diff --git a/.claude/rules/global.md b/.claude/rules/global.md index cfcb4c7cc29..b5bc94ec1b2 100644 --- a/.claude/rules/global.md +++ b/.claude/rules/global.md @@ -1,7 +1,10 @@ # Global Standards ## Logging -Import `createLogger` from `sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`. +Import `createLogger` from `@sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`. Inside API routes wrapped with `withRouteHandler`, loggers automatically include the request ID. + +## API Route Handlers +All API route handlers must be wrapped with `withRouteHandler` from `@/lib/core/utils/with-route-handler`. Never export a bare `async function GET/POST/...` — always use `export const METHOD = withRouteHandler(...)`. ## Comments Use TSDoc for documentation. No `====` separators. No non-TSDoc comments. diff --git a/.claude/rules/sim-testing.md b/.claude/rules/sim-testing.md index 36b19dc0d64..4e281694493 100644 --- a/.claude/rules/sim-testing.md +++ b/.claude/rules/sim-testing.md @@ -217,13 +217,20 @@ it('reads a row', async () => { ``` **Default chains supported:** -- `select()/selectDistinct()/selectDistinctOn() → from() → where()/innerJoin()/leftJoin() → where() → limit()/orderBy()/returning()/groupBy()` +- `select()/selectDistinct()/selectDistinctOn() → from() → where()/innerJoin()/leftJoin() → where() → limit()/orderBy()/returning()/groupBy()/for()` - `insert() → values() → returning()/onConflictDoUpdate()/onConflictDoNothing()` -- `update() → set() → where() → limit()/orderBy()/returning()` -- `delete() → where() → limit()/orderBy()/returning()` +- `update() → set() → where() → limit()/orderBy()/returning()/for()` +- `delete() → where() → limit()/orderBy()/returning()/for()` - `db.execute()` resolves `[]` - `db.transaction(cb)` calls cb with `dbChainMock.db` +`.for('update')` (Postgres row-level locking) is supported on `where` +builders. It returns a thenable with `.limit` / `.orderBy` / `.returning` / +`.groupBy` attached, so both `await .where().for('update')` (terminal) and +`await .where().for('update').limit(1)` (chained) work. Override the terminal +result with `dbChainMockFns.for.mockResolvedValueOnce([...])`; for the chained +form, mock the downstream terminal (e.g. `dbChainMockFns.limit.mockResolvedValueOnce([...])`). + All terminals default to `Promise.resolve([])`. Override per-test with `dbChainMockFns..mockResolvedValueOnce(...)`. Use `resetDbChainMock()` in `beforeEach` only when tests replace wiring with `.mockReturnValue` / `.mockResolvedValue` (permanent). Tests using only `...Once` variants don't need it. diff --git a/CLAUDE.md b/CLAUDE.md index 1ca9bf41a25..bc4797c8314 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,7 +4,8 @@ You are a professional software engineer. All code must follow best practices: a ## Global Standards -- **Logging**: Import `createLogger` from `@sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log` +- **Logging**: Import `createLogger` from `@sim/logger`. Use `logger.info`, `logger.warn`, `logger.error` instead of `console.log`. Inside API routes wrapped with `withRouteHandler`, loggers automatically include the request ID — no manual `withMetadata({ requestId })` needed +- **API Route Handlers**: All API route handlers (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) must be wrapped with `withRouteHandler` from `@/lib/core/utils/with-route-handler`. This provides request ID tracking, automatic error logging for 4xx/5xx responses, and unhandled error catching. See "API Route Pattern" section below - **Comments**: Use TSDoc for documentation. No `====` separators. No non-TSDoc comments - **Styling**: Never update global styles. Keep all styling local to components - **ID Generation**: Never use `crypto.randomUUID()`, `nanoid`, or `uuid` package. Use `generateId()` (UUID v4) or `generateShortId()` (compact) from `@sim/utils/id` @@ -93,6 +94,41 @@ export function Component({ requiredProp, optionalProp = false }: ComponentProps Extract when: 50+ lines, used in 2+ files, or has own state/logic. Keep inline when: < 10 lines, single use, purely presentational. +## API Route Pattern + +Every API route handler must be wrapped with `withRouteHandler`. This sets up `AsyncLocalStorage`-based request context so all loggers in the request lifecycle automatically include the request ID. + +```typescript +import { createLogger } from '@sim/logger' +import type { NextRequest } from 'next/server' +import { NextResponse } from 'next/server' +import { withRouteHandler } from '@/lib/core/utils/with-route-handler' + +const logger = createLogger('MyAPI') + +// Simple route +export const GET = withRouteHandler(async (request: NextRequest) => { + logger.info('Handling request') // automatically includes {requestId=...} + return NextResponse.json({ ok: true }) +}) + +// Route with params +export const DELETE = withRouteHandler(async ( + request: NextRequest, + { params }: { params: Promise<{ id: string }> } +) => { + const { id } = await params + return NextResponse.json({ deleted: id }) +}) + +// Composing with other middleware (withRouteHandler wraps the outermost layer) +export const POST = withRouteHandler(withAdminAuth(async (request) => { + return NextResponse.json({ ok: true }) +})) +``` + +Never export a bare `async function GET/POST/...` — always use `export const METHOD = withRouteHandler(...)`. + ## Hooks ```typescript diff --git a/apps/docs/components/icons.tsx b/apps/docs/components/icons.tsx index 208cec09b42..061e0c0cdf5 100644 --- a/apps/docs/components/icons.tsx +++ b/apps/docs/components/icons.tsx @@ -4681,6 +4681,17 @@ export function IAMIcon(props: SVGProps) { ) } +export function IdentityCenterIcon(props: SVGProps) { + return ( + + + + ) +} + export function STSIcon(props: SVGProps) { return ( @@ -4699,6 +4710,24 @@ export function STSIcon(props: SVGProps) { ) } +export function SESIcon(props: SVGProps) { + return ( + + + + + + + + + + + ) +} + export function SecretsManagerIcon(props: SVGProps) { return ( diff --git a/apps/docs/components/ui/icon-mapping.ts b/apps/docs/components/ui/icon-mapping.ts index 66570ec3af3..13061ba7819 100644 --- a/apps/docs/components/ui/icon-mapping.ts +++ b/apps/docs/components/ui/icon-mapping.ts @@ -91,6 +91,7 @@ import { HuggingFaceIcon, HunterIOIcon, IAMIcon, + IdentityCenterIcon, ImageIcon, IncidentioIcon, InfisicalIcon, @@ -152,6 +153,7 @@ import { RootlyIcon, S3Icon, SalesforceIcon, + SESIcon, SearchIcon, SecretsManagerIcon, SendgridIcon, @@ -294,6 +296,7 @@ export const blockTypeToIconMap: Record = { huggingface: HuggingFaceIcon, hunter: HunterIOIcon, iam: IAMIcon, + identity_center: IdentityCenterIcon, image_generator: ImageIcon, imap: MailServerIcon, incidentio: IncidentioIcon, @@ -370,6 +373,7 @@ export const blockTypeToIconMap: Record = { sentry: SentryIcon, serper: SerperIcon, servicenow: ServiceNowIcon, + ses: SESIcon, sftp: SftpIcon, sharepoint: MicrosoftSharepointIcon, shopify: ShopifyIcon, diff --git a/apps/docs/content/docs/en/enterprise/access-control.mdx b/apps/docs/content/docs/en/enterprise/access-control.mdx new file mode 100644 index 00000000000..b1ab31105c9 --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/access-control.mdx @@ -0,0 +1,216 @@ +--- +title: Access Control +description: Restrict which models, blocks, and platform features each group of users can access +--- + +import { Callout } from 'fumadocs-ui/components/callout' +import { FAQ } from '@/components/ui/faq' +import { Image } from '@/components/ui/image' + +Access Control lets workspace admins define permission groups that restrict what each set of workspace members can do — which AI model providers they can use, which workflow blocks they can place, and which platform features are visible to them. Permission groups are scoped to a single workspace: a user can be in different groups (or no group) in different workspaces. Restrictions are enforced both in the workflow executor and in Mothership, based on the workflow's workspace. + +--- + +## How it works + +Access control is built around **permission groups**. Each group belongs to a specific workspace and has a name, an optional description, and a configuration that defines what its members can and cannot do. A user can belong to at most one permission group **per workspace**, but can belong to different groups in different workspaces. + +When a user runs a workflow or uses Mothership, Sim reads their group's configuration and applies it: + +- **In the executor:** If a workflow uses a disallowed block type or model provider, execution halts immediately with an error. This applies to both manual runs and scheduled or API-triggered deployments. +- **In Mothership:** Disallowed blocks are filtered out of the block list so they cannot be added to a workflow. Disallowed tool types (MCP, custom tools, skills) are skipped if Mothership attempts to use them. + +--- + +## Setup + +### 1. Open Access Control settings + +Go to **Settings → Enterprise → Access Control** in the workspace you want to manage. Each workspace has its own set of permission groups. + + + +### 2. Create a permission group + +Click **+ Create** and enter a name (required) and optional description. You can also enable **Auto-add new members** — when active, any new member who joins this workspace is automatically added to this group. Only one group per workspace can have this setting enabled at a time. + +### 3. Configure permissions + +Click **Details** on a group, then open **Configure Permissions**. There are three tabs. + +#### Model Providers + +Controls which AI model providers members of this group can use. + + The list shows all providers available in Sim. + +- **All checked (default):** All providers are allowed. +- **Subset checked:** Only the selected providers are allowed. Any workflow block or agent using a provider not on the list will fail at execution time. + +#### Blocks + +Controls which workflow blocks members can place and execute. + + Blocks are split into two sections: **Core Blocks** (Agent, API, Condition, Function, etc.) and **Tools** (all integration blocks). + +- **All checked (default):** All blocks are allowed. +- **Subset checked:** Only the selected blocks are allowed. Workflows that already contain a disallowed block will fail when run — they are not automatically modified. + + + The `start_trigger` block (the entry point of every workflow) is always allowed and cannot be restricted. + + +#### Platform + +Controls visibility of platform features and modules. + + Each checkbox maps to a specific feature; checking it hides or disables that feature for group members. + +**Sidebar** + +| Feature | Effect when checked | +|---------|-------------------| +| Knowledge Base | Hides the Knowledge Base section from the sidebar | +| Tables | Hides the Tables section from the sidebar | +| Templates | Hides the Templates section from the sidebar | + +**Workflow Panel** + +| Feature | Effect when checked | +|---------|-------------------| +| Copilot | Hides the Copilot panel inside the workflow editor | + +**Settings Tabs** + +| Feature | Effect when checked | +|---------|-------------------| +| Integrations | Hides the Integrations tab in Settings | +| Secrets | Hides the Secrets tab in Settings | +| API Keys | Hides the Sim Keys tab in Settings | +| Files | Hides the Files tab in Settings | + +**Tools** + +| Feature | Effect when checked | +|---------|-------------------| +| MCP Tools | Disables the use of MCP tools in workflows and agents | +| Custom Tools | Disables the use of custom tools in workflows and agents | +| Skills | Disables the use of Sim Skills in workflows and agents | + +**Deploy Tabs** + +| Feature | Effect when checked | +|---------|-------------------| +| API | Hides the API deployment tab | +| MCP | Hides the MCP deployment tab | +| A2A | Hides the A2A deployment tab | +| Chat | Hides the Chat deployment tab | +| Template | Hides the Template deployment tab | + +**Features** + +| Feature | Effect when checked | +|---------|-------------------| +| Sim Mailer | Hides the Sim Mailer (Inbox) feature | +| Public API | Disables public API access for deployed workflows | + +**Logs** + +| Feature | Effect when checked | +|---------|-------------------| +| Trace Spans | Hides trace span details in execution logs | + +**Collaboration** + +| Feature | Effect when checked | +|---------|-------------------| +| Invitations | Disables the ability to invite new members to the workspace | + +### 4. Add members + +Open the group's **Details** view and add members by searching for users by name or email. Only users who already have workspace-level access can be added. A user can only belong to one group per workspace — adding a user to a new group within the same workspace removes them from their current group for that workspace. + +--- + +## Enforcement + +### Workflow execution + +Restrictions are enforced at the point of execution, not at save time. If a group's configuration changes after a workflow is built: + +- **Block restrictions:** Any workflow run that reaches a disallowed block halts immediately with an error. The workflow is not modified — only execution is blocked. +- **Model provider restrictions:** Any block or agent that uses a disallowed provider halts immediately with an error. +- **Tool restrictions (MCP, custom