refactor(logs): single-scope PII rules with most-specific-wins resolution

Each rule now targets one scope — all workspaces (workspaceId: null) or a single
workspace — with workspaceId unique across rules. Resolution is most-specific-wins
(a workspace's own rule overrides the all rule), not union; an empty specific rule
exempts that workspace. Matches Access Control's resolveWorkspaceGroup precedence.
UI 'Applies to' becomes a single-select; Add rule disables when all scopes are taken.

Author: TheodoreSpeaks

apps/sim/ee/data-retention/components/data-retention-settings.tsx

@@ -8,7 +8,6 @@ import { Plus } from 'lucide-react'
 import {
   Checkbox,
   Chip,
-  ChipDropdown,
   ChipInput,
   ChipModal,
   ChipModalBody,
@@ -35,6 +34,9 @@ import { useWorkspacesQuery } from '@/hooks/queries/workspace'
 
 const logger = createLogger('DataRetentionSettings')
 
+/** Sentinel ChipSelect value representing the all-workspaces scope (`workspaceId: null`). */
+const ALL_WORKSPACES = '__all__'
+
 const DAY_OPTIONS = [
   { value: '1', label: '1 day' },
   { value: '3', label: '3 days' },
@@ -54,8 +56,8 @@ interface RuleDraft {
   id: string
   name: string
   entityTypes: string[]
-  appliesToAllWorkspaces: boolean
-  workspaceIds: string[]
+  /** null = all workspaces; otherwise the single targeted workspace. */
+  workspaceId: string | null
 }
 
 function hoursToDisplayDays(hours: number | null): string {
@@ -72,8 +74,7 @@ function normalizeRule(rule: RuleDraft): string {
   return JSON.stringify({
     name: rule.name.trim(),
     entityTypes: [...rule.entityTypes].sort(),
-    appliesToAllWorkspaces: rule.appliesToAllWorkspaces,
-    workspaceIds: rule.appliesToAllWorkspaces ? [] : [...rule.workspaceIds].sort(),
+    workspaceId: rule.workspaceId,
   })
 }
 
@@ -82,12 +83,6 @@ function entitySummary(rule: RuleDraft): string {
   return `${rule.entityTypes.length} entity type${rule.entityTypes.length === 1 ? '' : 's'}`
 }
 
-function workspaceSummary(rule: RuleDraft): string {
-  if (rule.appliesToAllWorkspaces) return 'All workspaces'
-  const n = rule.workspaceIds.length
-  return `${n} workspace${n === 1 ? '' : 's'}`
-}
-
 interface RetentionSelectProps {
   value: string
   onChange: (value: string) => void
@@ -189,7 +184,8 @@ interface RuleModalProps {
   draft: RuleDraft
   isNew: boolean
   isSaving: boolean
-  workspaceOptions: { value: string; label: string }[]
+  /** Selectable scopes for this rule (excludes scopes taken by other rules). */
+  scopeOptions: { value: string; label: string }[]
   onChange: (draft: RuleDraft) => void
   onClose: () => void
   onSave: () => void
@@ -199,7 +195,7 @@ function RuleModal({
   draft,
   isNew,
   isSaving,
-  workspaceOptions,
+  scopeOptions,
   onChange,
   onClose,
   onSave,
@@ -218,22 +214,12 @@ function RuleModal({
           placeholder='e.g., Mask customer contact info'
         />
         <ChipModalField type='custom' title='Applies to'>
-          <ChipDropdown
-            multiple
-            searchable
-            value={draft.workspaceIds}
-            onChange={(workspaceIds) =>
-              onChange({
-                ...draft,
-                workspaceIds,
-                appliesToAllWorkspaces: workspaceIds.length === 0,
-              })
+          <ChipSelect
+            value={draft.workspaceId ?? ALL_WORKSPACES}
+            onChange={(value) =>
+              onChange({ ...draft, workspaceId: value === ALL_WORKSPACES ? null : value })
             }
-            options={workspaceOptions}
-            allLabel='All workspaces'
-            placeholder='All workspaces'
-            searchPlaceholder='Search workspaces'
-            matchTriggerWidth={false}
+            options={scopeOptions}
             align='start'
           />
         </ChipModalField>
@@ -305,8 +291,7 @@ export function DataRetentionSettings() {
         id: r.id,
         name: r.name ?? '',
         entityTypes: r.entityTypes,
-        appliesToAllWorkspaces: r.appliesToAllWorkspaces,
-        workspaceIds: r.workspaceIds,
+        workspaceId: r.workspaceId,
       }))
     )
     formInitializedRef.current = true
@@ -318,6 +303,27 @@ export function DataRetentionSettings() {
     modalOriginal !== null &&
     normalizeRule(modalDraft) !== normalizeRule(modalOriginal)
 
