From 33ee7da6b912833f9b1919eb8f149d9184cbc317 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 14:53:29 -0700
Subject: [PATCH 1/8] feat(access-control): page-based permission groups,
 tool-level deny-list, settings row-action consistency

- Replace the cramped configure modal with a full-surface tabbed Access Control page (General/Model Providers/Blocks/Platform) with a sticky save bar
- Add deniedTools denylist to permission groups: deny individual tools within an allowed integration; enforced at the universal executeTool chokepoint via ToolNotAllowedError, and hidden from the operation dropdown for governed users
- Add per-section Select/Deselect All on the Blocks tab and expandable per-tool deny rows (mirrors Providers->Models)
- Standardize every settings list row on the canonical "..." DropdownMenu (custom-tools, mcp, workflow-mcp-servers, api-keys, secrets, credential-sets) and align badges (ChipTag), avatars (MemberAvatar), inputs (ChipInput), and the mothership env picker (ChipSelect)
---
 .../settings/components/admin/admin.tsx       |    6 +-
 .../settings/components/api-keys/api-keys.tsx |   95 +-
 .../credential-sets/credential-sets.tsx       |  119 +-
 .../components/custom-tools/custom-tools.tsx  |   45 +-
 .../settings/components/mcp/mcp.tsx           |   31 +-
 .../components/mothership/mothership.tsx      |   53 +-
 .../secrets-manager/secrets-manager.tsx       |  134 +-
 .../workflow-mcp-servers.tsx                  |   63 +-
 .../components/dropdown/dropdown.tsx          |   37 +-
 .../components/access-control.tsx             | 1701 +---------------
 .../components/group-detail.tsx               | 1738 +++++++++++++++++
 .../components/workspace-select.tsx           |   58 +
 .../utils/permission-check.test.ts            |   65 +
 .../access-control/utils/permission-check.ts  |   22 +-
 .../components/data-retention-settings.tsx    |    5 +-
 apps/sim/hooks/use-permission-config.ts       |   10 +
 .../lib/api/contracts/permission-groups.ts    |    1 +
 apps/sim/lib/permission-groups/types.ts       |   12 +
 apps/sim/tools/index.ts                       |    7 +-
 19 files changed, 2358 insertions(+), 1844 deletions(-)
 create mode 100644 apps/sim/ee/access-control/components/group-detail.tsx
 create mode 100644 apps/sim/ee/access-control/components/workspace-select.tsx

diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx
index 62393f2d479..444d6f573bf 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx
@@ -196,7 +196,7 @@ export function Admin() {
             )}
           </div>
 
-          <div className='h-px bg-[var(--border-secondary)]' />
+          <div className='h-px bg-[var(--border)]' />
 
           <div className='flex flex-col gap-2'>
             <p className='text-[var(--text-secondary)] text-sm'>
@@ -231,10 +231,10 @@ export function Admin() {
             )}
           </div>
 
-          <div className='h-px bg-[var(--border-secondary)]' />
+          <div className='h-px bg-[var(--border)]' />
 
           <div className='flex flex-col gap-3'>
-            <p className='font-medium text-[var(--text-primary)] text-sm'>User Management</p>
+            <p className='font-medium text-[var(--text-muted)] text-small'>User Management</p>
             <div className='flex gap-2'>
               <ChipInput
                 icon={Search}
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/api-keys/api-keys.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/api-keys/api-keys.tsx
index c9b2b89a776..abbc6927713 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/api-keys/api-keys.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/api-keys/api-keys.tsx
@@ -5,7 +5,21 @@ import { createLogger } from '@sim/logger'
 import { formatDate } from '@sim/utils/formatting'
 import { Info, Plus } from 'lucide-react'
 import { useParams } from 'next/navigation'
-import { Chip, ChipConfirmModal, ChipInput, Search, Switch, Tooltip } from '@/components/emcn'
+import {
+  Chip,
+  ChipConfirmModal,
+  ChipInput,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  MoreHorizontal,
+  Search,
+  Switch,
+  Tooltip,
+  toast,
+} from '@/components/emcn'
 import { useSession } from '@/lib/auth/auth-client'
 import { useUserPermissionsContext } from '@/app/workspace/[workspaceId]/providers/workspace-permissions-provider'
 import { SettingsSection } from '@/app/workspace/[workspaceId]/settings/components/settings-section/settings-section'
@@ -20,6 +34,51 @@ import { CreateApiKeyModal } from './components'
 
 const logger = createLogger('ApiKeys')
 
+/** Copies an API key's name and confirms with a toast. */
+function copyKeyName(name: string) {
+  void navigator.clipboard.writeText(name)
+  toast.success('Copied name to clipboard')
+}
+
+interface ApiKeyRowMenuProps {
+  keyName: string
+  onDelete: () => void
+  /** When false, the Delete item is disabled (e.g. non-admins on workspace keys). */
+  canDelete?: boolean
+}
+
+/**
+ * Trailing `...` actions menu for an API key row. Mirrors the Secrets /
+ * Teammates row menu so the settings experience is consistent.
+ */
+function ApiKeyRowMenu({ keyName, onDelete, canDelete = true }: ApiKeyRowMenuProps) {
+  return (
+    <div className='flex-shrink-0'>
+      <DropdownMenu>
+        <DropdownMenuTrigger asChild>
+          <button
+            type='button'
+            aria-label='API key actions'
+            className={chipVariants({ flush: true })}
+          >
+            <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+          </button>
+        </DropdownMenuTrigger>
+        <DropdownMenuContent align='end'>
+          <DropdownMenuItem onSelect={() => copyKeyName(keyName)}>Copy name</DropdownMenuItem>
+          <DropdownMenuItem
+            className='text-[var(--text-error)]'
+            onSelect={onDelete}
+            disabled={!canDelete}
+          >
+            Delete
+          </DropdownMenuItem>
+        </DropdownMenuContent>
+      </DropdownMenu>
+    </div>
+  )
+}
+
 export function ApiKeys() {
   const { data: session } = useSession()
   const userId = session?.user?.id
@@ -164,16 +223,14 @@ export function ApiKeys() {
                               {key.displayKey || key.key}
                             </p>
                           </div>
-                          <Chip
-                            className='flex-shrink-0'
-                            onClick={() => {
+                          <ApiKeyRowMenu
+                            keyName={key.name}
+                            onDelete={() => {
                               setDeleteKey(key)
                               setShowDeleteDialog(true)
                             }}
-                            disabled={!canManageWorkspaceKeys}
-                          >
-                            Delete
-                          </Chip>
+                            canDelete={canManageWorkspaceKeys}
+                          />
                         </div>
                       ))}
                     </div>
@@ -197,16 +254,14 @@ export function ApiKeys() {
                             {key.displayKey || key.key}
                           </p>
                         </div>
-                        <Chip
-                          className='flex-shrink-0'
-                          onClick={() => {
+                        <ApiKeyRowMenu
+                          keyName={key.name}
+                          onDelete={() => {
                             setDeleteKey(key)
                             setShowDeleteDialog(true)
                           }}
-                          disabled={!canManageWorkspaceKeys}
-                        >
-                          Delete
-                        </Chip>
+                          canDelete={canManageWorkspaceKeys}
+                        />
                       </div>
                     ))}
                   </div>
@@ -235,15 +290,13 @@ export function ApiKeys() {
                                 {key.displayKey || key.key}
                               </p>
                             </div>
-                            <Chip
-                              className='flex-shrink-0'
-                              onClick={() => {
+                            <ApiKeyRowMenu
+                              keyName={key.name}
+                              onDelete={() => {
                                 setDeleteKey(key)
                                 setShowDeleteDialog(true)
                               }}
-                            >
-                              Delete
-                            </Chip>
+                            />
                           </div>
                           {isConflict && (
                             <div className='text-[var(--text-error)] text-small leading-tight'>
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/credential-sets/credential-sets.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/credential-sets/credential-sets.tsx
index f41d180ed6c..6f5f05477d3 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/credential-sets/credential-sets.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/credential-sets/credential-sets.tsx
@@ -20,7 +20,13 @@ import {
   ChipModalField,
   ChipModalFooter,
   ChipModalHeader,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
   type FileInputOptions,
+  MoreHorizontal,
   Search,
   TagInput,
   type TagItem,
@@ -516,13 +522,26 @@ export function CredentialSets() {
                         </div>
 
                         <div className='ml-4 flex items-center gap-1'>
-                          <Chip
-                            variant='destructive'
-                            onClick={() => handleRemoveMember(member.id)}
-                            disabled={removeMember.isPending}
-                          >
-                            Remove
-                          </Chip>
+                          <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                              <button
+                                type='button'
+                                aria-label='Member actions'
+                                className={chipVariants({ flush: true })}
+                              >
+                                <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                              </button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align='end'>
+                              <DropdownMenuItem
+                                className='text-[var(--text-error)]'
+                                onSelect={() => handleRemoveMember(member.id)}
+                                disabled={removeMember.isPending}
+                              >
+                                Remove
+                              </DropdownMenuItem>
+                            </DropdownMenuContent>
+                          </DropdownMenu>
                         </div>
                       </div>
                     )
@@ -561,25 +580,41 @@ export function CredentialSets() {
                         </div>
 
                         <div className='ml-4 flex items-center gap-1'>
-                          <Chip
-                            onClick={() => handleResendInvitation(invitation.id, email)}
-                            disabled={
-                              resendingInvitations.has(invitation.id) ||
-                              (resendCooldowns[invitation.id] ?? 0) > 0
-                            }
-                          >
-                            {resendingInvitations.has(invitation.id)
-                              ? 'Sending...'
-                              : resendCooldowns[invitation.id]
-                                ? `Resend (${resendCooldowns[invitation.id]}s)`
-                                : 'Resend'}
-                          </Chip>
-                          <Chip
-                            onClick={() => handleCancelInvitation(invitation.id)}
-                            disabled={cancellingInvitations.has(invitation.id)}
-                          >
-                            {cancellingInvitations.has(invitation.id) ? 'Cancelling...' : 'Cancel'}
-                          </Chip>
+                          <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                              <button
+                                type='button'
+                                aria-label='Invitation actions'
+                                className={chipVariants({ flush: true })}
+                              >
+                                <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                              </button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align='end'>
+                              <DropdownMenuItem
+                                onSelect={() => handleResendInvitation(invitation.id, email)}
+                                disabled={
+                                  resendingInvitations.has(invitation.id) ||
+                                  (resendCooldowns[invitation.id] ?? 0) > 0
+                                }
+                              >
+                                {resendingInvitations.has(invitation.id)
+                                  ? 'Sending...'
+                                  : resendCooldowns[invitation.id]
+                                    ? `Resend (${resendCooldowns[invitation.id]}s)`
+                                    : 'Resend'}
+                              </DropdownMenuItem>
+                              <DropdownMenuItem
+                                className='text-[var(--text-error)]'
+                                onSelect={() => handleCancelInvitation(invitation.id)}
+                                disabled={cancellingInvitations.has(invitation.id)}
+                              >
+                                {cancellingInvitations.has(invitation.id)
+                                  ? 'Cancelling...'
+                                  : 'Cancel'}
+                              </DropdownMenuItem>
+                            </DropdownMenuContent>
+                          </DropdownMenu>
                         </div>
                       </div>
                     )
@@ -729,14 +764,30 @@ export function CredentialSets() {
                                     </span>
                                   </div>
                                 </div>
-                                <div className='flex items-center gap-2'>
-                                  <Chip onClick={() => setViewingSet(set)}>Details</Chip>
-                                  <Chip
-                                    onClick={() => handleDeleteClick(set)}
-                                    disabled={deletingSetIds.has(set.id)}
-                                  >
-                                    {deletingSetIds.has(set.id) ? 'Deleting...' : 'Delete'}
-                                  </Chip>
+                                <div className='flex items-center gap-1'>
+                                  <DropdownMenu>
+                                    <DropdownMenuTrigger asChild>
+                                      <button
+                                        type='button'
+                                        aria-label='Group actions'
+                                        className={chipVariants({ flush: true })}
+                                      >
+                                        <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                                      </button>
+                                    </DropdownMenuTrigger>
+                                    <DropdownMenuContent align='end'>
+                                      <DropdownMenuItem onSelect={() => setViewingSet(set)}>
+                                        Details
+                                      </DropdownMenuItem>
+                                      <DropdownMenuItem
+                                        className='text-[var(--text-error)]'
+                                        onSelect={() => handleDeleteClick(set)}
+                                        disabled={deletingSetIds.has(set.id)}
+                                      >
+                                        Delete
+                                      </DropdownMenuItem>
+                                    </DropdownMenuContent>
+                                  </DropdownMenu>
                                 </div>
                               </div>
                             ))}
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/custom-tools/custom-tools.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/custom-tools/custom-tools.tsx
index 797a86fafe2..86260a8fa51 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/custom-tools/custom-tools.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/custom-tools/custom-tools.tsx
@@ -5,7 +5,18 @@ import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
 import { Plus } from 'lucide-react'
 import { useParams } from 'next/navigation'
-import { Chip, ChipConfirmModal, ChipInput, Search } from '@/components/emcn'
+import {
+  Chip,
+  ChipConfirmModal,
+  ChipInput,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  MoreHorizontal,
+  Search,
+} from '@/components/emcn'
 import { CustomToolModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/custom-tool-modal/custom-tool-modal'
 import { useCustomTools, useDeleteCustomTool } from '@/hooks/queries/custom-tools'
 
@@ -134,14 +145,30 @@ export function CustomTools() {
                         </p>
                       )}
                     </div>
-                    <div className='flex flex-shrink-0 items-center gap-2'>
-                      <Chip onClick={() => setEditingTool(tool.id)}>Edit</Chip>
-                      <Chip
-                        onClick={() => handleDeleteClick(tool.id)}
-                        disabled={deletingTools.has(tool.id)}
-                      >
-                        {deletingTools.has(tool.id) ? 'Deleting...' : 'Delete'}
-                      </Chip>
+                    <div className='flex flex-shrink-0 items-center gap-1'>
+                      <DropdownMenu>
+                        <DropdownMenuTrigger asChild>
+                          <button
+                            type='button'
+                            aria-label='Tool actions'
+                            className={chipVariants({ flush: true })}
+                          >
+                            <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                          </button>
+                        </DropdownMenuTrigger>
+                        <DropdownMenuContent align='end'>
+                          <DropdownMenuItem onSelect={() => setEditingTool(tool.id)}>
+                            Edit
+                          </DropdownMenuItem>
+                          <DropdownMenuItem
+                            className='text-[var(--text-error)]'
+                            onSelect={() => handleDeleteClick(tool.id)}
+                            disabled={deletingTools.has(tool.id)}
+                          >
+                            Delete
+                          </DropdownMenuItem>
+                        </DropdownMenuContent>
+                      </DropdownMenu>
                     </div>
                   </div>
                 ))}
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx
index 987ef148f6f..c468f1e8e4e 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx
@@ -12,6 +12,12 @@ import {
   Chip,
   ChipConfirmModal,
   ChipInput,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  MoreHorizontal,
   Search,
   Tooltip,
 } from '@/components/emcn'
@@ -120,10 +126,27 @@ function ServerListItem({
         </p>
       </div>
       <div className='flex flex-shrink-0 items-center gap-1'>
-        <Chip onClick={onViewDetails}>Details</Chip>
-        <Chip onClick={onRemove} disabled={isDeleting}>
-          {isDeleting ? 'Deleting...' : 'Delete'}
-        </Chip>
+        <DropdownMenu>
+          <DropdownMenuTrigger asChild>
+            <button
+              type='button'
+              aria-label='Server actions'
+              className={chipVariants({ flush: true })}
+            >
+              <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+            </button>
+          </DropdownMenuTrigger>
+          <DropdownMenuContent align='end'>
+            <DropdownMenuItem onSelect={onViewDetails}>Details</DropdownMenuItem>
+            <DropdownMenuItem
+              className='text-[var(--text-error)]'
+              onSelect={onRemove}
+              disabled={isDeleting}
+            >
+              Delete
+            </DropdownMenuItem>
+          </DropdownMenuContent>
+        </DropdownMenu>
       </div>
     </div>
   )
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/mothership/mothership.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/mothership/mothership.tsx
index 19865911ddd..4cdf68f9e54 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/mothership/mothership.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/mothership/mothership.tsx
@@ -3,7 +3,7 @@
 import { useCallback, useMemo, useState } from 'react'
 import { useParams } from 'next/navigation'
 import { useQueryStates } from 'nuqs'
-import { Badge, Button, Input as EmcnInput, Label, Skeleton } from '@/components/emcn'
+import { Badge, Button, ChipInput, ChipSelect, Label, Skeleton } from '@/components/emcn'
 import { AnthropicIcon, OpenAIIcon } from '@/components/icons'
 import { cn } from '@/lib/core/utils/cn'
 import {
@@ -50,10 +50,10 @@ const TABS: { id: MothershipTab; label: string }[] = [
   { id: 'byok', label: 'BYOK' },
 ]
 
-const ENV_OPTIONS: { id: MothershipEnv; label: string }[] = [
-  { id: 'dev', label: 'Dev' },
-  { id: 'staging', label: 'Staging' },
-  { id: 'prod', label: 'Prod' },
+const ENV_OPTIONS: { value: MothershipEnv; label: string }[] = [
+  { value: 'dev', label: 'Dev' },
+  { value: 'staging', label: 'Staging' },
+  { value: 'prod', label: 'Prod' },
 ]
 
 function defaultTimeRange() {
@@ -81,11 +81,11 @@ function formatDate(d: string | null | undefined) {
 }
 
 function Divider() {
-  return <div className='h-px bg-[var(--border-secondary)]' />
+  return <div className='h-px bg-[var(--border)]' />
 }
 
 function SectionLabel({ children }: { children: React.ReactNode }) {
-  return <p className='font-medium text-[var(--text-primary)] text-sm'>{children}</p>
+  return <p className='font-medium text-[var(--text-muted)] text-small'>{children}</p>
 }
 
 export function Mothership() {
@@ -104,23 +104,14 @@ export function Mothership() {
           {/* Environment selector */}
           <div className='flex items-center gap-2'>
             <Label className='text-[var(--text-secondary)] text-sm'>Environment</Label>
-            <div className='flex gap-1'>
-              {ENV_OPTIONS.map((opt) => (
-                <button
-                  key={opt.id}
-                  type='button'
-                  onClick={() => setMothershipParams({ env: opt.id })}
-                  className={cn(
-                    'rounded-md px-3 py-1 font-medium text-sm transition-colors',
-                    environment === opt.id
-                      ? 'bg-[var(--surface-hover)] text-[var(--text-primary)]'
-                      : 'text-[var(--text-tertiary)] hover-hover:hover:text-[var(--text-secondary)]'
-                  )}
-                >
-                  {opt.label}
-                </button>
-              ))}
-            </div>
+            <ChipSelect
+              align='start'
+              dropdownWidth={160}
+              value={environment}
+              onChange={(value) => setMothershipParams({ env: value as MothershipEnv })}
+              placeholder='Select environment'
+              options={ENV_OPTIONS}
+            />
           </div>
 
           {/* Tab bar */}
@@ -149,20 +140,18 @@ export function Mothership() {
           <div className='flex items-center gap-3'>
             <div className='flex items-center gap-2'>
               <Label className='text-[var(--text-secondary)] text-caption'>From</Label>
-              <EmcnInput
+              <ChipInput
                 type='datetime-local'
                 value={start}
                 onChange={(e) => setStart(e.target.value)}
-                className='h-[30px] text-caption'
               />
             </div>
             <div className='flex items-center gap-2'>
               <Label className='text-[var(--text-secondary)] text-caption'>To</Label>
-              <EmcnInput
+              <ChipInput
                 type='datetime-local'
                 value={end}
                 onChange={(e) => setEnd(e.target.value)}
-                className='h-[30px] text-caption'
               />
             </div>
           </div>
@@ -431,23 +420,23 @@ function LicensesTab({ environment }: { environment: MothershipEnv }) {
       <div className='flex items-end gap-2'>
         <div className='flex flex-col gap-1'>
           <Label className='text-[var(--text-secondary)] text-caption'>Enterprise Name</Label>
-          <EmcnInput
+          <ChipInput
             value={newName}
             onChange={(e) => {
               setNewName(e.target.value)
               setGeneratedKey(null)
             }}
             placeholder='e.g. Acme Corp'
-            className='h-[32px] w-[200px]'
+            className='w-[200px]'
           />
         </div>
         <div className='flex flex-col gap-1'>
           <Label className='text-[var(--text-secondary)] text-caption'>Expiration (optional)</Label>
-          <EmcnInput
+          <ChipInput
             type='date'
             value={newExpiry}
             onChange={(e) => setNewExpiry(e.target.value)}
-            className='h-[32px] w-[160px]'
+            className='w-[160px]'
           />
         </div>
         <Button
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secrets-manager/secrets-manager.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secrets-manager/secrets-manager.tsx
index ffb2becd85a..d1c25230b8f 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secrets-manager/secrets-manager.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/secrets/components/secrets-manager/secrets-manager.tsx
@@ -5,7 +5,19 @@ import { createLogger } from '@sim/logger'
 import { generateShortId } from '@sim/utils/id'
 import { useQueryClient } from '@tanstack/react-query'
 import { useParams, useRouter } from 'next/navigation'
-import { Chip, ChipInput, Search, Tooltip, Trash, toast } from '@/components/emcn'
+import {
+  Chip,
+  ChipInput,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  MoreHorizontal,
+  Search,
+  Tooltip,
+  toast,
+} from '@/components/emcn'
 import { cn } from '@/lib/core/utils/cn'
 import {
   clearPendingCredentialCreateRequest,
@@ -31,8 +43,54 @@ import { useSettingsDirtyStore } from '@/stores/settings/dirty/store'
 
 const logger = createLogger('SecretsManager')
 
-const GRID_COLS = 'grid grid-cols-[minmax(0,1fr)_8px_minmax(0,1fr)_auto_auto] items-center'
-const COL_SPAN_ALL = 'col-span-5'
+const GRID_COLS = 'grid grid-cols-[minmax(0,1fr)_8px_minmax(0,1fr)_auto] items-center'
+const COL_SPAN_ALL = 'col-span-4'
+
+/** Copies a secret's name and confirms with a toast. */
+function copyName(key: string) {
+  void navigator.clipboard.writeText(key)
+  toast.success('Copied name to clipboard')
+}
+
+interface SecretRowMenuProps {
+  /** Copies the secret's name. */
+  onCopyName: () => void
+  /** Opens credential details; omit when the row has no backing credential. */
+  onViewDetails?: () => void
+  /** Deletes the secret (or clears the draft row); omit when the caller can't delete. */
+  onDelete?: () => void
+}
+
+/**
+ * Trailing `...` actions menu for a secret row. Mirrors the Teammates /
+ * Organization member menu so the settings experience is consistent.
+ */
+function SecretRowMenu({ onCopyName, onViewDetails, onDelete }: SecretRowMenuProps) {
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <button
+          type='button'
+          aria-label='Secret actions'
+          className={cn(chipVariants({ flush: true }), 'ml-2')}
+        >
+          <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+        </button>
+      </DropdownMenuTrigger>
+      <DropdownMenuContent align='end'>
+        {onViewDetails && (
+          <DropdownMenuItem onSelect={onViewDetails}>View details</DropdownMenuItem>
+        )}
+        <DropdownMenuItem onSelect={onCopyName}>Copy name</DropdownMenuItem>
+        {onDelete && (
+          <DropdownMenuItem className='text-[var(--text-error)]' onSelect={onDelete}>
+            Delete
+          </DropdownMenuItem>
+        )}
+      </DropdownMenuContent>
+    </DropdownMenu>
+  )
+}
 
 const generateRowId = (() => {
   let counter = 0
@@ -201,23 +259,11 @@ function WorkspaceVariableRow({
         canEdit={canEdit}
         name={`workspace_env_value_${envKey}_${generateShortId()}`}
       />
-      <Chip
-        onClick={() => onViewDetails(envKey)}
-        disabled={!hasCredential}
-        className={cn('ml-2', !hasCredential && 'opacity-40')}
-      >
-        Details
-      </Chip>
-      {canEdit ? (
-        <Tooltip.Root>
-          <Tooltip.Trigger asChild>
-            <Chip leftIcon={Trash} onClick={() => onDelete(envKey)} aria-label='Delete secret' />
-          </Tooltip.Trigger>
-          <Tooltip.Content>Delete secret</Tooltip.Content>
-        </Tooltip.Root>
-      ) : (
-        <div />
-      )}
+      <SecretRowMenu
+        onCopyName={() => copyName(envKey)}
+        onViewDetails={hasCredential ? () => onViewDetails(envKey) : undefined}
+        onDelete={canEdit ? () => onDelete(envKey) : undefined}
+      />
     </div>
   )
 }
@@ -262,22 +308,19 @@ function NewWorkspaceVariableRow({
         onPaste={onPaste ? (e) => onPaste(e, index) : undefined}
         placeholder='Enter value'
         name={`new_workspace_value_${envVar.id || index}_${generateShortId()}`}
-        className='col-span-2 ml-0'
+        className='ml-0'
       />
-      <Tooltip.Root>
-        <Tooltip.Trigger asChild>
-          <Chip
-            leftIcon={Trash}
-            onClick={() => {
-              onUpdate(index, 'key', '')
-              onUpdate(index, 'value', '')
-            }}
-            disabled={!hasContent}
-            aria-label='Delete secret'
-          />
-        </Tooltip.Trigger>
-        {hasContent && <Tooltip.Content>Delete secret</Tooltip.Content>}
-      </Tooltip.Root>
+      {hasContent ? (
+        <SecretRowMenu
+          onCopyName={() => copyName(envVar.key)}
+          onDelete={() => {
+            onUpdate(index, 'key', '')
+            onUpdate(index, 'value', '')
+          }}
+        />
+      ) : (
+        <div />
+      )}
       {keyError && (
         <div
           className={cn(
@@ -862,19 +905,16 @@ export function SecretsManager() {
           readOnly={isConflicted}
           placeholder={isConflicted ? 'Workspace override active' : 'Enter value'}
           name={`env_variable_value_${envVar.id || originalIndex}_${generateShortId()}`}
-          className={cn('col-span-2', isConflicted && 'cursor-not-allowed opacity-50')}
+          className={cn(isConflicted && 'cursor-not-allowed opacity-50')}
         />
-        <Tooltip.Root>
-          <Tooltip.Trigger asChild>
-            <Chip
-              leftIcon={Trash}
-              onClick={() => removeEnvVar(originalIndex)}
-              disabled={!hasContent}
-              aria-label='Delete secret'
-            />
-          </Tooltip.Trigger>
-          {hasContent && <Tooltip.Content>Delete secret</Tooltip.Content>}
-        </Tooltip.Root>
+        {hasContent ? (
+          <SecretRowMenu
+            onCopyName={() => copyName(envVar.key)}
+            onDelete={() => removeEnvVar(originalIndex)}
+          />
+        ) : (
+          <div />
+        )}
         {keyError && (
           <div
             className={cn(
diff --git a/apps/sim/app/workspace/[workspaceId]/settings/components/workflow-mcp-servers/workflow-mcp-servers.tsx b/apps/sim/app/workspace/[workspaceId]/settings/components/workflow-mcp-servers/workflow-mcp-servers.tsx
index 270979b2394..e3dc1996b57 100644
--- a/apps/sim/app/workspace/[workspaceId]/settings/components/workflow-mcp-servers/workflow-mcp-servers.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/settings/components/workflow-mcp-servers/workflow-mcp-servers.tsx
@@ -23,7 +23,13 @@ import {
   ChipSelect,
   Code,
   type ComboboxOption,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
   Label,
+  MoreHorizontal,
   Tooltip,
 } from '@/components/emcn'
 import { ArrowLeft, Search } from '@/components/emcn/icons'
@@ -459,13 +465,29 @@ function ServerDetailView({ workspaceId, serverId, onBack }: ServerDetailViewPro
                               </p>
                             </div>
                             <div className='flex flex-shrink-0 items-center gap-1'>
-                              <Chip onClick={() => setToolToView(tool)}>Edit</Chip>
-                              <Chip
-                                onClick={() => setToolToDelete(tool)}
-                                disabled={deleteToolMutation.isPending}
-                              >
-                                Remove
-                              </Chip>
+                              <DropdownMenu>
+                                <DropdownMenuTrigger asChild>
+                                  <button
+                                    type='button'
+                                    aria-label='Tool actions'
+                                    className={chipVariants({ flush: true })}
+                                  >
+                                    <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                                  </button>
+                                </DropdownMenuTrigger>
+                                <DropdownMenuContent align='end'>
+                                  <DropdownMenuItem onSelect={() => setToolToView(tool)}>
+                                    Edit
+                                  </DropdownMenuItem>
+                                  <DropdownMenuItem
+                                    className='text-[var(--text-error)]'
+                                    onSelect={() => setToolToDelete(tool)}
+                                    disabled={deleteToolMutation.isPending}
+                                  >
+                                    Remove
+                                  </DropdownMenuItem>
+                                </DropdownMenuContent>
+                              </DropdownMenu>
                             </div>
                           </div>
                         ))}
@@ -1021,10 +1043,29 @@ export function WorkflowMcpServers() {
                           </p>
                         </div>
                         <div className='flex flex-shrink-0 items-center gap-1'>
-                          <Chip onClick={() => setSelectedServerId(server.id)}>Details</Chip>
-                          <Chip onClick={() => setServerToDelete(server)} disabled={isDeleting}>
-                            {isDeleting ? 'Deleting...' : 'Delete'}
-                          </Chip>
+                          <DropdownMenu>
+                            <DropdownMenuTrigger asChild>
+                              <button
+                                type='button'
+                                aria-label='Server actions'
+                                className={chipVariants({ flush: true })}
+                              >
+                                <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                              </button>
+                            </DropdownMenuTrigger>
+                            <DropdownMenuContent align='end'>
+                              <DropdownMenuItem onSelect={() => setSelectedServerId(server.id)}>
+                                Details
+                              </DropdownMenuItem>
+                              <DropdownMenuItem
+                                className='text-[var(--text-error)]'
+                                onSelect={() => setServerToDelete(server)}
+                                disabled={isDeleting}
+                              >
+                                Delete
+                              </DropdownMenuItem>
+                            </DropdownMenuContent>
+                          </DropdownMenu>
                         </div>
                       </div>
                     )
diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
index 516ffdab35b..1aad573c91c 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
@@ -14,6 +14,7 @@ import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
 import { getDependsOnFields } from '@/blocks/utils'
 import { ResponseBlockHandler } from '@/executor/handlers/response/response-handler'
+import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -98,6 +99,7 @@ export const Dropdown = memo(function Dropdown({
   searchable = false,
 }: DropdownProps) {
   const activeSearchTarget = useActiveSearchTarget()
+  const { isToolAllowed } = usePermissionConfig()
   const [storeValue, setStoreValue] = useSubBlockValue<string | string[]>(blockId, subBlockId) as [
     string | string[] | null | undefined,
     (value: string | string[]) => void,
@@ -214,19 +216,43 @@ export const Dropdown = memo(function Dropdown({
     return opts
   }, [fetchOptions, normalizedFetchedOptions, evaluatedOptions, hydratedOption])
 
+  /**
+   * Operation IDs whose resolved tool is denied by the caller's permission
+   * group. Only the `operation` selector of a block with a tool selector is
+   * gated. Denied operations are hidden from the picker (still resolvable for
+   * label display); the server is the authoritative gate regardless.
+   */
+  const deniedOperationIds = useMemo(() => {
+    const denied = new Set<string>()
+    if (subBlockId !== 'operation') return denied
+    const selectTool = blockConfig?.tools?.config?.tool
+    if (!selectTool) return denied
+    for (const opt of allOptions) {
+      const optionId = typeof opt === 'string' ? opt : opt.id
+      try {
+        const toolId = selectTool({ operation: optionId })
+        if (toolId && !isToolAllowed(toolId)) denied.add(optionId)
+      } catch {
+        // Selector couldn't resolve a tool from the operation alone — leave the
+        // option visible; runtime enforcement still applies.
+      }
+    }
+    return denied
+  }, [subBlockId, blockConfig, allOptions, isToolAllowed])
+
   const comboboxOptions = useMemo((): ComboboxOption[] => {
     return allOptions.map((opt) => {
       if (typeof opt === 'string') {
-        return { label: opt.toLowerCase(), value: opt }
+        return { label: opt.toLowerCase(), value: opt, hidden: deniedOperationIds.has(opt) }
       }
       return {
         label: opt.label.toLowerCase(),
         value: opt.id,
         icon: 'icon' in opt ? opt.icon : undefined,
-        hidden: opt.hidden,
+        hidden: opt.hidden || deniedOperationIds.has(opt.id),
       }
     })
-  }, [allOptions])
+  }, [allOptions, deniedOperationIds])
 
   const optionMap = useMemo(() => {
     return new Map(comboboxOptions.map((opt) => [opt.value, opt.label]))
@@ -238,8 +264,9 @@ export const Dropdown = memo(function Dropdown({
       return defaultValue
     }
 
-    if (comboboxOptions.length > 0) {
-      return comboboxOptions[0].value
+    const firstSelectable = comboboxOptions.find((opt) => !opt.hidden)
+    if (firstSelectable) {
+      return firstSelectable.value
     }
 
     return undefined
diff --git a/apps/sim/ee/access-control/components/access-control.tsx b/apps/sim/ee/access-control/components/access-control.tsx
index 22bede4363f..91be65dfdb4 100644
--- a/apps/sim/ee/access-control/components/access-control.tsx
+++ b/apps/sim/ee/access-control/components/access-control.tsx
@@ -1,18 +1,12 @@
 'use client'
 
-import { useCallback, useMemo, useRef, useState } from 'react'
+import { useCallback, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
-import { getErrorMessage } from '@sim/utils/errors'
-import { ArrowRight, ChevronDown, Plus } from 'lucide-react'
+import { ArrowRight, Plus } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import {
-  Avatar,
-  AvatarFallback,
-  AvatarImage,
   Checkbox,
   Chip,
-  ChipConfirmModal,
-  ChipDropdown,
   ChipInput,
   ChipModal,
   ChipModalBody,
@@ -20,465 +14,23 @@ import {
   ChipModalField,
   ChipModalFooter,
   ChipModalHeader,
-  ChipModalTabs,
-  chipVariants,
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuItem,
-  DropdownMenuTrigger,
+  ChipTag,
   Label,
-  MoreHorizontal,
   Search,
-  Skeleton,
-  Switch,
-  toast,
 } from '@/components/emcn'
-import { ArrowLeft } from '@/components/emcn/icons'
-import type { ShareAuthType } from '@/lib/api/contracts/public-shares'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
-import { cn } from '@/lib/core/utils/cn'
-import { isBlockTypeAccessControlExempt } from '@/lib/permission-groups/block-access'
-import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
-import { getUserColor } from '@/lib/workspaces/colors'
-import { MemberRow } from '@/app/workspace/[workspaceId]/settings/components/member-list'
 import { SettingsSection } from '@/app/workspace/[workspaceId]/settings/components/settings-section/settings-section'
-import { getAllBlocks } from '@/blocks'
+import { GroupDetail } from '@/ee/access-control/components/group-detail'
+import { WorkspaceSelect } from '@/ee/access-control/components/workspace-select'
 import {
-  type PermissionGroup,
-  useBulkAddPermissionGroupMembers,
   useCreatePermissionGroup,
-  useDeletePermissionGroup,
   useOrganizationWorkspaces,
-  usePermissionGroupMembers,
   usePermissionGroups,
-  useRemovePermissionGroupMember,
-  useUpdatePermissionGroup,
   useUserPermissionConfig,
 } from '@/ee/access-control/hooks/permission-groups'
-import { useBlacklistedProviders } from '@/hooks/queries/allowed-providers'
-import { useOrganizationRoster } from '@/hooks/queries/organization'
-import { useProviderModels } from '@/hooks/queries/providers'
-import {
-  DYNAMIC_MODEL_PROVIDERS,
-  getProviderModels,
-  PROVIDER_DEFINITIONS,
-} from '@/providers/models'
-import type { ProviderId } from '@/providers/types'
-import { getAllProviderIds, getProviderFromModel } from '@/providers/utils'
-import type { ProviderName } from '@/stores/providers'
 
 const logger = createLogger('AccessControl')
 
-/** Public-file-share auth modes an admin can allow/disallow. `null` config = all allowed. */
-const FILE_SHARE_AUTH_TYPE_OPTIONS: { value: ShareAuthType; label: string }[] = [
-  { value: 'public', label: 'Anyone with link' },
-  { value: 'password', label: 'Password' },
-  { value: 'email', label: 'Email' },
-  { value: 'sso', label: 'SSO' },
-]
-const ALL_FILE_SHARE_AUTH_TYPES: ShareAuthType[] = FILE_SHARE_AUTH_TYPE_OPTIONS.map((o) => o.value)
-
-interface OrganizationMemberOption {
-  userId: string
-  user: {
-    name: string | null
-    email: string
-    image?: string | null
-  }
-}
-
-interface AddMembersModalProps {
-  open: boolean
-  onOpenChange: (open: boolean) => void
-  availableMembers: OrganizationMemberOption[]
-  selectedMemberIds: Set<string>
-  setSelectedMemberIds: React.Dispatch<React.SetStateAction<Set<string>>>
-  onAddMembers: () => void
-  isAdding: boolean
-  errorMessage: string | null
-}
-
-function AddMembersModal({
-  open,
-  onOpenChange,
-  availableMembers,
-  selectedMemberIds,
-  setSelectedMemberIds,
-  onAddMembers,
-  isAdding,
-  errorMessage,
-}: AddMembersModalProps) {
-  const [searchTerm, setSearchTerm] = useState('')
-
-  const filteredMembers = useMemo(() => {
-    if (!searchTerm.trim()) return availableMembers
-    const query = searchTerm.toLowerCase()
-    return availableMembers.filter((m) => {
-      const name = m.user?.name || ''
-      const email = m.user?.email || ''
-      return name.toLowerCase().includes(query) || email.toLowerCase().includes(query)
-    })
-  }, [availableMembers, searchTerm])
-
-  const allFilteredSelected = useMemo(() => {
-    if (filteredMembers.length === 0) return false
-    return filteredMembers.every((m) => selectedMemberIds.has(m.userId))
-  }, [filteredMembers, selectedMemberIds])
-
-  const handleToggleAll = () => {
-    if (allFilteredSelected) {
-      const filteredIds = new Set(filteredMembers.map((m) => m.userId))
-      setSelectedMemberIds((prev) => {
-        const next = new Set(prev)
-        filteredIds.forEach((id) => next.delete(id))
-        return next
-      })
-    } else {
-      setSelectedMemberIds((prev) => {
-        const next = new Set(prev)
-        filteredMembers.forEach((m) => next.add(m.userId))
-        return next
-      })
-    }
-  }
-
-  const handleToggleMember = (userId: string) => {
-    setSelectedMemberIds((prev) => {
-      const next = new Set(prev)
-      if (next.has(userId)) {
-        next.delete(userId)
-      } else {
-        next.add(userId)
-      }
-      return next
-    })
-  }
-
-  return (
-    <ChipModal
-      open={open}
-      onOpenChange={(o) => {
-        if (!o) setSearchTerm('')
-        onOpenChange(o)
-      }}
-      size='sm'
-      srTitle='Add Members'
-    >
-      <ChipModalHeader onClose={() => onOpenChange(false)}>Add Members</ChipModalHeader>
-      <ChipModalBody>
-        {availableMembers.length === 0 ? (
-          <p className='px-2 text-[var(--text-muted)] text-sm'>
-            All organization members are already in this group.
-          </p>
-        ) : (
-          <ChipModalField type='custom' title='Members'>
-            <div className='flex flex-col gap-3'>
-              <div className='flex items-center gap-2'>
-                <ChipInput
-                  icon={Search}
-                  placeholder='Search members...'
-                  value={searchTerm}
-                  onChange={(e) => setSearchTerm(e.target.value)}
-                  className='min-w-0 flex-1'
-                />
-                <Chip onClick={handleToggleAll}>
-                  {allFilteredSelected ? 'Deselect All' : 'Select All'}
-                </Chip>
-              </div>
-
-              <div className='max-h-[280px] overflow-y-auto'>
-                {filteredMembers.length === 0 ? (
-                  <p className='py-4 text-center text-[var(--text-muted)] text-sm'>
-                    No members found matching "{searchTerm}"
-                  </p>
-                ) : (
-                  <div className='flex flex-col'>
-                    {filteredMembers.map((member) => {
-                      const name = member.user?.name || 'Unknown'
-                      const email = member.user?.email || ''
-                      const avatarInitial = name.charAt(0).toUpperCase()
-                      const isSelected = selectedMemberIds.has(member.userId)
-
-                      return (
-                        <button
-                          key={member.userId}
-                          type='button'
-                          onClick={() => handleToggleMember(member.userId)}
-                          className='flex items-center gap-2.5 rounded-sm px-2 py-1.5 hover-hover:bg-[var(--surface-active)]'
-                        >
-                          <Checkbox checked={isSelected} />
-                          <Avatar size='sm'>
-                            {member.user?.image && (
-                              <AvatarImage src={member.user.image} alt={name} />
-                            )}
-                            <AvatarFallback
-                              style={{ background: getUserColor(member.userId || email) }}
-                              className='border-0 text-micro text-white'
-                            >
-                              {avatarInitial}
-                            </AvatarFallback>
-                          </Avatar>
-                          <div className='min-w-0 flex-1 text-left'>
-                            <div className='truncate text-[var(--text-body)] text-sm'>{name}</div>
-                            <div className='truncate text-[var(--text-muted)] text-xs'>{email}</div>
-                          </div>
-                        </button>
-                      )
-                    })}
-                  </div>
-                )}
-              </div>
-            </div>
-          </ChipModalField>
-        )}
-        <ChipModalError>{errorMessage}</ChipModalError>
-      </ChipModalBody>
-      <ChipModalFooter
-        onCancel={() => {
-          setSearchTerm('')
-          onOpenChange(false)
-        }}
-        primaryAction={{
-          label: isAdding ? 'Adding...' : 'Add Members',
-          onClick: onAddMembers,
-          disabled: selectedMemberIds.size === 0 || isAdding,
-        }}
-      />
-    </ChipModal>
-  )
-}
-
-interface WorkspaceSelectProps {
-  workspaceIds: string[]
-  onChange: (ids: string[]) => void
-  options: { value: string; label: string }[]
-  disabled?: boolean
-  isLoading?: boolean
-  fullWidth?: boolean
-  className?: string
-  /**
-   * When false, the "All workspaces" reset option is hidden and an empty
-   * selection reads as a prompt. Non-default groups must target ≥1 workspace.
-   */
-  allowAllWorkspaces?: boolean
-}
-
-/**
- * Workspace scope multi-select. With `allowAllWorkspaces` an empty selection
- * reads as "All workspaces" (the default group); otherwise it prompts for a
- * selection, since non-default groups must target specific workspaces.
- */
-function WorkspaceSelect({
-  workspaceIds,
-  onChange,
-  options,
-  disabled = false,
-  isLoading = false,
-  fullWidth = false,
-  className,
-  allowAllWorkspaces = true,
-}: WorkspaceSelectProps) {
-  return (
-    <ChipDropdown
-      multiple
-      searchable
-      align={fullWidth ? 'start' : 'end'}
-      matchTriggerWidth={fullWidth}
-      options={options}
-      value={workspaceIds}
-      onChange={onChange}
-      disabled={disabled || isLoading}
-      showAllOption={allowAllWorkspaces}
-      allLabel={
-        isLoading
-          ? 'Loading workspaces…'
-          : allowAllWorkspaces
-            ? 'All workspaces'
-            : 'Select workspaces…'
-      }
-      searchPlaceholder='Search workspaces…'
-      fullWidth={fullWidth}
-      className={className}
-    />
-  )
-}
-
-interface ModelDenylistControls {
-  isModelAllowed: (model: string) => boolean
-  onToggleModel: (model: string) => void
-  onSetModelsDenied: (models: string[], denied: boolean) => void
-}
-
-interface ModelCheckboxGridProps extends ModelDenylistControls {
-  models: string[]
-  isLoading: boolean
-}
-
-function ModelCheckboxGrid({
-  models,
-  isLoading,
-  isModelAllowed,
-  onToggleModel,
-  onSetModelsDenied,
-}: ModelCheckboxGridProps) {
-  const [search, setSearch] = useState('')
-
-  const sortedModels = useMemo(() => [...models].sort((a, b) => a.localeCompare(b)), [models])
-
-  const filteredModels = useMemo(() => {
-    if (!search.trim()) return sortedModels
-    const query = search.toLowerCase()
-    return sortedModels.filter((model) => model.toLowerCase().includes(query))
-  }, [sortedModels, search])
-
-  if (isLoading) {
-    return <div className='px-2 py-3 text-[var(--text-muted)] text-xs'>Loading models…</div>
-  }
-
-  if (models.length === 0) {
-    return (
-      <div className='px-2 py-3 text-[var(--text-muted)] text-xs'>
-        No models available for this provider.
-      </div>
-    )
-  }
-
-  const allFilteredAllowed = filteredModels.every((model) => isModelAllowed(model))
-
-  return (
-    <div className='flex flex-col gap-2'>
-      <div className='flex items-center gap-2'>
-        <ChipInput
-          icon={Search}
-          placeholder='Search models...'
-          value={search}
-          onChange={(e) => setSearch(e.target.value)}
-          className='min-w-0 flex-1'
-        />
-        <Chip onClick={() => onSetModelsDenied(filteredModels, allFilteredAllowed)}>
-          {allFilteredAllowed ? 'Block All' : 'Allow All'}
-        </Chip>
-      </div>
-      <div className='grid grid-cols-2 gap-x-2 gap-y-0.5'>
-        {filteredModels.map((model) => {
-          const checkboxId = `model-${model}`
-          return (
-            <label
-              key={model}
-              htmlFor={checkboxId}
-              className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-            >
-              <Checkbox
-                id={checkboxId}
-                checked={isModelAllowed(model)}
-                onCheckedChange={() => onToggleModel(model)}
-              />
-              <span className='truncate text-sm'>{model}</span>
-            </label>
-          )
-        })}
-      </div>
-    </div>
-  )
-}
-
-interface DynamicProviderModelsProps extends ModelDenylistControls {
-  provider: ProviderName
-  workspaceId?: string
-}
-
-function DynamicProviderModels({ provider, workspaceId, ...controls }: DynamicProviderModelsProps) {
-  const { data, isPending } = useProviderModels(provider, workspaceId)
-  return <ModelCheckboxGrid models={data?.models ?? []} isLoading={isPending} {...controls} />
-}
-
-interface StaticProviderModelsProps extends ModelDenylistControls {
-  providerId: ProviderId
-}
-
-function StaticProviderModels({ providerId, ...controls }: StaticProviderModelsProps) {
-  const models = useMemo(() => getProviderModels(providerId), [providerId])
-  return <ModelCheckboxGrid models={models} isLoading={false} {...controls} />
-}
-
-interface ProviderRowProps extends ModelDenylistControls {
-  providerId: ProviderId
-  isProviderAllowed: boolean
-  onToggleProvider: () => void
-  deniedCount: number
-  workspaceId?: string
-}
-
-function ProviderRow({
-  providerId,
-  isProviderAllowed,
-  onToggleProvider,
-  deniedCount,
-  workspaceId,
-  ...controls
-}: ProviderRowProps) {
-  const [expanded, setExpanded] = useState(false)
-
-  const ProviderIcon = PROVIDER_DEFINITIONS[providerId]?.icon
-  const providerName =
-    PROVIDER_DEFINITIONS[providerId]?.name ||
-    providerId.replace(/-/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase())
-  const isDynamic = (DYNAMIC_MODEL_PROVIDERS as readonly string[]).includes(providerId)
-  const checkboxId = `provider-${providerId}`
-
-  return (
-    <div>
-      <div className='flex items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'>
-        <Checkbox
-          id={checkboxId}
-          checked={isProviderAllowed}
-          onCheckedChange={() => onToggleProvider()}
-        />
-        <div className='relative flex size-[16px] flex-shrink-0 items-center justify-center'>
-          {ProviderIcon && <ProviderIcon className='!h-[16px] !w-[16px]' />}
-        </div>
-        <button
-          type='button'
-          onClick={() => isProviderAllowed && setExpanded((prev) => !prev)}
-          disabled={!isProviderAllowed}
-          className={cn(
-            'flex flex-1 items-center gap-2 text-left',
-            isProviderAllowed ? 'cursor-pointer' : 'cursor-default opacity-60'
-          )}
-        >
-          <span className='truncate font-medium text-sm'>{providerName}</span>
-          {isProviderAllowed && deniedCount > 0 && (
-            <span className='rounded-sm bg-[var(--surface-3)] px-1.5 py-0.5 text-[var(--text-muted)] text-micro'>
-              {deniedCount} blocked
-            </span>
-          )}
-          {isProviderAllowed && (
-            <ChevronDown
-              className={cn(
-                'ml-auto size-[14px] flex-shrink-0 text-[var(--text-tertiary)] transition-transform',
-                expanded && 'rotate-180'
-              )}
-            />
-          )}
-        </button>
-      </div>
-      {expanded && isProviderAllowed && (
-        <div className='border-[var(--border)] border-t px-2 pt-2 pb-3'>
-          {isDynamic ? (
-            <DynamicProviderModels
-              provider={providerId as ProviderName}
-              workspaceId={workspaceId}
-              {...controls}
-            />
-          ) : (
-            <StaticProviderModels providerId={providerId} {...controls} />
-          )}
-        </div>
-      )}
-    </div>
-  )
-}
-
 export function AccessControl() {
   const params = useParams()
   const workspaceId = typeof params?.workspaceId === 'string' ? params.workspaceId : undefined
@@ -492,13 +44,10 @@ export function AccessControl() {
   const organizationId = userPermissionConfig?.organizationId ?? undefined
   const currentUserIsOrgAdmin = userPermissionConfig?.isOrgAdmin ?? false
 
-  // Group + roster reads require org admin/owner on the host org; only fetch them
-  // for admins to avoid surfacing expected 403s for non-admins/external members.
   const { data: permissionGroups = [], isPending: groupsLoading } = usePermissionGroups(
     organizationId,
     !!organizationId && currentUserIsOrgAdmin
   )
-  const { data: roster } = useOrganizationRoster(currentUserIsOrgAdmin ? organizationId : undefined)
   const { data: organizationWorkspaces = [], isPending: workspacesLoading } =
     useOrganizationWorkspaces(organizationId, !!organizationId && currentUserIsOrgAdmin)
 
@@ -512,277 +61,15 @@ export function AccessControl() {
     (!!organizationId && currentUserIsOrgAdmin && groupsLoading)
 
   const createPermissionGroup = useCreatePermissionGroup()
-  const updatePermissionGroup = useUpdatePermissionGroup()
-  const deletePermissionGroup = useDeletePermissionGroup()
-  const bulkAddMembers = useBulkAddPermissionGroupMembers()
 
   const [searchTerm, setSearchTerm] = useState('')
+  const [selectedGroupId, setSelectedGroupId] = useState<string | null>(null)
   const [showCreateModal, setShowCreateModal] = useState(false)
-  const [viewingGroup, setViewingGroup] = useState<PermissionGroup | null>(null)
-  // Monotonic token for scope-affecting writes (workspace select + default
-  // toggle, which both change the group's workspace scope). Only the most
-  // recent write may reconcile or revert the local viewingGroup, so rapid
-  // multi-select toggles can't settle on a stale, out-of-order response.
-  const scopeWriteSeqRef = useRef(0)
   const [newGroupName, setNewGroupName] = useState('')
   const [newGroupDescription, setNewGroupDescription] = useState('')
   const [newGroupIsDefault, setNewGroupIsDefault] = useState(false)
   const [newGroupWorkspaceIds, setNewGroupWorkspaceIds] = useState<string[]>([])
   const [createError, setCreateError] = useState<string | null>(null)
-  const [deletingGroup, setDeletingGroup] = useState<{ id: string; name: string } | null>(null)
-  const [deletingGroupIds, setDeletingGroupIds] = useState<Set<string>>(() => new Set())
-
-  const { data: members = [], isPending: membersLoading } = usePermissionGroupMembers(
-    organizationId,
-    viewingGroup?.id
-  )
-  const removeMember = useRemovePermissionGroupMember()
-
-  const [showConfigModal, setShowConfigModal] = useState(false)
-  const [configTab, setConfigTab] = useState<'members' | 'providers' | 'blocks' | 'platform'>(
-    'providers'
-  )
-  const [editingConfig, setEditingConfig] = useState<PermissionGroupConfig | null>(null)
-  const [showAddMembersModal, setShowAddMembersModal] = useState(false)
-  const [addMembersError, setAddMembersError] = useState<string | null>(null)
-  const [selectedMemberIds, setSelectedMemberIds] = useState<Set<string>>(() => new Set())
-  const [providerSearchTerm, setProviderSearchTerm] = useState('')
-  const [integrationSearchTerm, setIntegrationSearchTerm] = useState('')
-  const [platformSearchTerm, setPlatformSearchTerm] = useState('')
-  const [showUnsavedChanges, setShowUnsavedChanges] = useState(false)
-
-  const platformFeatures = useMemo(
-    () => [
-      {
-        id: 'hide-knowledge-base',
-        label: 'Knowledge Base',
-        category: 'Sidebar',
-        configKey: 'hideKnowledgeBaseTab' as const,
-      },
-      {
-        id: 'hide-tables',
-        label: 'Tables',
-        category: 'Sidebar',
-        configKey: 'hideTablesTab' as const,
-      },
-      {
-        id: 'hide-copilot',
-        label: 'Chat',
-        category: 'Workflow Panel',
-        configKey: 'hideCopilot' as const,
-      },
-      {
-        id: 'hide-integrations',
-        label: 'Integrations',
-        category: 'Settings Tabs',
-        configKey: 'hideIntegrationsTab' as const,
-      },
-      {
-        id: 'hide-secrets',
-        label: 'Secrets',
-        category: 'Settings Tabs',
-        configKey: 'hideSecretsTab' as const,
-      },
-      {
-        id: 'hide-api-keys',
-        label: 'API Keys',
-        category: 'Settings Tabs',
-        configKey: 'hideApiKeysTab' as const,
-      },
-      {
-        id: 'hide-files',
-        label: 'Files',
-        category: 'Settings Tabs',
-        configKey: 'hideFilesTab' as const,
-      },
-      {
-        id: 'hide-deploy-api',
-        label: 'API',
-        category: 'Deploy Tabs',
-        configKey: 'hideDeployApi' as const,
-      },
-      {
-        id: 'hide-deploy-mcp',
-        label: 'MCP',
-        category: 'Deploy Tabs',
-        configKey: 'hideDeployMcp' as const,
-      },
-      {
-        id: 'hide-deploy-a2a',
-        label: 'A2A',
-        category: 'Deploy Tabs',
-        configKey: 'hideDeployA2a' as const,
-      },
-      {
-        id: 'hide-deploy-chatbot',
-        label: 'Chat',
-        category: 'Deploy Tabs',
-        configKey: 'hideDeployChatbot' as const,
-      },
-      {
-        id: 'hide-deploy-template',
-        label: 'Template',
-        category: 'Deploy Tabs',
-        configKey: 'hideDeployTemplate' as const,
-      },
-      {
-        id: 'disable-mcp',
-        label: 'MCP Tools',
-        category: 'Tools',
-        configKey: 'disableMcpTools' as const,
-      },
-      {
-        id: 'disable-custom-tools',
-        label: 'Custom Tools',
-        category: 'Tools',
-        configKey: 'disableCustomTools' as const,
-      },
-      {
-        id: 'disable-skills',
-        label: 'Skills',
-        category: 'Tools',
-        configKey: 'disableSkills' as const,
-      },
-      {
-        id: 'hide-trace-spans',
-        label: 'Trace Spans',
-        category: 'Logs',
-        configKey: 'hideTraceSpans' as const,
-      },
-      {
-        id: 'disable-invitations',
-        label: 'Invitations',
-        category: 'Collaboration',
-        configKey: 'disableInvitations' as const,
-      },
-      {
-        id: 'hide-inbox',
-        label: 'Sim Mailer',
-        category: 'Features',
-        configKey: 'hideInboxTab' as const,
-      },
-      {
-        id: 'disable-public-api',
-        label: 'Public API',
-        category: 'Features',
-        configKey: 'disablePublicApi' as const,
-      },
-      {
-        id: 'disable-public-file-sharing',
-        label: 'Public Sharing',
-        category: 'Files',
-        configKey: 'disablePublicFileSharing' as const,
-      },
-    ],
-    []
-  )
-
-  const filteredPlatformFeatures = useMemo(() => {
-    if (!platformSearchTerm.trim()) return platformFeatures
-    const search = platformSearchTerm.toLowerCase()
-    return platformFeatures.filter(
-      (f) => f.label.toLowerCase().includes(search) || f.category.toLowerCase().includes(search)
-    )
-  }, [platformFeatures, platformSearchTerm])
-
-  const platformCategories = useMemo(() => {
-    const categories: Record<string, typeof platformFeatures> = {}
-    for (const feature of filteredPlatformFeatures) {
-      if (!categories[feature.category]) {
-        categories[feature.category] = []
-      }
-      categories[feature.category].push(feature)
-    }
-    return categories
-  }, [filteredPlatformFeatures])
-
-  const platformCategoryColumns = useMemo(() => {
-    const categoryGroups = [
-      ['Sidebar', 'Deploy Tabs', 'Collaboration'],
-      ['Workflow Panel', 'Tools', 'Features'],
-      ['Settings Tabs', 'Logs'],
-    ]
-
-    const assignedCategories = new Set(categoryGroups.flat())
-    // Files has its own section below (with the file-sharing auth modes), so it
-    // stays out of the feature-toggle grid.
-    const unassigned = Object.keys(platformCategories).filter(
-      (c) => c !== 'Files' && !assignedCategories.has(c)
-    )
-    const groups = unassigned.length > 0 ? [...categoryGroups, unassigned] : categoryGroups
-
-    return groups
-      .map((column) =>
-        column
-          .map((category) => ({
-            category,
-            features: platformCategories[category] ?? [],
-          }))
-          .filter((section) => section.features.length > 0)
-      )
-      .filter((column) => column.length > 0)
-  }, [platformCategories])
-
-  const hasConfigChanges = useMemo(() => {
-    if (!viewingGroup || !editingConfig) return false
-    const original = viewingGroup.config
-    return JSON.stringify(original) !== JSON.stringify(editingConfig)
-  }, [viewingGroup, editingConfig])
-
-  const allBlocks = useMemo(() => {
-    const blocks = getAllBlocks().filter((b) => !isBlockTypeAccessControlExempt(b.type))
-    return blocks.sort((a, b) => {
-      const categoryOrder = { triggers: 0, blocks: 1, tools: 2 }
-      const catA = categoryOrder[a.category] ?? 3
-      const catB = categoryOrder[b.category] ?? 3
-      if (catA !== catB) return catA - catB
-      return a.name.localeCompare(b.name)
-    })
-  }, [])
-  const { data: blacklistedProvidersData } = useBlacklistedProviders({ enabled: showConfigModal })
-
-  const allProviderIds = useMemo(() => {
-    const allIds = getAllProviderIds()
-    const blacklist = blacklistedProvidersData?.blacklistedProviders ?? []
-    if (blacklist.length === 0) return allIds
-    return allIds.filter((id) => !blacklist.includes(id.toLowerCase()))
-  }, [blacklistedProvidersData])
-
-  const filteredProviders = useMemo(() => {
-    if (!providerSearchTerm.trim()) return allProviderIds
-    const query = providerSearchTerm.toLowerCase()
-    return allProviderIds.filter((id) => id.toLowerCase().includes(query))
-  }, [allProviderIds, providerSearchTerm])
-
-  const filteredBlocks = useMemo(() => {
-    if (!integrationSearchTerm.trim()) return allBlocks
-    const query = integrationSearchTerm.toLowerCase()
-    return allBlocks.filter((b) => b.name.toLowerCase().includes(query))
-  }, [allBlocks, integrationSearchTerm])
-
-  const filteredCoreBlocks = useMemo(() => {
-    return filteredBlocks.filter((block) => block.category === 'blocks')
-  }, [filteredBlocks])
-
-  const filteredToolBlocks = useMemo(() => {
-    return filteredBlocks
-      .filter((block) => block.category === 'tools' || block.category === 'triggers')
-      .sort((a, b) => a.name.localeCompare(b.name))
-  }, [filteredBlocks])
-
-  const organizationMembers = useMemo<OrganizationMemberOption[]>(() => {
-    if (!roster?.members) return []
-    return roster.members
-      .filter((m) => m.role !== 'external')
-      .map((m) => ({
-        userId: m.userId,
-        user: {
-          name: m.name,
-          email: m.email,
-          image: m.image,
-        },
-      }))
-  }, [roster])
 
   const workspaceOptions = useMemo(
     () => organizationWorkspaces.map((ws) => ({ value: ws.id, label: ws.name })),
@@ -795,6 +82,11 @@ export function AccessControl() {
     return permissionGroups.filter((g) => g.name.toLowerCase().includes(searchLower))
   }, [permissionGroups, searchTerm])
 
+  const selectedGroup = useMemo(
+    () => (selectedGroupId ? permissionGroups.find((g) => g.id === selectedGroupId) : undefined),
+    [permissionGroups, selectedGroupId]
+  )
+
   const handleCreatePermissionGroup = useCallback(async () => {
     if (!newGroupName.trim() || !organizationId) return
     setCreateError(null)
@@ -804,8 +96,6 @@ export function AccessControl() {
         name: newGroupName.trim(),
         description: newGroupDescription.trim() || undefined,
         isDefault: newGroupIsDefault,
-        // Only the default group is organization-wide; every other group targets
-        // specific workspaces (omitted for the default group).
         workspaceIds: newGroupIsDefault ? undefined : newGroupWorkspaceIds,
       })
       setShowCreateModal(false)
@@ -815,11 +105,7 @@ export function AccessControl() {
       setNewGroupWorkspaceIds([])
     } catch (error) {
       logger.error('Failed to create permission group', error)
-      if (error instanceof Error) {
-        setCreateError(error.message)
-      } else {
-        setCreateError('Failed to create permission group')
-      }
+      setCreateError(error instanceof Error ? error.message : 'Failed to create permission group')
     }
   }, [
     newGroupName,
@@ -839,385 +125,6 @@ export function AccessControl() {
     setCreateError(null)
   }, [])
 
-  const handleBackToList = useCallback(() => {
-    setViewingGroup(null)
-  }, [])
-
-  const handleDeleteClick = useCallback((group: PermissionGroup) => {
-    setDeletingGroup({ id: group.id, name: group.name })
-  }, [])
-
-  const confirmDelete = useCallback(async () => {
-    if (!deletingGroup || !organizationId) return
-    setDeletingGroupIds((prev) => new Set(prev).add(deletingGroup.id))
-    try {
-      await deletePermissionGroup.mutateAsync({
-        permissionGroupId: deletingGroup.id,
-        organizationId,
-      })
-      setDeletingGroup(null)
-      if (viewingGroup?.id === deletingGroup.id) {
-        setViewingGroup(null)
-      }
-    } catch (error) {
-      logger.error('Failed to delete permission group', error)
-    } finally {
-      setDeletingGroupIds((prev) => {
-        const next = new Set(prev)
-        next.delete(deletingGroup.id)
-        return next
-      })
-    }
-  }, [deletingGroup, organizationId, deletePermissionGroup, viewingGroup?.id])
-
-  const handleRemoveMember = useCallback(
-    async (memberId: string) => {
-      if (!viewingGroup || !organizationId) return
-      try {
-        await removeMember.mutateAsync({
-          organizationId,
-          permissionGroupId: viewingGroup.id,
-          memberId,
-        })
-      } catch (error) {
-        logger.error('Failed to remove member', error)
-        toast.error("Couldn't remove member", {
-          description: getErrorMessage(error, 'Please try again in a moment.'),
-        })
-      }
-    },
-    [viewingGroup, organizationId, removeMember]
-  )
-
-  const handleOpenConfigModal = useCallback(() => {
-    if (!viewingGroup) return
-    setEditingConfig({ ...viewingGroup.config })
-    setConfigTab('providers')
-    setShowConfigModal(true)
-  }, [viewingGroup])
-
-  const handleSaveConfig = useCallback(async () => {
-    if (!viewingGroup || !editingConfig || !organizationId) return
-    try {
-      await updatePermissionGroup.mutateAsync({
-        id: viewingGroup.id,
-        organizationId,
-        config: editingConfig,
-      })
-      setShowConfigModal(false)
-      setEditingConfig(null)
-      setProviderSearchTerm('')
-      setIntegrationSearchTerm('')
-      setPlatformSearchTerm('')
-      setViewingGroup((prev) => (prev ? { ...prev, config: editingConfig } : null))
-    } catch (error) {
-      logger.error('Failed to update config', error)
-    }
-  }, [viewingGroup, editingConfig, organizationId, updatePermissionGroup])
-
-  const handleCloseConfigModal = useCallback(() => {
-    if (hasConfigChanges) {
-      setShowUnsavedChanges(true)
-    } else {
-      setShowConfigModal(false)
-      setProviderSearchTerm('')
-      setIntegrationSearchTerm('')
-      setPlatformSearchTerm('')
-    }
-  }, [hasConfigChanges])
-
-  const handleDiscardConfig = useCallback(() => {
-    setShowUnsavedChanges(false)
-    setShowConfigModal(false)
-    setEditingConfig(null)
-    setProviderSearchTerm('')
-    setIntegrationSearchTerm('')
-    setPlatformSearchTerm('')
-  }, [])
-
-  const handleSaveConfigFromUnsaved = useCallback(() => {
-    setShowUnsavedChanges(false)
-    handleSaveConfig()
-  }, [handleSaveConfig])
-
-  const handleOpenAddMembersModal = useCallback(() => {
-    setSelectedMemberIds(new Set())
-    setAddMembersError(null)
-    setShowAddMembersModal(true)
-  }, [])
-
-  const handleAddSelectedMembers = useCallback(async () => {
-    if (!viewingGroup || !organizationId || selectedMemberIds.size === 0) return
-    setAddMembersError(null)
-    try {
-      // Bulk add is all-or-nothing for conflicts: a conflicting selection
-      // returns a 409 (no one is added) and the named error is shown inline so
-      // the admin can adjust the selection.
-      await bulkAddMembers.mutateAsync({
-        organizationId,
-        permissionGroupId: viewingGroup.id,
-        userIds: Array.from(selectedMemberIds),
-      })
-      setShowAddMembersModal(false)
-      setSelectedMemberIds(new Set())
-    } catch (error) {
-      logger.error('Failed to add members', error)
-      setAddMembersError(getErrorMessage(error, 'Failed to add members'))
-    }
-  }, [viewingGroup, organizationId, selectedMemberIds, bulkAddMembers])
-
-  const handleScopeChange = useCallback(
-    async (workspaceIds: string[]) => {
-      if (!viewingGroup || !organizationId) return
-      // Zero workspaces is allowed: the group then governs nothing (the resolver
-      // inner-joins on the workspace link table, so an empty group never matches
-      // any workspace). Re-add a workspace to make it active again.
-      const previous = viewingGroup
-      const seq = ++scopeWriteSeqRef.current
-
-      setViewingGroup((prev) =>
-        prev
-          ? {
-              ...prev,
-              workspaces: organizationWorkspaces.filter((ws) => workspaceIds.includes(ws.id)),
-            }
-          : null
-      )
-      try {
-        const result = await updatePermissionGroup.mutateAsync({
-          id: viewingGroup.id,
-          organizationId,
-          workspaceIds,
-        })
-
-        if (seq !== scopeWriteSeqRef.current) return
-        setViewingGroup((prev) =>
-          prev
-            ? {
-                ...prev,
-                workspaces: organizationWorkspaces.filter((ws) =>
-                  result.permissionGroup.workspaceIds.includes(ws.id)
-                ),
-              }
-            : null
-        )
-      } catch (error) {
-        logger.error('Failed to update workspace scope', error)
-        // Only the latest write may revert, so a failed earlier request can't
-        // clobber a newer (successful) selection.
-        if (seq !== scopeWriteSeqRef.current) return
-        setViewingGroup(previous)
-        toast.error("Couldn't update workspaces", {
-          description: getErrorMessage(error, 'Please try again in a moment.'),
-        })
-      }
-    },
-    [viewingGroup, organizationId, organizationWorkspaces, updatePermissionGroup]
-  )
-
-  const handleToggleDefault = useCallback(
-    async (enabled: boolean) => {
-      if (!viewingGroup || !organizationId) return
-      const seq = ++scopeWriteSeqRef.current
-      try {
-        // Promoting forces all-workspaces; demoting leaves the group non-default
-        // with no workspaces (inert) until it is re-scoped from the selector — the
-        // route handles this from `isDefault: false` alone, so no workspace list
-        // (bounded by the per-group cap) is sent.
-        const result = await updatePermissionGroup.mutateAsync({
-          id: viewingGroup.id,
-          organizationId,
-          isDefault: enabled,
-        })
-
-        if (seq !== scopeWriteSeqRef.current) return
-        setViewingGroup((prev) =>
-          prev
-            ? {
-                ...prev,
-                isDefault: result.permissionGroup.isDefault,
-                workspaces: result.permissionGroup.isDefault
-                  ? []
-                  : organizationWorkspaces.filter((ws) =>
-                      result.permissionGroup.workspaceIds.includes(ws.id)
-                    ),
-              }
-            : null
-        )
-      } catch (error) {
-        logger.error('Failed to toggle default group', error)
-        toast.error("Couldn't update the default group", {
-          description: getErrorMessage(error, 'Please try again in a moment.'),
-        })
-      }
-    },
-    [viewingGroup, organizationId, organizationWorkspaces, updatePermissionGroup]
-  )
-
-  const toggleIntegration = useCallback(
-    (blockType: string) => {
-      if (!editingConfig) return
-      const current = editingConfig.allowedIntegrations
-      if (current === null) {
-        const allExcept = allBlocks.map((b) => b.type).filter((t) => t !== blockType)
-        setEditingConfig({ ...editingConfig, allowedIntegrations: allExcept })
-      } else if (current.includes(blockType)) {
-        const updated = current.filter((t) => t !== blockType)
-        setEditingConfig({
-          ...editingConfig,
-          allowedIntegrations: updated.length === allBlocks.length ? null : updated,
-        })
-      } else {
-        const updated = [...current, blockType]
-        setEditingConfig({
-          ...editingConfig,
-          allowedIntegrations: updated.length === allBlocks.length ? null : updated,
-        })
-      }
-    },
-    [editingConfig, allBlocks]
-  )
-
-  const toggleProvider = useCallback(
-    (providerId: string) => {
-      if (!editingConfig) return
-      const current = editingConfig.allowedModelProviders
-      if (current === null) {
-        const allExcept = allProviderIds.filter((p) => p !== providerId)
-        setEditingConfig({ ...editingConfig, allowedModelProviders: allExcept })
-      } else if (current.includes(providerId)) {
-        const updated = current.filter((p) => p !== providerId)
-        setEditingConfig({
-          ...editingConfig,
-          allowedModelProviders: updated.length === allProviderIds.length ? null : updated,
-        })
-      } else {
-        const updated = [...current, providerId]
-        setEditingConfig({
-          ...editingConfig,
-          allowedModelProviders: updated.length === allProviderIds.length ? null : updated,
-        })
-      }
-    },
-    [editingConfig, allProviderIds]
-  )
-
-  const isFileShareAuthAllowed = useCallback(
-    (authType: ShareAuthType) => {
-      if (!editingConfig) return true
-      return (
-        editingConfig.allowedFileShareAuthTypes === null ||
-        editingConfig.allowedFileShareAuthTypes.includes(authType)
-      )
-    },
-    [editingConfig]
-  )
-
-  const toggleFileShareAuthType = useCallback(
-    (authType: ShareAuthType) => {
-      if (!editingConfig) return
-      const current = editingConfig.allowedFileShareAuthTypes
-      const next =
-        current === null
-          ? ALL_FILE_SHARE_AUTH_TYPES.filter((t) => t !== authType)
-          : current.includes(authType)
-            ? current.filter((t) => t !== authType)
-            : [...current, authType]
-      // A full list collapses back to `null` ("all allowed").
-      setEditingConfig({
-        ...editingConfig,
-        allowedFileShareAuthTypes: next.length === ALL_FILE_SHARE_AUTH_TYPES.length ? null : next,
-      })
-    },
-    [editingConfig]
-  )
-
-  const isIntegrationAllowed = useCallback(
-    (blockType: string) => {
-      if (!editingConfig) return true
-      return (
-        editingConfig.allowedIntegrations === null ||
-        editingConfig.allowedIntegrations.includes(blockType)
-      )
-    },
-    [editingConfig]
-  )
-
-  const isProviderAllowed = useCallback(
-    (providerId: string) => {
-      if (!editingConfig) return true
-      return (
-        editingConfig.allowedModelProviders === null ||
-        editingConfig.allowedModelProviders.includes(providerId)
-      )
-    },
-    [editingConfig]
-  )
-
-  const isModelAllowed = useCallback(
-    (model: string) => {
-      if (!editingConfig) return true
-      const normalized = model.toLowerCase()
-      return !editingConfig.deniedModels.some((denied) => denied.toLowerCase() === normalized)
-    },
-    [editingConfig]
-  )
-
-  const toggleModel = useCallback(
-    (model: string) => {
-      if (!editingConfig) return
-      const normalized = model.toLowerCase()
-      const isDenied = editingConfig.deniedModels.some(
-        (denied) => denied.toLowerCase() === normalized
-      )
-      const deniedModels = isDenied
-        ? editingConfig.deniedModels.filter((denied) => denied.toLowerCase() !== normalized)
-        : [...editingConfig.deniedModels, model]
-      setEditingConfig({ ...editingConfig, deniedModels })
-    },
-    [editingConfig]
-  )
-
-  const setModelsDenied = useCallback(
-    (models: string[], denied: boolean) => {
-      if (!editingConfig) return
-      if (denied) {
-        const existing = new Set(editingConfig.deniedModels.map((m) => m.toLowerCase()))
-        const additions = models.filter((m) => !existing.has(m.toLowerCase()))
-        if (additions.length === 0) return
-        setEditingConfig({
-          ...editingConfig,
-          deniedModels: [...editingConfig.deniedModels, ...additions],
-        })
-      } else {
-        const toRemove = new Set(models.map((m) => m.toLowerCase()))
-        setEditingConfig({
-          ...editingConfig,
-          deniedModels: editingConfig.deniedModels.filter((m) => !toRemove.has(m.toLowerCase())),
-        })
-      }
-    },
-    [editingConfig]
-  )
-
-  const deniedCountByProvider = useMemo(() => {
-    const counts: Record<string, number> = {}
-    for (const model of editingConfig?.deniedModels ?? []) {
-      try {
-        const providerId = getProviderFromModel(model)
-        counts[providerId] = (counts[providerId] ?? 0) + 1
-      } catch {
-        // Unknown/blacklisted provider — omit from counts.
-      }
-    }
-    return counts
-  }, [editingConfig?.deniedModels])
-
-  const availableMembersToAdd = useMemo(() => {
-    const existingMemberUserIds = new Set(members.map((m) => m.userId))
-    return organizationMembers.filter((m) => !existingMemberUserIds.has(m.userId))
-  }, [organizationMembers, members])
-
   if (isLoading) {
     return null
   }
@@ -1232,566 +139,18 @@ export function AccessControl() {
     )
   }
 
-  const deleteConfirmModal = (
-    <ChipConfirmModal
-      open={!!deletingGroup}
-      onOpenChange={() => setDeletingGroup(null)}
-      srTitle='Delete Permission Group'
-      title='Delete Permission Group'
-      text={[
-        'Are you sure you want to delete ',
-        { text: deletingGroup?.name ?? 'this group', bold: true },
-        '? ',
-        { text: 'All members will be removed from this group.', error: true },
-        ' This action cannot be undone.',
-      ]}
-      confirm={{
-        label: 'Delete',
-        onClick: confirmDelete,
-        pending: deletePermissionGroup.isPending,
-        pendingLabel: 'Deleting...',
-      }}
-    />
-  )
-
-  if (viewingGroup) {
+  if (selectedGroup && organizationId) {
     return (
-      <>
-        <div className='flex h-full flex-col bg-[var(--bg)]'>
-          <div className='flex flex-shrink-0 items-center justify-between bg-[var(--bg)] px-[16px] pt-[8.5px] pb-[8.5px]'>
-            <Chip leftIcon={ArrowLeft} onClick={handleBackToList}>
-              Access Control
-            </Chip>
-            <div className='flex items-center gap-2'>
-              <Chip
-                variant='destructive'
-                onClick={() => handleDeleteClick(viewingGroup)}
-                disabled={deletingGroupIds.has(viewingGroup.id)}
-              >
-                {deletingGroupIds.has(viewingGroup.id) ? 'Deleting...' : 'Delete'}
-              </Chip>
-              <Chip onClick={handleOpenConfigModal}>Configure</Chip>
-            </div>
-          </div>
-
-          <div className='min-h-0 flex-1 overflow-y-auto px-6 [scrollbar-gutter:stable_both-edges]'>
-            <div className='mx-auto flex max-w-[48rem] flex-col gap-7 pb-3'>
-              <div className='flex flex-col gap-1'>
-                <h1 className='font-medium text-[var(--text-body)] text-lg'>{viewingGroup.name}</h1>
-                {viewingGroup.description && (
-                  <p className='text-[var(--text-muted)] text-md'>{viewingGroup.description}</p>
-                )}
-                {!viewingGroup.isDefault && !membersLoading && (
-                  <p className='text-[var(--text-muted)] text-md'>
-                    {viewingGroup.workspaces.length === 0
-                      ? 'Applies to no one yet — add workspaces below to choose who this group governs.'
-                      : members.length === 0
-                        ? 'Applies to all members of its workspaces.'
-                        : `Restricted to ${members.length} member${members.length === 1 ? '' : 's'}.`}
-                  </p>
-                )}
-              </div>
-
-              <SettingsSection label='Default group'>
-                <div className='flex items-center justify-between gap-3'>
-                  <span className='text-[var(--text-muted)] text-small'>
-                    Applies to everyone in the organization not assigned to another group, including
-                    external workspace members
-                  </span>
-                  <Switch
-                    checked={viewingGroup.isDefault}
-                    onCheckedChange={(checked) => handleToggleDefault(checked)}
-                    disabled={updatePermissionGroup.isPending}
-                  />
-                </div>
-              </SettingsSection>
-
-              <SettingsSection label='Workspaces'>
-                {viewingGroup.isDefault ? (
-                  <div className='flex items-center justify-between gap-3'>
-                    <span className='text-[var(--text-muted)] text-small'>
-                      Governs every workspace in the organization
-                    </span>
-                  </div>
-                ) : (
-                  <div className='flex flex-col gap-3'>
-                    <div className='flex items-center justify-between gap-3'>
-                      <span className='min-w-0 text-[var(--text-muted)] text-small'>
-                        {viewingGroup.workspaces.length > 0
-                          ? `Governs ${viewingGroup.workspaces.length} workspace${
-                              viewingGroup.workspaces.length === 1 ? '' : 's'
-                            }`
-                          : 'Select the workspaces this group governs'}
-                      </span>
-                      <WorkspaceSelect
-                        workspaceIds={viewingGroup.workspaces.map((ws) => ws.id)}
-                        onChange={handleScopeChange}
-                        options={workspaceOptions}
-                        isLoading={workspacesLoading}
-                        allowAllWorkspaces={false}
-                        className='flex-shrink-0'
-                      />
-                    </div>
-                    {viewingGroup.workspaces.length > 0 && (
-                      <div className='-mx-2 flex flex-col gap-y-0.5'>
-                        {viewingGroup.workspaces.map((ws) => (
-                          <MemberRow
-                            key={ws.id}
-                            name={ws.name}
-                            email={ws.name}
-                            image={null}
-                            status=''
-                          />
-                        ))}
-                      </div>
-                    )}
-                  </div>
-                )}
-              </SettingsSection>
-            </div>
-          </div>
-        </div>
-
-        <ChipModal
-          open={showConfigModal}
-          onOpenChange={(open) => {
-            if (!open && hasConfigChanges) {
-              setShowUnsavedChanges(true)
-            } else {
-              setShowConfigModal(open)
-              if (!open) {
-                setProviderSearchTerm('')
-                setIntegrationSearchTerm('')
-                setPlatformSearchTerm('')
-              }
-            }
-          }}
-          srTitle='Configure Permissions'
-          size='xl'
-          className='h-[84vh]'
-        >
-          <ChipModalHeader
-            onClose={() => {
-              if (hasConfigChanges) {
-                setShowUnsavedChanges(true)
-              } else {
-                setShowConfigModal(false)
-                setProviderSearchTerm('')
-                setIntegrationSearchTerm('')
-                setPlatformSearchTerm('')
-              }
-            }}
-          >
-            Configure Permissions
-          </ChipModalHeader>
-          <ChipModalBody>
-            <ChipModalTabs
-              tabs={[
-                { value: 'providers', label: 'Model Providers' },
-                { value: 'blocks', label: 'Blocks' },
-                { value: 'platform', label: 'Platform' },
-                ...(viewingGroup.isDefault ? [] : [{ value: 'members', label: 'Members' }]),
-              ]}
-              value={configTab}
-              onChange={(value) =>
-                setConfigTab(value as 'members' | 'providers' | 'blocks' | 'platform')
-              }
-            />
-            {configTab === 'members' && !viewingGroup.isDefault && (
-              <div className='flex min-h-0 flex-1 flex-col gap-3'>
-                <div className='flex items-center justify-between gap-3'>
-                  <span className='text-[var(--text-body)] text-sm'>
-                    {members.length === 0
-                      ? 'Applies to all members'
-                      : `Restricted to ${members.length} member${members.length === 1 ? '' : 's'}`}
-                  </span>
-                  <Chip
-                    variant='primary'
-                    leftIcon={Plus}
-                    onClick={handleOpenAddMembersModal}
-                    className='flex-shrink-0'
-                  >
-                    Add
-                  </Chip>
-                </div>
-                {membersLoading ? (
-                  <div className='-mx-2 flex flex-col gap-y-0.5'>
-                    {[1, 2].map((i) => (
-                      <div key={i} className='flex items-center gap-2.5 p-2'>
-                        <Skeleton className='size-[14px] flex-shrink-0 rounded-full' />
-                        <Skeleton className='h-[14px] w-[180px]' />
-                      </div>
-                    ))}
-                  </div>
-                ) : members.length === 0 ? (
-                  <div className='flex flex-1 items-center justify-center px-6 text-center'>
-                    <span className='max-w-md text-[var(--text-muted)] text-sm'>
-                      This group applies to everyone in its workspaces, including external members.
-                      Add members to restrict it to specific people.
-                    </span>
-                  </div>
-                ) : (
-                  <div className='-mx-2 flex flex-col gap-y-0.5'>
-                    {members.map((member) => (
-                      <MemberRow
-                        key={member.id}
-                        name={member.userName || member.userEmail || 'Unknown'}
-                        email={member.userEmail || member.userName || 'Unknown'}
-                        image={member.userImage}
-                        status={`Added ${new Date(member.assignedAt).toLocaleDateString()}`}
-                        menu={
-                          <DropdownMenu>
-                            <DropdownMenuTrigger asChild>
-                              <button
-                                type='button'
-                                aria-label='Member actions'
-                                className={chipVariants({ flush: true })}
-                              >
-                                <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
-                              </button>
-                            </DropdownMenuTrigger>
-                            <DropdownMenuContent align='end'>
-                              <DropdownMenuItem
-                                className='text-[var(--text-error)]'
-                                onSelect={() => handleRemoveMember(member.id)}
-                              >
-                                Remove
-                              </DropdownMenuItem>
-                            </DropdownMenuContent>
-                          </DropdownMenu>
-                        }
-                      />
-                    ))}
-                  </div>
-                )}
-              </div>
-            )}
-            {configTab === 'providers' && (
-              <div>
-                <div className='flex items-center gap-2 pb-3'>
-                  <ChipInput
-                    icon={Search}
-                    placeholder='Search providers...'
-                    value={providerSearchTerm}
-                    onChange={(e) => setProviderSearchTerm(e.target.value)}
-                    className='min-w-0 flex-1'
-                  />
-                  <Chip
-                    onClick={() => {
-                      const allAllowed =
-                        editingConfig?.allowedModelProviders === null ||
-                        allProviderIds.every((id) =>
-                          editingConfig?.allowedModelProviders?.includes(id)
-                        )
-                      setEditingConfig((prev) =>
-                        prev ? { ...prev, allowedModelProviders: allAllowed ? [] : null } : prev
-                      )
-                    }}
-                  >
-                    {editingConfig?.allowedModelProviders === null ||
-                    allProviderIds.every((id) => editingConfig?.allowedModelProviders?.includes(id))
-                      ? 'Deselect All'
-                      : 'Select All'}
-                  </Chip>
-                </div>
-                <div className='flex flex-col gap-0.5'>
-                  {filteredProviders.map((providerId) => (
-                    <ProviderRow
-                      key={providerId}
-                      providerId={providerId}
-                      isProviderAllowed={isProviderAllowed(providerId)}
-                      onToggleProvider={() => toggleProvider(providerId)}
-                      deniedCount={deniedCountByProvider[providerId] ?? 0}
-                      workspaceId={workspaceId}
-                      isModelAllowed={isModelAllowed}
-                      onToggleModel={toggleModel}
-                      onSetModelsDenied={setModelsDenied}
-                    />
-                  ))}
-                </div>
-              </div>
-            )}
-            {configTab === 'blocks' && (
-              <div>
-                <div className='flex items-center gap-2 pb-3'>
-                  <ChipInput
-                    icon={Search}
-                    placeholder='Search blocks...'
-                    value={integrationSearchTerm}
-                    onChange={(e) => setIntegrationSearchTerm(e.target.value)}
-                    className='min-w-0 flex-1'
-                  />
-                  <Chip
-                    onClick={() => {
-                      const allAllowed =
-                        editingConfig?.allowedIntegrations === null ||
-                        allBlocks.every((b) => editingConfig?.allowedIntegrations?.includes(b.type))
-                      setEditingConfig((prev) =>
-                        prev
-                          ? {
-                              ...prev,
-                              allowedIntegrations: allAllowed ? ['start_trigger'] : null,
-                            }
-                          : prev
-                      )
-                    }}
-                  >
-                    {editingConfig?.allowedIntegrations === null ||
-                    allBlocks.every((b) => editingConfig?.allowedIntegrations?.includes(b.type))
-                      ? 'Deselect All'
-                      : 'Select All'}
-                  </Chip>
-                </div>
-                <div className='flex flex-col gap-4'>
-                  {filteredCoreBlocks.length > 0 && (
-                    <div className='flex flex-col gap-1.5'>
-                      <span className='font-medium text-[var(--text-tertiary)] text-xs uppercase tracking-wide'>
-                        Core Blocks
-                      </span>
-                      <div className='grid grid-cols-3 gap-x-2 gap-y-0.5'>
-                        {filteredCoreBlocks.map((block) => {
-                          const BlockIcon = block.icon
-                          const checkboxId = `block-${block.type}`
-                          return (
-                            <label
-                              key={block.type}
-                              htmlFor={checkboxId}
-                              className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-                            >
-                              <Checkbox
-                                id={checkboxId}
-                                checked={isIntegrationAllowed(block.type)}
-                                onCheckedChange={() => toggleIntegration(block.type)}
-                              />
-                              <div
-                                className='relative flex h-[16px] w-[16px] flex-shrink-0 items-center justify-center overflow-hidden rounded-sm'
-                                style={{ background: block.bgColor }}
-                              >
-                                {BlockIcon && (
-                                  <BlockIcon className='!h-[10px] !w-[10px] text-white' />
-                                )}
-                              </div>
-                              <span className='truncate font-medium text-sm'>{block.name}</span>
-                            </label>
-                          )
-                        })}
-                      </div>
-                    </div>
-                  )}
-                  {filteredToolBlocks.length > 0 && (
-                    <div className='flex flex-col gap-1.5 border-[var(--border)] border-t pt-4'>
-                      <span className='font-medium text-[var(--text-tertiary)] text-xs uppercase tracking-wide'>
-                        Integrations and Triggers
-                      </span>
-                      <div className='grid grid-cols-3 gap-x-2 gap-y-0.5'>
-                        {filteredToolBlocks.map((block) => {
-                          const BlockIcon = block.icon
-                          const checkboxId = `block-${block.type}`
-                          return (
-                            <label
-                              key={block.type}
-                              htmlFor={checkboxId}
-                              className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-                            >
-                              <Checkbox
-                                id={checkboxId}
-                                checked={isIntegrationAllowed(block.type)}
-                                onCheckedChange={() => toggleIntegration(block.type)}
-                              />
-                              <div
-                                className='relative flex h-[16px] w-[16px] flex-shrink-0 items-center justify-center overflow-hidden rounded-sm'
-                                style={{ background: block.bgColor }}
-                              >
-                                {BlockIcon && (
-                                  <BlockIcon className='!h-[10px] !w-[10px] text-white' />
-                                )}
-                              </div>
-                              <span className='truncate font-medium text-sm'>{block.name}</span>
-                            </label>
-                          )
-                        })}
-                      </div>
-                    </div>
-                  )}
-                </div>
-              </div>
-            )}
-            {configTab === 'platform' && (
-              <div>
-                <div className='flex items-center gap-2 pb-3'>
-                  <ChipInput
-                    icon={Search}
-                    placeholder='Search features...'
-                    value={platformSearchTerm}
-                    onChange={(e) => setPlatformSearchTerm(e.target.value)}
-                    className='min-w-0 flex-1'
-                  />
-                  <Chip
-                    onClick={() => {
-                      const allVisible = platformFeatures.every(
-                        (f) => !editingConfig?.[f.configKey]
-                      )
-                      setEditingConfig((prev) =>
-                        prev
-                          ? {
-                              ...prev,
-                              ...Object.fromEntries(
-                                platformFeatures.map((f) => [f.configKey, allVisible])
-                              ),
-                            }
-                          : prev
-                      )
-                    }}
-                  >
-                    {platformFeatures.every((f) => !editingConfig?.[f.configKey])
-                      ? 'Deselect All'
-                      : 'Select All'}
-                  </Chip>
-                </div>
-                <div className='grid grid-cols-3 gap-x-6'>
-                  {platformCategoryColumns.map((column, columnIndex) => (
-                    <div key={columnIndex} className='flex flex-col gap-8'>
-                      {column.map(({ category, features }) => (
-                        <div key={category} className='flex flex-col gap-1.5'>
-                          <span className='font-medium text-[var(--text-tertiary)] text-xs uppercase tracking-wide'>
-                            {category}
-                          </span>
-                          <div className='flex flex-col gap-0.5'>
-                            {features.map((feature) => (
-                              <label
-                                key={feature.id}
-                                htmlFor={feature.id}
-                                className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-                              >
-                                <Checkbox
-                                  id={feature.id}
-                                  checked={!editingConfig?.[feature.configKey]}
-                                  onCheckedChange={(checked) =>
-                                    setEditingConfig((prev) =>
-                                      prev
-                                        ? { ...prev, [feature.configKey]: checked !== true }
-                                        : prev
-                                    )
-                                  }
-                                />
-                                <span className='font-normal text-sm'>{feature.label}</span>
-                              </label>
-                            ))}
-                          </div>
-                        </div>
-                      ))}
-                    </div>
-                  ))}
-                </div>
-                <div className='mt-8 flex flex-col gap-1.5'>
-                  <span className='font-medium text-[var(--text-tertiary)] text-xs uppercase tracking-wide'>
-                    Files
-                  </span>
-                  <label
-                    htmlFor='disable-public-file-sharing'
-                    className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-                  >
-                    <Checkbox
-                      id='disable-public-file-sharing'
-                      checked={!editingConfig?.disablePublicFileSharing}
-                      onCheckedChange={(checked) =>
-                        setEditingConfig((prev) =>
-                          prev ? { ...prev, disablePublicFileSharing: checked !== true } : prev
-                        )
-                      }
-                    />
-                    <span className='font-normal text-sm'>Public Sharing</span>
-                  </label>
-                  <div
-                    className={cn(
-                      'flex flex-col gap-1 pt-1',
-                      editingConfig?.disablePublicFileSharing && 'opacity-50'
-                    )}
-                  >
-                    <span className='px-2 text-[var(--text-secondary)] text-xs'>
-                      Auth modes public file-share links may use
-                    </span>
-                    <div className='flex flex-wrap gap-x-4'>
-                      {FILE_SHARE_AUTH_TYPE_OPTIONS.map(({ value, label }) => (
-                        <label
-                          key={value}
-                          htmlFor={`fsauth-${value}`}
-                          className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
-                        >
-                          <Checkbox
-                            id={`fsauth-${value}`}
-                            checked={isFileShareAuthAllowed(value)}
-                            onCheckedChange={() => toggleFileShareAuthType(value)}
-                            disabled={editingConfig?.disablePublicFileSharing}
-                          />
-                          <span className='font-normal text-sm'>{label}</span>
-                        </label>
-                      ))}
-                    </div>
-                  </div>
-                </div>
-              </div>
-            )}
-          </ChipModalBody>
-          {configTab !== 'members' && (
-            <ChipModalFooter
-              onCancel={handleCloseConfigModal}
-              primaryAction={{
-                label: updatePermissionGroup.isPending ? 'Saving...' : 'Save',
-                onClick: handleSaveConfig,
-                disabled: updatePermissionGroup.isPending || !hasConfigChanges,
-              }}
-            />
-          )}
-        </ChipModal>
-
-        <ChipModal
-          open={showUnsavedChanges}
-          onOpenChange={setShowUnsavedChanges}
-          size='sm'
-          srTitle='Unsaved Changes'
-        >
-          <ChipModalHeader onClose={() => setShowUnsavedChanges(false)}>
-            Unsaved Changes
-          </ChipModalHeader>
-          <ChipModalBody>
-            <p className='px-2 text-[var(--text-secondary)] text-sm'>
-              You have unsaved changes. Do you want to save them before closing?
-            </p>
-          </ChipModalBody>
-          <ChipModalFooter
-            onCancel={() => setShowUnsavedChanges(false)}
-            secondaryActions={[
-              {
-                label: 'Discard Changes',
-                onClick: handleDiscardConfig,
-                variant: 'destructive',
-              },
-            ]}
-            primaryAction={{
-              label: updatePermissionGroup.isPending ? 'Saving...' : 'Save Changes',
-              onClick: handleSaveConfigFromUnsaved,
-              disabled: updatePermissionGroup.isPending,
-            }}
-          />
-        </ChipModal>
-
-        <AddMembersModal
-          open={showAddMembersModal}
-          onOpenChange={(open) => {
-            setShowAddMembersModal(open)
-            if (!open) setAddMembersError(null)
-          }}
-          availableMembers={availableMembersToAdd}
-          selectedMemberIds={selectedMemberIds}
-          setSelectedMemberIds={setSelectedMemberIds}
-          onAddMembers={handleAddSelectedMembers}
-          isAdding={bulkAddMembers.isPending}
-          errorMessage={addMembersError}
-        />
-
-        {deleteConfirmModal}
-      </>
+      <GroupDetail
+        group={selectedGroup}
+        organizationId={organizationId}
+        workspaceId={workspaceId}
+        workspaceOptions={workspaceOptions}
+        organizationWorkspaces={organizationWorkspaces}
+        workspacesLoading={workspacesLoading}
+        onBack={() => setSelectedGroupId(null)}
+        onDeleted={() => setSelectedGroupId(null)}
+      />
     )
   }
 
@@ -1841,7 +200,7 @@ export function AccessControl() {
                     <button
                       key={group.id}
                       type='button'
-                      onClick={() => setViewingGroup(group)}
+                      onClick={() => setSelectedGroupId(group.id)}
                       className='flex items-center gap-2.5 rounded-lg p-2 text-left transition-colors hover-hover:bg-[var(--surface-active)]'
                     >
                       <div className='flex min-w-0 flex-1 flex-col'>
@@ -1850,9 +209,9 @@ export function AccessControl() {
                             {group.name}
                           </span>
                           {group.isDefault && (
-                            <span className='flex-shrink-0 rounded-sm bg-[var(--surface-3)] px-1.5 py-0.5 text-[var(--text-muted)] text-micro'>
+                            <ChipTag variant='gray' className='flex-shrink-0'>
                               Default
-                            </span>
+                            </ChipTag>
                           )}
                         </div>
                         <span className='truncate text-[12px] text-[var(--text-muted)]'>
@@ -1861,9 +220,7 @@ export function AccessControl() {
                             : `${
                                 group.memberCount === 0
                                   ? 'All members'
-                                  : `${group.memberCount} member${
-                                      group.memberCount === 1 ? '' : 's'
-                                    }`
+                                  : `${group.memberCount} member${group.memberCount === 1 ? '' : 's'}`
                               } · ${group.workspaces.length} workspace${
                                 group.workspaces.length === 1 ? '' : 's'
                               }`}
@@ -1934,7 +291,7 @@ export function AccessControl() {
               {!newGroupIsDefault && (
                 <p className='text-[var(--text-muted)] text-xs'>
                   Applies to all members of the selected workspaces. Restrict to specific people
-                  later from Configure → Members.
+                  later from the group's Members section.
                 </p>
               )}
             </div>
@@ -1953,8 +310,6 @@ export function AccessControl() {
           }}
         />
       </ChipModal>
-
-      {deleteConfirmModal}
     </>
   )
 }
diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
new file mode 100644
index 00000000000..19ebea7f71c
--- /dev/null
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -0,0 +1,1738 @@
+'use client'
+
+import { useCallback, useMemo, useRef, useState } from 'react'
+import { createLogger } from '@sim/logger'
+import { getErrorMessage } from '@sim/utils/errors'
+import { ChevronDown, Plus } from 'lucide-react'
+import {
+  Checkbox,
+  Chip,
+  ChipConfirmModal,
+  ChipInput,
+  ChipModal,
+  ChipModalBody,
+  ChipModalError,
+  ChipModalField,
+  ChipModalFooter,
+  ChipModalHeader,
+  ChipModalTabs,
+  ChipTag,
+  chipVariants,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+  Info,
+  MoreHorizontal,
+  Search,
+  Skeleton,
+  Switch,
+  toast,
+} from '@/components/emcn'
+import { ArrowLeft } from '@/components/emcn/icons'
+import type { ShareAuthType } from '@/lib/api/contracts/public-shares'
+import { cn } from '@/lib/core/utils/cn'
+import { isBlockTypeAccessControlExempt } from '@/lib/permission-groups/block-access'
+import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
+import {
+  MemberAvatar,
+  MemberRow,
+} from '@/app/workspace/[workspaceId]/settings/components/member-list'
+import { SettingsSection } from '@/app/workspace/[workspaceId]/settings/components/settings-section/settings-section'
+import { getAllBlocks } from '@/blocks'
+import type { BlockConfig } from '@/blocks/types'
+import { WorkspaceSelect } from '@/ee/access-control/components/workspace-select'
+import {
+  type PermissionGroup,
+  type PermissionGroupWorkspaceRef,
+  useBulkAddPermissionGroupMembers,
+  useDeletePermissionGroup,
+  usePermissionGroupMembers,
+  useRemovePermissionGroupMember,
+  useUpdatePermissionGroup,
+} from '@/ee/access-control/hooks/permission-groups'
+import { useBlacklistedProviders } from '@/hooks/queries/allowed-providers'
+import { useOrganizationRoster } from '@/hooks/queries/organization'
+import { useProviderModels } from '@/hooks/queries/providers'
+import {
+  DYNAMIC_MODEL_PROVIDERS,
+  getProviderModels,
+  PROVIDER_DEFINITIONS,
+} from '@/providers/models'
+import type { ProviderId } from '@/providers/types'
+import { getAllProviderIds, getProviderFromModel } from '@/providers/utils'
+import type { ProviderName } from '@/stores/providers'
+import { getTool } from '@/tools/utils'
+
+const logger = createLogger('AccessControlGroupDetail')
+
+type ConfigTab = 'general' | 'providers' | 'blocks' | 'platform'
+
+/** Public-file-share auth modes an admin can allow/disallow. `null` config = all allowed. */
+const FILE_SHARE_AUTH_TYPE_OPTIONS: { value: ShareAuthType; label: string }[] = [
+  { value: 'public', label: 'Anyone with link' },
+  { value: 'password', label: 'Password' },
+  { value: 'email', label: 'Email' },
+  { value: 'sso', label: 'SSO' },
+]
+const ALL_FILE_SHARE_AUTH_TYPES: ShareAuthType[] = FILE_SHARE_AUTH_TYPE_OPTIONS.map((o) => o.value)
+
+interface OrganizationMemberOption {
+  userId: string
+  user: {
+    name: string | null
+    email: string
+    image?: string | null
+  }
+}
+
+interface AddMembersModalProps {
+  open: boolean
+  onOpenChange: (open: boolean) => void
+  availableMembers: OrganizationMemberOption[]
+  selectedMemberIds: Set<string>
+  setSelectedMemberIds: React.Dispatch<React.SetStateAction<Set<string>>>
+  onAddMembers: () => void
+  isAdding: boolean
+  errorMessage: string | null
+}
+
+function AddMembersModal({
+  open,
+  onOpenChange,
+  availableMembers,
+  selectedMemberIds,
+  setSelectedMemberIds,
+  onAddMembers,
+  isAdding,
+  errorMessage,
+}: AddMembersModalProps) {
+  const [searchTerm, setSearchTerm] = useState('')
+
+  const filteredMembers = useMemo(() => {
+    if (!searchTerm.trim()) return availableMembers
+    const query = searchTerm.toLowerCase()
+    return availableMembers.filter((m) => {
+      const name = m.user?.name || ''
+      const email = m.user?.email || ''
+      return name.toLowerCase().includes(query) || email.toLowerCase().includes(query)
+    })
+  }, [availableMembers, searchTerm])
+
+  const allFilteredSelected = useMemo(() => {
+    if (filteredMembers.length === 0) return false
+    return filteredMembers.every((m) => selectedMemberIds.has(m.userId))
+  }, [filteredMembers, selectedMemberIds])
+
+  const handleToggleAll = () => {
+    if (allFilteredSelected) {
+      const filteredIds = new Set(filteredMembers.map((m) => m.userId))
+      setSelectedMemberIds((prev) => {
+        const next = new Set(prev)
+        filteredIds.forEach((id) => next.delete(id))
+        return next
+      })
+    } else {
+      setSelectedMemberIds((prev) => {
+        const next = new Set(prev)
+        filteredMembers.forEach((m) => next.add(m.userId))
+        return next
+      })
+    }
+  }
+
+  const handleToggleMember = (userId: string) => {
+    setSelectedMemberIds((prev) => {
+      const next = new Set(prev)
+      if (next.has(userId)) {
+        next.delete(userId)
+      } else {
+        next.add(userId)
+      }
+      return next
+    })
+  }
+
+  return (
+    <ChipModal
+      open={open}
+      onOpenChange={(o) => {
+        if (!o) setSearchTerm('')
+        onOpenChange(o)
+      }}
+      size='sm'
+      srTitle='Add Members'
+    >
+      <ChipModalHeader onClose={() => onOpenChange(false)}>Add Members</ChipModalHeader>
+      <ChipModalBody>
+        {availableMembers.length === 0 ? (
+          <p className='px-2 text-[var(--text-muted)] text-sm'>
+            All organization members are already in this group.
+          </p>
+        ) : (
+          <ChipModalField type='custom' title='Members'>
+            <div className='flex flex-col gap-3'>
+              <div className='flex items-center gap-2'>
+                <ChipInput
+                  icon={Search}
+                  placeholder='Search members...'
+                  value={searchTerm}
+                  onChange={(e) => setSearchTerm(e.target.value)}
+                  className='min-w-0 flex-1'
+                />
+                <Chip onClick={handleToggleAll}>
+                  {allFilteredSelected ? 'Deselect All' : 'Select All'}
+                </Chip>
+              </div>
+
+              <div className='max-h-[280px] overflow-y-auto'>
+                {filteredMembers.length === 0 ? (
+                  <p className='py-4 text-center text-[var(--text-muted)] text-sm'>
+                    No members found matching "{searchTerm}"
+                  </p>
+                ) : (
+                  <div className='flex flex-col'>
+                    {filteredMembers.map((member) => {
+                      const name = member.user?.name || 'Unknown'
+                      const email = member.user?.email || ''
+                      const isSelected = selectedMemberIds.has(member.userId)
+
+                      return (
+                        <button
+                          key={member.userId}
+                          type='button'
+                          onClick={() => handleToggleMember(member.userId)}
+                          className='flex items-center gap-2.5 rounded-sm p-2 text-left hover-hover:bg-[var(--surface-active)]'
+                        >
+                          <Checkbox checked={isSelected} />
+                          <MemberAvatar name={name} image={member.user?.image ?? null} />
+                          <div className='min-w-0 flex-1'>
+                            <div className='truncate text-[14px] text-[var(--text-body)]'>
+                              {name}
+                            </div>
+                            <div className='truncate text-[12px] text-[var(--text-muted)]'>
+                              {email}
+                            </div>
+                          </div>
+                        </button>
+                      )
+                    })}
+                  </div>
+                )}
+              </div>
+            </div>
+          </ChipModalField>
+        )}
+        <ChipModalError>{errorMessage}</ChipModalError>
+      </ChipModalBody>
+      <ChipModalFooter
+        onCancel={() => {
+          setSearchTerm('')
+          onOpenChange(false)
+        }}
+        primaryAction={{
+          label: isAdding ? 'Adding...' : 'Add Members',
+          onClick: onAddMembers,
+          disabled: selectedMemberIds.size === 0 || isAdding,
+        }}
+      />
+    </ChipModal>
+  )
+}
+
+interface DenylistGridItem {
+  id: string
+  label: string
+}
+
+interface DenylistControls {
+  isAllowed: (id: string) => boolean
+  onToggle: (id: string) => void
+  onSetDenied: (ids: string[], denied: boolean) => void
+}
+
+interface CheckboxGridProps extends DenylistControls {
+  items: DenylistGridItem[]
+  isLoading: boolean
+  searchPlaceholder: string
+  emptyLabel: string
+}
+
+/**
+ * Searchable two-column checkbox grid over a denylist. A checked item is
+ * allowed; unchecking adds it to the denylist. Shared by the model deny-list
+ * (per provider) and the tool deny-list (per integration block).
+ */
+function CheckboxGrid({
+  items,
+  isLoading,
+  searchPlaceholder,
+  emptyLabel,
+  isAllowed,
+  onToggle,
+  onSetDenied,
+}: CheckboxGridProps) {
+  const [search, setSearch] = useState('')
+
+  const sortedItems = useMemo(
+    () => [...items].sort((a, b) => a.label.localeCompare(b.label)),
+    [items]
+  )
+
+  const filteredItems = useMemo(() => {
+    if (!search.trim()) return sortedItems
+    const query = search.toLowerCase()
+    return sortedItems.filter(
+      (item) => item.label.toLowerCase().includes(query) || item.id.toLowerCase().includes(query)
+    )
+  }, [sortedItems, search])
+
+  if (isLoading) {
+    return <div className='px-2 py-3 text-[var(--text-muted)] text-xs'>Loading…</div>
+  }
+
+  if (items.length === 0) {
+    return <div className='px-2 py-3 text-[var(--text-muted)] text-xs'>{emptyLabel}</div>
+  }
+
+  const allFilteredAllowed = filteredItems.every((item) => isAllowed(item.id))
+
+  return (
+    <div className='flex flex-col gap-2'>
+      <div className='flex items-center gap-2'>
+        <ChipInput
+          icon={Search}
+          placeholder={searchPlaceholder}
+          value={search}
+          onChange={(e) => setSearch(e.target.value)}
+          className='min-w-0 flex-1'
+        />
+        <Chip
+          onClick={() =>
+            onSetDenied(
+              filteredItems.map((item) => item.id),
+              allFilteredAllowed
+            )
+          }
+        >
+          {allFilteredAllowed ? 'Block All' : 'Allow All'}
+        </Chip>
+      </div>
+      <div className='grid grid-cols-2 gap-x-2 gap-y-0.5'>
+        {filteredItems.map((item) => {
+          const checkboxId = `denylist-${item.id}`
+          return (
+            <label
+              key={item.id}
+              htmlFor={checkboxId}
+              className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+            >
+              <Checkbox
+                id={checkboxId}
+                checked={isAllowed(item.id)}
+                onCheckedChange={() => onToggle(item.id)}
+              />
+              <span className='truncate text-sm'>{item.label}</span>
+            </label>
+          )
+        })}
+      </div>
+    </div>
+  )
+}
+
+interface DynamicProviderModelsProps extends DenylistControls {
+  provider: ProviderName
+  workspaceId?: string
+}
+
+function DynamicProviderModels({ provider, workspaceId, ...controls }: DynamicProviderModelsProps) {
+  const { data, isPending } = useProviderModels(provider, workspaceId)
+  const items = useMemo(
+    () => (data?.models ?? []).map((model) => ({ id: model, label: model })),
+    [data?.models]
+  )
+  return (
+    <CheckboxGrid
+      items={items}
+      isLoading={isPending}
+      searchPlaceholder='Search models...'
+      emptyLabel='No models available for this provider.'
+      {...controls}
+    />
+  )
+}
+
+interface StaticProviderModelsProps extends DenylistControls {
+  providerId: ProviderId
+}
+
+function StaticProviderModels({ providerId, ...controls }: StaticProviderModelsProps) {
+  const items = useMemo(
+    () => getProviderModels(providerId).map((model) => ({ id: model, label: model })),
+    [providerId]
+  )
+  return (
+    <CheckboxGrid
+      items={items}
+      isLoading={false}
+      searchPlaceholder='Search models...'
+      emptyLabel='No models available for this provider.'
+      {...controls}
+    />
+  )
+}
+
+interface ProviderRowProps extends DenylistControls {
+  providerId: ProviderId
+  isProviderAllowed: boolean
+  onToggleProvider: () => void
+  deniedCount: number
+  workspaceId?: string
+}
+
+function ProviderRow({
+  providerId,
+  isProviderAllowed,
+  onToggleProvider,
+  deniedCount,
+  workspaceId,
+  ...controls
+}: ProviderRowProps) {
+  const [expanded, setExpanded] = useState(false)
+
+  const ProviderIcon = PROVIDER_DEFINITIONS[providerId]?.icon
+  const providerName =
+    PROVIDER_DEFINITIONS[providerId]?.name ||
+    providerId.replace(/-/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase())
+  const isDynamic = (DYNAMIC_MODEL_PROVIDERS as readonly string[]).includes(providerId)
+  const checkboxId = `provider-${providerId}`
+
+  return (
+    <div>
+      <div className='flex items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'>
+        <Checkbox
+          id={checkboxId}
+          checked={isProviderAllowed}
+          onCheckedChange={() => onToggleProvider()}
+        />
+        <div className='relative flex size-[16px] flex-shrink-0 items-center justify-center'>
+          {ProviderIcon && <ProviderIcon className='!h-[16px] !w-[16px]' />}
+        </div>
+        <button
+          type='button'
+          onClick={() => isProviderAllowed && setExpanded((prev) => !prev)}
+          disabled={!isProviderAllowed}
+          className={cn(
+            'flex flex-1 items-center gap-2 text-left',
+            isProviderAllowed ? 'cursor-pointer' : 'cursor-default opacity-60'
+          )}
+        >
+          <span className='truncate font-medium text-sm'>{providerName}</span>
+          {isProviderAllowed && deniedCount > 0 && (
+            <ChipTag variant='gray' className='flex-shrink-0'>
+              {deniedCount} blocked
+            </ChipTag>
+          )}
+          {isProviderAllowed && (
+            <ChevronDown
+              className={cn(
+                'ml-auto size-[14px] flex-shrink-0 text-[var(--text-tertiary)] transition-transform',
+                expanded && 'rotate-180'
+              )}
+            />
+          )}
+        </button>
+      </div>
+      {expanded && isProviderAllowed && (
+        <div className='border-[var(--border)] border-t px-2 pt-2 pb-3'>
+          {isDynamic ? (
+            <DynamicProviderModels
+              provider={providerId as ProviderName}
+              workspaceId={workspaceId}
+              {...controls}
+            />
+          ) : (
+            <StaticProviderModels providerId={providerId} {...controls} />
+          )}
+        </div>
+      )}
+    </div>
+  )
+}
+
+interface BlockToolRowProps extends DenylistControls {
+  block: BlockConfig
+  isBlockAllowed: boolean
+  onToggleBlock: () => void
+  deniedCount: number
+}
+
+/**
+ * Integration/trigger block row. The checkbox drives whole-block access
+ * (`allowedIntegrations`); when allowed and the block exposes more than one
+ * tool, the row expands to a per-tool deny-list grid (`deniedTools`), mirroring
+ * the provider → models pattern.
+ */
+function BlockToolRow({
+  block,
+  isBlockAllowed,
+  onToggleBlock,
+  deniedCount,
+  ...controls
+}: BlockToolRowProps) {
+  const [expanded, setExpanded] = useState(false)
+  const BlockIcon = block.icon
+  const checkboxId = `block-${block.type}`
+
+  const toolItems = useMemo<DenylistGridItem[]>(
+    () => (block.tools?.access ?? []).map((id) => ({ id, label: getTool(id)?.name ?? id })),
+    [block.tools?.access]
+  )
+  const isExpandable = toolItems.length > 1
+
+  return (
+    <div>
+      <div className='flex items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'>
+        <Checkbox
+          id={checkboxId}
+          checked={isBlockAllowed}
+          onCheckedChange={() => onToggleBlock()}
+        />
+        <div
+          className='relative flex size-[16px] flex-shrink-0 items-center justify-center overflow-hidden rounded-sm'
+          style={{ background: block.bgColor }}
+        >
+          {BlockIcon && <BlockIcon className='!h-[10px] !w-[10px] text-white' />}
+        </div>
+        <button
+          type='button'
+          onClick={() => isBlockAllowed && isExpandable && setExpanded((prev) => !prev)}
+          disabled={!isBlockAllowed || !isExpandable}
+          className={cn(
+            'flex flex-1 items-center gap-2 text-left',
+            isBlockAllowed && isExpandable ? 'cursor-pointer' : 'cursor-default',
+            !isBlockAllowed && 'opacity-60'
+          )}
+        >
+          <span className='truncate font-medium text-sm'>{block.name}</span>
+          {isBlockAllowed && deniedCount > 0 && (
+            <ChipTag variant='gray' className='flex-shrink-0'>
+              {deniedCount} blocked
+            </ChipTag>
+          )}
+          {isBlockAllowed && isExpandable && (
+            <ChevronDown
+              className={cn(
+                'ml-auto size-[14px] flex-shrink-0 text-[var(--text-tertiary)] transition-transform',
+                expanded && 'rotate-180'
+              )}
+            />
+          )}
+        </button>
+      </div>
+      {expanded && isBlockAllowed && isExpandable && (
+        <div className='border-[var(--border)] border-t px-2 pt-2 pb-3'>
+          <CheckboxGrid
+            items={toolItems}
+            isLoading={false}
+            searchPlaceholder='Search tools...'
+            emptyLabel='This integration exposes no configurable tools.'
+            {...controls}
+          />
+        </div>
+      )}
+    </div>
+  )
+}
+
+interface GroupDetailProps {
+  group: PermissionGroup
+  organizationId: string
+  workspaceId?: string
+  workspaceOptions: { value: string; label: string }[]
+  organizationWorkspaces: PermissionGroupWorkspaceRef[]
+  workspacesLoading: boolean
+  onBack: () => void
+  onDeleted: () => void
+}
+
+/**
+ * Full-surface, tabbed configuration view for a single permission group. Owns
+ * its own editing buffer (`editingConfig`), scope/default writes, and member
+ * management — replacing the former cramped configure modal.
+ */
+export function GroupDetail({
+  group,
+  organizationId,
+  workspaceId,
+  workspaceOptions,
+  organizationWorkspaces,
+  workspacesLoading,
+  onBack,
+  onDeleted,
+}: GroupDetailProps) {
+  const updatePermissionGroup = useUpdatePermissionGroup()
+  const deletePermissionGroup = useDeletePermissionGroup()
+  const removeMember = useRemovePermissionGroupMember()
+  const bulkAddMembers = useBulkAddPermissionGroupMembers()
+
+  // Local, authoritative copy of the group while the detail view is open. Seeded
+  // from the prop and re-seeded only when the selected group id changes, so
+  // optimistic scope/default/config writes are not clobbered by list refetches.
+  const [viewingGroup, setViewingGroup] = useState<PermissionGroup>(group)
+  const [editingConfig, setEditingConfig] = useState<PermissionGroupConfig>({ ...group.config })
+  const prevGroupIdRef = useRef(group.id)
+  if (prevGroupIdRef.current !== group.id) {
+    prevGroupIdRef.current = group.id
+    setViewingGroup(group)
+    setEditingConfig({ ...group.config })
+  }
+
+  // Monotonic token for scope-affecting writes (workspace select + default
+  // toggle). Only the most recent write may reconcile or revert the local
+  // group, so rapid multi-select toggles can't settle on a stale response.
+  const scopeWriteSeqRef = useRef(0)
+
+  const [configTab, setConfigTab] = useState<ConfigTab>('general')
+  const [providerSearchTerm, setProviderSearchTerm] = useState('')
+  const [integrationSearchTerm, setIntegrationSearchTerm] = useState('')
+  const [platformSearchTerm, setPlatformSearchTerm] = useState('')
+
+  const [showAddMembersModal, setShowAddMembersModal] = useState(false)
+  const [addMembersError, setAddMembersError] = useState<string | null>(null)
+  const [selectedMemberIds, setSelectedMemberIds] = useState<Set<string>>(() => new Set())
+  const [showDeleteConfirm, setShowDeleteConfirm] = useState(false)
+  const [showUnsavedChanges, setShowUnsavedChanges] = useState(false)
+
+  const { data: members = [], isPending: membersLoading } = usePermissionGroupMembers(
+    organizationId,
+    viewingGroup.id
+  )
+  const { data: roster } = useOrganizationRoster(organizationId)
+  const { data: blacklistedProvidersData } = useBlacklistedProviders({ enabled: true })
+
+  const allBlocks = useMemo(() => {
+    const blocks = getAllBlocks().filter((b) => !isBlockTypeAccessControlExempt(b.type))
+    return blocks.sort((a, b) => {
+      const categoryOrder = { triggers: 0, blocks: 1, tools: 2 }
+      const catA = categoryOrder[a.category] ?? 3
+      const catB = categoryOrder[b.category] ?? 3
+      if (catA !== catB) return catA - catB
+      return a.name.localeCompare(b.name)
+    })
+  }, [])
+
+  const allProviderIds = useMemo(() => {
+    const allIds = getAllProviderIds()
+    const blacklist = blacklistedProvidersData?.blacklistedProviders ?? []
+    if (blacklist.length === 0) return allIds
+    return allIds.filter((id) => !blacklist.includes(id.toLowerCase()))
+  }, [blacklistedProvidersData])
+
+  /** Maps every tool id to the block type that exposes it (for denied-count grouping). */
+  const toolToBlockType = useMemo(() => {
+    const map: Record<string, string> = {}
+    for (const block of allBlocks) {
+      for (const toolId of block.tools?.access ?? []) {
+        map[toolId] = block.type
+      }
+    }
+    return map
+  }, [allBlocks])
+
+  const platformFeatures = useMemo(
+    () => [
+      {
+        id: 'hide-knowledge-base',
+        label: 'Knowledge Base',
+        category: 'Sidebar',
+        configKey: 'hideKnowledgeBaseTab' as const,
+        hint: 'Hide the Knowledge Base module from the sidebar.',
+      },
+      {
+        id: 'hide-tables',
+        label: 'Tables',
+        category: 'Sidebar',
+        configKey: 'hideTablesTab' as const,
+        hint: 'Hide the Tables module from the sidebar.',
+      },
+      {
+        id: 'hide-copilot',
+        label: 'Chat',
+        category: 'Workflow Panel',
+        configKey: 'hideCopilot' as const,
+        hint: 'Hide the Chat panel so users cannot build or edit with natural language.',
+      },
+      {
+        id: 'hide-integrations',
+        label: 'Integrations',
+        category: 'Settings Tabs',
+        configKey: 'hideIntegrationsTab' as const,
+        hint: 'Hide the Integrations settings tab (OAuth connections).',
+      },
+      {
+        id: 'hide-secrets',
+        label: 'Secrets',
+        category: 'Settings Tabs',
+        configKey: 'hideSecretsTab' as const,
+        hint: 'Hide the Secrets (environment variables) settings tab.',
+      },
+      {
+        id: 'hide-api-keys',
+        label: 'API Keys',
+        category: 'Settings Tabs',
+        configKey: 'hideApiKeysTab' as const,
+        hint: 'Hide the API Keys settings tab.',
+      },
+      {
+        id: 'hide-files',
+        label: 'Files',
+        category: 'Settings Tabs',
+        configKey: 'hideFilesTab' as const,
+        hint: 'Hide the Files settings tab.',
+      },
+      {
+        id: 'hide-deploy-api',
+        label: 'API',
+        category: 'Deploy Tabs',
+        configKey: 'hideDeployApi' as const,
+        hint: 'Hide the API deployment option.',
+      },
+      {
+        id: 'hide-deploy-mcp',
+        label: 'MCP',
+        category: 'Deploy Tabs',
+        configKey: 'hideDeployMcp' as const,
+        hint: 'Hide the MCP server deployment option.',
+      },
+      {
+        id: 'hide-deploy-a2a',
+        label: 'A2A',
+        category: 'Deploy Tabs',
+        configKey: 'hideDeployA2a' as const,
+        hint: 'Hide the agent-to-agent deployment option.',
+      },
+      {
+        id: 'hide-deploy-chatbot',
+        label: 'Chat',
+        category: 'Deploy Tabs',
+        configKey: 'hideDeployChatbot' as const,
+        hint: 'Hide the chatbot deployment option.',
+      },
+      {
+        id: 'hide-deploy-template',
+        label: 'Template',
+        category: 'Deploy Tabs',
+        configKey: 'hideDeployTemplate' as const,
+        hint: 'Hide the template publishing option.',
+      },
+      {
+        id: 'disable-mcp',
+        label: 'MCP Tools',
+        category: 'Tools',
+        configKey: 'disableMcpTools' as const,
+        hint: 'Block agents from calling MCP tools.',
+      },
+      {
+        id: 'disable-custom-tools',
+        label: 'Custom Tools',
+        category: 'Tools',
+        configKey: 'disableCustomTools' as const,
+        hint: 'Block agents from calling user-defined custom tools.',
+      },
+      {
+        id: 'disable-skills',
+        label: 'Skills',
+        category: 'Tools',
+        configKey: 'disableSkills' as const,
+        hint: 'Block agents from loading skills.',
+      },
+      {
+        id: 'hide-trace-spans',
+        label: 'Trace Spans',
+        category: 'Logs',
+        configKey: 'hideTraceSpans' as const,
+        hint: 'Hide per-block trace spans in logs.',
+      },
+      {
+        id: 'disable-invitations',
+        label: 'Invitations',
+        category: 'Collaboration',
+        configKey: 'disableInvitations' as const,
+        hint: 'Prevent users from inviting others to workspaces.',
+      },
+      {
+        id: 'hide-inbox',
+        label: 'Sim Mailer',
+        category: 'Features',
+        configKey: 'hideInboxTab' as const,
+        hint: 'Hide the Sim Mailer inbox.',
+      },
+      {
+        id: 'disable-public-api',
+        label: 'Public API',
+        category: 'Features',
+        configKey: 'disablePublicApi' as const,
+        hint: 'Disable public API access to deployed workflows.',
+      },
+    ],
+    []
+  )
+
+  const filteredPlatformFeatures = useMemo(() => {
+    if (!platformSearchTerm.trim()) return platformFeatures
+    const search = platformSearchTerm.toLowerCase()
+    return platformFeatures.filter(
+      (f) => f.label.toLowerCase().includes(search) || f.category.toLowerCase().includes(search)
+    )
+  }, [platformFeatures, platformSearchTerm])
+
+  const platformCategories = useMemo(() => {
+    const categories: Record<string, typeof platformFeatures> = {}
+    for (const feature of filteredPlatformFeatures) {
+      if (!categories[feature.category]) {
+        categories[feature.category] = []
+      }
+      categories[feature.category].push(feature)
+    }
+    return categories
+  }, [filteredPlatformFeatures])
+
+  const platformCategoryColumns = useMemo(() => {
+    const categoryGroups = [
+      ['Sidebar', 'Deploy Tabs', 'Collaboration'],
+      ['Workflow Panel', 'Tools', 'Features'],
+      ['Settings Tabs', 'Logs'],
+    ]
+
+    const assignedCategories = new Set(categoryGroups.flat())
+    const unassigned = Object.keys(platformCategories).filter(
+      (c) => c !== 'Files' && !assignedCategories.has(c)
+    )
+    const groups = unassigned.length > 0 ? [...categoryGroups, unassigned] : categoryGroups
+
+    return groups
+      .map((column) =>
+        column
+          .map((category) => ({
+            category,
+            features: platformCategories[category] ?? [],
+          }))
+          .filter((section) => section.features.length > 0)
+      )
+      .filter((column) => column.length > 0)
+  }, [platformCategories])
+
+  const hasConfigChanges = useMemo(() => {
+    return JSON.stringify(viewingGroup.config) !== JSON.stringify(editingConfig)
+  }, [viewingGroup.config, editingConfig])
+
+  const filteredProviders = useMemo(() => {
+    if (!providerSearchTerm.trim()) return allProviderIds
+    const query = providerSearchTerm.toLowerCase()
+    return allProviderIds.filter((id) => id.toLowerCase().includes(query))
+  }, [allProviderIds, providerSearchTerm])
+
+  const filteredBlocks = useMemo(() => {
+    if (!integrationSearchTerm.trim()) return allBlocks
+    const query = integrationSearchTerm.toLowerCase()
+    return allBlocks.filter((b) => b.name.toLowerCase().includes(query))
+  }, [allBlocks, integrationSearchTerm])
+
+  const filteredCoreBlocks = useMemo(
+    () => filteredBlocks.filter((block) => block.category === 'blocks'),
+    [filteredBlocks]
+  )
+
+  const filteredToolBlocks = useMemo(
+    () =>
+      filteredBlocks
+        .filter((block) => block.category === 'tools' || block.category === 'triggers')
+        .sort((a, b) => a.name.localeCompare(b.name)),
+    [filteredBlocks]
+  )
+
+  const organizationMembers = useMemo<OrganizationMemberOption[]>(() => {
+    if (!roster?.members) return []
+    return roster.members
+      .filter((m) => m.role !== 'external')
+      .map((m) => ({
+        userId: m.userId,
+        user: { name: m.name, email: m.email, image: m.image },
+      }))
+  }, [roster])
+
+  const availableMembersToAdd = useMemo(() => {
+    const existingMemberUserIds = new Set(members.map((m) => m.userId))
+    return organizationMembers.filter((m) => !existingMemberUserIds.has(m.userId))
+  }, [organizationMembers, members])
+
+  const isIntegrationAllowed = useCallback(
+    (blockType: string) =>
+      editingConfig.allowedIntegrations === null ||
+      editingConfig.allowedIntegrations.includes(blockType),
+    [editingConfig.allowedIntegrations]
+  )
+
+  const toggleIntegration = useCallback(
+    (blockType: string) => {
+      setEditingConfig((prev) => {
+        const current = prev.allowedIntegrations
+        if (current === null) {
+          const allExcept = allBlocks.map((b) => b.type).filter((t) => t !== blockType)
+          return { ...prev, allowedIntegrations: allExcept }
+        }
+        if (current.includes(blockType)) {
+          const updated = current.filter((t) => t !== blockType)
+          return {
+            ...prev,
+            allowedIntegrations: updated.length === allBlocks.length ? null : updated,
+          }
+        }
+        const updated = [...current, blockType]
+        return {
+          ...prev,
+          allowedIntegrations: updated.length === allBlocks.length ? null : updated,
+        }
+      })
+    },
+    [allBlocks]
+  )
+
+  /** Allow or deny a whole section's blocks at once, respecting the active filter. */
+  const setBlocksAllowed = useCallback(
+    (blocks: BlockConfig[], allowed: boolean) => {
+      setEditingConfig((prev) => {
+        const allTypes = allBlocks.map((b) => b.type)
+        const current =
+          prev.allowedIntegrations === null ? new Set(allTypes) : new Set(prev.allowedIntegrations)
+        for (const block of blocks) {
+          if (allowed) current.add(block.type)
+          else current.delete(block.type)
+        }
+        const nextArr = allTypes.filter((t) => current.has(t))
+        return {
+          ...prev,
+          allowedIntegrations: nextArr.length === allTypes.length ? null : nextArr,
+        }
+      })
+    },
+    [allBlocks]
+  )
+
+  const isToolAllowed = useCallback(
+    (toolId: string) => !editingConfig.deniedTools.includes(toolId),
+    [editingConfig.deniedTools]
+  )
+
+  const toggleTool = useCallback((toolId: string) => {
+    setEditingConfig((prev) => {
+      const denied = prev.deniedTools.includes(toolId)
+      return {
+        ...prev,
+        deniedTools: denied
+          ? prev.deniedTools.filter((t) => t !== toolId)
+          : [...prev.deniedTools, toolId],
+      }
+    })
+  }, [])
+
+  const setToolsDenied = useCallback((toolIds: string[], denied: boolean) => {
+    setEditingConfig((prev) => {
+      if (denied) {
+        const existing = new Set(prev.deniedTools)
+        const additions = toolIds.filter((t) => !existing.has(t))
+        if (additions.length === 0) return prev
+        return { ...prev, deniedTools: [...prev.deniedTools, ...additions] }
+      }
+      const toRemove = new Set(toolIds)
+      return { ...prev, deniedTools: prev.deniedTools.filter((t) => !toRemove.has(t)) }
+    })
+  }, [])
+
+  const deniedCountByBlock = useMemo(() => {
+    const counts: Record<string, number> = {}
+    for (const toolId of editingConfig.deniedTools) {
+      const blockType = toolToBlockType[toolId]
+      if (blockType) counts[blockType] = (counts[blockType] ?? 0) + 1
+    }
+    return counts
+  }, [editingConfig.deniedTools, toolToBlockType])
+
+  const isProviderAllowed = useCallback(
+    (providerId: string) =>
+      editingConfig.allowedModelProviders === null ||
+      editingConfig.allowedModelProviders.includes(providerId),
+    [editingConfig.allowedModelProviders]
+  )
+
+  const toggleProvider = useCallback(
+    (providerId: string) => {
+      setEditingConfig((prev) => {
+        const current = prev.allowedModelProviders
+        if (current === null) {
+          const allExcept = allProviderIds.filter((p) => p !== providerId)
+          return { ...prev, allowedModelProviders: allExcept }
+        }
+        if (current.includes(providerId)) {
+          const updated = current.filter((p) => p !== providerId)
+          return {
+            ...prev,
+            allowedModelProviders: updated.length === allProviderIds.length ? null : updated,
+          }
+        }
+        const updated = [...current, providerId]
+        return {
+          ...prev,
+          allowedModelProviders: updated.length === allProviderIds.length ? null : updated,
+        }
+      })
+    },
+    [allProviderIds]
+  )
+
+  const isModelAllowed = useCallback(
+    (model: string) => {
+      const normalized = model.toLowerCase()
+      return !editingConfig.deniedModels.some((denied) => denied.toLowerCase() === normalized)
+    },
+    [editingConfig.deniedModels]
+  )
+
+  const toggleModel = useCallback((model: string) => {
+    setEditingConfig((prev) => {
+      const normalized = model.toLowerCase()
+      const isDenied = prev.deniedModels.some((denied) => denied.toLowerCase() === normalized)
+      return {
+        ...prev,
+        deniedModels: isDenied
+          ? prev.deniedModels.filter((denied) => denied.toLowerCase() !== normalized)
+          : [...prev.deniedModels, model],
+      }
+    })
+  }, [])
+
+  const setModelsDenied = useCallback((models: string[], denied: boolean) => {
+    setEditingConfig((prev) => {
+      if (denied) {
+        const existing = new Set(prev.deniedModels.map((m) => m.toLowerCase()))
+        const additions = models.filter((m) => !existing.has(m.toLowerCase()))
+        if (additions.length === 0) return prev
+        return { ...prev, deniedModels: [...prev.deniedModels, ...additions] }
+      }
+      const toRemove = new Set(models.map((m) => m.toLowerCase()))
+      return {
+        ...prev,
+        deniedModels: prev.deniedModels.filter((m) => !toRemove.has(m.toLowerCase())),
+      }
+    })
+  }, [])
+
+  const deniedCountByProvider = useMemo(() => {
+    const counts: Record<string, number> = {}
+    for (const model of editingConfig.deniedModels) {
+      try {
+        const providerId = getProviderFromModel(model)
+        counts[providerId] = (counts[providerId] ?? 0) + 1
+      } catch {
+        // Unknown/blacklisted provider — omit from counts.
+      }
+    }
+    return counts
+  }, [editingConfig.deniedModels])
+
+  const isFileShareAuthAllowed = useCallback(
+    (authType: ShareAuthType) =>
+      editingConfig.allowedFileShareAuthTypes === null ||
+      editingConfig.allowedFileShareAuthTypes.includes(authType),
+    [editingConfig.allowedFileShareAuthTypes]
+  )
+
+  const toggleFileShareAuthType = useCallback((authType: ShareAuthType) => {
+    setEditingConfig((prev) => {
+      const current = prev.allowedFileShareAuthTypes
+      const next =
+        current === null
+          ? ALL_FILE_SHARE_AUTH_TYPES.filter((t) => t !== authType)
+          : current.includes(authType)
+            ? current.filter((t) => t !== authType)
+            : [...current, authType]
+      return {
+        ...prev,
+        allowedFileShareAuthTypes: next.length === ALL_FILE_SHARE_AUTH_TYPES.length ? null : next,
+      }
+    })
+  }, [])
+
+  const handleSaveConfig = useCallback(async () => {
+    try {
+      await updatePermissionGroup.mutateAsync({
+        id: viewingGroup.id,
+        organizationId,
+        config: editingConfig,
+      })
+      setViewingGroup((prev) => ({ ...prev, config: editingConfig }))
+    } catch (error) {
+      logger.error('Failed to update config', error)
+      toast.error("Couldn't save changes", {
+        description: getErrorMessage(error, 'Please try again in a moment.'),
+      })
+    }
+  }, [viewingGroup.id, editingConfig, organizationId, updatePermissionGroup])
+
+  const handleDiscardConfig = useCallback(() => {
+    setEditingConfig({ ...viewingGroup.config })
+  }, [viewingGroup.config])
+
+  const handleBack = useCallback(() => {
+    if (hasConfigChanges) {
+      setShowUnsavedChanges(true)
+      return
+    }
+    onBack()
+  }, [hasConfigChanges, onBack])
+
+  const handleScopeChange = useCallback(
+    async (workspaceIds: string[]) => {
+      const previous = viewingGroup
+      const seq = ++scopeWriteSeqRef.current
+
+      setViewingGroup((prev) => ({
+        ...prev,
+        workspaces: organizationWorkspaces.filter((ws) => workspaceIds.includes(ws.id)),
+      }))
+      try {
+        const result = await updatePermissionGroup.mutateAsync({
+          id: viewingGroup.id,
+          organizationId,
+          workspaceIds,
+        })
+        if (seq !== scopeWriteSeqRef.current) return
+        setViewingGroup((prev) => ({
+          ...prev,
+          workspaces: organizationWorkspaces.filter((ws) =>
+            result.permissionGroup.workspaceIds.includes(ws.id)
+          ),
+        }))
+      } catch (error) {
+        logger.error('Failed to update workspace scope', error)
+        if (seq !== scopeWriteSeqRef.current) return
+        setViewingGroup(previous)
+        toast.error("Couldn't update workspaces", {
+          description: getErrorMessage(error, 'Please try again in a moment.'),
+        })
+      }
+    },
+    [viewingGroup, organizationId, organizationWorkspaces, updatePermissionGroup]
+  )
+
+  const handleToggleDefault = useCallback(
+    async (enabled: boolean) => {
+      const seq = ++scopeWriteSeqRef.current
+      try {
+        const result = await updatePermissionGroup.mutateAsync({
+          id: viewingGroup.id,
+          organizationId,
+          isDefault: enabled,
+        })
+        if (seq !== scopeWriteSeqRef.current) return
+        setViewingGroup((prev) => ({
+          ...prev,
+          isDefault: result.permissionGroup.isDefault,
+          workspaces: result.permissionGroup.isDefault
+            ? []
+            : organizationWorkspaces.filter((ws) =>
+                result.permissionGroup.workspaceIds.includes(ws.id)
+              ),
+        }))
+      } catch (error) {
+        logger.error('Failed to toggle default group', error)
+        toast.error("Couldn't update the default group", {
+          description: getErrorMessage(error, 'Please try again in a moment.'),
+        })
+      }
+    },
+    [viewingGroup.id, organizationId, organizationWorkspaces, updatePermissionGroup]
+  )
+
+  const handleRemoveMember = useCallback(
+    async (memberId: string) => {
+      try {
+        await removeMember.mutateAsync({
+          organizationId,
+          permissionGroupId: viewingGroup.id,
+          memberId,
+        })
+      } catch (error) {
+        logger.error('Failed to remove member', error)
+        toast.error("Couldn't remove member", {
+          description: getErrorMessage(error, 'Please try again in a moment.'),
+        })
+      }
+    },
+    [viewingGroup.id, organizationId, removeMember]
+  )
+
+  const handleOpenAddMembersModal = useCallback(() => {
+    setSelectedMemberIds(new Set())
+    setAddMembersError(null)
+    setShowAddMembersModal(true)
+  }, [])
+
+  const handleAddSelectedMembers = useCallback(async () => {
+    if (selectedMemberIds.size === 0) return
+    setAddMembersError(null)
+    try {
+      await bulkAddMembers.mutateAsync({
+        organizationId,
+        permissionGroupId: viewingGroup.id,
+        userIds: Array.from(selectedMemberIds),
+      })
+      setShowAddMembersModal(false)
+      setSelectedMemberIds(new Set())
+    } catch (error) {
+      logger.error('Failed to add members', error)
+      setAddMembersError(getErrorMessage(error, 'Failed to add members'))
+    }
+  }, [viewingGroup.id, organizationId, selectedMemberIds, bulkAddMembers])
+
+  const confirmDelete = useCallback(async () => {
+    try {
+      await deletePermissionGroup.mutateAsync({
+        permissionGroupId: viewingGroup.id,
+        organizationId,
+      })
+      setShowDeleteConfirm(false)
+      onDeleted()
+    } catch (error) {
+      logger.error('Failed to delete permission group', error)
+      toast.error("Couldn't delete group", {
+        description: getErrorMessage(error, 'Please try again in a moment.'),
+      })
+    }
+  }, [viewingGroup.id, organizationId, deletePermissionGroup, onDeleted])
+
+  const tabs = useMemo(
+    () => [
+      { value: 'general' as const, label: 'General' },
+      { value: 'providers' as const, label: 'Model Providers' },
+      { value: 'blocks' as const, label: 'Blocks' },
+      { value: 'platform' as const, label: 'Platform' },
+    ],
+    []
+  )
+
+  const coreBlocksAllAllowed = filteredCoreBlocks.every((b) => isIntegrationAllowed(b.type))
+  const toolBlocksAllAllowed = filteredToolBlocks.every((b) => isIntegrationAllowed(b.type))
+  const platformAllVisible = platformFeatures.every((f) => !editingConfig[f.configKey])
+
+  return (
+    <>
+      <div className='flex h-full flex-col bg-[var(--bg)]'>
+        <div className='flex flex-shrink-0 items-center justify-between bg-[var(--bg)] px-[16px] pt-[8.5px] pb-[8.5px]'>
+          <Chip leftIcon={ArrowLeft} onClick={handleBack}>
+            Access Control
+          </Chip>
+          <Chip
+            variant='destructive'
+            onClick={() => setShowDeleteConfirm(true)}
+            disabled={deletePermissionGroup.isPending}
+          >
+            {deletePermissionGroup.isPending ? 'Deleting...' : 'Delete'}
+          </Chip>
+        </div>
+
+        <div className='flex flex-shrink-0 justify-center px-6 pb-3'>
+          <div className='w-full max-w-[48rem]'>
+            <ChipModalTabs
+              tabs={tabs}
+              value={configTab}
+              onChange={(value) => setConfigTab(value as ConfigTab)}
+            />
+          </div>
+        </div>
+
+        <div className='min-h-0 flex-1 overflow-y-auto px-6 [scrollbar-gutter:stable_both-edges]'>
+          <div className='mx-auto flex w-full max-w-[48rem] flex-col gap-7 pb-6'>
+            <div className='flex flex-col gap-1'>
+              <h1 className='font-medium text-[var(--text-body)] text-lg'>{viewingGroup.name}</h1>
+              {viewingGroup.description && (
+                <p className='text-[var(--text-muted)] text-md'>{viewingGroup.description}</p>
+              )}
+            </div>
+
+            {configTab === 'general' && (
+              <>
+                <SettingsSection label='Default group'>
+                  <div className='flex items-center justify-between gap-3'>
+                    <span className='text-[var(--text-muted)] text-small'>
+                      Applies to everyone in the organization not assigned to another group,
+                      including external workspace members
+                    </span>
+                    <Switch
+                      checked={viewingGroup.isDefault}
+                      onCheckedChange={(checked) => handleToggleDefault(checked)}
+                      disabled={updatePermissionGroup.isPending}
+                    />
+                  </div>
+                </SettingsSection>
+
+                <SettingsSection label='Workspaces'>
+                  {viewingGroup.isDefault ? (
+                    <div className='flex items-center justify-between gap-3'>
+                      <span className='text-[var(--text-muted)] text-small'>
+                        Governs every workspace in the organization
+                      </span>
+                    </div>
+                  ) : (
+                    <div className='flex flex-col gap-3'>
+                      <div className='flex items-center justify-between gap-3'>
+                        <span className='min-w-0 text-[var(--text-muted)] text-small'>
+                          {viewingGroup.workspaces.length > 0
+                            ? `Governs ${viewingGroup.workspaces.length} workspace${
+                                viewingGroup.workspaces.length === 1 ? '' : 's'
+                              }`
+                            : 'Select the workspaces this group governs'}
+                        </span>
+                        <WorkspaceSelect
+                          workspaceIds={viewingGroup.workspaces.map((ws) => ws.id)}
+                          onChange={handleScopeChange}
+                          options={workspaceOptions}
+                          isLoading={workspacesLoading}
+                          allowAllWorkspaces={false}
+                          className='flex-shrink-0'
+                        />
+                      </div>
+                      {viewingGroup.workspaces.length > 0 && (
+                        <div className='-mx-2 flex flex-col gap-y-0.5'>
+                          {viewingGroup.workspaces.map((ws) => (
+                            <MemberRow
+                              key={ws.id}
+                              name={ws.name}
+                              email={ws.name}
+                              image={null}
+                              status=''
+                            />
+                          ))}
+                        </div>
+                      )}
+                    </div>
+                  )}
+                </SettingsSection>
+
+                {!viewingGroup.isDefault && (
+                  <SettingsSection label='Members'>
+                    <div className='flex flex-col gap-3'>
+                      <div className='flex items-center justify-between gap-3'>
+                        <span className='text-[var(--text-muted)] text-small'>
+                          {members.length === 0
+                            ? 'Applies to all members of its workspaces. Add members to restrict it to specific people.'
+                            : `Restricted to ${members.length} member${members.length === 1 ? '' : 's'}`}
+                        </span>
+                        <Chip
+                          variant='primary'
+                          leftIcon={Plus}
+                          onClick={handleOpenAddMembersModal}
+                          className='flex-shrink-0'
+                        >
+                          Add
+                        </Chip>
+                      </div>
+                      {membersLoading ? (
+                        <div className='-mx-2 flex flex-col gap-y-0.5'>
+                          {[1, 2].map((i) => (
+                            <div key={i} className='flex items-center gap-2.5 p-2'>
+                              <Skeleton className='size-[14px] flex-shrink-0 rounded-full' />
+                              <Skeleton className='h-[14px] w-[180px]' />
+                            </div>
+                          ))}
+                        </div>
+                      ) : (
+                        members.length > 0 && (
+                          <div className='-mx-2 flex flex-col gap-y-0.5'>
+                            {members.map((member) => (
+                              <MemberRow
+                                key={member.id}
+                                name={member.userName || member.userEmail || 'Unknown'}
+                                email={member.userEmail || member.userName || 'Unknown'}
+                                image={member.userImage}
+                                status={`Added ${new Date(member.assignedAt).toLocaleDateString()}`}
+                                menu={
+                                  <DropdownMenu>
+                                    <DropdownMenuTrigger asChild>
+                                      <button
+                                        type='button'
+                                        aria-label='Member actions'
+                                        className={chipVariants({ flush: true })}
+                                      >
+                                        <MoreHorizontal className='size-[14px] flex-shrink-0 text-[var(--text-icon)]' />
+                                      </button>
+                                    </DropdownMenuTrigger>
+                                    <DropdownMenuContent align='end'>
+                                      <DropdownMenuItem
+                                        className='text-[var(--text-error)]'
+                                        onSelect={() => handleRemoveMember(member.id)}
+                                      >
+                                        Remove
+                                      </DropdownMenuItem>
+                                    </DropdownMenuContent>
+                                  </DropdownMenu>
+                                }
+                              />
+                            ))}
+                          </div>
+                        )
+                      )}
+                    </div>
+                  </SettingsSection>
+                )}
+              </>
+            )}
+
+            {configTab === 'providers' && (
+              <div>
+                <div className='flex items-center gap-2 pb-3'>
+                  <ChipInput
+                    icon={Search}
+                    placeholder='Search providers...'
+                    value={providerSearchTerm}
+                    onChange={(e) => setProviderSearchTerm(e.target.value)}
+                    className='min-w-0 flex-1'
+                  />
+                  <Chip
+                    onClick={() => {
+                      const allAllowed =
+                        editingConfig.allowedModelProviders === null ||
+                        allProviderIds.every((id) =>
+                          editingConfig.allowedModelProviders?.includes(id)
+                        )
+                      setEditingConfig((prev) => ({
+                        ...prev,
+                        allowedModelProviders: allAllowed ? [] : null,
+                      }))
+                    }}
+                  >
+                    {editingConfig.allowedModelProviders === null ||
+                    allProviderIds.every((id) => editingConfig.allowedModelProviders?.includes(id))
+                      ? 'Deselect All'
+                      : 'Select All'}
+                  </Chip>
+                </div>
+                <div className='flex flex-col gap-0.5'>
+                  {filteredProviders.map((providerId) => (
+                    <ProviderRow
+                      key={providerId}
+                      providerId={providerId}
+                      isProviderAllowed={isProviderAllowed(providerId)}
+                      onToggleProvider={() => toggleProvider(providerId)}
+                      deniedCount={deniedCountByProvider[providerId] ?? 0}
+                      workspaceId={workspaceId}
+                      isAllowed={isModelAllowed}
+                      onToggle={toggleModel}
+                      onSetDenied={setModelsDenied}
+                    />
+                  ))}
+                </div>
+              </div>
+            )}
+
+            {configTab === 'blocks' && (
+              <div>
+                <div className='flex items-center gap-2 pb-3'>
+                  <ChipInput
+                    icon={Search}
+                    placeholder='Search blocks...'
+                    value={integrationSearchTerm}
+                    onChange={(e) => setIntegrationSearchTerm(e.target.value)}
+                    className='min-w-0 flex-1'
+                  />
+                </div>
+                <div className='flex flex-col gap-4'>
+                  {filteredCoreBlocks.length > 0 && (
+                    <div className='flex flex-col gap-1.5'>
+                      <div className='flex items-center justify-between'>
+                        <span className='font-medium text-[var(--text-muted)] text-small'>
+                          Core Blocks
+                        </span>
+                        <Chip
+                          flush
+                          onClick={() =>
+                            setBlocksAllowed(filteredCoreBlocks, !coreBlocksAllAllowed)
+                          }
+                        >
+                          {coreBlocksAllAllowed ? 'Deselect All' : 'Select All'}
+                        </Chip>
+                      </div>
+                      <div className='grid grid-cols-3 gap-x-2 gap-y-0.5'>
+                        {filteredCoreBlocks.map((block) => {
+                          const BlockIcon = block.icon
+                          const checkboxId = `block-${block.type}`
+                          return (
+                            <label
+                              key={block.type}
+                              htmlFor={checkboxId}
+                              className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+                            >
+                              <Checkbox
+                                id={checkboxId}
+                                checked={isIntegrationAllowed(block.type)}
+                                onCheckedChange={() => toggleIntegration(block.type)}
+                              />
+                              <div
+                                className='relative flex h-[16px] w-[16px] flex-shrink-0 items-center justify-center overflow-hidden rounded-sm'
+                                style={{ background: block.bgColor }}
+                              >
+                                {BlockIcon && (
+                                  <BlockIcon className='!h-[10px] !w-[10px] text-white' />
+                                )}
+                              </div>
+                              <span className='truncate font-medium text-sm'>{block.name}</span>
+                            </label>
+                          )
+                        })}
+                      </div>
+                    </div>
+                  )}
+                  {filteredToolBlocks.length > 0 && (
+                    <div className='flex flex-col gap-1.5 border-[var(--border)] border-t pt-4'>
+                      <div className='flex items-center justify-between'>
+                        <div className='flex items-center gap-1.5'>
+                          <span className='font-medium text-[var(--text-muted)] text-small'>
+                            Integrations and Triggers
+                          </span>
+                          <Info side='top'>
+                            Allow a whole integration with its checkbox, then expand it to deny
+                            specific tools while keeping the rest available.
+                          </Info>
+                        </div>
+                        <Chip
+                          flush
+                          onClick={() =>
+                            setBlocksAllowed(filteredToolBlocks, !toolBlocksAllAllowed)
+                          }
+                        >
+                          {toolBlocksAllAllowed ? 'Deselect All' : 'Select All'}
+                        </Chip>
+                      </div>
+                      <div className='flex flex-col gap-0.5'>
+                        {filteredToolBlocks.map((block) => (
+                          <BlockToolRow
+                            key={block.type}
+                            block={block}
+                            isBlockAllowed={isIntegrationAllowed(block.type)}
+                            onToggleBlock={() => toggleIntegration(block.type)}
+                            deniedCount={deniedCountByBlock[block.type] ?? 0}
+                            isAllowed={isToolAllowed}
+                            onToggle={toggleTool}
+                            onSetDenied={setToolsDenied}
+                          />
+                        ))}
+                      </div>
+                    </div>
+                  )}
+                </div>
+              </div>
+            )}
+
+            {configTab === 'platform' && (
+              <div>
+                <div className='flex items-center gap-2 pb-3'>
+                  <ChipInput
+                    icon={Search}
+                    placeholder='Search features...'
+                    value={platformSearchTerm}
+                    onChange={(e) => setPlatformSearchTerm(e.target.value)}
+                    className='min-w-0 flex-1'
+                  />
+                  <Chip
+                    onClick={() =>
+                      setEditingConfig((prev) => ({
+                        ...prev,
+                        ...Object.fromEntries(
+                          platformFeatures.map((f) => [f.configKey, platformAllVisible])
+                        ),
+                      }))
+                    }
+                  >
+                    {platformAllVisible ? 'Deselect All' : 'Select All'}
+                  </Chip>
+                </div>
+                <div className='grid grid-cols-3 gap-x-6'>
+                  {platformCategoryColumns.map((column, columnIndex) => (
+                    <div key={columnIndex} className='flex flex-col gap-8'>
+                      {column.map(({ category, features }) => (
+                        <div key={category} className='flex flex-col gap-1.5'>
+                          <span className='font-medium text-[var(--text-muted)] text-small'>
+                            {category}
+                          </span>
+                          <div className='flex flex-col gap-0.5'>
+                            {features.map((feature) => (
+                              <div key={feature.id} className='flex items-center gap-1.5'>
+                                <label
+                                  htmlFor={feature.id}
+                                  className='flex flex-1 cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+                                >
+                                  <Checkbox
+                                    id={feature.id}
+                                    checked={!editingConfig[feature.configKey]}
+                                    onCheckedChange={(checked) =>
+                                      setEditingConfig((prev) => ({
+                                        ...prev,
+                                        [feature.configKey]: checked !== true,
+                                      }))
+                                    }
+                                  />
+                                  <span className='font-normal text-sm'>{feature.label}</span>
+                                </label>
+                                <Info side='top'>{feature.hint}</Info>
+                              </div>
+                            ))}
+                          </div>
+                        </div>
+                      ))}
+                    </div>
+                  ))}
+                </div>
+                <div className='mt-8 flex flex-col gap-1.5'>
+                  <span className='font-medium text-[var(--text-muted)] text-small'>Files</span>
+                  <label
+                    htmlFor='disable-public-file-sharing'
+                    className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+                  >
+                    <Checkbox
+                      id='disable-public-file-sharing'
+                      checked={!editingConfig.disablePublicFileSharing}
+                      onCheckedChange={(checked) =>
+                        setEditingConfig((prev) => ({
+                          ...prev,
+                          disablePublicFileSharing: checked !== true,
+                        }))
+                      }
+                    />
+                    <span className='font-normal text-sm'>Public Sharing</span>
+                  </label>
+                  <div
+                    className={cn(
+                      'flex flex-col gap-1 pt-1',
+                      editingConfig.disablePublicFileSharing && 'opacity-50'
+                    )}
+                  >
+                    <span className='px-2 text-[var(--text-secondary)] text-xs'>
+                      Auth modes public file-share links may use
+                    </span>
+                    <div className='flex flex-wrap gap-x-4'>
+                      {FILE_SHARE_AUTH_TYPE_OPTIONS.map(({ value, label }) => (
+                        <label
+                          key={value}
+                          htmlFor={`fsauth-${value}`}
+                          className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+                        >
+                          <Checkbox
+                            id={`fsauth-${value}`}
+                            checked={isFileShareAuthAllowed(value)}
+                            onCheckedChange={() => toggleFileShareAuthType(value)}
+                            disabled={editingConfig.disablePublicFileSharing}
+                          />
+                          <span className='font-normal text-sm'>{label}</span>
+                        </label>
+                      ))}
+                    </div>
+                  </div>
+                </div>
+              </div>
+            )}
+          </div>
+        </div>
+
+        {hasConfigChanges && (
+          <div className='flex flex-shrink-0 items-center justify-end gap-2 border-[var(--border)] border-t bg-[var(--surface-3)] px-6 py-2.5'>
+            <span className='mr-auto text-[var(--text-muted)] text-small'>Unsaved changes</span>
+            <Chip onClick={handleDiscardConfig} disabled={updatePermissionGroup.isPending}>
+              Discard
+            </Chip>
+            <Chip
+              variant='primary'
+              onClick={handleSaveConfig}
+              disabled={updatePermissionGroup.isPending}
+            >
+              {updatePermissionGroup.isPending ? 'Saving...' : 'Save'}
+            </Chip>
+          </div>
+        )}
+      </div>
+
+      <AddMembersModal
+        open={showAddMembersModal}
+        onOpenChange={(open) => {
+          setShowAddMembersModal(open)
+          if (!open) setAddMembersError(null)
+        }}
+        availableMembers={availableMembersToAdd}
+        selectedMemberIds={selectedMemberIds}
+        setSelectedMemberIds={setSelectedMemberIds}
+        onAddMembers={handleAddSelectedMembers}
+        isAdding={bulkAddMembers.isPending}
+        errorMessage={addMembersError}
+      />
+
+      <ChipConfirmModal
+        open={showDeleteConfirm}
+        onOpenChange={() => setShowDeleteConfirm(false)}
+        srTitle='Delete Permission Group'
+        title='Delete Permission Group'
+        text={[
+          'Are you sure you want to delete ',
+          { text: viewingGroup.name, bold: true },
+          '? ',
+          { text: 'All members will be removed from this group.', error: true },
+          ' This action cannot be undone.',
+        ]}
+        confirm={{
+          label: 'Delete',
+          onClick: confirmDelete,
+          pending: deletePermissionGroup.isPending,
+          pendingLabel: 'Deleting...',
+        }}
+      />
+
+      <ChipModal
+        open={showUnsavedChanges}
+        onOpenChange={setShowUnsavedChanges}
+        size='sm'
+        srTitle='Unsaved Changes'
+      >
+        <ChipModalHeader onClose={() => setShowUnsavedChanges(false)}>
+          Unsaved Changes
+        </ChipModalHeader>
+        <ChipModalBody>
+          <p className='px-2 text-[var(--text-secondary)] text-sm'>
+            You have unsaved changes. Do you want to save them before leaving?
+          </p>
+        </ChipModalBody>
+        <ChipModalFooter
+          onCancel={() => setShowUnsavedChanges(false)}
+          secondaryActions={[
+            {
+              label: 'Discard Changes',
+              onClick: () => {
+                setShowUnsavedChanges(false)
+                onBack()
+              },
+              variant: 'destructive',
+            },
+          ]}
+          primaryAction={{
+            label: updatePermissionGroup.isPending ? 'Saving...' : 'Save Changes',
+            onClick: async () => {
+              await handleSaveConfig()
+              setShowUnsavedChanges(false)
+              onBack()
+            },
+            disabled: updatePermissionGroup.isPending,
+          }}
+        />
+      </ChipModal>
+    </>
+  )
+}
diff --git a/apps/sim/ee/access-control/components/workspace-select.tsx b/apps/sim/ee/access-control/components/workspace-select.tsx
new file mode 100644
index 00000000000..f8f2496aa13
--- /dev/null
+++ b/apps/sim/ee/access-control/components/workspace-select.tsx
@@ -0,0 +1,58 @@
+'use client'
+
+import { ChipDropdown } from '@/components/emcn'
+
+interface WorkspaceSelectProps {
+  workspaceIds: string[]
+  onChange: (ids: string[]) => void
+  options: { value: string; label: string }[]
+  disabled?: boolean
+  isLoading?: boolean
+  fullWidth?: boolean
+  className?: string
+  /**
+   * When false, the "All workspaces" reset option is hidden and an empty
+   * selection reads as a prompt. Non-default groups must target ≥1 workspace.
+   */
+  allowAllWorkspaces?: boolean
+}
+
+/**
+ * Workspace scope multi-select. With `allowAllWorkspaces` an empty selection
+ * reads as "All workspaces" (the default group); otherwise it prompts for a
+ * selection, since non-default groups must target specific workspaces.
+ */
+export function WorkspaceSelect({
+  workspaceIds,
+  onChange,
+  options,
+  disabled = false,
+  isLoading = false,
+  fullWidth = false,
+  className,
+  allowAllWorkspaces = true,
+}: WorkspaceSelectProps) {
+  return (
+    <ChipDropdown
+      multiple
+      searchable
+      align={fullWidth ? 'start' : 'end'}
+      matchTriggerWidth={fullWidth}
+      options={options}
+      value={workspaceIds}
+      onChange={onChange}
+      disabled={disabled || isLoading}
+      showAllOption={allowAllWorkspaces}
+      allLabel={
+        isLoading
+          ? 'Loading workspaces…'
+          : allowAllWorkspaces
+            ? 'All workspaces'
+            : 'Select workspaces…'
+      }
+      searchPlaceholder='Search workspaces…'
+      fullWidth={fullWidth}
+      className={className}
+    />
+  )
+}
diff --git a/apps/sim/ee/access-control/utils/permission-check.test.ts b/apps/sim/ee/access-control/utils/permission-check.test.ts
index d78ba101395..8c24c396706 100644
--- a/apps/sim/ee/access-control/utils/permission-check.test.ts
+++ b/apps/sim/ee/access-control/utils/permission-check.test.ts
@@ -17,6 +17,7 @@ const {
     allowedIntegrations: null,
     allowedModelProviders: null,
     deniedModels: [],
+    deniedTools: [],
     hideTraceSpans: false,
     hideKnowledgeBaseTab: false,
     hideTablesTab: false,
@@ -142,6 +143,7 @@ import {
   ProviderNotAllowedError,
   PublicFileSharingNotAllowedError,
   SkillsNotAllowedError,
+  ToolNotAllowedError,
   validateBlockType,
   validateMcpToolsAllowed,
   validateModelProvider,
@@ -597,6 +599,69 @@ describe('assertPermissionsAllowed', () => {
     })
   })
 
+  it('throws ToolNotAllowedError when the tool is on the denylist', async () => {
+    mockWorkspaceGroups.value = [{ config: { deniedTools: ['slack_canvas'] } }]
+
+    await expect(
+      assertPermissionsAllowed({
+        userId: 'user-123',
+        workspaceId: 'workspace-1',
+        toolId: 'slack_canvas',
+      })
+    ).rejects.toBeInstanceOf(ToolNotAllowedError)
+  })
+
+  it('allows a tool that is not on the denylist', async () => {
+    mockWorkspaceGroups.value = [{ config: { deniedTools: ['slack_canvas'] } }]
+
+    await assertPermissionsAllowed({
+      userId: 'user-123',
+      workspaceId: 'workspace-1',
+      toolId: 'slack_message',
+    })
+  })
+
+  it('allows every tool when the denylist is empty', async () => {
+    mockWorkspaceGroups.value = [{ config: { deniedTools: [] } }]
+
+    await assertPermissionsAllowed({
+      userId: 'user-123',
+      workspaceId: 'workspace-1',
+      toolId: 'slack_canvas',
+    })
+  })
+
+  it('denies a tool even when its block is allowed by the integration allowlist', async () => {
+    mockWorkspaceGroups.value = [
+      { config: { allowedIntegrations: ['slack'], deniedTools: ['slack_canvas'] } },
+    ]
+
+    await expect(
+      assertPermissionsAllowed({
+        userId: 'user-123',
+        workspaceId: 'workspace-1',
+        blockType: 'slack',
+        toolId: 'slack_canvas',
+      })
+    ).rejects.toBeInstanceOf(ToolNotAllowedError)
+  })
+
+  it('still enforces the tool denylist for an exempt block type', async () => {
+    mockWorkspaceGroups.value = [{ config: { deniedTools: ['slack_canvas'] } }]
+    mockGetBlock.mockImplementation((type) =>
+      type === 'slack' ? { hideFromToolbar: true } : undefined
+    )
+
+    await expect(
+      assertPermissionsAllowed({
+        userId: 'user-123',
+        workspaceId: 'workspace-1',
+        blockType: 'slack',
+        toolId: 'slack_canvas',
+      })
+    ).rejects.toBeInstanceOf(ToolNotAllowedError)
+  })
+
   it('throws CustomToolsNotAllowedError when custom tools are disabled', async () => {
     mockWorkspaceGroups.value = [{ config: { disableCustomTools: true } }]
 
diff --git a/apps/sim/ee/access-control/utils/permission-check.ts b/apps/sim/ee/access-control/utils/permission-check.ts
index 03c41369ecc..611ea077b45 100644
--- a/apps/sim/ee/access-control/utils/permission-check.ts
+++ b/apps/sim/ee/access-control/utils/permission-check.ts
@@ -50,6 +50,13 @@ export class IntegrationNotAllowedError extends Error {
   }
 }
 
+export class ToolNotAllowedError extends Error {
+  constructor(toolId: string) {
+    super(`Tool "${toolId}" is not allowed based on your permission group settings`)
+    this.name = 'ToolNotAllowedError'
+  }
+}
+
 export class McpToolsNotAllowedError extends Error {
   constructor() {
     super('MCP tools are not allowed based on your permission group settings')
@@ -566,6 +573,12 @@ interface PermissionAssertion {
   workspaceId: string | undefined
   model?: string
   blockType?: string
+  /**
+   * Concrete tool ID being executed (e.g. `slack_canvas`). Checked against the
+   * group's `deniedTools` denylist so an admin can allow an integration but deny
+   * specific operations within it. Pass the normalized tool id.
+   */
+  toolId?: string
   toolKind?: ToolKind
   ctx?: ExecutionContext
 }
@@ -581,11 +594,11 @@ interface PermissionAssertion {
  * callsite covers every future config field.
  */
 export async function assertPermissionsAllowed(req: PermissionAssertion): Promise<void> {
-  const { userId, workspaceId, model, blockType, toolKind, ctx } = req
+  const { userId, workspaceId, model, blockType, toolId, toolKind, ctx } = req
 
   const blockTypeExempt = blockType ? isBlockTypeAccessControlExempt(blockType) : false
 
-  if (blockTypeExempt && !model && !toolKind) {
+  if (blockTypeExempt && !model && !toolKind && !toolId) {
     return
   }
 
@@ -634,6 +647,11 @@ export async function assertPermissionsAllowed(req: PermissionAssertion): Promis
     }
   }
 
+  if (toolId && config?.deniedTools?.includes(toolId)) {
+    logger.warn('Tool blocked by permission group', { userId, workspaceId, toolId })
+    throw new ToolNotAllowedError(toolId)
+  }
+
   if (toolKind && config) {
     if (toolKind === 'mcp' && config.disableMcpTools) {
       logger.warn('MCP tools blocked by permission group', { userId, workspaceId })
diff --git a/apps/sim/ee/data-retention/components/data-retention-settings.tsx b/apps/sim/ee/data-retention/components/data-retention-settings.tsx
index 7d48ae631ea..a72ca616a09 100644
--- a/apps/sim/ee/data-retention/components/data-retention-settings.tsx
+++ b/apps/sim/ee/data-retention/components/data-retention-settings.tsx
@@ -18,6 +18,7 @@ import {
   ChipModalHeader,
   ChipSelect,
   ChipSwitch,
+  ChipTag,
   Search,
   toast,
 } from '@/components/emcn'
@@ -767,9 +768,9 @@ export function DataRetentionSettings() {
                       <span className='truncate text-[14px] text-[var(--text-body)]'>
                         Organization
                       </span>
-                      <span className='flex-shrink-0 rounded-sm bg-[var(--surface-3)] px-1.5 py-0.5 text-[var(--text-muted)] text-micro'>
+                      <ChipTag variant='gray' className='flex-shrink-0'>
                         Default
-                      </span>
+                      </ChipTag>
                     </div>
                     <span className='truncate text-[12px] text-[var(--text-muted)]'>
                       {orgRowSummary()}
diff --git a/apps/sim/hooks/use-permission-config.ts b/apps/sim/hooks/use-permission-config.ts
index 330e502c78a..3513c4c167d 100644
--- a/apps/sim/hooks/use-permission-config.ts
+++ b/apps/sim/hooks/use-permission-config.ts
@@ -23,6 +23,7 @@ export interface PermissionConfigResult {
   isBlockAllowed: (blockType: string) => boolean
   isProviderAllowed: (providerId: string) => boolean
   isModelAllowed: (model: string) => boolean
+  isToolAllowed: (toolId: string) => boolean
   isInvitationsDisabled: boolean
   isPublicApiDisabled: boolean
 }
@@ -113,6 +114,13 @@ export function usePermissionConfig(): PermissionConfigResult {
     }
   }, [config.deniedModels])
 
+  const isToolAllowed = useMemo(() => {
+    return (toolId: string) => {
+      if (config.deniedTools.length === 0) return true
+      return !config.deniedTools.includes(toolId)
+    }
+  }, [config.deniedTools])
+
   const filterBlocks = useMemo(() => {
     return <T extends { type: string }>(blocks: T[]): T[] => {
       if (mergedAllowedIntegrations === null) return blocks
@@ -156,6 +164,7 @@ export function usePermissionConfig(): PermissionConfigResult {
       isBlockAllowed,
       isProviderAllowed,
       isModelAllowed,
+      isToolAllowed,
       isInvitationsDisabled,
       isPublicApiDisabled,
     }),
@@ -168,6 +177,7 @@ export function usePermissionConfig(): PermissionConfigResult {
       isBlockAllowed,
       isProviderAllowed,
       isModelAllowed,
+      isToolAllowed,
       isInvitationsDisabled,
       isPublicApiDisabled,
     ]
diff --git a/apps/sim/lib/api/contracts/permission-groups.ts b/apps/sim/lib/api/contracts/permission-groups.ts
index b2f2d7fa7fd..a1e55c3d9ea 100644
--- a/apps/sim/lib/api/contracts/permission-groups.ts
+++ b/apps/sim/lib/api/contracts/permission-groups.ts
@@ -8,6 +8,7 @@ export const permissionGroupFullConfigSchema = z.object({
   allowedIntegrations: z.array(z.string()).nullable(),
   allowedModelProviders: z.array(z.string()).nullable(),
   deniedModels: z.array(z.string()).default([]),
+  deniedTools: z.array(z.string()).default([]),
   hideTraceSpans: z.boolean(),
   hideKnowledgeBaseTab: z.boolean(),
   hideTablesTab: z.boolean(),
diff --git a/apps/sim/lib/permission-groups/types.ts b/apps/sim/lib/permission-groups/types.ts
index 3269ec69459..76c18c0b9b1 100644
--- a/apps/sim/lib/permission-groups/types.ts
+++ b/apps/sim/lib/permission-groups/types.ts
@@ -21,6 +21,7 @@ export const permissionGroupConfigSchema = z.object({
   allowedIntegrations: z.array(z.string()).nullable().optional(),
   allowedModelProviders: z.array(z.string()).nullable().optional(),
   deniedModels: z.array(z.string()).optional(),
+  deniedTools: z.array(z.string()).optional(),
   hideTraceSpans: z.boolean().optional(),
   hideKnowledgeBaseTab: z.boolean().optional(),
   hideTablesTab: z.boolean().optional(),
@@ -52,6 +53,13 @@ export interface PermissionGroupConfig {
    * group, checked after `allowedModelProviders`. Empty means nothing is blocked.
    */
   deniedModels: string[]
+  /**
+   * Snake_case tool IDs (e.g. `slack_canvas`) blocked for this group, checked
+   * after the block-level `allowedIntegrations` gate. Lets an admin allow an
+   * integration but deny specific operations within it. Empty means nothing is
+   * blocked.
+   */
+  deniedTools: string[]
   hideTraceSpans: boolean
   hideKnowledgeBaseTab: boolean
   hideTablesTab: boolean
@@ -80,6 +88,7 @@ export const DEFAULT_PERMISSION_GROUP_CONFIG: PermissionGroupConfig = {
   allowedIntegrations: null,
   allowedModelProviders: null,
   deniedModels: [],
+  deniedTools: [],
   hideTraceSpans: false,
   hideKnowledgeBaseTab: false,
   hideTablesTab: false,
@@ -116,6 +125,9 @@ export function parsePermissionGroupConfig(config: unknown): PermissionGroupConf
     deniedModels: Array.isArray(c.deniedModels)
       ? c.deniedModels.filter((m): m is string => typeof m === 'string')
       : [],
+    deniedTools: Array.isArray(c.deniedTools)
+      ? c.deniedTools.filter((t): t is string => typeof t === 'string')
+      : [],
     hideTraceSpans: typeof c.hideTraceSpans === 'boolean' ? c.hideTraceSpans : false,
     hideKnowledgeBaseTab:
       typeof c.hideKnowledgeBaseTab === 'boolean' ? c.hideKnowledgeBaseTab : false,
diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
index 1f7e554c324..7f3cdc1b56e 100644
--- a/apps/sim/tools/index.ts
+++ b/apps/sim/tools/index.ts
@@ -936,10 +936,15 @@ export async function executeTool(
             ? 'mcp'
             : undefined
 
-    if (toolKind && scope.userId && scope.workspaceId) {
+    // Single chokepoint for every tool execution. Asserts both the tool-kind
+    // gates (mcp/custom/skill) and the per-tool denylist (`deniedTools`), so an
+    // admin can allow an integration block yet deny specific operations within
+    // it. Runs for all tools, not just kinded ones.
+    if (scope.userId && scope.workspaceId) {
       await assertPermissionsAllowed({
         userId: scope.userId,
         workspaceId: scope.workspaceId,
+        toolId: normalizedToolId,
         toolKind,
         ctx: executionContext,
       })

From 166e764be940cc834161d2455e3636a57f093e19 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:04:24 -0700
Subject: [PATCH 2/8] fix(access-control): don't leave the detail view when an
 unsaved-changes save fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The unsaved-changes dialog's Save action navigated back unconditionally after handleSaveConfig, but that helper swallows mutation errors — so a failed save still exited the view and silently dropped the edits. handleSaveConfig now returns success, and the dialog only closes + navigates back when the save actually succeeded.
---
 .../ee/access-control/components/group-detail.tsx | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index 19ebea7f71c..1ccb732d278 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -1065,7 +1065,8 @@ export function GroupDetail({
     })
   }, [])
 
-  const handleSaveConfig = useCallback(async () => {
+  /** Persists the editing buffer. Returns whether the save succeeded so callers can decide whether to navigate away. */
+  const handleSaveConfig = useCallback(async (): Promise<boolean> => {
     try {
       await updatePermissionGroup.mutateAsync({
         id: viewingGroup.id,
@@ -1073,11 +1074,13 @@ export function GroupDetail({
         config: editingConfig,
       })
       setViewingGroup((prev) => ({ ...prev, config: editingConfig }))
+      return true
     } catch (error) {
       logger.error('Failed to update config', error)
       toast.error("Couldn't save changes", {
         description: getErrorMessage(error, 'Please try again in a moment.'),
       })
+      return false
     }
   }, [viewingGroup.id, editingConfig, organizationId, updatePermissionGroup])
 
@@ -1725,9 +1728,13 @@ export function GroupDetail({
           primaryAction={{
             label: updatePermissionGroup.isPending ? 'Saving...' : 'Save Changes',
             onClick: async () => {
-              await handleSaveConfig()
-              setShowUnsavedChanges(false)
-              onBack()
+              // Only leave once the save actually succeeds; a failed save keeps
+              // the dialog open with the edits intact (error surfaced via toast).
+              const saved = await handleSaveConfig()
+              if (saved) {
+                setShowUnsavedChanges(false)
+                onBack()
+              }
             },
             disabled: updatePermissionGroup.isPending,
           }}

From b161dd35bccb41c34462372869b003020f677b59 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:08:24 -0700
Subject: [PATCH 3/8] fix(access-control): prune deniedTools for blocks that
 get disabled

deniedTools only matters while a block is allowed, but toggleIntegration/setBlocksAllowed left a disabled block's denied tools in the config. Disabling then re-enabling an integration would silently re-apply the old per-tool denials. Both handlers now prune deniedTools to the set of allowed blocks, keeping the invariant that deniedTools only holds tools of currently-allowed integrations.
---
 .../components/group-detail.tsx               | 47 ++++++++++++++-----
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index 1ccb732d278..90134c748f7 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -875,29 +875,48 @@ export function GroupDetail({
     [editingConfig.allowedIntegrations]
   )
 
+  /**
+   * Drops denied tools whose integration is no longer allowed, keeping the
+   * invariant that `deniedTools` only holds tools of currently-allowed blocks.
+   * Without this, disabling then re-enabling an integration would silently
+   * re-apply stale per-tool denials. Tools we can't attribute to a known block
+   * are preserved.
+   */
+  const pruneDeniedTools = useCallback(
+    (allowedIntegrations: string[] | null, deniedTools: string[]) => {
+      if (allowedIntegrations === null) return deniedTools
+      const allowed = new Set(allowedIntegrations)
+      const pruned = deniedTools.filter((toolId) => {
+        const blockType = toolToBlockType[toolId]
+        return !blockType || allowed.has(blockType)
+      })
+      return pruned.length === deniedTools.length ? deniedTools : pruned
+    },
+    [toolToBlockType]
+  )
+
   const toggleIntegration = useCallback(
     (blockType: string) => {
       setEditingConfig((prev) => {
         const current = prev.allowedIntegrations
+        let nextAllowed: string[] | null
         if (current === null) {
-          const allExcept = allBlocks.map((b) => b.type).filter((t) => t !== blockType)
-          return { ...prev, allowedIntegrations: allExcept }
-        }
-        if (current.includes(blockType)) {
+          nextAllowed = allBlocks.map((b) => b.type).filter((t) => t !== blockType)
+        } else if (current.includes(blockType)) {
           const updated = current.filter((t) => t !== blockType)
-          return {
-            ...prev,
-            allowedIntegrations: updated.length === allBlocks.length ? null : updated,
-          }
+          nextAllowed = updated.length === allBlocks.length ? null : updated
+        } else {
+          const updated = [...current, blockType]
+          nextAllowed = updated.length === allBlocks.length ? null : updated
         }
-        const updated = [...current, blockType]
         return {
           ...prev,
-          allowedIntegrations: updated.length === allBlocks.length ? null : updated,
+          allowedIntegrations: nextAllowed,
+          deniedTools: pruneDeniedTools(nextAllowed, prev.deniedTools),
         }
       })
     },
-    [allBlocks]
+    [allBlocks, pruneDeniedTools]
   )
 
   /** Allow or deny a whole section's blocks at once, respecting the active filter. */
@@ -912,13 +931,15 @@ export function GroupDetail({
           else current.delete(block.type)
         }
         const nextArr = allTypes.filter((t) => current.has(t))
+        const nextAllowed = nextArr.length === allTypes.length ? null : nextArr
         return {
           ...prev,
-          allowedIntegrations: nextArr.length === allTypes.length ? null : nextArr,
+          allowedIntegrations: nextAllowed,
+          deniedTools: pruneDeniedTools(nextAllowed, prev.deniedTools),
         }
       })
     },
-    [allBlocks]
+    [allBlocks, pruneDeniedTools]
   )
 
   const isToolAllowed = useCallback(

From ae1abfa308c6793df90cb331b2172244d3a52da6 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:16:00 -0700
Subject: [PATCH 4/8] fix(access-control): attribute denied tools to all
 exposing blocks when pruning

A tool id can appear in more than one block's tools.access. The single tool->block map meant pruneDeniedTools (and the per-block denied count) attributed a shared tool to only one block, so disabling that block could drop a denial while the tool was still exposed by another allowed block. Tools now map to all exposing block types; a denial is pruned only when no allowed block exposes the tool, and the per-block count is derived from each block's own tool list.
---
 .../components/group-detail.tsx               | 28 +++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index 90134c748f7..d6b9c67b0fd 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -630,12 +630,12 @@ export function GroupDetail({
     return allIds.filter((id) => !blacklist.includes(id.toLowerCase()))
   }, [blacklistedProvidersData])
 
-  /** Maps every tool id to the block type that exposes it (for denied-count grouping). */
-  const toolToBlockType = useMemo(() => {
-    const map: Record<string, string> = {}
+  /** Maps every tool id to ALL block types that expose it (some tools are shared across blocks). */
+  const toolBlockTypes = useMemo(() => {
+    const map: Record<string, string[]> = {}
     for (const block of allBlocks) {
       for (const toolId of block.tools?.access ?? []) {
-        map[toolId] = block.type
+        ;(map[toolId] ??= []).push(block.type)
       }
     }
     return map
@@ -887,12 +887,14 @@ export function GroupDetail({
       if (allowedIntegrations === null) return deniedTools
       const allowed = new Set(allowedIntegrations)
       const pruned = deniedTools.filter((toolId) => {
-        const blockType = toolToBlockType[toolId]
-        return !blockType || allowed.has(blockType)
+        const blockTypes = toolBlockTypes[toolId]
+        // Keep the denial while ANY block exposing the tool is still allowed;
+        // preserve tools we can't attribute to a known block.
+        return !blockTypes || blockTypes.some((bt) => allowed.has(bt))
       })
       return pruned.length === deniedTools.length ? deniedTools : pruned
     },
-    [toolToBlockType]
+    [toolBlockTypes]
   )
 
   const toggleIntegration = useCallback(
@@ -973,13 +975,17 @@ export function GroupDetail({
   }, [])
 
   const deniedCountByBlock = useMemo(() => {
+    const denied = new Set(editingConfig.deniedTools)
     const counts: Record<string, number> = {}
-    for (const toolId of editingConfig.deniedTools) {
-      const blockType = toolToBlockType[toolId]
-      if (blockType) counts[blockType] = (counts[blockType] ?? 0) + 1
+    for (const block of allBlocks) {
+      let count = 0
+      for (const toolId of block.tools?.access ?? []) {
+        if (denied.has(toolId)) count++
+      }
+      if (count > 0) counts[block.type] = count
     }
     return counts
-  }, [editingConfig.deniedTools, toolToBlockType])
+  }, [editingConfig.deniedTools, allBlocks])
 
   const isProviderAllowed = useCallback(
     (providerId: string) =>

From a0fae05a63473283d2bd881ba3167e5862c7fe73 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:24:49 -0700
Subject: [PATCH 5/8] fix(access-control): scope Platform Select/Deselect All
 to the search filter

The Platform tab's bulk Select/Deselect All toggled every feature regardless of the active search, unlike the Blocks tab which scopes its per-section toggle to the filtered view. Both the all-visible check and the bulk update now operate on filteredPlatformFeatures for consistent behavior while searching.
---
 apps/sim/ee/access-control/components/group-detail.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index d6b9c67b0fd..80dc73ef0d8 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -1255,7 +1255,7 @@ export function GroupDetail({
 
   const coreBlocksAllAllowed = filteredCoreBlocks.every((b) => isIntegrationAllowed(b.type))
   const toolBlocksAllAllowed = filteredToolBlocks.every((b) => isIntegrationAllowed(b.type))
-  const platformAllVisible = platformFeatures.every((f) => !editingConfig[f.configKey])
+  const platformAllVisible = filteredPlatformFeatures.every((f) => !editingConfig[f.configKey])
 
   return (
     <>
@@ -1580,7 +1580,7 @@ export function GroupDetail({
                       setEditingConfig((prev) => ({
                         ...prev,
                         ...Object.fromEntries(
-                          platformFeatures.map((f) => [f.configKey, platformAllVisible])
+                          filteredPlatformFeatures.map((f) => [f.configKey, platformAllVisible])
                         ),
                       }))
                     }

From 58e8895d5ed3bed7629475adf61dbf682d4db781 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:32:54 -0700
Subject: [PATCH 6/8] fix(access-control): scope Model Providers
 Select/Deselect All to the search filter

Like the Platform fix, the Providers tab's bulk action toggled every provider via allProviderIds regardless of the active search. Added setProvidersAllowed (mirroring setBlocksAllowed) so the bulk toggle and its label operate on filteredProviders, keeping all three tabs (Blocks/Platform/Providers) consistent while searching.
---
 .../components/group-detail.tsx               | 42 ++++++++++++-------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index 80dc73ef0d8..de05b670185 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -1019,6 +1019,28 @@ export function GroupDetail({
     [allProviderIds]
   )
 
+  /** Allow or deny a set of providers at once, respecting the active search filter. */
+  const setProvidersAllowed = useCallback(
+    (providerIds: string[], allowed: boolean) => {
+      setEditingConfig((prev) => {
+        const current =
+          prev.allowedModelProviders === null
+            ? new Set(allProviderIds)
+            : new Set(prev.allowedModelProviders)
+        for (const id of providerIds) {
+          if (allowed) current.add(id)
+          else current.delete(id)
+        }
+        const nextArr = allProviderIds.filter((id) => current.has(id))
+        return {
+          ...prev,
+          allowedModelProviders: nextArr.length === allProviderIds.length ? null : nextArr,
+        }
+      })
+    },
+    [allProviderIds]
+  )
+
   const isModelAllowed = useCallback(
     (model: string) => {
       const normalized = model.toLowerCase()
@@ -1253,6 +1275,7 @@ export function GroupDetail({
     []
   )
 
+  const filteredProvidersAllAllowed = filteredProviders.every((id) => isProviderAllowed(id))
   const coreBlocksAllAllowed = filteredCoreBlocks.every((b) => isIntegrationAllowed(b.type))
   const toolBlocksAllAllowed = filteredToolBlocks.every((b) => isIntegrationAllowed(b.type))
   const platformAllVisible = filteredPlatformFeatures.every((f) => !editingConfig[f.configKey])
@@ -1431,22 +1454,11 @@ export function GroupDetail({
                     className='min-w-0 flex-1'
                   />
                   <Chip
-                    onClick={() => {
-                      const allAllowed =
-                        editingConfig.allowedModelProviders === null ||
-                        allProviderIds.every((id) =>
-                          editingConfig.allowedModelProviders?.includes(id)
-                        )
-                      setEditingConfig((prev) => ({
-                        ...prev,
-                        allowedModelProviders: allAllowed ? [] : null,
-                      }))
-                    }}
+                    onClick={() =>
+                      setProvidersAllowed(filteredProviders, !filteredProvidersAllAllowed)
+                    }
                   >
-                    {editingConfig.allowedModelProviders === null ||
-                    allProviderIds.every((id) => editingConfig.allowedModelProviders?.includes(id))
-                      ? 'Deselect All'
-                      : 'Select All'}
+                    {filteredProvidersAllAllowed ? 'Deselect All' : 'Select All'}
                   </Chip>
                 </div>
                 <div className='flex flex-col gap-0.5'>

From 887e0097227440580037b9945db3d9b64b935a42 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:44:14 -0700
Subject: [PATCH 7/8] fix(access-control): don't seed a denied operation as a
 block's default

The operation dropdown hides denied tools from the picker, but defaultOptionValue returned the block's defaultValue without checking deniedOperationIds, so a new block could start on an operation the user isn't allowed to run. It now falls back to the first allowed option when the configured default is denied. Existing stored operation values are intentionally left untouched (auto-rewriting a user's saved block would be destructive; the server remains the authoritative gate).
---
 .../sub-block/components/dropdown/dropdown.tsx   | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
index 1aad573c91c..0e212c45609 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
@@ -260,17 +260,19 @@ export const Dropdown = memo(function Dropdown({
 
   const defaultOptionValue = useMemo(() => {
     if (multiSelect) return undefined
-    if (defaultValue !== undefined) {
-      return defaultValue
-    }
 
     const firstSelectable = comboboxOptions.find((opt) => !opt.hidden)
-    if (firstSelectable) {
-      return firstSelectable.value
+    if (defaultValue !== undefined) {
+      // Never seed a permission-denied operation as the default; fall back to the
+      // first allowed option so a new block doesn't start on a disallowed value.
+      if (deniedOperationIds.has(defaultValue)) {
+        return firstSelectable?.value
+      }
+      return defaultValue
     }
 
-    return undefined
-  }, [defaultValue, comboboxOptions, multiSelect])
+    return firstSelectable?.value
+  }, [defaultValue, comboboxOptions, deniedOperationIds, multiSelect])
 
   useEffect(() => {
     if (multiSelect || defaultOptionValue === undefined) {

From f9627ede6a34937e44c3b4b4a1430aaefa9fd976 Mon Sep 17 00:00:00 2001
From: waleed <walif6@gmail.com>
Date: Thu, 25 Jun 2026 15:54:26 -0700
Subject: [PATCH 8/8] chore(access-control): prefer TSDoc over inline comments

Convert declaration-level rationale comments to TSDoc (/** */) and trim redundant/verbose inline comments added during review, per the project's TSDoc convention.
---
 .../components/dropdown/dropdown.tsx          |  6 ++----
 .../components/access-control.tsx             | 10 ++++++----
 .../components/group-detail.tsx               | 20 +++++++++----------
 apps/sim/tools/index.ts                       |  6 ++----
 4 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
index 0e212c45609..edf87395914 100644
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/dropdown/dropdown.tsx
@@ -233,8 +233,7 @@ export const Dropdown = memo(function Dropdown({
         const toolId = selectTool({ operation: optionId })
         if (toolId && !isToolAllowed(toolId)) denied.add(optionId)
       } catch {
-        // Selector couldn't resolve a tool from the operation alone — leave the
-        // option visible; runtime enforcement still applies.
+        // Unresolvable from the operation alone — leave it visible; the server still enforces.
       }
     }
     return denied
@@ -263,8 +262,7 @@ export const Dropdown = memo(function Dropdown({
 
     const firstSelectable = comboboxOptions.find((opt) => !opt.hidden)
     if (defaultValue !== undefined) {
-      // Never seed a permission-denied operation as the default; fall back to the
-      // first allowed option so a new block doesn't start on a disallowed value.
+      // Don't seed a denied operation as the default; use the first allowed option.
       if (deniedOperationIds.has(defaultValue)) {
         return firstSelectable?.value
       }
diff --git a/apps/sim/ee/access-control/components/access-control.tsx b/apps/sim/ee/access-control/components/access-control.tsx
index 91be65dfdb4..6ac886fec28 100644
--- a/apps/sim/ee/access-control/components/access-control.tsx
+++ b/apps/sim/ee/access-control/components/access-control.tsx
@@ -35,10 +35,12 @@ export function AccessControl() {
   const params = useParams()
   const workspaceId = typeof params?.workspaceId === 'string' ? params.workspaceId : undefined
 
-  // Access control is governed by the workspace's OWNING organization, which may
-  // differ from the caller's active org (e.g. external members). Resolve the org
-  // id and the caller's admin status server-side from the workspace so gating is
-  // never keyed off the session's active org.
+  /**
+   * Access control is governed by the workspace's OWNING organization, which may
+   * differ from the caller's active org (e.g. external members). Resolve the org
+   * id and the caller's admin status server-side from the workspace so gating is
+   * never keyed off the session's active org.
+   */
   const { data: userPermissionConfig, isPending: entitlementLoading } =
     useUserPermissionConfig(workspaceId)
   const organizationId = userPermissionConfig?.organizationId ?? undefined
diff --git a/apps/sim/ee/access-control/components/group-detail.tsx b/apps/sim/ee/access-control/components/group-detail.tsx
index de05b670185..5477c7a0fa9 100644
--- a/apps/sim/ee/access-control/components/group-detail.tsx
+++ b/apps/sim/ee/access-control/components/group-detail.tsx
@@ -577,9 +577,11 @@ export function GroupDetail({
   const removeMember = useRemovePermissionGroupMember()
   const bulkAddMembers = useBulkAddPermissionGroupMembers()
 
-  // Local, authoritative copy of the group while the detail view is open. Seeded
-  // from the prop and re-seeded only when the selected group id changes, so
-  // optimistic scope/default/config writes are not clobbered by list refetches.
+  /**
+   * Local, authoritative copy of the group while the detail view is open. Seeded
+   * from the prop and re-seeded only when the selected group id changes, so
+   * optimistic scope/default/config writes are not clobbered by list refetches.
+   */
   const [viewingGroup, setViewingGroup] = useState<PermissionGroup>(group)
   const [editingConfig, setEditingConfig] = useState<PermissionGroupConfig>({ ...group.config })
   const prevGroupIdRef = useRef(group.id)
@@ -589,9 +591,11 @@ export function GroupDetail({
     setEditingConfig({ ...group.config })
   }
 
-  // Monotonic token for scope-affecting writes (workspace select + default
-  // toggle). Only the most recent write may reconcile or revert the local
-  // group, so rapid multi-select toggles can't settle on a stale response.
+  /**
+   * Monotonic token for scope-affecting writes (workspace select + default
+   * toggle). Only the most recent write may reconcile or revert the local
+   * group, so rapid multi-select toggles can't settle on a stale response.
+   */
   const scopeWriteSeqRef = useRef(0)
 
   const [configTab, setConfigTab] = useState<ConfigTab>('general')
@@ -888,8 +892,6 @@ export function GroupDetail({
       const allowed = new Set(allowedIntegrations)
       const pruned = deniedTools.filter((toolId) => {
         const blockTypes = toolBlockTypes[toolId]
-        // Keep the denial while ANY block exposing the tool is still allowed;
-        // preserve tools we can't attribute to a known block.
         return !blockTypes || blockTypes.some((bt) => allowed.has(bt))
       })
       return pruned.length === deniedTools.length ? deniedTools : pruned
@@ -1767,8 +1769,6 @@ export function GroupDetail({
           primaryAction={{
             label: updatePermissionGroup.isPending ? 'Saving...' : 'Save Changes',
             onClick: async () => {
-              // Only leave once the save actually succeeds; a failed save keeps
-              // the dialog open with the edits intact (error surfaced via toast).
               const saved = await handleSaveConfig()
               if (saved) {
                 setShowUnsavedChanges(false)
diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
index 7f3cdc1b56e..2ee548a4324 100644
--- a/apps/sim/tools/index.ts
+++ b/apps/sim/tools/index.ts
@@ -936,10 +936,8 @@ export async function executeTool(
             ? 'mcp'
             : undefined
 
-    // Single chokepoint for every tool execution. Asserts both the tool-kind
-    // gates (mcp/custom/skill) and the per-tool denylist (`deniedTools`), so an
-    // admin can allow an integration block yet deny specific operations within
-    // it. Runs for all tools, not just kinded ones.
+    // Runs for ALL tools (not just kinded ones) so the per-tool `deniedTools`
+    // denylist is enforced alongside the existing mcp/custom/skill gates.
     if (scope.userId && scope.workspaceId) {
       await assertPermissionsAllowed({
         userId: scope.userId,