feat(box): SaaS guard to force a single global sandbox scope

Add system.limitation.force_box_session_id_template: when non-empty it overrides every pipeline's box-session-id-template at resolve time, pinning all queries to one shared sandbox (e.g. {global}). This is the authoritative, unbypassable guard — it runs on every exec call, so editing the pipeline config via API cannot escape it. The web UI locks the Sandbox Scope selector via a combined box_scope_editable flag (box available AND not forced).
2026-06-11 16:26:02 +00:00 · 2026-06-08 06:38:52 -04:00
parent c460bd7814
commit 3b5e89f17f
6 changed files with 138 additions and 20 deletions
--- a/web/src/app/home/pipelines/components/pipeline-form/PipelineFormComponent.tsx
+++ b/web/src/app/home/pipelines/components/pipeline-form/PipelineFormComponent.tsx
@@ -8,6 +8,7 @@ import {
 import DynamicFormComponent from '@/app/home/components/dynamic-form/DynamicFormComponent';
 import N8nAuthFormComponent from '@/app/home/components/dynamic-form/N8nAuthFormComponent';
 import { useBoxStatus } from '@/app/infra/hooks/useBoxStatus';
+import { systemInfo } from '@/app/infra/http';
 import { Button } from '@/components/ui/button';
 import { useForm } from 'react-hook-form';
 import { zodResolver } from '@hookform/resolvers/zod';
@@ -420,9 +421,20 @@ export default function PipelineFormComponent({
    // opt-in via ``disable_if`` + ``disabled_tooltip`` rather than every page
    // hard-coding a banner. Field-level gating keeps unrelated fields
    // untouched.
+    //
+    // ``box_scope_editable`` folds the two reasons the Sandbox Scope selector
+    // can be locked into a single flag the yaml ``disable_if`` consumes:
+    //   1. Box sandbox is unavailable, or
+    //   2. the deployment pins all pipelines to a fixed scope via
+    //      ``system.limitation.force_box_session_id_template`` (SaaS).
+    const boxScopeForced =
+      !!systemInfo.limitation?.force_box_session_id_template;
    const stageSystemContext =
      stage.name === 'local-agent'
-        ? { box_available: boxAvailable }
+        ? {
+            box_available: boxAvailable,
+            box_scope_editable: boxAvailable && !boxScopeForced,
+          }
        : undefined;

    return (
--- a/web/src/app/infra/entities/api/index.ts
+++ b/web/src/app/infra/entities/api/index.ts
@@ -325,6 +325,10 @@ export interface SystemLimitation {
  max_bots: number;
  max_pipelines: number;
  max_extensions: number;
+  /** When non-empty, every pipeline is forced to this Box sandbox-scope
+   *  template (e.g. ``{global}``) and the per-pipeline "Sandbox Scope"
+   *  selector is locked. Used by SaaS deployments. Empty = no restriction. */
+  force_box_session_id_template?: string;
 }

 export interface WizardProgress {