+  // Scope availability: at most one all-workspaces rule and one rule per workspace.
+  const allScopeTaken = rules.some((r) => r.workspaceId === null)
+  const takenWorkspaceIds = new Set(
+    rules.flatMap((r) => (r.workspaceId === null ? [] : [r.workspaceId]))
+  )
+  const freeWorkspaces = workspaceOptions.filter((w) => !takenWorkspaceIds.has(w.value))
+  const hasAvailableScope = !allScopeTaken || freeWorkspaces.length > 0
+
+  /** Scopes selectable for `draft` — excludes scopes taken by OTHER rules. */
+  function scopeOptionsForDraft(draft: RuleDraft): { value: string; label: string }[] {
+    const others = rules.filter((r) => r.id !== draft.id)
+    const otherAll = others.some((r) => r.workspaceId === null)
+    const otherWs = new Set(others.flatMap((r) => (r.workspaceId === null ? [] : [r.workspaceId])))
+    const options: { value: string; label: string }[] = []
+    if (!otherAll) options.push({ value: ALL_WORKSPACES, label: 'All workspaces' })
+    for (const w of workspaceOptions) {
+      if (!otherWs.has(w.value)) options.push(w)
+    }
+    return options
+  }
+
   async function persistRules(nextRules: RuleDraft[]) {
     if (!orgId) return
     await updateMutation.mutateAsync({
@@ -328,8 +334,7 @@ export function DataRetentionSettings() {
             id: r.id,
             name: r.name.trim() || undefined,
             entityTypes: r.entityTypes,
-            appliesToAllWorkspaces: r.appliesToAllWorkspaces,
-            workspaceIds: r.appliesToAllWorkspaces ? [] : r.workspaceIds,
+            workspaceId: r.workspaceId,
           })),
         },
       },
@@ -342,8 +347,7 @@ export function DataRetentionSettings() {
       id: generateId(),
       name: '',
       entityTypes: [],
-      appliesToAllWorkspaces: true,
-      workspaceIds: [],
+      workspaceId: allScopeTaken ? (freeWorkspaces[0]?.value ?? null) : null,
     }
     setModalIsNew(true)
     setModalOriginal(blank)
@@ -506,10 +510,10 @@ export function DataRetentionSettings() {
                           {rule.name.trim() || 'Untitled rule'}
                         </span>
                         <span className='truncate text-[var(--text-muted)] text-caption'>
-                          {entitySummary(rule)} ·{' '}
-                          {rule.appliesToAllWorkspaces || rule.workspaceIds.length !== 1
-                            ? workspaceSummary(rule)
-                            : workspaceName(rule.workspaceIds[0])}
+                          {rule.workspaceId === null
+                            ? 'All workspaces'
+                            : workspaceName(rule.workspaceId)}{' '}
+                          · {entitySummary(rule)}
                         </span>
                       </div>
                       <div className='flex flex-shrink-0 items-center gap-2'>
@@ -526,7 +530,7 @@ export function DataRetentionSettings() {
                 </div>
               )}
               <div>
-                <Chip leftIcon={Plus} onClick={openAddRule}>
+                <Chip leftIcon={Plus} onClick={openAddRule} disabled={!hasAvailableScope}>
                   Add rule
                 </Chip>
               </div>
@@ -539,7 +543,7 @@ export function DataRetentionSettings() {
           draft={modalDraft}
           isNew={modalIsNew}
           isSaving={updateMutation.isPending}
-          workspaceOptions={workspaceOptions}
+          scopeOptions={scopeOptionsForDraft(modalDraft)}
           onChange={setModalDraft}
           onClose={requestCloseModal}
           onSave={saveModalRule}

apps/sim/lib/api/contracts/primitives.ts

@@ -85,21 +85,21 @@ export const userFileSchema = z
   })
   .passthrough()
 
