fix(billing): deploy modal gates on workspace entitlement, not viewer plan

TheodoreSpeaks · TheodoreSpeaks · commit 53419124c078 · 2026-06-15T10:01:17.000-07:00
The deploy modal showed the upgrade wall to a free user in a PAID workspace,
because it gated on the viewer's individual plan (useSubscriptionData) while the
server gates on the workspace billed account (rolled-up plan). Add a workspace
api-execution-entitlement endpoint that mirrors isWorkspaceApiExecutionEntitled,
and gate the API/MCP/A2A tabs on it so the UI matches the server exactly.
diff --git a/apps/sim/app/api/workspaces/[id]/api-execution-entitlement/route.test.ts b/apps/sim/app/api/workspaces/[id]/api-execution-entitlement/route.test.ts
@@ -0,0 +1,77 @@
+/**
+ * @vitest-environment node
+ */
+import { createMockRequest } from '@sim/testing'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockGetSession, mockGetUserEntityPermissions, mockIsWorkspaceApiExecutionEntitled } =
+  vi.hoisted(() => ({
+    mockGetSession: vi.fn(),
+    mockGetUserEntityPermissions: vi.fn(),
+    mockIsWorkspaceApiExecutionEntitled: vi.fn(),
+  }))
+
+vi.mock('@/lib/auth', () => ({
+  auth: { api: { getSession: vi.fn() } },
+  getSession: mockGetSession,
+}))
+
+vi.mock('@/lib/workspaces/permissions/utils', () => ({
+  getUserEntityPermissions: mockGetUserEntityPermissions,
+}))
+
+vi.mock('@/lib/billing/core/api-access', () => ({
+  isWorkspaceApiExecutionEntitled: mockIsWorkspaceApiExecutionEntitled,
+}))
+
+import { GET } from '@/app/api/workspaces/[id]/api-execution-entitlement/route'
+
+const WORKSPACE_ID = 'ws-1'
+
+function buildParams() {
+  return { params: Promise.resolve({ id: WORKSPACE_ID }) }
+}
+
+async function callGet() {
+  const request = createMockRequest('GET')
+  const response = await GET(request, buildParams())
+  return { status: response.status, body: await response.json() }
+}
+
+describe('GET /api/workspaces/[id]/api-execution-entitlement', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockGetSession.mockResolvedValue({ user: { id: 'u-1' } })
+    mockGetUserEntityPermissions.mockResolvedValue('read')
+    mockIsWorkspaceApiExecutionEntitled.mockResolvedValue(true)
+  })
+
+  it('returns 401 when unauthenticated', async () => {
+    mockGetSession.mockResolvedValue(null)
+    const { status } = await callGet()
+    expect(status).toBe(401)
+    expect(mockIsWorkspaceApiExecutionEntitled).not.toHaveBeenCalled()
+  })
+
+  it('returns 404 when the caller has no workspace access', async () => {
+    mockGetUserEntityPermissions.mockResolvedValue(null)
+    const { status } = await callGet()
+    expect(status).toBe(404)
+    expect(mockIsWorkspaceApiExecutionEntitled).not.toHaveBeenCalled()
+  })
+
+  it('returns entitled: true for an entitled workspace', async () => {
+    mockIsWorkspaceApiExecutionEntitled.mockResolvedValue(true)
+    const { status, body } = await callGet()
+    expect(status).toBe(200)
+    expect(body).toEqual({ entitled: true })
+    expect(mockIsWorkspaceApiExecutionEntitled).toHaveBeenCalledWith(WORKSPACE_ID)
+  })
+
+  it('returns entitled: false for a free workspace with the gate active', async () => {
+    mockIsWorkspaceApiExecutionEntitled.mockResolvedValue(false)
+    const { status, body } = await callGet()
+    expect(status).toBe(200)
+    expect(body).toEqual({ entitled: false })
+  })
+})
diff --git a/apps/sim/app/api/workspaces/[id]/api-execution-entitlement/route.ts b/apps/sim/app/api/workspaces/[id]/api-execution-entitlement/route.ts
@@ -0,0 +1,39 @@
+import { createLogger } from '@sim/logger'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getWorkspaceApiExecutionEntitlementContract } from '@/lib/api/contracts/workspaces'
+import { parseRequest } from '@/lib/api/server'
+import { getSession } from '@/lib/auth'
+import { isWorkspaceApiExecutionEntitled } from '@/lib/billing/core/api-access'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('WorkspaceApiExecutionEntitlementAPI')
+
+/**
+ * Whether this workspace may run workflows programmatically — the UI mirror of
+ * the server gate (`isWorkspaceApiExecutionEntitled`). Lets the deploy modal
+ * reflect the workspace's billed-account plan instead of the viewer's individual
+ * plan, so a free member of a paid workspace isn't shown the upgrade wall.
+ */
+export const GET = withRouteHandler(
+  async (req: NextRequest, context: { params: Promise<{ id: string }> }) => {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const parsed = await parseRequest(getWorkspaceApiExecutionEntitlementContract, req, context)