tools, skills):** Agents that use a disallowed tool type halt immediately with an error. + +This applies regardless of how the workflow is triggered — manually, via API, via schedule, or via webhook. + +### Mothership + +When a user opens Mothership, their permission group is read before any block or tool suggestions are made: + +- Blocks not in the allowed list are filtered out of the block picker entirely — they do not appear as options. +- If Mothership generates a workflow step that would use a disallowed tool (MCP, custom, or skills), that step is skipped and the reason is noted. + +--- + +## User membership rules + +- A user can belong to **at most one** permission group **per workspace**, but may be in different groups across different workspaces. +- Moving a user to a new group within a workspace automatically removes them from their previous group in that workspace. +- Users not assigned to any group in a workspace have no restrictions applied in that workspace (all blocks, providers, and features are available to them there). +- If **Auto-add new members** is enabled on a group, new members of that workspace are automatically placed in the group. Only one group per workspace can have this setting active. + +--- + + + +--- + +## Self-hosted setup + +Self-hosted deployments use environment variables instead of the billing/plan check. + +### Environment variables + +```bash +ACCESS_CONTROL_ENABLED=true +NEXT_PUBLIC_ACCESS_CONTROL_ENABLED=true +``` + +You can also set a server-level block allowlist using the `ALLOWED_INTEGRATIONS` environment variable. This is applied as an additional constraint on top of any permission group configuration — a block must be allowed by both the environment allowlist and the user's group to be usable. + +```bash +# Only these block types are available across the entire instance +ALLOWED_INTEGRATIONS=slack,gmail,agent,function,condition +``` + +Once enabled, permission groups are managed through **Settings → Enterprise → Access Control** the same way as Sim Cloud. diff --git a/apps/docs/content/docs/en/enterprise/audit-logs.mdx b/apps/docs/content/docs/en/enterprise/audit-logs.mdx new file mode 100644 index 00000000000..ebd9be41a19 --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/audit-logs.mdx @@ -0,0 +1,146 @@ +--- +title: Audit Logs +description: Track every action taken across your organization's workspaces +--- + +import { Callout } from 'fumadocs-ui/components/callout' +import { FAQ } from '@/components/ui/faq' +import { Image } from '@/components/ui/image' + +Audit logs give your organization a tamper-evident record of every significant action taken across workspaces — who did what, when, and on which resource. Use them for security reviews, compliance investigations, and incident response. + +--- + +## Viewing audit logs + +### In the UI + +Go to **Settings → Enterprise → Audit Logs** in your workspace. Logs are displayed in a table with the following columns: + + + +| Column | Description | +|--------|-------------| +| **Timestamp** | When the action occurred. | +| **Event** | The action taken, e.g. `workflow.created`. | +| **Description** | A human-readable summary of the action. | +| **Actor** | The email address of the user who performed the action. | + +Use the search bar, event type filter, and date range selector to narrow results. + +### Via API + +Audit logs are also accessible through the Sim API for integration with external SIEM or log management tools. + +```http +GET /api/v1/audit-logs +Authorization: Bearer +``` + +**Query parameters:** + +| Parameter | Type | Description | +|-----------|------|-------------| +| `action` | string | Filter by event type (e.g. `workflow.created`) | +| `resourceType` | string | Filter by resource type (e.g. `workflow`) | +| `resourceId` | string | Filter by a specific resource ID | +| `workspaceId` | string | Filter by workspace | +| `actorId` | string | Filter by user ID (must be an org member) | +| `startDate` | string | ISO 8601 date — return logs on or after this date | +| `endDate` | string | ISO 8601 date — return logs on or before this date | +| `includeDeparted` | boolean | Include logs from members who have since left the organization (default `false`) | +| `limit` | number | Results per page (1–100, default 50) | +| `cursor` | string | Opaque cursor for fetching the next page | + +**Example response:** + +```json +{ + "data": [ + { + "id": "abc123", + "action": "workflow.created", + "resourceType": "workflow", + "resourceId": "wf_xyz", + "resourceName": "Customer Onboarding", + "description": "Created workflow \"Customer Onboarding\"", + "actorId": "usr_abc", + "actorName": "Alice Smith", + "actorEmail": "alice@company.com", + "workspaceId": "ws_def", + "metadata": {}, + "createdAt": "2026-04-20T21:16:00.000Z" + } + ], + "nextCursor": "eyJpZCI6ImFiYzEyMyJ9" +} +``` + +Paginate by passing the `nextCursor` value as the `cursor` parameter in the next request. When `nextCursor` is absent, you have reached the last page. + + + The API accepts both personal and workspace-scoped API keys. Rate limits apply — the response includes `X-RateLimit-*` headers with your current limit and remaining quota. + + +--- + +## Event types + +Audit log events follow a `resource.action` naming pattern. The table below lists the main categories. + +| Category | Example events | +|----------|---------------| +| **Workflows** | `workflow.created`, `workflow.deleted`, `workflow.deployed`, `workflow.locked` | +| **Workspaces** | `workspace.created`, `workspace.updated`, `workspace.deleted` | +| **Members** | `member.invited`, `member.removed`, `member.role_changed` | +| **Permission groups** | `permission_group.created`, `permission_group.updated`, `permission_group.deleted` | +| **Environments** | `environment.updated`, `environment.deleted` | +| **Knowledge bases** | `knowledge_base.created`, `knowledge_base.deleted`, `connector.synced` | +| **Tables** | `table.created`, `table.updated`, `table.deleted` | +| **API keys** | `api_key.created`, `api_key.revoked` | +| **Credentials** | `credential.created`, `credential.deleted`, `oauth.disconnected` | +| **Organization** | `organization.updated`, `org_member.added`, `org_member.role_changed` | + +--- + + + +--- + +## Self-hosted setup + +Self-hosted deployments use environment variables instead of the billing/plan check. + +### Environment variables + +```bash +AUDIT_LOGS_ENABLED=true +NEXT_PUBLIC_AUDIT_LOGS_ENABLED=true +``` + +Once enabled, audit logs are viewable in **Settings → Enterprise → Audit Logs** and accessible via the API. diff --git a/apps/docs/content/docs/en/enterprise/data-retention.mdx b/apps/docs/content/docs/en/enterprise/data-retention.mdx new file mode 100644 index 00000000000..2590d324089 --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/data-retention.mdx @@ -0,0 +1,131 @@ +--- +title: Data Retention +description: Control how long execution logs, deleted resources, and copilot data are kept before permanent deletion +--- + +import { Callout } from 'fumadocs-ui/components/callout' +import { FAQ } from '@/components/ui/faq' +import { Image } from '@/components/ui/image' + +Data Retention lets workspace admins on Enterprise plans configure how long three categories of data are kept before they are permanently deleted. Each workspace in your organization can have its own independent configuration. + +--- + +## Setup + +Go to **Settings → Enterprise → Data Retention** in your workspace. + + + +You will see three independent settings, each with the same set of options: **1 day, 3 days, 7 days, 14 days, 30 days, 60 days, 90 days, 180 days, 1 year, 5 years,** or **Forever**. + +Setting a period to **Forever** means that category of data is never automatically deleted. + +--- + +## Settings + +### Log retention + +Controls how long **workflow execution logs** are kept. + +When the retention period expires, execution log records are permanently deleted, along with any files associated with those executions stored in cloud storage. + +### Soft deletion cleanup + +Controls how long **soft-deleted resources** remain recoverable before permanent removal. + +When you delete a workflow, folder, knowledge base, table, or file, it is initially soft-deleted and can be recovered from Recently Deleted. Once the soft deletion cleanup period expires, those resources are permanently removed and cannot be recovered. + +Resources covered: + +- Workflows +- Workflow folders +- Knowledge bases +- Tables +- Files +- MCP server configurations +- Agent memory + +### Task cleanup + +Controls how long **Mothership data** is kept, including: + +- Copilot chats and run history +- Run checkpoints and async tool calls +- Inbox tasks (Sim Mailer) + + + Each setting is independent. You can configure a short log retention period alongside a long soft deletion cleanup period, or set any combination that fits your compliance requirements. + + +--- + +## Per-workspace configuration + +Retention is configured at the **workspace level**, not organization-wide. Each workspace in your organization can have a different configuration. Changes to one workspace's settings do not affect other workspaces. + +--- + +## Plan defaults + +Non-enterprise workspaces use the following automatic defaults. These cannot be changed. + +| Setting | Free | Pro | Team | +|---------|------|-----|------| +| Log retention | 30 days | Not configured | Not configured | +| Soft deletion cleanup | 30 days | 90 days | 90 days | +| Task cleanup | Not configured | Not configured | Not configured | + +"Not configured" means that category of data is not automatically deleted on that plan. + +Enterprise workspaces have no defaults — retention only runs for a setting once you configure it. Until configured, that category of data is not automatically deleted. + + + On Enterprise, setting a period to **Forever** explicitly keeps data indefinitely. Leaving a setting unconfigured has the same effect, but setting it to Forever makes the intent explicit and allows you to change it later without needing to save from scratch. + + +--- + + + +--- + +## Self-hosted setup + +### Environment variables + +```bash +NEXT_PUBLIC_DATA_RETENTION_ENABLED=true +``` + +Once enabled, data retention settings are configurable through **Settings → Enterprise → Data Retention** the same way as Sim Cloud. diff --git a/apps/docs/content/docs/en/enterprise/index.mdx b/apps/docs/content/docs/en/enterprise/index.mdx index 0cd2aa9dbae..a4a7aff19bf 100644 --- a/apps/docs/content/docs/en/enterprise/index.mdx +++ b/apps/docs/content/docs/en/enterprise/index.mdx @@ -12,7 +12,7 @@ Sim Enterprise provides advanced features for organizations with enhanced securi ## Access Control -Define permission groups to control what features and integrations team members can use. +Define permission groups on a workspace to control what features and integrations its members can use. Permission groups are scoped to a single workspace — a user can belong to different groups (or no group) in different workspaces. ### Features @@ -22,38 +22,21 @@ Define permission groups to control what features and integrations team members ### Setup -1. Navigate to **Settings** → **Access Control** in your workspace +1. Navigate to **Settings** → **Access Control** in the workspace you want to manage 2. Create a permission group with your desired restrictions -3. Add team members to the permission group +3. Add workspace members to the permission group - Users not assigned to any permission group have full access. Permission restrictions are enforced at both UI and execution time. + Any workspace admin on an Enterprise-entitled workspace can manage permission groups. Users not assigned to any group have full access. Permission restrictions are enforced at both UI and execution time, and apply to workflows based on the workflow's workspace. --- ## Single Sign-On (SSO) -Enterprise authentication with SAML 2.0 and OIDC support for centralized identity management. +Enterprise authentication with SAML 2.0 and OIDC support. Works with Okta, Azure AD (Entra ID), Google Workspace, ADFS, and any standard OIDC or SAML 2.0 provider. -### Supported Providers - -- Okta -- Azure AD / Entra ID -- Google Workspace -- OneLogin -- Any SAML 2.0 or OIDC provider - -### Setup - -1. Navigate to **Settings** → **SSO** in your workspace -2. Choose your identity provider -3. Configure the connection using your IdP's metadata -4. Enable SSO for your organization - - - Once SSO is enabled, team members authenticate through your identity provider instead of email/password. - +See the [SSO setup guide](/docs/enterprise/sso) for step-by-step instructions and provider-specific configuration. --- @@ -110,7 +93,7 @@ curl -X DELETE "https://your-instance/api/v1/admin/workspaces/{workspaceId}/memb ### Notes -- Enabling `ACCESS_CONTROL_ENABLED` automatically enables organizations, as access control requires organization membership. +- Access Control is scoped per workspace. Set `ACCESS_CONTROL_ENABLED` and `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` to enable it on every workspace in a self-hosted deployment, bypassing the Enterprise plan check. - When `DISABLE_INVITATIONS` is set, users cannot send invitations. Use the Admin API to manage workspace and organization