-/** A single PII redaction rule targeting a set of workspaces. */
+/** A single PII redaction rule targeting one scope (all workspaces, or one). */
 export const piiRedactionRuleSchema = z.object({
   id: z.string().min(1),
   name: z.string().max(100).optional(),
-  /** Presidio entity types to mask. Empty = redact all detected PII. */
+  /** Presidio entity types to mask. Empty = redact nothing for this scope. */
   entityTypes: z.array(z.string().min(1, 'Entity type cannot be empty')).max(100),
-  appliesToAllWorkspaces: z.boolean(),
-  workspaceIds: z.array(z.string().min(1)).max(1000),
+  /** null = all workspaces; otherwise the single targeted workspace. */
+  workspaceId: z.string().min(1).nullable(),
 })
 
 export type PiiRedactionRule = z.output<typeof piiRedactionRuleSchema>
 
 /** Enterprise PII redaction policy applied to workflow logs on persist. */
 export const piiRedactionSettingsSchema = z.object({
-  rules: z.array(piiRedactionRuleSchema).max(100),
+  rules: z.array(piiRedactionRuleSchema).max(1000),
 })
 
 export type PiiRedactionSettings = z.output<typeof piiRedactionSettingsSchema>

apps/sim/lib/billing/retention.test.ts

@@ -0,0 +1,60 @@
+/**
+ * @vitest-environment node
+ */
+import type { DataRetentionSettings, PiiRedactionRule } from '@sim/db/schema'
+import { describe, expect, it } from 'vitest'
+import { resolveEffectivePiiRedaction } from '@/lib/billing/retention'
+
+function settings(rules: PiiRedactionRule[]): DataRetentionSettings {
+  return { piiRedaction: { rules } }
+}
+
+describe('resolveEffectivePiiRedaction', () => {
+  const allRule: PiiRedactionRule = {
+    id: 'r-all',
+    entityTypes: ['EMAIL_ADDRESS', 'PHONE_NUMBER'],
+    workspaceId: null,
+  }
+
+  it('applies the all-workspaces rule when the workspace has no specific rule', () => {
+    const result = resolveEffectivePiiRedaction({
+      orgSettings: settings([allRule]),
+      workspaceId: 'ws-1',
+    })
+    expect(result).toEqual({ enabled: true, entityTypes: ['EMAIL_ADDRESS', 'PHONE_NUMBER'] })
+  })
+
+  it('lets a workspace-specific rule override the all rule', () => {
+    const result = resolveEffectivePiiRedaction({
+      orgSettings: settings([allRule, { id: 'r-1', entityTypes: ['US_SSN'], workspaceId: 'ws-1' }]),
+      workspaceId: 'ws-1',
+    })
+    expect(result).toEqual({ enabled: true, entityTypes: ['US_SSN'] })
+  })
+
+  it('exempts a workspace when its specific rule has no entity types', () => {
+    const result = resolveEffectivePiiRedaction({
+      orgSettings: settings([allRule, { id: 'r-1', entityTypes: [], workspaceId: 'ws-1' }]),
+      workspaceId: 'ws-1',
+    })
+    expect(result).toEqual({ enabled: false, entityTypes: [] })
+  })
+
+  it('is disabled when no rule matches and there is no all rule', () => {
+    const result = resolveEffectivePiiRedaction({
+      orgSettings: settings([{ id: 'r-1', entityTypes: ['US_SSN'], workspaceId: 'ws-2' }]),
+      workspaceId: 'ws-1',
+    })
+    expect(result).toEqual({ enabled: false, entityTypes: [] })
+  })
+
+  it('is disabled when there are no rules', () => {
+    expect(
+      resolveEffectivePiiRedaction({ orgSettings: settings([]), workspaceId: 'ws-1' })
+    ).toEqual({ enabled: false, entityTypes: [] })
+    expect(resolveEffectivePiiRedaction({ orgSettings: null, workspaceId: 'ws-1' })).toEqual({
+      enabled: false,
+      entityTypes: [],
+    })
+  })
+})

