fix(lock): add lock validation to block rename operations

Defense-in-depth: although the UI disables rename for locked blocks,
the collaborative layer and server now also validate locks.

- collaborativeUpdateBlockName: checks if block is locked or inside
  locked container before attempting rename
- UPDATE_NAME server handler: checks lock status and parent lock
  before performing database update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/hooks/use-collaborative-workflow.ts

@@ -744,6 +744,23 @@ export function useCollaborativeWorkflow() {
 
   const collaborativeUpdateBlockName = useCallback(
     (id: string, name: string): { success: boolean; error?: string } => {
+      const blocks = useWorkflowStore.getState().blocks
+      const block = blocks[id]
+
+      if (block) {
+        const parentId = block.data?.parentId
+        const isParentLocked = parentId ? blocks[parentId]?.locked : false
+        if (block.locked || isParentLocked) {
+          logger.error('Cannot rename locked block')
+          useNotificationStore.getState().addNotification({
+            level: 'info',
+            message: 'Cannot rename locked blocks',
+            workflowId: activeWorkflowId || undefined,
+          })
+          return { success: false, error: 'Block is locked' }
+        }
+      }
+
       const trimmedName = name.trim()
       const normalizedNewName = normalizeName(trimmedName)
 
@@ -1021,7 +1038,6 @@ export function useCollaborativeWorkflow() {
 
       const blocks = useWorkflowStore.getState().blocks
 
-      // Helper to check if a block is protected (locked or inside locked parent)
       const isProtected = (blockId: string): boolean => {
         const block = blocks[blockId]
         if (!block) return false
@@ -1036,7 +1052,6 @@ export function useCollaborativeWorkflow() {
 
       for (const id of ids) {
         const block = blocks[id]
-        // Skip locked blocks and blocks inside locked containers
         if (block && !isProtected(id)) {
           previousStates[id] = block.horizontalHandles ?? false
           validIds.push(id)

apps/sim/socket/database/operations.ts

@@ -263,18 +263,51 @@ async function handleBlockOperationTx(
         throw new Error('Missing required fields for update name operation')
       }
 
-      const updateResult = await tx
+      // Check if block is protected (locked or inside locked parent)
+      const blockToRename = await tx
+        .select({
+          id: workflowBlocks.id,
+          locked: workflowBlocks.locked,
+          data: workflowBlocks.data,
+        })
+        .from(workflowBlocks)
+        .where(and(eq(workflowBlocks.id, payload.id), eq(workflowBlocks.workflowId, workflowId)))
+        .limit(1)
+
+      if (blockToRename.length === 0) {
+        throw new Error(`Block ${payload.id} not found in workflow ${workflowId}`)
+      }
+
+      const block = blockToRename[0]
+      const parentId = (block.data as Record<string, unknown> | null)?.parentId as
+        | string
+        | undefined
+
+      if (block.locked) {
+        logger.info(`Skipping rename of locked block ${payload.id}`)
+        break
+      }
+
+      if (parentId) {
+        const parentBlock = await tx
+          .select({ locked: workflowBlocks.locked })
+          .from(workflowBlocks)
+          .where(and(eq(workflowBlocks.id, parentId), eq(workflowBlocks.workflowId, workflowId)))
+          .limit(1)
+
+        if (parentBlock.length > 0 && parentBlock[0].locked) {
+          logger.info(`Skipping rename of block ${payload.id} - parent ${parentId} is locked`)
+          break
+        }
+      }
+
+      await tx
         .update(workflowBlocks)
         .set({
           name: payload.name,
           updatedAt: new Date(),
         })
         .where(and(eq(workflowBlocks.id, payload.id), eq(workflowBlocks.workflowId, workflowId)))
-        .returning({ id: workflowBlocks.id })
-
-      if (updateResult.length === 0) {
-        throw new Error(`Block ${payload.id} not found in workflow ${workflowId}`)
-      }
 
       logger.debug(`Updated block name: ${payload.id} -> "${payload.name}"`)
       break