+  }
+
+  const precision = options?.precision ?? 0
+
+  if (ms < 1) {
+    // Sub-millisecond: show with 2 decimal places
+    return `${ms.toFixed(2)}ms`
+  }
+
+  if (ms < 1000) {
+    // Milliseconds: round to integer
+    return `${Math.round(ms)}ms`
+  }
+
+  const seconds = ms / 1000
   if (seconds < 60) {
-    return precision > 0 ? `${seconds.toFixed(precision)}s` : `${Math.floor(seconds)}s`
+    if (precision > 0) {
+      // Strip trailing zeros (e.g., "5.00s" -> "5s", "5.10s" -> "5.1s")
+      return `${seconds.toFixed(precision).replace(/\.?0+$/, '')}s`
+    }
+    return `${Math.floor(seconds)}s`
   }
 
   const minutes = Math.floor(seconds / 60)

apps/sim/lib/logs/execution/logger.ts

@@ -33,6 +33,7 @@ import type {
   WorkflowExecutionSnapshot,
   WorkflowState,
 } from '@/lib/logs/types'
+import { getWorkspaceBilledAccountUserId } from '@/lib/workspaces/utils'
 
 export interface ToolCall {
   name: string
@@ -503,7 +504,7 @@ export class ExecutionLogger implements IExecutionLoggerService {
     }
 
     try {
-      // Get the workflow record to get the userId
+      // Get the workflow record to get workspace and fallback userId
       const [workflowRecord] = await db
         .select()
         .from(workflow)
@@ -515,7 +516,12 @@ export class ExecutionLogger implements IExecutionLoggerService {
         return
       }
 
-      const userId = workflowRecord.userId
+      let billingUserId: string | null = null
+      if (workflowRecord.workspaceId) {
+        billingUserId = await getWorkspaceBilledAccountUserId(workflowRecord.workspaceId)
+      }
+
+      const userId = billingUserId || workflowRecord.userId
       const costToStore = costSummary.totalCost
 
       const existing = await db.select().from(userStats).where(eq(userStats.userId, userId))