apps/sim/lib/billing/retention.ts

@@ -13,10 +13,11 @@ export const DEFAULT_PII_REDACTION: EffectivePiiRedaction = {
 
 /**
  * Resolve the effective PII redaction policy for a workspace from the org-level
- * rules list: the entity types of every rule targeting the workspace are
- * unioned. A rule with no entity types selected redacts nothing (it contributes
- * nothing to the union), so an empty effective set means "redact nothing" —
- * never "redact everything". Defensive about the loosely-typed JSON column.
+ * rules list, most-specific-wins (never unioned): the workspace's own rule takes
+ * precedence over the all-workspaces rule (`workspaceId: null`). A resolved rule
+ * with no entity types redacts nothing — so a workspace-specific empty rule
+ * exempts that workspace, overriding the all rule. Defensive about the
+ * loosely-typed JSON column.
  */
 export function resolveEffectivePiiRedaction(params: {
   orgSettings: DataRetentionSettings | null | undefined
@@ -25,19 +26,13 @@ export function resolveEffectivePiiRedaction(params: {
   const rules = params.orgSettings?.piiRedaction?.rules
   if (!Array.isArray(rules) || rules.length === 0) return DEFAULT_PII_REDACTION
 
-  const applicable = rules.filter(
-    (rule) =>
-      rule?.appliesToAllWorkspaces === true ||
-      (Array.isArray(rule?.workspaceIds) && rule.workspaceIds.includes(params.workspaceId))
-  )
+  const rule =
+    rules.find((r) => r?.workspaceId === params.workspaceId) ??
+    rules.find((r) => r?.workspaceId == null)
 
-  const union = new Set<string>()
-  for (const rule of applicable) {
-    if (!Array.isArray(rule.entityTypes)) continue
-    for (const t of rule.entityTypes) {
-      if (typeof t === 'string') union.add(t)
-    }
-  }
-  if (union.size === 0) return DEFAULT_PII_REDACTION
-  return { enabled: true, entityTypes: [...union] }
+  const types = Array.isArray(rule?.entityTypes)
+    ? rule.entityTypes.filter((t): t is string => typeof t === 'string')
+    : []
+  if (types.length === 0) return DEFAULT_PII_REDACTION
+  return { enabled: true, entityTypes: types }
 }

packages/db/schema.ts

@@ -1065,19 +1065,18 @@ export const chat = pgTable(
 
 /**
  * A single PII redaction rule. Lives in the org-level
- * {@link DataRetentionSettings.piiRedaction} rules list. A workflow log is
- * redacted on persist if any rule targets its workspace; the applicable rules'
- * entity types are unioned (an empty `entityTypes` means "redact all").
+ * {@link DataRetentionSettings.piiRedaction} rules list. Each rule targets one
+ * scope — all workspaces (`workspaceId: null`) or a single workspace — and
+ * `workspaceId` is unique across rules. Resolution is most-specific-wins: a
+ * workspace's own rule overrides the all-workspaces rule (never unioned).
  */
 export interface PiiRedactionRule {
   id: string
   name?: string
-  /** Presidio entity types to mask. Empty = redact all detected PII. */
+  /** Presidio entity types to mask. Empty = redact nothing for this scope. */
   entityTypes: string[]
-  /** When true the rule covers every workspace in the org. */
-  appliesToAllWorkspaces: boolean
-  /** Targeted workspace ids when `appliesToAllWorkspaces` is false. */
-  workspaceIds: string[]
+  /** `null` = all workspaces; otherwise the single targeted workspace. */
+  workspaceId: string | null
 }
 
 /**