v0.6.1: added better auth admin plugin

[waleedlatif1]

• fix(mothership): fix tool call scheduling (fix(mothership): fix tool call scheduling #3635)
• feat(auth): migrate to better-auth admin plugin with unified Admin tab (feat(auth): migrate to better-auth admin plugin with unified Admin tab #3612)

[cursor]

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Mar 17, 2026 10:07pm

[greptile-apps]

Greptile Summary

This PR migrates the admin/super-user system from a custom isSuperUser boolean field to the better-auth admin plugin, giving a unified Admin tab in settings with user management (list, ban/unban, promote/demote), workflow import, and super-admin mode toggle. It also includes a fix for tool-call scheduling in the copilot SSE orchestrator and adds BLOCKED_SIGNUP_DOMAINS support.

Key changes:

• DB migration (0177_wise_puma.sql) replaces is_super_user with a role text column (user/admin), backfilling existing super-users, and adds banned/ban_reason/ban_expires + session.impersonated_by columns for the admin plugin.
• All previous isSuperUser checks (API route, hooks, server-side verifyEffectiveSuperUser, templates page) are replaced with role === 'admin'.
• The custom /api/user/super-user endpoint and useSuperUserStatus hook are deleted in favour of the session token carrying the role field — eliminating a redundant round-trip on every page load.
• superUserModeEnabled default corrected from true → false to prevent unintended admin mode activation.
• One issue found: In settings.tsx, the admin-section redirect guard evaluates to false while sessionLoading is true, causing <Admin /> (or its skeleton) to render transiently for non-admin users who navigate directly to /settings/admin. The fix is to include sessionLoading in the redirect condition.

Confidence Score: 4/5

• Safe to merge with a minor fix — all admin API calls are server-side protected, but the UI transiently shows the Admin skeleton to non-admin users during session load.
• The migration is well-structured: the DB data migration is correct, server-side permission checks use the new role field consistently, and the better-auth admin plugin handles API-level auth for all admin actions. The main concern is a one-liner UX/security-in-depth issue in the client-side route guard. The tool-call scheduling fix is correct and clearly scoped.
• apps/sim/app/workspace/[workspaceId]/settings/[section]/settings.tsx — admin section guard needs sessionLoading included in the redirect condition.

Important Files Changed

Filename	Overview
apps/sim/app/workspace/[workspaceId]/settings/[section]/settings.tsx	Replaces Debug with the new Admin section; adds session-based role guard, but Admin component transiently renders for non-admin users while the session is still loading.
apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx	New Admin panel combining super-user mode toggle, workflow import, and paginated user management with ban/unban/promote actions; minor type-assertion issue in pendingUserIds memo.
apps/sim/lib/auth/auth.ts	Adds admin() plugin, BLOCKED_SIGNUP_DOMAINS env-var enforcement via both onRequest middleware and a databaseHooks.user.create.before hook for defence-in-depth; looks correct.
apps/sim/hooks/queries/admin-users.ts	New query/mutation hooks wrapping client.admin for listing, role-setting, banning, and unbanning users; follows established query-key factory pattern correctly.
packages/db/migrations/0177_wise_puma.sql	Migrates is_super_user boolean to the better-auth role text column (seeding existing super-users as admin), adds banned/ban_reason/ban_expires columns, and adds impersonated_by to sessions. Data migration is correct.
apps/sim/lib/copilot/orchestrator/sse/handlers/handlers.ts	Fixes tool-call scheduling: client-executable tools that are also available server-side now use fireToolExecution() instead of waiting for client completion, preventing scheduling deadlocks.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User navigates to /settings/admin] --> B{sessionLoading?}
    B -- true --> C[effectiveSection = 'admin'\nAdmin skeleton renders ⚠️]
    C --> D{Session resolves}
    D -- role === 'admin' --> E[Admin panel loads fully]
    D -- role !== 'admin' --> F[Redirect → effectiveSection = 'general']
    B -- false --> G{role === 'admin'?}
    G -- yes --> E
    G -- no --> F

    E --> H[Super-admin mode toggle\nuseGeneralSettings]
    E --> I[Workflow import\nuseImportWorkflow]
    E --> J[User management\nuseAdminUsers via client.admin.listUsers]
    J --> K[Promote / Demote\nclient.admin.setRole]
    J --> L[Ban / Unban\nclient.admin.banUser / unbanUser]

    style C fill:#ffcccc,stroke:#ff0000

Loading

_{Last reviewed commit: 25a03f1}

[greptile-apps]

Admin section renders briefly for non-admin users

When sessionLoading is true and section === 'admin', the condition section === 'admin' && !sessionLoading && !isAdminRole evaluates to false (because !sessionLoading is false), so effectiveSection stays as 'admin' and <Admin /> is rendered — showing its skeleton to a potentially non-admin user until the session resolves.

This means a non-admin user who navigates directly to /settings/admin will briefly see the AdminSkeleton before being redirected to general. A safer pattern is to treat a loading session the same as a non-admin session for this section:

Suggested change

	const effectiveSection =
	!isBillingEnabled && (section === 'subscription' || section === 'team') ? 'general' : section
	!isBillingEnabled && (section === 'subscription' || section === 'team')
	? 'general'
	: section === 'admin' && !sessionLoading && !isAdminRole
	? 'general'
	: section
	const effectiveSection =
	!isBillingEnabled && (section === 'subscription' || section === 'team')
	? 'general'
	: section === 'admin' && (sessionLoading || !isAdminRole)
	? 'general'
	: section

This ensures non-admin users never see any part of the Admin UI, even transiently. Admins will still see the General section skeleton briefly while the session loads, but that is less sensitive than leaking the Admin skeleton.

[greptile-apps]

Unnecessary type assertions on mutation variables

TanStack Query v5 types variables as TVariables | undefined when a mutation is in-flight, but the hook already knows the shape. The explicit casts to { userId?: string } and { userId: string } bypass the inferred types and can silently hide future mismatches. Since setUserRole.isPending already guards the path, you can rely on the inferred types directly:

Suggested change

	const pendingUserIds = useMemo(() => {
	const ids = new Set<string>()
	if (setUserRole.isPending && (setUserRole.variables as { userId?: string })?.userId)
	ids.add((setUserRole.variables as { userId: string }).userId)
	if (banUser.isPending && (banUser.variables as { userId?: string })?.userId)
	ids.add((banUser.variables as { userId: string }).userId)
	if (unbanUser.isPending && (unbanUser.variables as { userId?: string })?.userId)
	ids.add((unbanUser.variables as { userId: string }).userId)
	return ids
	}, [
	setUserRole.isPending,
	setUserRole.variables,
	banUser.isPending,
	banUser.variables,
	unbanUser.isPending,
	unbanUser.variables,
	])
	const pendingUserIds = useMemo(() => {
	const ids = new Set<string>()
	if (setUserRole.isPending && setUserRole.variables?.userId)
	ids.add(setUserRole.variables.userId)
	if (banUser.isPending && banUser.variables?.userId)
	ids.add(banUser.variables.userId)
	if (unbanUser.isPending && unbanUser.variables?.userId)
	ids.add(unbanUser.variables.userId)
	return ids
	}, [
	setUserRole.isPending,
	setUserRole.variables,
	banUser.isPending,
	banUser.variables,
	unbanUser.isPending,
	unbanUser.variables,
	])