feat(enterprise): cloud whitelabeling for enterprise orgs (#4047)

* feat(enterprise): cloud whitelabeling for enterprise orgs

* fix(enterprise): scope enterprise plan check to target org in whitelabel PUT

* fix(enterprise): use isOrganizationOnEnterprisePlan for org-scoped enterprise check

* fix(enterprise): allow clearing whitelabel fields and guard against empty update result

* fix(enterprise): remove webp from logo accept attribute to match upload hook validation

* improvement(billing): use isBillingEnabled instead of isProd for plan gate bypasses

* fix(enterprise): show whitelabeling nav item when billing is enabled on non-hosted environments

* fix(enterprise): accept relative paths for logoUrl since upload API returns /api/files/serve/ paths

* fix(whitelabeling): prevent logo flash on refresh by hiding logo while branding loads

* fix(whitelabeling): wire hover color through CSS token on tertiary buttons

* fix(whitelabeling): show sim logo by default, only replace when org logo loads

* fix(whitelabeling): cache org logo url in localstorage to eliminate flash on repeat visits

* feat(whitelabeling): add wordmark support with drag/drop upload

* updated turbo

* fix(whitelabeling): defer localstorage read to effect to prevent hydration mismatch

* fix(whitelabeling): use layout effect for cache read to eliminate logo flash before paint

* fix(whitelabeling): cache theme css to eliminate color flash before org settings resolve

* fix(whitelabeling): deduplicate HEX_COLOR_REGEX into lib/branding and remove mutation from useCallback deps

* fix(whitelabeling): use cookie-based SSR cache to eliminate brand flash on all page loads

* fix(whitelabeling): use !orgSettings condition to fix SSR brand cache injection

React Query returns isLoading: false with data: undefined during SSR, so the
previous brandingLoading condition was always false on the server — initialCache
was never injected into brandConfig. Changing to !orgSettings correctly applies
the cookie cache both during SSR and while the client-side query loads, eliminating
the logo flash on hard refresh.

Author: waleedlatif1

apps/sim/app/_styles/globals.css

@@ -220,6 +220,7 @@ html[data-sidebar-collapsed] .sidebar-container .sidebar-collapse-btn {
     /* Brand & state */
     --brand-secondary: #33b4ff;
     --brand-accent: #33c482;
+    --brand-accent-hover: #2dac72;
     --selection: #1a5cf6;
     --warning: #ea580c;
 
@@ -375,6 +376,7 @@ html[data-sidebar-collapsed] .sidebar-container .sidebar-collapse-btn {
     /* Brand & state */
     --brand-secondary: #33b4ff;
     --brand-accent: #33c482;
+    --brand-accent-hover: #2dac72;
     --selection: #4b83f7;
     --warning: #ff6600;
 

