fix(admin): close OAuth domain bypass, fix stale errors, deduplicate icon

- Add databaseHooks.user.create.before to enforce BLOCKED_SIGNUP_DOMAINS at
  the model level, covering all signup vectors (email, OAuth, social) not just
  /sign-up paths
- Call .reset() on each mutation before firing to clear stale error state from
  previous operations
- Change Admin nav icon from ShieldCheck to Lock to avoid duplicate with
  Access Control tab

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/workspace/[workspaceId]/settings/components/admin/admin.tsx

@@ -209,12 +209,13 @@ export function Admin() {
                         <Button
                           variant='active'
                           className='h-[28px] px-[8px] text-[12px]'
-                          onClick={() =>
+                          onClick={() => {
+                            setUserRole.reset()
                             setUserRole.mutate({
                               userId: u.id,
                               role: u.role === 'admin' ? 'user' : 'admin',
                             })
-                          }
+                          }}
                           disabled={pendingUserIds.has(u.id)}
                         >
                           {u.role === 'admin' ? 'Demote' : 'Promote'}
@@ -223,7 +224,10 @@ export function Admin() {
                           <Button
                             variant='active'
                             className='h-[28px] px-[8px] text-[12px]'
-                            onClick={() => unbanUser.mutate({ userId: u.id })}
+                            onClick={() => {
+                              unbanUser.reset()
+                              unbanUser.mutate({ userId: u.id })
+                            }}
                             disabled={pendingUserIds.has(u.id)}
                           >
                             Unban
@@ -240,6 +244,7 @@ export function Admin() {
                               variant='primary'
                               className='h-[28px] px-[8px] text-[12px]'
                               onClick={() => {
+                                banUser.reset()
                                 banUser.mutate(
                                   {
                                     userId: u.id,

apps/sim/app/workspace/[workspaceId]/settings/navigation.ts

@@ -5,6 +5,7 @@ import {
   HexSimple,
   Key,
   KeySquare,
+  Lock,
   LogIn,
   Mail,
   Send,
@@ -167,7 +168,7 @@ export const allNavigationItems: NavigationItem[] = [
   {
     id: 'admin',
     label: 'Admin',
-    icon: ShieldCheck,
+    icon: Lock,
     section: 'superuser',
     requiresAdminRole: true,
   },

apps/sim/lib/auth/auth.ts

@@ -116,6 +116,15 @@ export const auth = betterAuth({
   databaseHooks: {
     user: {
       create: {
+        before: async (user) => {
+          if (blockedSignupDomains) {
+            const emailDomain = user.email?.split('@')[1]?.toLowerCase()
+            if (emailDomain && blockedSignupDomains.has(emailDomain)) {
+              throw new Error('Sign-ups from this email domain are not allowed.')
+            }
+          }
+          return { data: user }
+        },
         after: async (user) => {
           logger.info('[databaseHooks.user.create.after] User created, initializing stats', {
             userId: user.id,