feat(access-control): add per-model denylist to permission groups

apps/sim/app/api/guardrails/validate/route.ts

@@ -12,6 +12,7 @@ import { validatePII } from '@/lib/guardrails/validate_pii'
 import { validateRegex } from '@/lib/guardrails/validate_regex'
 import {
   assertPermissionsAllowed,
+  ModelNotAllowedError,
   ProviderNotAllowedError,
 } from '@/ee/access-control/utils/permission-check'
 
@@ -161,7 +162,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           model,
         })
       } catch (err) {
-        if (err instanceof ProviderNotAllowedError) {
+        if (err instanceof ProviderNotAllowedError || err instanceof ModelNotAllowedError) {
           return NextResponse.json({
             success: true,
             output: {

apps/sim/app/api/providers/route.ts

@@ -19,6 +19,7 @@ import {
 import {
   assertPermissionsAllowed,
   IntegrationNotAllowedError,
+  ModelNotAllowedError,
   ProviderNotAllowedError,
 } from '@/ee/access-control/utils/permission-check'
 import type { StreamingExecution } from '@/executor/types'
@@ -132,7 +133,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           model,
         })
       } catch (err) {
-        if (err instanceof ProviderNotAllowedError || err instanceof IntegrationNotAllowedError) {
+        if (
+          err instanceof ProviderNotAllowedError ||
+          err instanceof ModelNotAllowedError ||
+          err instanceof IntegrationNotAllowedError
+        ) {
           return NextResponse.json({ error: err.message }, { status: 403 })
         }
         throw err

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/combobox/combobox.tsx

@@ -151,7 +151,11 @@ export const ComboBox = memo(function ComboBox({
   const value = isPreview ? previewValue : propValue !== undefined ? propValue : storeValue
 
   // Permission-based filtering for model dropdowns
-  const { isProviderAllowed, isLoading: isPermissionLoading } = usePermissionConfig()
+  const {
+    isProviderAllowed,
+    isModelAllowed,
+    isLoading: isPermissionLoading,
+  } = usePermissionConfig()
 
   // Evaluate static options if provided as a function
   const staticOptions = useMemo(() => {
@@ -160,17 +164,17 @@ export const ComboBox = memo(function ComboBox({
     if (subBlockId === 'model') {
       return opts.filter((opt) => {
         const modelId = typeof opt === 'string' ? opt : opt.id
+        if (!isModelAllowed(modelId)) return false
         try {
-          const providerId = getProviderFromModel(modelId)
-          return isProviderAllowed(providerId)
+          return isProviderAllowed(getProviderFromModel(modelId))
         } catch {
           return true
         }
       })
     }
 
     return opts
-  }, [options, subBlockId, isProviderAllowed])
+  }, [options, subBlockId, isProviderAllowed, isModelAllowed])
 
   // Normalize fetched options to match ComboBoxOption format
   const normalizedFetchedOptions = useMemo((): ComboBoxOption[] => {
@@ -185,9 +189,9 @@ export const ComboBox = memo(function ComboBox({
     if (subBlockId === 'model' && fetchOptions && normalizedFetchedOptions.length > 0) {
       opts = opts.filter((opt) => {
         const modelId = typeof opt === 'string' ? opt : opt.id
+        if (!isModelAllowed(modelId)) return false
         try {
-          const providerId = getProviderFromModel(modelId)
-          return isProviderAllowed(providerId)
+          return isProviderAllowed(getProviderFromModel(modelId))
         } catch {
           return true
         }
@@ -212,6 +216,7 @@ export const ComboBox = memo(function ComboBox({
     hydratedOption,
     subBlockId,
     isProviderAllowed,
+    isModelAllowed,
   ])
 
   // Convert options to Combobox format