+    if (!parsed.success) return parsed.response
+    const { id: workspaceId } = parsed.data.params
+
+    const permission = await getUserEntityPermissions(session.user.id, 'workspace', workspaceId)
+    if (!permission) {
+      return NextResponse.json({ error: 'Not found' }, { status: 404 })
+    }
+
+    const entitled = await isWorkspaceApiExecutionEntitled(workspaceId)
+    logger.info('Resolved workspace API-execution entitlement', { workspaceId, entitled })
+    return NextResponse.json({ entitled })
+  }
+)
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/deploy-modal.tsx
@@ -21,12 +21,10 @@ import {
   ModalTabsList,
   ModalTabsTrigger,
 } from '@/components/emcn'
-import { isFree } from '@/lib/billing/plan-helpers'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getInputFormatExample as getInputFormatExampleUtil } from '@/lib/workflows/operations/deployment-utils'
 import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/providers/workspace-permissions-provider'
 import { CreateApiKeyModal } from '@/app/workspace/[workspaceId]/settings/components/api-keys/components'
-import { isBillingEnabled } from '@/app/workspace/[workspaceId]/settings/navigation'
 import {
   releaseDeployAction,
   tryAcquireDeployAction,
@@ -46,10 +44,12 @@ import {
   useDeployWorkflow,
   useUndeployWorkflow,
 } from '@/hooks/queries/deployments'
-import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { useWorkflowMcpServers } from '@/hooks/queries/workflow-mcp-servers'
 import { useWorkflowMap } from '@/hooks/queries/workflows'
-import { useWorkspaceSettings } from '@/hooks/queries/workspace'
+import {
+  useWorkspaceApiExecutionEntitlement,
+  useWorkspaceSettings,
+} from '@/hooks/queries/workspace'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useSettingsNavigation } from '@/hooks/use-settings-navigation'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
@@ -158,11 +158,14 @@ export function DeployModal({
   const userPermissions = useUserPermissionsContext()
   const canManageWorkspaceKeys = userPermissions.canAdmin
   const { config: permissionConfig, isPublicApiDisabled } = usePermissionConfig()
-  const { data: subscriptionData, isLoading: isLoadingSubscription } = useSubscriptionData()
-  // Hold the gate closed until the plan is known — isFree(undefined) is true, so
-  // gating during load would flash the upgrade wall at paid users.
-  const gateProgrammaticDeploy =
-    isBillingEnabled && !isLoadingSubscription && isFree(subscriptionData?.data?.plan)
+  // Mirror the server gate: entitlement reflects the workspace's billed-account
+  // plan (rolled up), not the viewer's individual plan, so a free member of a
+  // paid workspace isn't shown the upgrade wall. Undefined while loading keeps
+  // the gate closed (no flash); only an explicit `entitled === false` gates.
+  const { data: apiExecutionEntitlement } = useWorkspaceApiExecutionEntitlement(
+    workflowWorkspaceId ?? undefined
+  )
+  const gateProgrammaticDeploy = apiExecutionEntitlement?.entitled === false
   const { data: apiKeysData, isLoading: isLoadingKeys } = useApiKeys(workflowWorkspaceId || '')
   const { data: workspaceSettingsData, isLoading: isLoadingSettings } = useWorkspaceSettings(
     workflowWorkspaceId || ''
diff --git a/apps/sim/hooks/queries/workspace.ts b/apps/sim/hooks/queries/workspace.ts
@@ -6,12 +6,14 @@ import type { ContractBodyInput } from '@/lib/api/contracts'
 import {
   createWorkspaceContract,
   deleteWorkspaceContract,
+  getWorkspaceApiExecutionEntitlementContract,
   getWorkspaceContract,
   getWorkspaceMembersContract,
   getWorkspacePermissionsContract,
   listWorkspacesContract,
   updateWorkspaceContract,
   type Workspace,
+  type WorkspaceApiExecutionEntitlement,
   type WorkspaceCreationPolicy,
   type WorkspaceMember,
   type WorkspacePermissions,
@@ -33,6 +35,8 @@ export const workspaceKeys = {
   settings: (id: string) => [...workspaceKeys.detail(id), 'settings'] as const,
   permissions: (id: string) => [...workspaceKeys.detail(id), 'permissions'] as const,
   members: (id: string) => [...workspaceKeys.detail(id), 'members'] as const,
+  apiExecutionEntitlement: (id: string) =>
+    [...workspaceKeys.detail(id), 'apiExecutionEntitlement'] as const,
   adminLists: () => [...workspaceKeys.all, 'adminList'] as const,
   adminList: (userId: string | undefined) => [...workspaceKeys.adminLists(), userId ?? ''] as const,
 }
@@ -108,6 +112,30 @@ export function useWorkspaceCreationPolicy(enabled = true) {
   })
 }
 