memberships instead. diff --git a/apps/docs/content/docs/en/enterprise/meta.json b/apps/docs/content/docs/en/enterprise/meta.json new file mode 100644 index 00000000000..05e1a74e09b --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/meta.json @@ -0,0 +1,5 @@ +{ + "title": "Enterprise", + "pages": ["index", "sso", "access-control", "whitelabeling", "audit-logs", "data-retention"], + "defaultOpen": false +} diff --git a/apps/docs/content/docs/en/enterprise/sso.mdx b/apps/docs/content/docs/en/enterprise/sso.mdx new file mode 100644 index 00000000000..8cc264d7dce --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/sso.mdx @@ -0,0 +1,340 @@ +--- +title: Single Sign-On (SSO) +description: Configure SAML 2.0 or OIDC-based single sign-on for your organization +--- + +import { Callout } from 'fumadocs-ui/components/callout' +import { Tab, Tabs } from 'fumadocs-ui/components/tabs' +import { FAQ } from '@/components/ui/faq' +import { Image } from '@/components/ui/image' + +Single Sign-On lets your team sign in to Sim through your company's identity provider instead of managing separate passwords. Sim supports both OIDC and SAML 2.0. + +--- + +## Setup + +### 1. Open SSO settings + +Go to **Settings → Enterprise → Single Sign-On** in your workspace. + +### 2. Choose a protocol + +| Protocol | Use when | +|----------|----------| +| **OIDC** | Your IdP supports OpenID Connect — Okta, Microsoft Entra ID, Auth0, Google Workspace | +| **SAML 2.0** | Your IdP is SAML-only — ADFS, Shibboleth, or older enterprise IdPs | + +### 3. Fill in the form + + + +**Fields required for both protocols:** + +| Field | What to enter | +|-------|--------------| +| **Provider ID** | A short slug identifying this connection, e.g. `okta` or `azure-ad`. Letters, numbers, and dashes only. | +| **Issuer URL** | The identity provider's issuer URL. Must be HTTPS. | +| **Domain** | Your organization's email domain, e.g. `company.com`. Users with this domain will be routed through SSO at sign-in. | + +**OIDC additional fields:** + +| Field | What to enter | +|-------|--------------| +| **Client ID** | The application client ID from your IdP. | +| **Client Secret** | The client secret from your IdP. | +| **Scopes** | Comma-separated OIDC scopes. Default: `openid,profile,email`. | + + + For OIDC, Sim automatically fetches endpoints (`authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`, `jwks_uri`) from your issuer's `/.well-known/openid-configuration` discovery document. You only need to provide the issuer URL. + + +**SAML additional fields:** + +| Field | What to enter | +|-------|--------------| +| **Entry Point URL** | The IdP's SSO service URL where Sim sends authentication requests. | +| **Identity Provider Certificate** | The Base-64 encoded X.509 certificate from your IdP for verifying assertions. | + +### 4. Copy the Callback URL + +The **Callback URL** shown in the form is the endpoint your identity provider must redirect users back to after authentication. Copy it and register it in your IdP before saving. + +**OIDC providers** (Okta, Microsoft Entra ID, Google Workspace, Auth0): +``` +https://simstudio.ai/api/auth/sso/callback/{provider-id} +``` + +**SAML providers** (ADFS, Shibboleth): +``` +https://simstudio.ai/api/auth/sso/saml2/callback/{provider-id} +``` + +For self-hosted, replace `simstudio.ai` with your instance hostname. + +### 5. Save and test + +Click **Save**. To test, sign out and use the **Sign in with SSO** button on the login page. Enter an email address at your configured domain — Sim will redirect you to your identity provider. + +--- + +## Provider Guides + + + + + +### Okta (OIDC) + +**In Okta** ([official docs](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm)): + +1. Go to **Applications → Create App Integration** +2. Select **OIDC - OpenID Connect**, then **Web Application** +3. Set the **Sign-in redirect URI** to your Sim callback URL: + ``` + https://simstudio.ai/api/auth/sso/callback/okta + ``` +4. Under **Assignments**, grant access to the relevant users or groups +5. Copy the **Client ID** and **Client Secret** from the app's **General** tab +6. Your Okta domain is the hostname of your admin console, e.g. `dev-1234567.okta.com` + +**In Sim:** + +| Field | Value | +|-------|-------| +| Provider Type | OIDC | +| Provider ID | `okta` | +| Issuer URL | `https://dev-1234567.okta.com/oauth2/default` | +| Domain | `company.com` | +| Client ID | From Okta app | +| Client Secret | From Okta app | + + + The issuer URL uses Okta's default authorization server (`/oauth2/default`), which is pre-configured on every Okta org. If you created a custom authorization server, replace `default` with your server name. + + + + + + +### Microsoft Entra ID (OIDC) + +**In Azure** ([official docs](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)): + +1. Go to **Microsoft Entra ID → App registrations → New registration** +2. Under **Redirect URI**, select **Web** and enter your Sim callback URL: + ``` + https://simstudio.ai/api/auth/sso/callback/azure-ad + ``` +3. After registration, go to **Certificates & secrets → New client secret** and copy the value immediately — it won't be shown again +4. Go to **Overview** and copy the **Application (client) ID** and **Directory (tenant) ID** + +**In Sim:** + +| Field | Value | +|-------|-------| +| Provider Type | OIDC | +| Provider ID | `azure-ad` | +| Issuer URL | `https://login.microsoftonline.com/{tenant-id}/v2.0` | +| Domain | `company.com` | +| Client ID | Application (client) ID | +| Client Secret | Secret value | + + + Replace `{tenant-id}` with your Directory (tenant) ID from the app's Overview page. Sim auto-discovers token and JWKS endpoints from the issuer. + + + + + + +### Google Workspace (OIDC) + +**In Google Cloud Console** ([official docs](https://developers.google.com/identity/openid-connect/openid-connect)): + +1. Go to **APIs & Services → Credentials → Create Credentials → OAuth 2.0 Client ID** +2. Set the application type to **Web application** +3. Add your Sim callback URL to **Authorized redirect URIs**: + ``` + https://simstudio.ai/api/auth/sso/callback/google-workspace + ``` +4. Copy the **Client ID** and **Client Secret** + +**In Sim:** + +| Field | Value | +|-------|-------| +| Provider Type | OIDC | +| Provider ID | `google-workspace` | +| Issuer URL | `https://accounts.google.com` | +| Domain | `company.com` | +| Client ID | From Google Cloud Console | +| Client Secret | From Google Cloud Console | + + + To restrict sign-in to your Google Workspace domain, configure the OAuth consent screen and ensure your app is set to **Internal** (Workspace users only) under **User type**. Setting the app to Internal limits access to users within your Google Workspace organization. + + + + + + +### ADFS (SAML 2.0) + +**In ADFS** ([official docs](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust)): + +1. Open **AD FS Management → Relying Party Trusts → Add Relying Party Trust** +2. Choose **Claims aware**, then **Enter data about the relying party manually** +3. Set the **Relying party identifier** (Entity ID) to your Sim base URL: + ``` + https://simstudio.ai + ``` + For self-hosted, use your instance's base URL (e.g. `https://sim.company.com`) +4. Add an endpoint: **SAML Assertion Consumer Service** (HTTP POST) with the URL: + ``` + https://simstudio.ai/api/auth/sso/saml2/callback/adfs + ``` + For self-hosted: `https://sim.company.com/api/auth/sso/saml2/callback/adfs` +5. Export the **Token-signing certificate** from **Certificates**: right-click → **View Certificate → Details → Copy to File**, choose **Base-64 encoded X.509 (.CER)**. The `.cer` file is PEM-encoded — rename it to `.pem` before pasting its contents into Sim. +6. Note the **ADFS Federation Service endpoint URL** (e.g. `https://adfs.company.com/adfs/ls`) + +**In Sim:** + +| Field | Value | +|-------|-------| +| Provider Type | SAML | +| Provider ID | `adfs` | +| Issuer URL | `https://simstudio.ai` | +| Domain | `company.com` | +| Entry Point URL | `https://adfs.company.com/adfs/ls` | +| Certificate | Contents of the `.pem` file | + + + For ADFS, the **Issuer URL** field is the SP entity ID — the identifier ADFS uses to identify Sim as a relying party. It must match the **Relying party identifier** you registered in ADFS. + + + + + + +--- + +## How sign-in works after setup + +Once SSO is configured, users with your domain (`company.com`) can sign in through your identity provider: + +1. User goes to `simstudio.ai` and clicks **Sign in with SSO** +2. They enter their work email (e.g. `alice@company.com`) +3. Sim redirects them to your identity provider +4. After authenticating, they are returned to Sim and added to your organization automatically +5. They land in the workspace + +Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required. + + + Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported. + + + + **Self-hosted:** Automatic organization provisioning requires `ORGANIZATIONS_ENABLED=true` in addition to `SSO_ENABLED=true`. Without it, SSO authentication still works — users get a valid session — but they are not automatically added to an organization. + + +--- + + + +--- + +## Self-hosted setup + +Self-hosted deployments use environment variables instead of the billing/plan check. + +### Environment variables + +```bash +# Required +SSO_ENABLED=true +NEXT_PUBLIC_SSO_ENABLED=true + +# Required if you want users auto-added to your organization on first SSO sign-in +ORGANIZATIONS_ENABLED=true +NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true +``` + +You can register providers through the **Settings UI** (same as cloud) or by running the registration script directly against your database. + +### Script-based registration + +Use this when you need to register an SSO provider without going through the UI — for example, during initial deployment or CI/CD automation. + +```bash +# OIDC example (Okta) +SSO_ENABLED=true \ +NEXT_PUBLIC_APP_URL=https://your-instance.com \ +SSO_PROVIDER_TYPE=oidc \ +SSO_PROVIDER_ID=okta \ +SSO_ISSUER=https://dev-1234567.okta.com/oauth2/default \ +SSO_DOMAIN=company.com \ +SSO_USER_EMAIL=admin@company.com \ +SSO_OIDC_CLIENT_ID=your-client-id \ +SSO_OIDC_CLIENT_SECRET=your-client-secret \ +bun run packages/db/scripts/register-sso-provider.ts +``` + +```bash +# SAML example (ADFS) +SSO_ENABLED=true \ +NEXT_PUBLIC_APP_URL=https://your-instance.com \ +SSO_PROVIDER_TYPE=saml \ +SSO_PROVIDER_ID=adfs \ +SSO_ISSUER=https://your-instance.com \ +SSO_DOMAIN=company.com \ +SSO_USER_EMAIL=admin@company.com \ +SSO_SAML_ENTRY_POINT=https://adfs.company.com/adfs/ls \ +SSO_SAML_CERT="-----BEGIN CERTIFICATE----- +... +-----END CERTIFICATE-----" \ +bun run packages/db/scripts/register-sso-provider.ts +``` + +The script outputs the callback URL to configure in your IdP once it completes. + +To remove a provider: + +```bash +SSO_USER_EMAIL=admin@company.com \ +bun run packages/db/scripts/deregister-sso-provider.ts +``` diff --git a/apps/docs/content/docs/en/enterprise/whitelabeling.mdx b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx new file mode 100644 index 00000000000..a4c5f527f2f --- /dev/null +++ b/apps/docs/content/docs/en/enterprise/whitelabeling.mdx @@ -0,0 +1,106 @@ +--- +title: Whitelabeling +description: Replace Sim branding with your own logo, colors, and links +--- + +import { Callout } from 'fumadocs-ui/components/callout' +import { FAQ } from '@/components/ui/faq' +import { Image } from '@/components/ui/image' + +Whitelabeling lets you replace Sim's default branding — logo, colors, and support links — with your own. Members of your organization see your brand instead of Sim's throughout the workspace. + +--- + +## Setup + +### 1. Open Whitelabeling settings + +Go to **Settings → Enterprise → Whitelabeling** in your workspace. + + + +### 2. Configure brand identity + +| Field | Description | +|-------|-------------| +| **Logo** | Shown in the collapsed sidebar. Square image (PNG, JPEG, SVG, or WebP). Max 5 MB. | +| **Wordmark** | Shown in the expanded sidebar. Wide image (PNG, JPEG, SVG, or WebP). Max 5 MB. | +| **Brand name** | Replaces "Sim" in the sidebar and select UI elements. Max 64 characters. | + + +### 3. Configure colors + +All colors must be valid hex values (e.g. `#701ffc`). + +| Field | Description | +|-------|-------------| +| **Primary color** | Main accent color used for buttons and active states. | +| **Primary hover color** | Color shown when hovering over primary elements. | +| **Accent color** | Secondary accent for highlights and secondary interactive elements. | +| **Accent hover color** | Color shown when hovering over accent elements. | + +### 4. Configure links + +Replace Sim's default support and legal links with your own. + +| Field | Description | +|-------|-------------| +| **Support email** | Shown in help prompts. Must be a valid email address. | +| **Documentation URL** | Link to your internal documentation. Must be a valid URL. | +| **Terms of service URL** | Link to your terms page. Must be a valid URL. | +| **Privacy policy URL** | Link to your privacy page. Must be a valid URL. | + +### 5. Save + +Click **Save changes**. The new branding is applied immediately for all members of your organization. + +--- + +## What gets replaced + +Whitelabeling