The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 15, 2026 1:47am

PR Summary

Low Risk
Small, defensive change to embed authorization with no change to happy-path paid/free gating; low blast radius beyond external embed 403 behavior.

Overview
Cross-origin chat embed gating in assertChatEmbedAllowed now blocks third-party embeds when the workflow lookup does not yield a workspaceId (missing/archived row), returning 403 with "This chat is currently unavailable" instead of calling isWorkspaceApiExecutionEntitled with undefined, which treats missing workspace as entitled and would skip the paywall.

Paid-plan enforcement still runs only after a resolved workspaceId. Tests mock @sim/db via dbChainMock, default the workflow query to ws-1, and add a case asserting 403 and that entitlement is not invoked when the DB returns no row.

^{Reviewed by Cursor Bugbot for commit 0d8ebc8. Configure here.}

@greptile

@cursor review

Greptile Summary

This PR hardens the assertChatEmbedAllowed gate in the chat embed paywall to fail closed when the workflow DB lookup returns no row (or a row with no workspaceId), rather than silently passing undefined into isWorkspaceApiExecutionEntitled and inheriting its permissive default.

• utils.ts: Adds an explicit early return of 403 with a log warning when wf?.workspaceId is falsy, then calls isWorkspaceApiExecutionEntitled with the resolved (non-nullable) workspace ID.
• utils.test.ts: Wires the assertChatEmbedAllowed test suite to a chainable @sim/db mock (via dbChainMock), sets a default workspace resolution in beforeEach, and adds a new test verifying the missing-workspace path returns 403 without invoking the entitlement check.

Confidence Score: 5/5

Safe to merge; the change is a small, well-scoped guard that only tightens access and cannot introduce a regression in the allow path.

The guard is correct — !wf?.workspaceId covers both an empty DB result and a null workspaceId column, and the entitlement check below now receives a guaranteed non-nullable string. The new test directly exercises the missing-workspace code path and confirms the short-circuit. Existing tests remain green because beforeEach sets a default workspace mock that keeps the happy path intact.

No files require special attention.

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[assertChatEmbedAllowed called] --> B{Billing & gate flags enabled?}
    B -- No --> Z[return null — allow]
    B -- Yes --> C{Origin header present\nand non-first-party?}
    C -- No --> Z
    C -- Yes --> D[DB: SELECT workspaceId\nWHERE id=workflowId\nAND archivedAt IS NULL]
    D --> E{wf?.workspaceId\ntruthy?}
    E -- No: NEW fail closed --> F[warn + return 403\n'chat unavailable']
    E -- Yes --> G[isWorkspaceApiExecutionEntitled\nworkspaceId]
    G --> H{Entitled?}
    H -- No --> I[warn + return 403\n'paid plan required']
    H -- Yes --> Z

_{Reviews (1): Last reviewed commit: "fix(chat): fail closed when embed gate c..." | Re-trigger Greptile}

Greptile Summary

This PR hardens the assertChatEmbedAllowed paywall gate by failing closed when the queried workflow row has no resolvable workspace, replacing the prior behavior where undefined passed into isWorkspaceApiExecutionEntitled could silently evaluate as entitled. The test suite is also updated to wire @sim/db through the chainable dbChainMock so the DB result is controllable per-test.

• utils.ts: Adds an explicit !wf?.workspaceId guard that returns a 403 before the billing entitlement check; the entitlement call now always receives a concrete, non-null workspaceId.
• utils.test.ts: Mounts the chainable @sim/db mock, sets a sane default workspace row in beforeEach, and adds a new test covering the empty-result code path.

Confidence Score: 5/5

Safe to merge — the change tightens a security gate and is backed by a new test that exercises the previously unguarded code path.

Both changed files are small and self-contained. The guard added to assertChatEmbedAllowed correctly handles all falsy workspaceId states (missing row, null column) and narrows the type so the downstream entitlement call always receives a concrete string. The test wiring follows the established @sim/testing dbChainMock pattern, uses mockResolvedValueOnce for the one-shot override, and the beforeEach re-establishes the permanent default on every test — no ordering hazards observed.

No files require special attention.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Client as External Embed
    participant Gate as assertChatEmbedAllowed
    participant DB as Database (workflow table)
    participant Billing as isWorkspaceApiExecutionEntitled

    Client->>Gate: request (cross-origin)
    Gate->>Gate: check billing/gate flags enabled
    Gate->>Gate: check isFirstPartyOrigin → false
    Gate->>DB: "SELECT workspaceId FROM workflow WHERE id=? AND archivedAt IS NULL LIMIT 1"
    alt Workflow not found / no workspaceId (new guard)
        DB-->>Gate: []
        Gate-->>Client: 403 — This chat is currently unavailable
    else Workspace found
        DB-->>Gate: "[{ workspaceId }]"
        Gate->>Billing: isWorkspaceApiExecutionEntitled(workspaceId)
        alt Not entitled (free plan)
            Billing-->>Gate: false
            Gate-->>Client: 403 — Requires paid plan
        else Entitled
            Billing-->>Gate: true
            Gate-->>Client: null (allow)
        end
    end

_{Reviews (2): Last reviewed commit: "fix(chat): fail closed when embed gate c..." | Re-trigger Greptile}