+async function fetchWorkspaceApiExecutionEntitlement(
+  workspaceId: string,
+  signal?: AbortSignal
+): Promise<WorkspaceApiExecutionEntitlement> {
+  return requestJson(getWorkspaceApiExecutionEntitlementContract, {
+    params: { id: workspaceId },
+    signal,
+  })
+}
+
+/**
+ * Whether the workspace may run workflows programmatically — the UI mirror of the
+ * server gate. Reflects the workspace's billed-account plan, not the viewer's
+ * individual plan, so a free member of a paid workspace isn't gated.
+ */
+export function useWorkspaceApiExecutionEntitlement(workspaceId?: string) {
+  return useQuery({
+    queryKey: workspaceKeys.apiExecutionEntitlement(workspaceId ?? ''),
+    queryFn: ({ signal }) => fetchWorkspaceApiExecutionEntitlement(workspaceId as string, signal),
+    enabled: Boolean(workspaceId),
+    staleTime: 60 * 1000,
+  })
+}
+
 type CreateWorkspaceParams = Pick<ContractBodyInput<typeof createWorkspaceContract>, 'name'>
 
 /**
diff --git a/apps/sim/lib/api/contracts/workspaces.ts b/apps/sim/lib/api/contracts/workspaces.ts
@@ -181,6 +181,25 @@ export const getWorkspaceContract = defineRouteContract({
   },
 })
 
+export const workspaceApiExecutionEntitlementSchema = z.object({
+  /** Whether this workspace may run workflows programmatically (mirrors the server gate). */
+  entitled: z.boolean(),
+})
+
+export type WorkspaceApiExecutionEntitlement = z.output<
+  typeof workspaceApiExecutionEntitlementSchema
+>
+
+export const getWorkspaceApiExecutionEntitlementContract = defineRouteContract({
+  method: 'GET',
+  path: '/api/workspaces/[id]/api-execution-entitlement',
+  params: workspaceParamsSchema,
+  response: {
+    mode: 'json',
+    schema: workspaceApiExecutionEntitlementSchema,
+  },
+})
+
 export const updateWorkspaceContract = defineRouteContract({
   method: 'PATCH',
   path: '/api/workspaces/[id]',
diff --git a/scripts/check-api-validation-contracts.ts b/scripts/check-api-validation-contracts.ts
@@ -9,8 +9,8 @@ const QUERY_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/queries')
 const SELECTOR_HOOKS_DIR = path.join(ROOT, 'apps/sim/hooks/selectors')
 
 const BASELINE = {
-  totalRoutes: 826,
-  zodRoutes: 826,
+  totalRoutes: 827,
+  zodRoutes: 827,
   nonZodRoutes: 0,
 } as const
 