replaces the following visual elements: + +- **Sidebar logo and wordmark** — your uploaded images replace the Sim logo +- **Brand name** — appears in the sidebar and select UI labels +- **Primary and accent colors** — applied to buttons, active states, and highlights +- **Support and legal links** — help prompts and footer links point to your URLs + + + Whitelabeling applies only to members of your organization. Public-facing pages (login, marketing) are not affected. + + +--- + + + +--- + +## Self-hosted setup + +Self-hosted deployments use environment variables instead of the billing/plan check. + +### Environment variables + +```bash +WHITELABELING_ENABLED=true +NEXT_PUBLIC_WHITELABELING_ENABLED=true +``` + +Once enabled, configure branding through **Settings → Enterprise → Whitelabeling** the same way as Sim Cloud. diff --git a/apps/docs/content/docs/en/execution/costs.mdx b/apps/docs/content/docs/en/execution/costs.mdx index b32530febe6..3028a79f983 100644 --- a/apps/docs/content/docs/en/execution/costs.mdx +++ b/apps/docs/content/docs/en/execution/costs.mdx @@ -308,6 +308,17 @@ By default, your usage is capped at the credits included in your plan. To allow ## Plan Limits +### Workspaces + +| Plan | Personal Workspaces | Shared (Organization) Workspaces | +|------|---------------------|----------------------------------| +| **Free** | 1 | — | +| **Pro** | Up to 3 | — | +| **Max** | Up to 10 | — | +| **Team / Enterprise** | Unlimited | Unlimited | + +Team and Enterprise plans unlock shared workspaces that belong to your organization. Members invited to a shared workspace automatically join the organization and count toward your seat total. When a Team or Enterprise subscription is cancelled or downgraded, existing shared workspaces remain accessible to current members but new invites are disabled until the organization is upgraded again. + ### Rate Limits | Plan | Sync (req/min) | Async (req/min) | diff --git a/apps/docs/content/docs/en/mcp/index.mdx b/apps/docs/content/docs/en/mcp/index.mdx index 7ab67e4880f..50b731e0d26 100644 --- a/apps/docs/content/docs/en/mcp/index.mdx +++ b/apps/docs/content/docs/en/mcp/index.mdx @@ -220,6 +220,6 @@ import { FAQ } from '@/components/ui/faq' { question: "Who can configure MCP servers in a workspace?", answer: "Users with Write permission can configure (add and update) MCP servers in workspace settings. Only Admin permission is required to delete MCP servers. Users with Read permission can view available MCP tools and execute them in agents and MCP Tool blocks. This means all workspace members with at least Read access can use MCP tools in their workflows." }, { question: "Can I use MCP servers from multiple workspaces?", answer: "MCP servers are configured per workspace. Each workspace maintains its own set of MCP server connections. If you need the same MCP server in multiple workspaces, you need to configure it separately in each workspace's settings." }, { question: "How do I update MCP tool schemas after a server changes its available tools?", answer: "Click the Refresh button on the MCP server in your workspace settings. This fetches the latest tool schemas from the server and automatically updates any agent blocks that use those tools with the new parameter definitions." }, - { question: "Can permission groups restrict access to MCP tools?", answer: "Yes. Organization admins can create permission groups that disable MCP tools for specific members using the disableMcpTools configuration option. When this is enabled, affected users will not be able to add or use MCP tools in their workflows." }, + { question: "Can permission groups restrict access to MCP tools?", answer: "Yes. On Enterprise-entitled workspaces, any workspace admin can create a permission group that disables MCP tools for its members using the disableMcpTools option. When this is enabled, affected users will not be able to add or use MCP tools in workflows that belong to that workspace." }, { question: "What happens if an MCP server goes offline during workflow execution?", answer: "If the MCP server is unreachable during execution, the tool call will fail and return an error. In an Agent block, the AI may attempt to handle the failure gracefully. In a standalone MCP Tool block, the workflow step will fail. Check MCP server logs and verify the server is running and accessible to troubleshoot connectivity issues." }, ]} /> \ No newline at end of file diff --git a/apps/docs/content/docs/en/meta.json b/apps/docs/content/docs/en/meta.json index 24eb6eba869..b0446caab8f 100644 --- a/apps/docs/content/docs/en/meta.json +++ b/apps/docs/content/docs/en/meta.json @@ -25,7 +25,7 @@ "execution", "permissions", "self-hosting", - "./enterprise/index", + "enterprise", "./keyboard-shortcuts/index" ], "defaultOpen": false diff --git a/apps/docs/content/docs/en/permissions/roles-and-permissions.mdx b/apps/docs/content/docs/en/permissions/roles-and-permissions.mdx index daf9bd0847d..fb048651eab 100644 --- a/apps/docs/content/docs/en/permissions/roles-and-permissions.mdx +++ b/apps/docs/content/docs/en/permissions/roles-and-permissions.mdx @@ -2,10 +2,31 @@ title: "Roles and Permissions" --- +import { Callout } from 'fumadocs-ui/components/callout' import { Video } from '@/components/ui/video' When you invite team members to your organization or workspace, you'll need to choose what level of access to give them. This guide explains what each permission level allows users to do, helping you understand team roles and what access each permission level provides. +## Workspaces and Organizations + +Sim has two kinds of workspaces: + +- **Personal workspaces** live under your individual account. The number you can create depends on your plan. +- **Shared (organization) workspaces** live under an organization and are available on Team and Enterprise plans. Any organization Owner or Admin can create them. Members invited to a shared workspace automatically join the organization and count toward your seat total. + +### Workspace Limits by Plan + +| Plan | Personal Workspaces | Shared Workspaces | +|------|---------------------|-------------------| +| **Free** | 1 | — | +| **Pro** | Up to 3 | — | +| **Max** | Up to 10 | — | +| **Team / Enterprise** | Unlimited | Unlimited (seat-gated invites) | + + + When a Team or Enterprise subscription is cancelled or downgraded, existing shared workspaces stay accessible to current members. New invitations are blocked until the organization is upgraded again. + + ## How to Invite Someone to a Workspace
@@ -88,6 +109,10 @@ Every workspace has one **Owner** (the person who created it) plus any number of - Can do everything except delete the workspace or remove the owner - Can be removed from the workspace by the owner or other admins + + For shared (organization) workspaces, the organization's Owner and Admins are treated as Admins of every workspace in the organization, even without an explicit per-workspace invite. + + --- ## Common Scenarios @@ -145,28 +170,41 @@ Periodically review who has access to what, especially when team members change ## Organization Roles -When inviting someone to your organization, you can assign one of two roles: +An organization has three roles: **Owner**, **Admin**, and **Member**. + +### Organization Owner +**What they can do:** +- Everything an Admin can do +- Transfer organization ownership to another user +- Only one Owner exists per organization ### Organization Admin **What they can do:** - Invite and remove team members from the organization -- Create new workspaces -- Manage billing and subscription settings -- Access all workspaces within the organization +- Create new shared workspaces under the organization +- Manage billing, seat count, and subscription settings +- Access all shared workspaces within the organization as a workspace Admin +- Promote members to Admin or demote Admins to Member + + + Owners and Admins have the same day-to-day permissions. The only action reserved for the Owner is transferring ownership. + ### Organization Member **What they can do:** -- Access workspaces they've been specifically invited to +- Access shared workspaces they've been specifically invited to - View the list of organization members -- Cannot invite new people or manage organization settings +- Cannot invite new people, create shared workspaces, or manage organization settings import { FAQ } from '@/components/ui/faq' \ No newline at end of file diff --git a/apps/docs/content/docs/en/skills/index.mdx b/apps/docs/content/docs/en/skills/index.mdx index 611841db370..73a01f9ad4f 100644 --- a/apps/docs/content/docs/en/skills/index.mdx +++ b/apps/docs/content/docs/en/skills/index.mdx @@ -140,7 +140,7 @@ import { FAQ } from '@/components/ui/faq' { question: "How does the agent decide when to load a skill?", answer: "The agent sees an available_skills section in its system prompt listing each skill's name and description. When the agent determines that a skill is relevant to the current task, it calls the load_skill tool with the skill name. The full skill content is then returned as a tool response. This is why writing a specific, keyword-rich description is critical -- it is the only thing the agent reads before deciding whether to activate a skill." }, { question: "Do skills work with all LLM providers?", answer: "Yes. The load_skill mechanism uses standard tool-calling, which is supported by all LLM providers in Sim. No provider-specific configuration is needed. The skill system works the same way whether you are using Anthropic, OpenAI, Google, or any other supported provider." }, { question: "When should I use skills vs. agent instructions?", answer: "Use skills for knowledge that applies across multiple workflows or changes frequently. Skills are reusable packages that can be attached to any agent. Use agent instructions for task-specific context that is unique to a single agent and workflow. If you find yourself copying the same instructions into multiple agents, that content should be a skill instead." }, - { question: "Can permission groups disable skills for certain users?", answer: "Yes. Organization admins can create permission groups with the disableSkills option enabled. When a user is assigned to such a permission group, the skills dropdown in agent blocks will be disabled and they will not be able to add or use skills in their workflows." }, + { question: "Can permission groups disable skills for certain users?", answer: "Yes. On Enterprise-entitled workspaces, any workspace admin can create a permission group with the disableSkills option enabled. When a user is assigned to such a group in a workspace, the skills dropdown in agent blocks is disabled and they cannot add or use skills in workflows belonging to that workspace." }, { question: "What is the recommended maximum length for skill content?", answer: "Keep skills focused and under 500 lines. If a skill grows too large, split it into multiple specialized skills. Shorter, focused skills are more effective because the agent can load exactly what it needs. A broad skill with too much content can overwhelm the agent and reduce the quality of its responses." }, { question: "Where do I create and manage skills?", answer: "Go to Settings and select Skills under the Tools section. From there you can add new skills with a name (kebab-case identifier, max 64 characters), description (max 1024 characters), and content (full instructions in markdown). You can also edit or delete existing skills from this page." }, ]} /> diff --git a/apps/docs/content/docs/en/tools/cloudwatch.mdx b/apps/docs/content/docs/en/tools/cloudwatch.mdx index 1fc1b19ea75..af0fc0a2b0e 100644 --- a/apps/docs/content/docs/en/tools/cloudwatch.mdx +++ b/apps/docs/content/docs/en/tools/cloudwatch.mdx @@ -57,9 +57,12 @@ Run a CloudWatch Log Insights query against one or more log groups | Parameter | Type | Description | | --------- | ---- | ----------- | -| `results` | array | Query result rows | -| `statistics` | object | Query statistics \(bytesScanned, recordsMatched, recordsScanned\) | -| `status` | string | Query completion status | +| `results` | array | Query result rows \(each row is a key/value map of field name to value\) | +| `statistics` | object | Query statistics | +| ↳ `bytesScanned` | number | Total bytes of log data scanned | +| ↳ `recordsMatched` | number | Number of log records that matched the query | +| ↳ `recordsScanned` | number | Total log records scanned | +| `status` | string | Query completion status \(Complete, Failed, Cancelled, or Timeout\) | ### `cloudwatch_describe_log_groups` @@ -80,6 +83,11 @@ List available CloudWatch log groups | Parameter | Type | Description | | --------- | ---- | ----------- | | `logGroups` | array | List of CloudWatch log groups with metadata | +| ↳ `logGroupName` | string | Log group name | +| ↳ `arn` | string | Log group ARN | +| ↳ `storedBytes` | number | Total stored bytes | +| ↳ `retentionInDays` | number | Retention period in days \(if set\) | +| ↳ `creationTime` | number | Creation time in epoch milliseconds | ### `cloudwatch_get_log_events` @@ -103,6 +111,9 @@ Retrieve log events from a specific CloudWatch log stream | Parameter | Type | Description | | --------- | ---- | ----------- | | `events` | array | Log events with timestamp, message, and ingestion time | +| ↳ `timestamp` | number | Event timestamp in epoch milliseconds | +| ↳ `message` | string | Log event message | +| ↳ `ingestionTime` | number | Ingestion time in epoch milliseconds | ### `cloudwatch_describe_log_streams` @@ -123,7 +134,12 @@ List log streams within a CloudWatch log group | Parameter | Type | Description | | --------- | ---- | ----------- | -| `logStreams` | array | List of log streams with metadata | +| `logStreams` | array | List of log streams with metadata, sorted by last event time \(most recent first\) unless a prefix filter is applied | +| ↳ `logStreamName` | string | Log stream name | +| ↳ `lastEventTimestamp` | number | Timestamp of the last log event in epoch milliseconds | +| ↳ `firstEventTimestamp` | number | Timestamp of the first log event in epoch milliseconds | +| ↳ `creationTime` | number | Stream creation time in epoch milliseconds | +| ↳ `storedBytes` | number | Total stored bytes | ### `cloudwatch_list_metrics` @@ -146,6 +162,9 @@ List available CloudWatch metrics | Parameter | Type | Description | | --------- | ---- | ----------- | | `metrics` | array | List of metrics with namespace, name, and dimensions | +| ↳ `namespace` | string | Metric namespace \(e.g., AWS/EC2\) | +| ↳ `metricName` | string | Metric name \(e.g., CPUUtilization\) | +| ↳ `dimensions` | array | Array of name/value dimension pairs | ### `cloudwatch_get_metric_statistics` @@ -170,8 +189,15 @@ Get statistics for a CloudWatch metric over a time range | Parameter | Type | Description | | --------- | ---- | ----------- | -| `label` | string | Metric label | -| `datapoints` | array | Datapoints with timestamp and statistics values | +| `label` | string | Metric label returned by CloudWatch | +| `datapoints` | array | Datapoints sorted by timestamp with statistics values | +| ↳ `timestamp` | number | Datapoint timestamp in epoch milliseconds | +| ↳ `average` | number | Average statistic value | +| ↳ `sum` | number | Sum statistic value | +| ↳ `minimum` | number | Minimum statistic value | +| ↳ `maximum` | number | Maximum statistic value | +| ↳ `sampleCount` | number | Sample count statistic value | +| ↳ `unit` | string | Unit of the metric | ### `cloudwatch_put_metric_data` @@ -222,5 +248,13 @@ List and filter CloudWatch alarms | Parameter | Type | Description | | --------- | ---- | ----------- | | `alarms` | array | List of CloudWatch alarms with state and configuration | +| ↳ `alarmName` | string | Alarm name | +| ↳ `alarmArn` | string | Alarm ARN | +| ↳ `stateValue` | string | Current state \(OK, ALARM, INSUFFICIENT_DATA\) | +| ↳ `stateReason` | string | Human-readable reason for the state | +| ↳ `metricName` | string | Metric name \(MetricAlarm only\) | +| ↳ `namespace` | string | Metric namespace \(MetricAlarm only\) | +| ↳ `threshold` | number | Threshold value \(MetricAlarm only\) | +| ↳ `stateUpdatedTimestamp` | number | Epoch ms when state last changed | diff --git a/apps/docs/content/docs/en/tools/dynamodb.mdx b/apps/docs/content/docs/en/tools/dynamodb.mdx index 36bc79f6f04..3d37f479dba 100644 --- a/apps/docs/content/docs/en/tools/dynamodb.mdx +++ b/apps/docs/content/docs/en/tools/dynamodb.mdx @@ -1,6 +1,6 @@ --- title: Amazon DynamoDB -description: Connect to Amazon DynamoDB +description: Get, put, query, scan, update, and delete items in Amazon DynamoDB tables --- import { BlockInfoCard } from "@/components/ui/block-info-card" @@ -55,7 +55,7 @@ Get an item from a DynamoDB table by primary key | `accessKeyId` | string | Yes | AWS access key ID | | `secretAccessKey` | string | Yes | AWS secret access key | | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | -| `key` | object | Yes | Primary key of the item to retrieve \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | +| `key` | json | Yes | Primary key of the item to retrieve \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | | `consistentRead` | boolean | No | Use strongly consistent read | #### Output @@ -63,7 +63,7 @@ Get an item from a DynamoDB table by primary key | Parameter | Type | Description | | --------- | ---- | ----------- | | `message` | string | Operation status message | -| `item` | object | Retrieved item | +| `item` | json | Retrieved item | ### `dynamodb_put` @@ -77,14 +77,17 @@ Put an item into a DynamoDB table | `accessKeyId` | string | Yes | AWS access key ID | | `secretAccessKey` | string | Yes | AWS secret access key | | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | -| `item` | object | Yes | Item to put into the table \(e.g., \{"pk": "USER#123", "name": "John", "email": "john@example.com"\}\) | +| `item` | json | Yes | Item to put into the table \(e.g., \{"pk": "USER#123", "name": "John", "email": "john@example.com"\}\) | +| `conditionExpression` | string | No | Condition that must be met for the put to succeed \(e.g., "attribute_not_exists\(pk\)" to prevent overwrites\) | +| `expressionAttributeNames` | json | No | Attribute name mappings for reserved words used in conditionExpression \(e.g., \{"#name": "name"\}\) | +| `expressionAttributeValues` | json | No | Expression attribute values used in conditionExpression \(e.g., \{":expected": "value"\}\) | #### Output | Parameter | Type | Description | | --------- | ---- | ----------- | | `message` | string | Operation status message | -| `item` | object | Created item | +| `item` | json | Created item | ### `dynamodb_query` @@ -100,10 +103,12 @@ Query items from a DynamoDB table using key conditions | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | | `keyConditionExpression` | string | Yes | Key condition expression \(e.g., "pk = :pk" or "pk = :pk AND sk BEGINS_WITH :prefix"\) | | `filterExpression` | string | No | Filter expression for results \(e.g., "age > :minAge AND #status = :status"\) | -| `expressionAttributeNames` | object | No | Attribute name mappings for reserved words \(e.g., \{"#status": "status"\}\) | -| `expressionAttributeValues` | object | No | Expression attribute values \(e.g., \{":pk": "USER#123", ":minAge": 18\}\) | +| `expressionAttributeNames` | json | No | Attribute name mappings for reserved words \(e.g., \{"#status": "status"\}\) | +| `expressionAttributeValues` | json | No | Expression attribute values \(e.g., \{":pk": "USER#123", ":minAge": 18\}\) | | `indexName` | string | No | Secondary index name to query \(e.g., "GSI1", "email-index"\) | | `limit` | number | No | Maximum number of items to return \(e.g., 10, 50, 100\) | +| `exclusiveStartKey` | json | No | Pagination token from a previous query's lastEvaluatedKey to continue fetching results | +| `scanIndexForward` | boolean | No | Sort order for the sort key: true for ascending \(default\), false for descending | #### Output @@ -112,6 +117,7 @@ Query items from a DynamoDB table using key conditions | `message` | string | Operation status message | | `items` | array | Array of items returned | | `count` | number | Number of items returned | +| `lastEvaluatedKey` | json | Pagination token to pass as exclusiveStartKey to fetch the next page of results | ### `dynamodb_scan` @@ -127,9 +133,10 @@ Scan all items in a DynamoDB table | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | | `filterExpression` | string | No | Filter expression for results \(e.g., "age > :minAge AND #status = :status"\) | | `projectionExpression` | string | No | Attributes to retrieve \(e.g., "pk, sk, #name, email"\) | -| `expressionAttributeNames` | object | No | Attribute name mappings for reserved words \(e.g., \{"#name": "name", "#status": "status"\}\) | -| `expressionAttributeValues` | object | No | Expression attribute values \(e.g., \{":minAge": 18, ":status": "active"\}\) | +| `expressionAttributeNames` | json | No | Attribute name mappings for reserved words \(e.g., \{"#name": "name", "#status": "status"\}\) | +| `expressionAttributeValues` | json | No | Expression attribute values \(e.g., \{":minAge": 18, ":status": "active"\}\) | | `limit` | number | No | Maximum number of items to return \(e.g., 10, 50, 100\) | +| `exclusiveStartKey` | json | No | Pagination token from a previous scan's lastEvaluatedKey to continue fetching results | #### Output @@ -138,6 +145,7 @@ Scan all items in a DynamoDB table | `message` | string | Operation status message | | `items` | array | Array of items returned | | `count` | number | Number of items returned | +| `lastEvaluatedKey` | json | Pagination token to pass as exclusiveStartKey to fetch the next page of results | ### `dynamodb_update` @@ -151,10 +159,10 @@ Update an item in a DynamoDB table | `accessKeyId` | string | Yes | AWS access key ID | | `secretAccessKey` | string | Yes | AWS secret access key | | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | -| `key` | object | Yes | Primary key of the item to update \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | +| `key` | json | Yes | Primary key of the item to update \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | | `updateExpression` | string | Yes | Update expression \(e.g., "SET #name = :name, age = :age" or "SET #count = #count + :inc"\) | -| `expressionAttributeNames` | object | No | Attribute name mappings for reserved words \(e.g., \{"#name": "name", "#count": "count"\}\) | -| `expressionAttributeValues` | object | No | Expression attribute values \(e.g., \{":name": "John", ":age": 30, ":inc": 1\}\) | +| `expressionAttributeNames` | json | No | Attribute name mappings for reserved words \(e.g., \{"#name": "name", "#count": "count"\}\) | +| `expressionAttributeValues` | json | No | Expression attribute values \(e.g., \{":name": "John", ":age": 30, ":inc": 1\}\) | | `conditionExpression` | string | No | Condition that must be met for the update to succeed \(e.g., "attribute_exists\(pk\)" or "version = :expectedVersion"\) | #### Output @@ -162,7 +170,7 @@ Update an item in a DynamoDB table | Parameter | Type | Description | | --------- | ---- | ----------- | | `message` | string | Operation status message | -| `item` | object | Updated item | +| `item` | json | Updated item with all attributes | ### `dynamodb_delete` @@ -176,8 +184,10 @@ Delete an item from a DynamoDB table | `accessKeyId` | string | Yes | AWS access key ID | | `secretAccessKey` | string | Yes | AWS secret access key | | `tableName` | string | Yes | DynamoDB table name \(e.g., "Users", "Orders"\) | -| `key` | object | Yes | Primary key of the item to delete \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | +| `key` | json | Yes | Primary key of the item to delete \(e.g., \{"pk": "USER#123"\} or \{"pk": "ORDER#456", "sk": "ITEM#789"\}\) | | `conditionExpression` | string | No | Condition that must be met for the delete to succeed \(e.g., "attribute_exists\(pk\)"\) | +| `expressionAttributeNames` | json | No | Attribute name mappings for reserved words used in conditionExpression \(e.g., \{"#status": "status"\}\) | +| `expressionAttributeValues` | json | No | Expression attribute values used in conditionExpression \(e.g., \{":status": "active"\}\) | #### Output @@ -204,6 +214,6 @@ Introspect DynamoDB to list tables or get detailed schema information for a spec | --------- | ---- | ----------- | | `message` | string | Operation status message | | `tables` | array | List of table names in the region | -| `tableDetails` | object | Detailed schema information for a specific table | +| `tableDetails` | json | Detailed schema information for a specific table | diff --git a/apps/docs/content/docs/en/tools/iam.mdx b/apps/docs/content/docs/en/tools/iam.mdx index 5fd9263eadd..36b3aee42f5 100644 --- a/apps/docs/content/docs/en/tools/iam.mdx +++ b/apps/docs/content/docs/en/tools/iam.mdx @@ -68,7 +68,7 @@ Get detailed information about an IAM user | `region` | string | Yes | AWS region \(e.g., us-east-1\) | | `accessKeyId` | string | Yes | AWS access key ID | | `secretAccessKey` | string | Yes | AWS secret access key | -| `userName` | string | Yes | The name of the IAM user to retrieve | +| `userName` | string | No | The name of the IAM user to retrieve \(defaults to the caller if omitted\) | #### Output @@ -440,4 +440,80 @@ Remove an IAM user from a group | --------- | ---- | ----------- | | `message` | string | Operation status message | +### `iam_list_attached_role_policies` + +List all managed policies attached to an IAM role + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `roleName` | string | Yes | Name of the IAM role | +| `pathPrefix` | string | No | Path prefix to filter policies \(e.g., /application/\) | +| `maxItems` | number | No | Maximum number of policies to return \(1-1000\) | +| `marker` | string | No | Pagination marker from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `attachedPolicies` | json | List of attached policies with policyName and policyArn | +| `isTruncated` | boolean | Whether there are more results available | +| `marker` | string | Pagination marker for the next page of results | +| `count` | number | Number of attached policies returned | + +### `iam_list_attached_user_policies` + +List all managed policies attached to an IAM user + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `userName` | string | Yes | Name of the IAM user | +| `pathPrefix` | string | No | Path prefix to filter policies \(e.g., /application/\) | +| `maxItems` | number | No | Maximum number of policies to return \(1-1000\) | +| `marker` | string | No | Pagination marker from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `attachedPolicies` | json | List of attached policies with policyName and policyArn | +| `isTruncated` | boolean | Whether there are more results available | +| `marker` | string | Pagination marker for the next page of results | +| `count` | number | Number of attached policies returned | + +### `iam_simulate_principal_policy` + +Simulate whether a user, role, or group is allowed to perform specific AWS actions — useful for pre-flight access checks + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `policySourceArn` | string | Yes | ARN of the user, group, or role to simulate \(e.g., arn:aws:iam::123456789012:user/alice\) | +| `actionNames` | string | Yes | Comma-separated list of AWS actions to simulate \(e.g., s3:GetObject,ec2:DescribeInstances\) | +| `resourceArns` | string | No | Comma-separated list of resource ARNs to simulate against \(defaults to * if not provided\) | +| `maxResults` | number | No | Maximum number of simulation results to return \(1-1000\) | +| `marker` | string | No | Pagination marker from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `evaluationResults` | json | Simulation results per action: evalActionName, evalResourceName, evalDecision \(allowed/explicitDeny/implicitDeny\), matchedStatements \(sourcePolicyId, sourcePolicyType\), missingContextValues | +| `isTruncated` | boolean | Whether there are more results available | +| `marker` | string | Pagination marker for the next page of results | +| `count` | number | Number of evaluation results returned | + diff --git a/apps/docs/content/docs/en/tools/identity_center.mdx b/apps/docs/content/docs/en/tools/identity_center.mdx new file mode 100644 index 00000000000..4c000e8fe05 --- /dev/null +++ b/apps/docs/content/docs/en/tools/identity_center.mdx @@ -0,0 +1,340 @@ +--- +title: AWS Identity Center +description: Manage temporary elevated access in AWS IAM Identity Center +--- + +import { BlockInfoCard } from "@/components/ui/block-info-card" + + + +{/* MANUAL-CONTENT-START:intro */} +[AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) (formerly AWS Single Sign-On) is the recommended service for managing workforce access to multiple AWS accounts and applications. It provides a central place to assign users and groups temporary, permission-scoped access to AWS accounts using permission sets — without creating long-lived IAM credentials. + +With AWS IAM Identity Center, you can: + +- **Provision account assignments**: Grant a user or group access to a specific AWS account with a specific permission set — the core primitive of temporary elevated access +- **Revoke access on demand**: Delete account assignments to immediately remove elevated permissions when they are no longer needed +- **Look up users by email**: Resolve a federated identity (email address) to an Identity Store user ID for programmatic access provisioning +- **List permission sets**: Enumerate the available permission sets (e.g., ReadOnly, PowerUser, AdministratorAccess) defined in your Identity Center instance +- **Monitor assignment status**: Poll the provisioning status of create/delete operations, which are asynchronous in AWS +- **List accounts in your organization**: Enumerate all AWS accounts in your AWS Organizations structure to populate access request dropdowns +- **Manage groups**: List groups and resolve group IDs by display name for group-based access grants + +In Sim, the AWS Identity Center integration is designed to power **TEAM (Temporary Elevated Access Management)** workflows — automated pipelines where users request elevated access, approvers approve or deny it, access is provisioned with a time limit, and auto-revocation removes it when the window expires. This replaces manual console-based access management with auditable, agent-driven workflows that integrate with Slack, email, ticketing systems, and CloudTrail for full traceability. +{/* MANUAL-CONTENT-END */} + + +## Usage Instructions + +Provision and revoke temporary access to AWS accounts via IAM Identity Center (SSO). Assign permission sets to users or groups, look up users by email, and list accounts and permission sets for access request workflows. + + + +## Tools + +### `identity_center_list_instances` + +List all AWS IAM Identity Center instances in your account + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `maxResults` | number | No | Maximum number of instances to return \(1-100\) | +| `nextToken` | string | No | Pagination token from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `instances` | json | List of Identity Center instances with instanceArn, identityStoreId, name, status, statusReason | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of instances returned | + +### `identity_center_list_accounts` + +List all AWS accounts in your organization + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `maxResults` | number | No | Maximum number of accounts to return | +| `nextToken` | string | No | Pagination token from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `accounts` | json | List of AWS accounts with id, arn, name, email, status | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of accounts returned | + +### `identity_center_describe_account` + +Retrieve details about a specific AWS account by its ID + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `accountId` | string | Yes | AWS account ID to describe | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `id` | string | AWS account ID | +| `arn` | string | AWS account ARN | +| `name` | string | Account name | +| `email` | string | Root email address of the account | +| `status` | string | Account status \(ACTIVE, SUSPENDED, etc.\) | +| `joinedTimestamp` | string | Date the account joined the organization | + +### `identity_center_list_permission_sets` + +List all permission sets defined in an IAM Identity Center instance + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `maxResults` | number | No | Maximum number of permission sets to return | +| `nextToken` | string | No | Pagination token from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `permissionSets` | json | List of permission sets with permissionSetArn, name, description, sessionDuration | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of permission sets returned | + +### `identity_center_get_user` + +Look up a user in the Identity Store by email address + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `identityStoreId` | string | Yes | Identity Store ID \(from the Identity Center instance\) | +| `email` | string | Yes | Email address of the user to look up | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `userId` | string | Identity Store user ID \(use as principalId\) | +| `userName` | string | Username in the Identity Store | +| `displayName` | string | Display name of the user | +| `email` | string | Email address of the user | + +### `identity_center_get_group` + +Look up a group in the Identity Store by display name + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `identityStoreId` | string | Yes | Identity Store ID \(from the Identity Center instance\) | +| `displayName` | string | Yes | Display name of the group to look up | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `groupId` | string | Identity Store group ID \(use as principalId\) | +| `displayName` | string | Display name of the group | +| `description` | string | Group description | + +### `identity_center_list_groups` + +List all groups in the Identity Store + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `identityStoreId` | string | Yes | Identity Store ID \(from the Identity Center instance\) | +| `maxResults` | number | No | Maximum number of groups to return | +| `nextToken` | string | No | Pagination token from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `groups` | json | List of groups with groupId, displayName, description | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of groups returned | + +### `identity_center_create_account_assignment` + +Grant a user or group access to an AWS account via a permission set (temporary elevated access) + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `accountId` | string | Yes | AWS account ID to grant access to | +| `permissionSetArn` | string | Yes | ARN of the permission set to assign | +| `principalType` | string | Yes | Type of principal: USER or GROUP | +| `principalId` | string | Yes | Identity Store ID of the user or group | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Status message | +| `status` | string | Provisioning status: IN_PROGRESS, FAILED, or SUCCEEDED | +| `requestId` | string | Request ID to use with Check Assignment Status | +| `accountId` | string | Target AWS account ID | +| `permissionSetArn` | string | Permission set ARN | +| `principalType` | string | Principal type \(USER or GROUP\) | +| `principalId` | string | Principal ID | +| `failureReason` | string | Reason for failure if status is FAILED | +| `createdDate` | string | Date the request was created | + +### `identity_center_delete_account_assignment` + +Revoke a user or group access to an AWS account by removing a permission set assignment + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `accountId` | string | Yes | AWS account ID to revoke access from | +| `permissionSetArn` | string | Yes | ARN of the permission set to remove | +| `principalType` | string | Yes | Type of principal: USER or GROUP | +| `principalId` | string | Yes | Identity Store ID of the user or group | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Status message | +| `status` | string | Deprovisioning status: IN_PROGRESS, FAILED, or SUCCEEDED | +| `requestId` | string | Request ID to use with Check Assignment Status | +| `accountId` | string | Target AWS account ID | +| `permissionSetArn` | string | Permission set ARN | +| `principalType` | string | Principal type \(USER or GROUP\) | +| `principalId` | string | Principal ID | +| `failureReason` | string | Reason for failure if status is FAILED | +| `createdDate` | string | Date the request was created | + +### `identity_center_check_assignment_status` + +Check the provisioning status of an account assignment creation request + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `requestId` | string | Yes | Request ID returned from Create or Delete Account Assignment | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Human-readable status message | +| `status` | string | Current status: IN_PROGRESS, FAILED, or SUCCEEDED | +| `requestId` | string | The request ID that was checked | +| `accountId` | string | Target AWS account ID | +| `permissionSetArn` | string | Permission set ARN | +| `principalType` | string | Principal type \(USER or GROUP\) | +| `principalId` | string | Principal ID | +| `failureReason` | string | Reason for failure if status is FAILED | +| `createdDate` | string | Date the request was created | + +### `identity_center_check_assignment_deletion_status` + +Check the deprovisioning status of an account assignment deletion request + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `requestId` | string | Yes | Request ID returned from Delete Account Assignment | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Human-readable status message | +| `status` | string | Current deletion status: IN_PROGRESS, FAILED, or SUCCEEDED | +| `requestId` | string | The deletion request ID that was checked | +| `accountId` | string | Target AWS account ID | +| `permissionSetArn` | string | Permission set ARN | +| `principalType` | string | Principal type \(USER or GROUP\) | +| `principalId` | string | Principal ID | +| `failureReason` | string | Reason for failure if status is FAILED | +| `createdDate` | string | Date the request was created | + +### `identity_center_list_account_assignments` + +List all account assignments for a specific user or group across all accounts + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `instanceArn` | string | Yes | ARN of the Identity Center instance | +| `principalId` | string | Yes | Identity Store ID of the user or group | +| `principalType` | string | Yes | Type of principal: USER or GROUP | +| `maxResults` | number | No | Maximum number of assignments to return | +| `nextToken` | string | No | Pagination token from a previous request | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `assignments` | json | List of account assignments with accountId, permissionSetArn, principalType, principalId | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of assignments returned | + + diff --git a/apps/docs/content/docs/en/tools/meta.json b/apps/docs/content/docs/en/tools/meta.json index 2658fa2c390..91d84fa1e9e 100644 --- a/apps/docs/content/docs/en/tools/meta.json +++ b/apps/docs/content/docs/en/tools/meta.json @@ -86,6 +86,7 @@ "huggingface", "hunter", "iam", + "identity_center", "image_generator", "imap", "incidentio", @@ -154,6 +155,7 @@ "sentry", "serper", "servicenow", + "ses", "sftp", "sharepoint", "shopify", diff --git a/apps/docs/content/docs/en/tools/ses.mdx b/apps/docs/content/docs/en/tools/ses.mdx new file mode 100644 index 00000000000..33248914c2a --- /dev/null +++ b/apps/docs/content/docs/en/tools/ses.mdx @@ -0,0 +1,241 @@ +--- +title: AWS SES +description: Send emails and manage templates with AWS Simple Email Service +--- + +import { BlockInfoCard } from "@/components/ui/block-info-card" + + + +{/* MANUAL-CONTENT-START:intro */} +[Amazon Simple Email Service (SES)](https://aws.amazon.com/ses/) is a cloud-based email sending service designed for high-volume, transactional, and marketing email delivery. It provides a cost-effective, scalable way to send email without managing your own mail server infrastructure. + +With AWS SES, you can: + +- **Send simple emails**: Deliver one-off emails with plain text or HTML body content to individual recipients +- **Send templated emails**: Use pre-defined templates with variable substitution (e.g., `{{name}}`, `{{link}}`) for personalized emails at scale +- **Send bulk emails**: Deliver templated emails to large lists of recipients in a single API call, with per-destination data overrides +- **Manage email templates**: Create, retrieve, list, and delete reusable email templates for transactional and marketing campaigns +- **Monitor account health**: Retrieve your account's sending quota, send rate, and whether sending is currently enabled + +In Sim, the AWS SES integration is designed for workflows that need reliable, programmatic email delivery — from access request notifications and approval alerts to bulk outreach and automated reporting. It pairs naturally with the IAM Identity Center integration for TEAM (Temporary Elevated Access Management) workflows, where email notifications are sent when access is provisioned, approved, or revoked. +{/* MANUAL-CONTENT-END */} + + +## Usage Instructions + +Integrate AWS SES v2 into the workflow. Send simple, templated, and bulk emails. Manage email templates and retrieve account sending quota and verified identity information. + + + +## Tools + +### `ses_send_email` + +Send an email via AWS SES using simple or HTML content + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `fromAddress` | string | Yes | Verified sender email address | +| `toAddresses` | string | Yes | Comma-separated list of recipient email addresses | +| `subject` | string | Yes | Email subject line | +| `bodyText` | string | No | Plain text email body | +| `bodyHtml` | string | No | HTML email body | +| `ccAddresses` | string | No | Comma-separated list of CC email addresses | +| `bccAddresses` | string | No | Comma-separated list of BCC email addresses | +| `replyToAddresses` | string | No | Comma-separated list of reply-to email addresses | +| `configurationSetName` | string | No | SES configuration set name for tracking | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `messageId` | string | SES message ID for the sent email | + +### `ses_send_templated_email` + +Send an email using an SES email template with dynamic template data + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `fromAddress` | string | Yes | Verified sender email address | +| `toAddresses` | string | Yes | Comma-separated list of recipient email addresses | +| `templateName` | string | Yes | Name of the SES email template to use | +| `templateData` | string | Yes | JSON string of key-value pairs for template variable substitution | +| `ccAddresses` | string | No | Comma-separated list of CC email addresses | +| `bccAddresses` | string | No | Comma-separated list of BCC email addresses | +| `configurationSetName` | string | No | SES configuration set name for tracking | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `messageId` | string | SES message ID for the sent email | + +### `ses_send_bulk_email` + +Send emails to multiple recipients using an SES template with per-recipient data + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `fromAddress` | string | Yes | Verified sender email address | +| `templateName` | string | Yes | Name of the SES email template to use | +| `destinations` | string | Yes | JSON array of destination objects with toAddresses \(string\[\]\) and optional templateData \(JSON string\); falls back to defaultTemplateData when omitted | +| `defaultTemplateData` | string | No | Default JSON template data used when a destination does not specify its own | +| `configurationSetName` | string | No | SES configuration set name for tracking | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `results` | array | Per-destination send results with status and messageId | +| `successCount` | number | Number of successfully sent emails | +| `failureCount` | number | Number of failed email sends | + +### `ses_list_identities` + +List all verified email identities (email addresses and domains) in your SES account + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `pageSize` | number | No | Maximum number of identities to return \(1-1000\) | +| `nextToken` | string | No | Pagination token from a previous list response | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `identities` | array | List of email identities with name, type, sending status, and verification status | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of identities returned | + +### `ses_get_account` + +Get SES account sending quota and status information + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `sendingEnabled` | boolean | Whether email sending is enabled for the account | +| `max24HourSend` | number | Maximum emails allowed per 24-hour period | +| `maxSendRate` | number | Maximum emails allowed per second | +| `sentLast24Hours` | number | Number of emails sent in the last 24 hours | + +### `ses_create_template` + +Create a new SES email template for use with templated email sending + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `templateName` | string | Yes | Unique name for the email template | +| `subjectPart` | string | Yes | Subject line template \(supports \{\{variable\}\} substitution\) | +| `textPart` | string | No | Plain text version of the template body | +| `htmlPart` | string | No | HTML version of the template body | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Confirmation message for the created template | + +### `ses_get_template` + +Retrieve the content and details of an SES email template + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `templateName` | string | Yes | Name of the template to retrieve | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `templateName` | string | Name of the template | +| `subjectPart` | string | Subject line of the template | +| `textPart` | string | Plain text body of the template | +| `htmlPart` | string | HTML body of the template | + +### `ses_list_templates` + +List all SES email templates in your account + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `pageSize` | number | No | Maximum number of templates to return | +| `nextToken` | string | No | Pagination token from a previous list response | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `templates` | array | List of email templates with name and creation timestamp | +| `nextToken` | string | Pagination token for the next page of results | +| `count` | number | Number of templates returned | + +### `ses_delete_template` + +Delete an existing SES email template + +#### Input + +| Parameter | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `region` | string | Yes | AWS region \(e.g., us-east-1\) | +| `accessKeyId` | string | Yes | AWS access key ID | +| `secretAccessKey` | string | Yes | AWS secret access key | +| `templateName` | string | Yes | Name of the template to delete | + +#### Output + +| Parameter | Type | Description | +| --------- | ---- | ----------- | +| `message` | string | Confirmation message for the deleted template | + + diff --git a/apps/docs/content/docs/en/tools/sts.mdx b/apps/docs/content/docs/en/tools/sts.mdx index 29fd0445e16..6c46a0ba784 100644 --- a/apps/docs/content/docs/en/tools/sts.mdx +++ b/apps/docs/content/docs/en/tools/sts.mdx @@ -46,6 +46,7 @@ Assume an IAM role and receive temporary security credentials | `roleArn` | string | Yes | ARN of the IAM role to assume | | `roleSessionName` | string | Yes | Identifier for the assumed role session | | `durationSeconds` | number | No | Duration of the session in seconds \(900-43200, default 3600\) | +| `policy` | string | No | JSON IAM policy to further restrict session permissions \(max 2048 chars\) | | `externalId` | string | No | External ID for cross-account access | | `serialNumber` | string | No | MFA device serial number or ARN | | `tokenCode` | string | No | MFA token code \(6 digits\) | @@ -61,6 +62,7 @@ Assume an IAM role and receive temporary security credentials | `assumedRoleArn` | string | ARN of the assumed role | | `assumedRoleId` | string | Assumed role ID with session name | | `packedPolicySize` | number | Percentage of allowed policy size used | +| `sourceIdentity` | string | Source identity set on the role session, if any | ### `sts_get_caller_identity` diff --git a/apps/docs/content/docs/en/triggers/fireflies.mdx b/apps/docs/content/docs/en/triggers/fireflies.mdx index 563f6608509..9a265f451b0 100644 --- a/apps/docs/content/docs/en/triggers/fireflies.mdx +++ b/apps/docs/content/docs/en/triggers/fireflies.mdx @@ -29,6 +29,7 @@ Trigger workflow when a Fireflies meeting transcription is complete | Parameter | Type | Description | | --------- | ---- | ----------- | | `meetingId` | string | The ID of the transcribed meeting | -| `eventType` | string | The type of event \(Transcription completed\) | +| `eventType` | string | The type of event \(e.g. Transcription completed, meeting.transcribed\) | | `clientReferenceId` | string | Custom reference ID if set during upload | +| `timestamp` | number | Unix timestamp in milliseconds when the event was fired \(V2 webhooks\) | diff --git a/apps/docs/content/docs/en/triggers/jsm.mdx b/apps/docs/content/docs/en/triggers/jsm.mdx index 6aabf82cade..4233fa04e7b 100644 --- a/apps/docs/content/docs/en/triggers/jsm.mdx +++ b/apps/docs/content/docs/en/triggers/jsm.mdx @@ -304,7 +304,7 @@ Trigger workflow on any Jira Service Management webhook event | ↳ `id` | string | Changelog ID | | `comment` | object | comment output from the tool | | ↳ `id` | string | Comment ID | -| ↳ `body` | string | Comment text/body | +| ↳ `body` | json | Comment body in Atlassian Document Format \(ADF\). On Jira Server this may be a plain string. | | ↳ `author` | object | author output from the tool | | ↳ `displayName` | string | Comment author display name | | ↳ `accountId` | string | Comment author account ID | diff --git a/apps/docs/content/docs/en/triggers/slack.mdx b/apps/docs/content/docs/en/triggers/slack.mdx index cdffda257ac..cc5d20b042c 100644 --- a/apps/docs/content/docs/en/triggers/slack.mdx +++ b/apps/docs/content/docs/en/triggers/slack.mdx @@ -25,6 +25,7 @@ Trigger workflow from Slack events like mentions, messages, and reactions | `signingSecret` | string | Yes | The signing secret from your Slack app to validate request authenticity. | | `botToken` | string | No | The bot token from your Slack app. Required for downloading files attached to messages. | | `includeFiles` | boolean | No | Download and include file attachments from messages. Requires a bot token with files:read scope. | +| `setupWizard` | modal | No | Walk through manifest creation, app install, and pasting credentials. | #### Output diff --git a/apps/docs/package.json b/apps/docs/package.json index 5b764a30e84..8c314fb40bf 100644 --- a/apps/docs/package.json +++ b/apps/docs/package.json @@ -20,7 +20,7 @@ "@vercel/og": "^0.6.5", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", - "drizzle-orm": "^0.44.5", + "drizzle-orm": "^0.45.2", "fumadocs-core": "16.6.7", "fumadocs-mdx": "14.2.8", "fumadocs-openapi": "10.3.13", diff --git a/apps/docs/public/static/enterprise/access-control-blocks.png b/apps/docs/public/static/enterprise/access-control-blocks.png new file mode 100644 index 00000000000..709be54f7ef Binary files /dev/null and b/apps/docs/public/static/enterprise/access-control-blocks.png differ diff --git a/apps/docs/public/static/enterprise/access-control-groups.png b/apps/docs/public/static/enterprise/access-control-groups.png new file mode 100644 index 00000000000..7e1a264b422 Binary files /dev/null and b/apps/docs/public/static/enterprise/access-control-groups.png differ diff --git a/apps/docs/public/static/enterprise/access-control-model-providers.png b/apps/docs/public/static/enterprise/access-control-model-providers.png new file mode 100644 index 00000000000..57797021716 Binary files /dev/null and b/apps/docs/public/static/enterprise/access-control-model-providers.png differ diff --git a/apps/docs/public/static/enterprise/access-control-platform.png b/apps/docs/public/static/enterprise/access-control-platform.png new file mode 100644 index 00000000000..2eb5cf5304f Binary files /dev/null and b/apps/docs/public/static/enterprise/access-control-platform.png differ diff --git a/apps/docs/public/static/enterprise/audit-logs.png b/apps/docs/public/static/enterprise/audit-logs.png new file mode 100644 index 00000000000..5838898f6f9 Binary files /dev/null and b/apps/docs/public/static/enterprise/audit-logs.png differ diff --git a/apps/docs/public/static/enterprise/data-retention.png b/apps/docs/public/static/enterprise/data-retention.png