Skip to content

improvement(forking): fork time ux#5348

Merged
icecrasher321 merged 6 commits into
stagingfrom
feat/improve-forking-ux
Jul 2, 2026
Merged

improvement(forking): fork time ux#5348
icecrasher321 merged 6 commits into
stagingfrom
feat/improve-forking-ux

Conversation

@icecrasher321

@icecrasher321 icecrasher321 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fork time UX improvements.

  • Support non workflow used resource copy during sync
  • Fix user id auth issue with deployed route
  • Scope workflow in workflow to workspace correctly
  • Should not carry over empty folders
  • Count against storage quota correctly on fork

Type of Change

  • Other: UX Improvement

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 2, 2026 7:05pm

Request Review

@cursor

cursor Bot commented Jul 2, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Changes touch internal JWT authorization on deployed state, cross-workspace execution gates, sync promote blocking, and storage quota/charging on fork copies—areas where regressions affect security or billing, though behavior is heavily tested.

Overview
Fork/sync and fork-create UX is tightened around what blocks sync, what gets copied by default, and billing/storage, with separate auth and containment fixes for workflow APIs and nested execution.

Workspace sync (promote modal) now treats unresolved reference/workflow cleared-refs as blocking sync (with actionable copy from forkBlockerResolution), splits informational dependent clears, annotates source-deleted references on the diff API, and surfaces server blockers when preview and promote diverge. Copy candidates gain a referenced flag: referenced resources default-selected; unreferenced ones sit under “Not used by any workflow” and stay opt-in. Mapping entries are all required: true for synced workflows; MCP servers and deleted sources must be mapped (not satisfied by copy alone).

Fork create pre-checks storage headroom (sumForkCopyBytes + assertForkStorageHeadroom, 413 on failure) before any DB work. File blob copies increment storage usage per landed blob (with replay/idempotency guards); KB document blobs remain uncounted. Folder mirroring only creates folders on paths that will hold copied workflows (prunes empty subtrees). KB copies include tag definitions; table workflow-group remapping can use promote’s block-id resolver.

Workflow-in-workflow: execute API accepts optional parentWorkspaceId and returns 403 when the target workflow’s workspace differs; the executor handler enforces the same check (and fails closed without parent workspace). GET /api/workflows/[id]/deployed internal JWT calls must include an acting userId and are authorized via workspace read permission (no more implicit trust); session path unchanged.

Remap behavior: free-form manual workflow id fields are preserved verbatim under fork/promote; only selector-sourced refs are remapped/cleared. workflowIds remapping is limited to dropdown (workspace-event trigger), not legacy logs short-input.

Reviewed by Cursor Bugbot for commit 6ade475. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR delivers several fork/sync UX improvements: it adds a zero-cleared-refs gate to promote (preventing silent reference loss on sync), fixes auth for server-to-server calls on the /deployed route, enforces workspace scoping for workflow-in-workflow execution, prunes empty folders during fork/sync, copies KB tag definitions, adds pre-copy storage quota checks, and exposes unreferenced source resources as opt-in copy candidates during sync.

  • Auth & security hardening: The /api/workflows/[id]/deployed route now rejects internal calls that lack a user ID in their JWT, and both the execute route and workflow-block handler enforce workspace isolation for child workflow calls.
  • Zero-cleared-refs gate: Promote now runs an in-transaction gate that blocks the sync if any reference would be cleared in a target workflow, with a parallel client-side preview driven by the diff's clearedRefs. The gate surfaces as actionable ForkSyncBlocker entries so the UI can explain each blocker.
  • Non-referenced resource copy: The diff/plan now also lists source-workspace resources not referenced by any synced workflow as opt-in (default-unselected) copy candidates, so newly created tables, KBs, files, tools, and skills can travel with a sync without requiring a manual mapping or being silently left behind.

Confidence Score: 5/5

This PR is safe to merge; all major new paths follow the existing defensive patterns and are backed by new unit tests.

The auth hardening on the deployed route is a clean targeted fix. The promote gate and client-side blocker split share the same taxonomy via sync-blockers.ts. The workspace-isolation check fails closed and the invariant is well-documented. No logic errors, schema mismatches, or unsafe fallback paths were identified.

No files require special attention; the most complex changes in promote.ts, cleared-refs.ts, and remap-references.ts are thoroughly documented and covered by new tests.

Important Files Changed

Filename Overview
apps/sim/app/api/workflows/[id]/deployed/route.ts Adds user-scoped authorization for internal JWT calls; calls without a user ID in the token are now rejected with 403 instead of being allowed through.
apps/sim/executor/handlers/workflow/workflow-handler.ts Adds assertChildWorkflowInWorkspace to prevent cross-workspace child workflow execution; throws (fails closed) when the executing context has no workspaceId.
apps/sim/lib/workspaces/fork/promote/promote.ts Adds the zero-cleared-refs gate, storage quota check pre-lock, and threads resolveBlockId into resource copy for correct table workflow-group output block ids on push.
apps/sim/lib/workspaces/fork/promote/promote-plan.ts Adds unreferenced copyable resource discovery; referenced: false entries are default-unselected so scratch data is never silently synced.
apps/sim/lib/workspaces/fork/copy/storage-quota.ts New file: sums blob bytes for a fork/sync copy selection and asserts headroom against the user's storage quota before any lock or write.
apps/sim/lib/workspaces/fork/remap/remap-references.ts Preserves MCP tool-selector values when their parent server was remapped; adds MCP server metadata rewriting in tool-input entries to avoid false stale badges.
apps/sim/lib/workspaces/fork/promote/cleared-refs.ts Adds collectForkSyncBlockers (happy-path zero-query gate) and annotateForkClearedRefSourceLiveness.
apps/sim/lib/workspaces/fork/promote/sync-blockers.ts New file: pure blocker taxonomy shared by the server gate and modal rendering.

Reviews (2): Last reviewed commit: "merge latest staging" | Re-trigger Greptile

Comment thread apps/sim/lib/workspaces/fork/remap/remap-references.ts
Comment thread apps/sim/lib/workspaces/fork/mapping/mapping-service.ts
@icecrasher321

Copy link
Copy Markdown
Collaborator Author

@greptile

@icecrasher321

Copy link
Copy Markdown
Collaborator Author

bugbot run

Comment thread apps/sim/lib/workspaces/fork/copy/copy-files.ts
@icecrasher321

Copy link
Copy Markdown
Collaborator Author

bugbot run

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 6ade475. Configure here.

@icecrasher321 icecrasher321 merged commit b4b666b into staging Jul 2, 2026
17 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/improve-forking-ux branch July 2, 2026 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant