fix(misc): keep block-tool params selected across store replace, perms parity for delete

[icecrasher321]

Summary

• Treat synthetic tool-param subblocks as a strictly ephemeral, client-only
  projection of the canonical tool.params
• If write perm to create, need write to delete
• Extract KB ownership helpers

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 2, 2026 12:31am

[cursor]

PR Summary

Medium Risk
Broad permission tightening on delete and KB/file paths could block users who previously could delete with read or admin-only rules; changes are intentional but warrant regression checks on workspace roles.

Overview
Fixes block-based tool parameters (e.g. knowledge base selectors) clearing when the subblock store is wholesale-replaced, and aligns destructive actions with the permissions already required to create the same resources.

Tool input (editor): Per-tool param fields use shared helpers (buildToolSubBlockId, resolveToolParamSync) so synthetic subblock IDs stay a client-only mirror of canonical tool.params. Store updates that drop a synthetic key reproject from tool.params instead of wiping the param; real clears still mirror through. Collaborative sync skips these IDs so they are not persisted or undo-recorded as separate subblocks. Workflow change detection already filters synthetic IDs; new tests cover comparison behavior.

Permissions: verifyFileAccess gains requireWrite (workspace write/admin for workspace-scoped paths; delete route uses it). Folder delete, workflow delete, MCP server delete, schedule job create, and KB chunk update/delete move from admin-only or read-allowed to write/admin where appropriate; sidebar delete affordances follow canEdit instead of canAdmin. KB upload paths call recordKnowledgeBaseFileOwnership helpers so ownership metadata stays consistent.

^{Reviewed by Cursor Bugbot for commit d915597. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes two distinct bugs: block-tool param values being lost across store replaces (e.g. workflow switching), and delete operations requiring only read-level membership when they should require the same write permission as creation.

• Synthetic subblock reproject: ToolSubBlockRenderer now detects when a wholesale store replace drops a synthetic key (storeValue === undefined) and restores it from the canonical tool.params instead of clearing the param. Collaborative-workflow mutations filter synthetic IDs from the persistence queue and undo/redo records.
• Write-parity for destructive operations: workflow, folder, MCP server, file, chunk, and schedule creation routes now uniformly require write/admin permission for deletion, with UI delete controls gated on canEdit instead of canAdmin.
• Metadata consolidation: recordKnowledgeBaseFileOwnership[Many] wrappers are introduced to lock the context field so all upload paths (presigned, batch-presigned, multipart) cannot drift.

Confidence Score: 5/5

Safe to merge — both fix tracks are logically sound and well-tested, with no regressions identified in auth or state management paths.

The permission-parity changes are additive restrictions on destructive operations (write required where read was previously sufficient), backed by updated tests. The synthetic-subblock reproject cycle is properly terminated by syncedRef being set before setValue, preventing infinite subscription loops. File ownership short-circuits in verifyRegularFileAccess are preserved so file owners are unaffected by the write gate. No pre-existing undo/redo concern survives — persistedUpdates is now used for both the operation queue and the undo record.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/lib/workflows/tool-input/synthetic-subblocks.ts	Adds buildToolSubBlockId, resolveToolParamSync, and refines isSyntheticToolSubBlockId — the core logic for treating synthetic subblock IDs as ephemeral client-only projections
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tools/sub-block-renderer.tsx	Replaces manual stringification with resolveToolParamSync; adds reproject logic to restore params from canonical store after wholesale replace instead of clearing them
apps/sim/hooks/use-collaborative-workflow.ts	Filters synthetic subblock IDs from the persistence queue and undo/redo records in all three mutation paths
apps/sim/app/api/files/authorization.ts	Adds requireWrite option to verifyFileAccess and all downstream helpers via workspacePermissionSatisfies; correctly preserves ownership-based short-circuit for user-owned files
apps/sim/app/api/files/delete/route.ts	Passes { requireWrite: true } to verifyFileAccess for all non-KB delete operations, aligning delete permission with create permission
apps/sim/app/api/knowledge/utils.ts	Adds checkChunkWriteAccess mirroring checkChunkAccess but gating on checkKnowledgeBaseWriteAccess; used by chunk PUT and DELETE routes
apps/sim/lib/uploads/server/metadata.ts	Adds recordKnowledgeBaseFileOwnership and recordKnowledgeBaseFileOwnershipMany as typed wrappers that fix the context field, preventing callers from drifting
apps/sim/app/api/schedules/route.ts	Tightens schedule creation from any workspace membership to write/admin only, matching the parity theme of the PR
apps/sim/app/api/folders/[id]/route.ts	Relaxes folder delete from admin-only to write-or-admin, consistent with workflow and MCP server delete changes
apps/sim/lib/workflows/comparison/compare.test.ts	Adds four test cases verifying that synthetic subblock keys are ignored during workflow comparison while actual canonical param changes are still detected

_{Reviews (2): Last reviewed commit: "fix tests and extract kb ownership helpe..." | Re-trigger Greptile}

[icecrasher321]

bugbot run

[icecrasher321]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit d915597. Configure here.}