apps/sim/app/api/organizations/[id]/whitelabel/route.ts

@@ -0,0 +1,213 @@
+import { db } from '@sim/db'
+import { member, organization } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
+import { getSession } from '@/lib/auth'
+import { isOrganizationOnEnterprisePlan } from '@/lib/billing/core/subscription'
+import { HEX_COLOR_REGEX } from '@/lib/branding'
+import type { OrganizationWhitelabelSettings } from '@/lib/branding/types'
+
+const logger = createLogger('WhitelabelAPI')
+
+const updateWhitelabelSchema = z.object({
+  brandName: z
+    .string()
+    .trim()
+    .max(64, 'Brand name must be 64 characters or fewer')
+    .nullable()
+    .optional(),
+  logoUrl: z.string().min(1).nullable().optional(),
+  wordmarkUrl: z.string().min(1).nullable().optional(),
+  primaryColor: z
+    .string()
+    .regex(HEX_COLOR_REGEX, 'Primary color must be a valid hex color (e.g. #701ffc)')
+    .nullable()
+    .optional(),
+  primaryHoverColor: z
+    .string()
+    .regex(HEX_COLOR_REGEX, 'Primary hover color must be a valid hex color')
+    .nullable()
+    .optional(),
+  accentColor: z
+    .string()
+    .regex(HEX_COLOR_REGEX, 'Accent color must be a valid hex color')
+    .nullable()
+    .optional(),
+  accentHoverColor: z
+    .string()
+    .regex(HEX_COLOR_REGEX, 'Accent hover color must be a valid hex color')
+    .nullable()
+    .optional(),
+  supportEmail: z
+    .string()
+    .email('Support email must be a valid email address')
+    .nullable()
+    .optional(),
+  documentationUrl: z.string().url('Documentation URL must be a valid URL').nullable().optional(),
+  termsUrl: z.string().url('Terms URL must be a valid URL').nullable().optional(),
+  privacyUrl: z.string().url('Privacy URL must be a valid URL').nullable().optional(),
+  hidePoweredBySim: z.boolean().optional(),
+})
+
+/**
+ * GET /api/organizations/[id]/whitelabel
+ * Returns the organization's whitelabel settings.
+ * Accessible by any member of the organization.
+ */
+export async function GET(_request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const session = await getSession()
+
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: organizationId } = await params
+
+    const [memberEntry] = await db
+      .select({ id: member.id })
+      .from(member)
+      .where(and(eq(member.organizationId, organizationId), eq(member.userId, session.user.id)))
+      .limit(1)
+
+    if (!memberEntry) {
+      return NextResponse.json(
+        { error: 'Forbidden - Not a member of this organization' },
+        { status: 403 }
+      )
+    }
+
+    const [org] = await db
+      .select({ whitelabelSettings: organization.whitelabelSettings })
+      .from(organization)
+      .where(eq(organization.id, organizationId))
+      .limit(1)
+
+    if (!org) {
+      return NextResponse.json({ error: 'Organization not found' }, { status: 404 })
+    }
+
+    return NextResponse.json({
+      success: true,
+      data: (org.whitelabelSettings ?? {}) as OrganizationWhitelabelSettings,
+    })
+  } catch (error) {
+    logger.error('Failed to get whitelabel settings', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+/**
+ * PUT /api/organizations/[id]/whitelabel
+ * Updates the organization's whitelabel settings.
+ * Requires enterprise plan and owner/admin role.
+ */
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const session = await getSession()
+
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: organizationId } = await params
+
+    const body = await request.json()
+    const parsed = updateWhitelabelSchema.safeParse(body)
+
+    if (!parsed.success) {
+      return NextResponse.json(
+        { error: parsed.error.errors[0]?.message ?? 'Invalid request body' },
+        { status: 400 }
+      )
+    }
+
+    const [memberEntry] = await db
+      .select({ role: member.role })
+      .from(member)
+      .where(and(eq(member.organizationId, organizationId), eq(member.userId, session.user.id)))
+      .limit(1)
+
+    if (!memberEntry) {
+      return NextResponse.json(
+        { error: 'Forbidden - Not a member of this organization' },
+        { status: 403 }
+      )
+    }
+
+    if (memberEntry.role !== 'owner' && memberEntry.role !== 'admin') {
+      return NextResponse.json(
+        { error: 'Forbidden - Only organization owners and admins can update whitelabel settings' },
+        { status: 403 }
+      )
+    }
+
+    const hasEnterprisePlan = await isOrganizationOnEnterprisePlan(organizationId)
+
+    if (!hasEnterprisePlan) {
+      return NextResponse.json(
+        { error: 'Whitelabeling is available on Enterprise plans only' },
+        { status: 403 }
+      )
+    }
+
+    const [currentOrg] = await db
+      .select({ name: organization.name, whitelabelSettings: organization.whitelabelSettings })
+      .from(organization)
+      .where(eq(organization.id, organizationId))
+      .limit(1)
+
+    if (!currentOrg) {
+      return NextResponse.json({ error: 'Organization not found' }, { status: 404 })
+    }
+
+    const current: OrganizationWhitelabelSettings = currentOrg.whitelabelSettings ?? {}
+    const incoming = parsed.data
+
+    const merged: OrganizationWhitelabelSettings = { ...current }
+
+    for (const key of Object.keys(incoming) as Array<keyof typeof incoming>) {
+      const value = incoming[key]
+      if (value === null) {
+        delete merged[key as keyof OrganizationWhitelabelSettings]
+      } else if (value !== undefined) {
+        ;(merged as Record<string, unknown>)[key] = value
+      }
+    }
+
+    const [updated] = await db
+      .update(organization)
+      .set({ whitelabelSettings: merged, updatedAt: new Date() })
+      .where(eq(organization.id, organizationId))
+      .returning({ whitelabelSettings: organization.whitelabelSettings })
+
+    if (!updated) {
+      return NextResponse.json({ error: 'Organization not found' }, { status: 404 })
+    }
+
+    recordAudit({
+      workspaceId: null,
+      actorId: session.user.id,
+      action: AuditAction.ORGANIZATION_UPDATED,
+      resourceType: AuditResourceType.ORGANIZATION,
+      resourceId: organizationId,
+      actorName: session.user.name ?? undefined,
+      actorEmail: session.user.email ?? undefined,
+      resourceName: currentOrg.name,
+      description: 'Updated organization whitelabel settings',
+      metadata: { changes: Object.keys(incoming) },
+      request,
+    })
+
+    return NextResponse.json({
+      success: true,
+      data: (updated.whitelabelSettings ?? {}) as OrganizationWhitelabelSettings,
+    })
+  } catch (error) {
+    logger.error('Failed to update whitelabel settings', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}

apps/sim/app/workspace/[workspaceId]/layout.tsx

@@ -1,3 +1,4 @@
+import { cookies } from 'next/headers'
 import { ToastProvider } from '@/components/emcn'
 import { NavTour } from '@/app/workspace/[workspaceId]/components/product-tour'
 import { ImpersonationBanner } from '@/app/workspace/[workspaceId]/impersonation-banner'
@@ -7,31 +8,45 @@ import { SettingsLoader } from '@/app/workspace/[workspaceId]/providers/settings
 import { WorkspacePermissionsProvider } from '@/app/workspace/[workspaceId]/providers/workspace-permissions-provider'
 import { WorkspaceScopeSync } from '@/app/workspace/[workspaceId]/providers/workspace-scope-sync'
 import { Sidebar } from '@/app/workspace/[workspaceId]/w/components/sidebar/sidebar'
+import {
+  BRAND_COOKIE_NAME,
+  type BrandCache,
+  BrandingProvider,
+} from '@/ee/whitelabeling/components/branding-provider'
+
+export default async function WorkspaceLayout({ children }: { children: React.ReactNode }) {
+  const cookieStore = await cookies()
+  let initialCache: BrandCache | null = null
+  try {
+    const raw = cookieStore.get(BRAND_COOKIE_NAME)?.value
+    if (raw) initialCache = JSON.parse(decodeURIComponent(raw))
+  } catch {}
 
-export default function WorkspaceLayout({ children }: { children: React.ReactNode }) {
   return (
-    <ToastProvider>
-      <SettingsLoader />
-      <ProviderModelsLoader />
-      <GlobalCommandsProvider>
-        <div className='flex h-screen w-full flex-col overflow-hidden bg-[var(--surface-1)]'>
-          <ImpersonationBanner />
-          <WorkspacePermissionsProvider>
-            <WorkspaceScopeSync />
-            <div className='flex min-h-0 flex-1'>
-              <div className='shrink-0' suppressHydrationWarning>
-                <Sidebar />
-              </div>
-              <div className='flex min-w-0 flex-1 flex-col p-[8px] pl-0'>
-                <div className='flex-1 overflow-hidden rounded-[8px] border border-[var(--border)] bg-[var(--bg)]'>
-                  {children}
+    <BrandingProvider initialCache={initialCache}>
+      <ToastProvider>
+        <SettingsLoader />
+        <ProviderModelsLoader />
+        <GlobalCommandsProvider>
+          <div className='flex h-screen w-full flex-col overflow-hidden bg-[var(--surface-1)]'>
+            <ImpersonationBanner />
+            <WorkspacePermissionsProvider>
+              <WorkspaceScopeSync />
+              <div className='flex min-h-0 flex-1'>
+                <div className='shrink-0' suppressHydrationWarning>
+                  <Sidebar />
+                </div>
+                <div className='flex min-w-0 flex-1 flex-col p-[8px] pl-0'>
+                  <div className='flex-1 overflow-hidden rounded-[8px] border border-[var(--border)] bg-[var(--bg)]'>
+                    {children}
+                  </div>
                 </div>
               </div>
-            </div>
-            <NavTour />
-          </WorkspacePermissionsProvider>
-        </div>
-      </GlobalCommandsProvider>
-    </ToastProvider>
+              <NavTour />
+            </WorkspacePermissionsProvider>
+          </div>
+        </GlobalCommandsProvider>
+      </ToastProvider>
+    </BrandingProvider>
   )
 }

apps/sim/app/workspace/[workspaceId]/settings/[section]/settings.tsx

@@ -156,6 +156,13 @@ const AccessControl = dynamic(
 const SSO = dynamic(() => import('@/ee/sso/components/sso-settings').then((m) => m.SSO), {
   loading: () => <SettingsSectionSkeleton />,
 })
+const WhitelabelingSettings = dynamic(
+  () =>
+    import('@/ee/whitelabeling/components/whitelabeling-settings').then(
+      (m) => m.WhitelabelingSettings
+    ),
+  { loading: () => <SettingsSectionSkeleton /> }
+)
 
 interface SettingsPageProps {
   section: SettingsSection
@@ -198,6 +205,7 @@ export function SettingsPage({ section }: SettingsPageProps) {
       {isBillingEnabled && effectiveSection === 'subscription' && <Subscription />}
       {isBillingEnabled && effectiveSection === 'team' && <TeamManagement />}
       {effectiveSection === 'sso' && <SSO />}
+      {effectiveSection === 'whitelabeling' && <WhitelabelingSettings />}
       {effectiveSection === 'byok' && <BYOK />}
       {effectiveSection === 'copilot' && <Copilot />}
       {effectiveSection === 'mcp' && <MCP initialServerId={mcpServerId} />}