new file mode 100644 index 00000000000..1b8d559e764 Binary files /dev/null and b/apps/docs/public/static/enterprise/data-retention.png differ diff --git a/apps/docs/public/static/enterprise/sso-form.png b/apps/docs/public/static/enterprise/sso-form.png new file mode 100644 index 00000000000..f44f5f80d14 Binary files /dev/null and b/apps/docs/public/static/enterprise/sso-form.png differ diff --git a/apps/docs/public/static/enterprise/whitelabeling.png b/apps/docs/public/static/enterprise/whitelabeling.png new file mode 100644 index 00000000000..f643dd2f989 Binary files /dev/null and b/apps/docs/public/static/enterprise/whitelabeling.png differ diff --git a/apps/sim/app/(auth)/signup/signup-form.tsx b/apps/sim/app/(auth)/signup/signup-form.tsx index 5d1b2d25ff6..c721a07291b 100644 --- a/apps/sim/app/(auth)/signup/signup-form.tsx +++ b/apps/sim/app/(auth)/signup/signup-form.tsx @@ -10,6 +10,7 @@ import { usePostHog } from 'posthog-js/react' import { Input, Label } from '@/components/emcn' import { client, useSession } from '@/lib/auth/auth-client' import { getEnv, isFalsy, isTruthy } from '@/lib/core/config/env' +import { validateCallbackUrl } from '@/lib/core/security/input-validation' import { cn } from '@/lib/core/utils/cn' import { quickValidateEmail } from '@/lib/messaging/email/validation' import { captureClientEvent, captureEvent } from '@/lib/posthog/client' @@ -102,10 +103,14 @@ function SignupFormContent({ githubAvailable, googleAvailable, isProduction }: S useEffect(() => { setTurnstileSiteKey(getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY')) }, []) - const redirectUrl = useMemo( - () => searchParams.get('redirect') || searchParams.get('callbackUrl') || '', - [searchParams] - ) + const rawRedirectUrl = searchParams.get('redirect') || searchParams.get('callbackUrl') || '' + const isValidRedirectUrl = rawRedirectUrl ? validateCallbackUrl(rawRedirectUrl) : false + const invalidCallbackRef = useRef(false) + if (rawRedirectUrl && !isValidRedirectUrl && !invalidCallbackRef.current) { + invalidCallbackRef.current = true + logger.warn('Invalid callback URL detected and blocked:', { url: rawRedirectUrl }) + } + const redirectUrl = isValidRedirectUrl ? rawRedirectUrl : '' const isInviteFlow = useMemo( () => searchParams.get('invite_flow') === 'true' || diff --git a/apps/sim/app/(auth)/verify/use-verification.ts b/apps/sim/app/(auth)/verify/use-verification.ts index 3ef05231a4e..ec95836c98a 100644 --- a/apps/sim/app/(auth)/verify/use-verification.ts +++ b/apps/sim/app/(auth)/verify/use-verification.ts @@ -4,6 +4,7 @@ import { useEffect, useState } from 'react' import { createLogger } from '@sim/logger' import { useRouter, useSearchParams } from 'next/navigation' import { client, useSession } from '@/lib/auth/auth-client' +import { validateCallbackUrl } from '@/lib/core/security/input-validation' const logger = createLogger('useVerification') @@ -55,8 +56,11 @@ export function useVerification({ } const storedRedirectUrl = sessionStorage.getItem('inviteRedirectUrl') - if (storedRedirectUrl) { + if (storedRedirectUrl && validateCallbackUrl(storedRedirectUrl)) { setRedirectUrl(storedRedirectUrl) + } else if (storedRedirectUrl) { + logger.warn('Ignoring unsafe stored invite redirect URL', { url: storedRedirectUrl }) + sessionStorage.removeItem('inviteRedirectUrl') } const storedIsInviteFlow = sessionStorage.getItem('isInviteFlow') @@ -67,7 +71,11 @@ export function useVerification({ const redirectParam = searchParams.get('redirectAfter') if (redirectParam) { - setRedirectUrl(redirectParam) + if (validateCallbackUrl(redirectParam)) { + setRedirectUrl(redirectParam) + } else { + logger.warn('Ignoring unsafe redirectAfter parameter', { url: redirectParam }) + } } const inviteFlowParam = searchParams.get('invite_flow') diff --git a/apps/sim/app/(landing)/components/contact/consts.ts b/apps/sim/app/(landing)/components/contact/consts.ts new file mode 100644 index 00000000000..242d06ecaf0 --- /dev/null +++ b/apps/sim/app/(landing)/components/contact/consts.ts @@ -0,0 +1,82 @@ +import { z } from 'zod' +import { NO_EMAIL_HEADER_CONTROL_CHARS_REGEX } from '@/lib/messaging/email/utils' +import { quickValidateEmail } from '@/lib/messaging/email/validation' + +export const CONTACT_TOPIC_VALUES = [ + 'general', + 'support', + 'integration', + 'feature_request', + 'sales', + 'partnership', + 'billing', + 'other', +] as const + +export const CONTACT_TOPIC_OPTIONS = [ + { value: 'general', label: 'General question' }, + { value: 'support', label: 'Technical support' }, + { value: 'integration', label: 'Integration request' }, + { value: 'feature_request', label: 'Feature request' }, + { value: 'sales', label: 'Sales & pricing' }, + { value: 'partnership', label: 'Partnership' }, + { value: 'billing', label: 'Billing' }, + { value: 'other', label: 'Other' }, +] as const + +export const contactRequestSchema = z.object({ + name: z + .string() + .trim() + .min(1, 'Name is required') + .max(120, 'Name must be 120 characters or less') + .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'), + email: z + .string() + .trim() + .min(1, 'Email is required') + .max(320) + .transform((value) => value.toLowerCase()) + .refine((value) => quickValidateEmail(value).isValid, 'Enter a valid email'), + company: z + .string() + .trim() + .max(120, 'Company must be 120 characters or less') + .optional() + .transform((value) => (value && value.length > 0 ? value : undefined)), + topic: z.enum(CONTACT_TOPIC_VALUES, { + errorMap: () => ({ message: 'Please select a topic' }), + }), + subject: z + .string() + .trim() + .min(1, 'Subject is required') + .max(200, 'Subject must be 200 characters or less') + .regex(NO_EMAIL_HEADER_CONTROL_CHARS_REGEX, 'Invalid characters'), + message: z + .string() + .trim() + .min(1, 'Message is required') + .max(5000, 'Message must be 5,000 characters or less'), +}) + +export type ContactRequestPayload = z.infer + +export function getContactTopicLabel(value: ContactRequestPayload['topic']): string { + return CONTACT_TOPIC_OPTIONS.find((option) => option.value === value)?.label ?? value +} + +export type HelpEmailType = 'bug' | 'feedback' | 'feature_request' | 'other' + +export function mapContactTopicToHelpType(topic: ContactRequestPayload['topic']): HelpEmailType { + switch (topic) { + case 'feature_request': + return 'feature_request' + case 'support': + return 'bug' + case 'integration': + return 'feedback' + default: + return 'other' + } +} diff --git a/apps/sim/app/(landing)/components/contact/contact-form.tsx b/apps/sim/app/(landing)/components/contact/contact-form.tsx new file mode 100644 index 00000000000..11030ac760a --- /dev/null +++ b/apps/sim/app/(landing)/components/contact/contact-form.tsx @@ -0,0 +1,354 @@ +'use client' + +import { useEffect, useRef, useState } from 'react' +import { Turnstile, type TurnstileInstance } from '@marsidev/react-turnstile' +import { toError } from '@sim/utils/errors' +import { useMutation } from '@tanstack/react-query' +import Link from 'next/link' +import { Combobox, type ComboboxOption, Input, Textarea } from '@/components/emcn' +import { Check } from '@/components/emcn/icons' +import { getEnv } from '@/lib/core/config/env' +import { captureClientEvent } from '@/lib/posthog/client' +import { + CONTACT_TOPIC_OPTIONS, + type ContactRequestPayload, + contactRequestSchema, +} from '@/app/(landing)/components/contact/consts' +import { LandingField } from '@/app/(landing)/components/forms/landing-field' + +type ContactField = keyof ContactRequestPayload +type ContactErrors = Partial> + +interface ContactFormState { + name: string + email: string + company: string + topic: ContactRequestPayload['topic'] | '' + subject: string + message: string +} + +const INITIAL_FORM_STATE: ContactFormState = { + name: '', + email: '', + company: '', + topic: '', + subject: '', + message: '', +} + +const LANDING_INPUT = + 'h-[40px] rounded-[5px] border border-[var(--landing-bg-elevated)] bg-[var(--landing-bg-surface)] px-3 font-[430] font-season text-[14px] text-[var(--landing-text)] outline-none transition-colors placeholder:text-[var(--landing-text-muted)] focus:border-[var(--landing-border-strong)]' + +const LANDING_TEXTAREA = + 'min-h-[140px] rounded-[5px] border border-[var(--landing-bg-elevated)] bg-[var(--landing-bg-surface)] px-3 py-2.5 font-[430] font-season text-[14px] text-[var(--landing-text)] outline-none transition-colors placeholder:text-[var(--landing-text-muted)] focus:border-[var(--landing-border-strong)]' + +const LANDING_COMBOBOX = + 'h-[40px] rounded-[5px] border border-[var(--landing-bg-elevated)] bg-[var(--landing-bg-surface)] px-3 font-[430] font-season text-[14px] text-[var(--landing-text)] hover:bg-[var(--landing-bg-surface)] focus-within:border-[var(--landing-border-strong)]' + +const LANDING_SUBMIT = + 'flex h-[40px] w-full items-center justify-center rounded-[5px] border border-[var(--landing-text-subtle)] bg-[var(--landing-text-subtle)] font-[430] font-season text-[14px] text-[var(--landing-text-dark)] transition-colors hover:border-[var(--landing-bg-hover)] hover:bg-[var(--landing-bg-hover)] disabled:cursor-not-allowed disabled:opacity-60' + +const LANDING_LABEL = + 'font-[500] font-season text-[13px] text-[var(--landing-text)] tracking-[0.02em]' + +interface SubmitContactRequestInput extends ContactRequestPayload { + website: string + captchaToken?: string + captchaUnavailable?: boolean +} + +async function submitContactRequest(payload: SubmitContactRequestInput) { + const response = await fetch('/api/contact', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify(payload), + }) + + const result = (await response.json().catch(() => null)) as { + error?: string + message?: string + } | null + + if (!response.ok) { + throw new Error(result?.error || 'Failed to send message') + } + + return result +} + +export function ContactForm() { + const turnstileRef = useRef(null) + + const contactMutation = useMutation({ + mutationFn: submitContactRequest, + onSuccess: (_data, variables) => { + captureClientEvent('landing_contact_submitted', { topic: variables.topic }) + setForm(INITIAL_FORM_STATE) + setErrors({}) + setSubmitSuccess(true) + }, + onError: () => { + turnstileRef.current?.reset() + }, + }) + + const [form, setForm] = useState(INITIAL_FORM_STATE) + const [errors, setErrors] = useState({}) + const [submitSuccess, setSubmitSuccess] = useState(false) + const [isSubmitting, setIsSubmitting] = useState(false) + const [website, setWebsite] = useState('') + const [widgetReady, setWidgetReady] = useState(false) + const [turnstileSiteKey, setTurnstileSiteKey] = useState() + + useEffect(() => { + setTurnstileSiteKey(getEnv('NEXT_PUBLIC_TURNSTILE_SITE_KEY')) + }, []) + + function updateField( + field: TField, + value: ContactFormState[TField] + ) { + setForm((prev) => ({ ...prev, [field]: value })) + setErrors((prev) => { + if (!prev[field as ContactField]) { + return prev + } + const nextErrors = { ...prev } + delete nextErrors[field as ContactField] + return nextErrors + }) + if (contactMutation.isError) { + contactMutation.reset() + } + } + + async function handleSubmit(event: React.FormEvent) { + event.preventDefault() + if (contactMutation.isPending || isSubmitting) return + setIsSubmitting(true) + + const parsed = contactRequestSchema.safeParse({ + ...form, + company: form.company || undefined, + }) + + if (!parsed.success) { + const fieldErrors = parsed.error.flatten().fieldErrors + setErrors({ + name: fieldErrors.name?.[0], + email: fieldErrors.email?.[0], + company: fieldErrors.company?.[0], + topic: fieldErrors.topic?.[0], + subject: fieldErrors.subject?.[0], + message: fieldErrors.message?.[0], + }) + setIsSubmitting(false) + return + } + + let captchaToken: string | undefined + let captchaUnavailable: boolean | undefined + const widget = turnstileRef.current + + if (turnstileSiteKey) { + if (widgetReady && widget) { + try { + widget.reset() + widget.execute() + captchaToken = await widget.getResponsePromise(30_000) + } catch { + captchaUnavailable = true + } + } else { + captchaUnavailable = true + } + } + + contactMutation.mutate({ ...parsed.data, website, captchaToken, captchaUnavailable }) + setIsSubmitting(false) + } + + const isBusy = contactMutation.isPending || isSubmitting + + const submitError = contactMutation.isError + ? toError(contactMutation.error).message || 'Failed to send message. Please try again.' + : null + + if (submitSuccess) { + return ( +
+
+ +
+

+ Message received +

+

+ Thanks for reaching out. We've sent a confirmation to your inbox and will get back to you + shortly. +

+ +
+ ) + } + + return ( +
+ {/* Honeypot */} + + +
+ + updateField('name', event.target.value)} + placeholder='Your name' + className={LANDING_INPUT} + /> + + + updateField('email', event.target.value)} + placeholder='you@company.com' + className={LANDING_INPUT} + /> + +
+ +
+ + updateField('company', event.target.value)} + placeholder='Company name' + className={LANDING_INPUT} + /> + + + updateField('topic', value as ContactRequestPayload['topic'])} + placeholder='Select a topic' + editable={false} + filterOptions={false} + className={LANDING_COMBOBOX} + /> + +
+ + + updateField('subject', event.target.value)} + placeholder='How can we help?' + className={LANDING_INPUT} + /> + + + +