feat: allow link cloaking for Organization accounts in workflow emails

[PeerRich]

What does this PR do?

This PR allows Organization accounts to use cloaked links (URL behind text) in workflow emails, while keeping the restriction for non-Organization accounts.

Context: Previously, PR #26292 prevented all link cloaking in workflow emails to help recipients identify potentially malicious URLs. This change relaxes that restriction for Organization accounts since they are paid accounts with lower spam/scam risk.

Changes:

• Frontend: Conditionally allow the "link" toolbar item in the Editor for Organization accounts
• Backend: Skip replaceCloakedLinksInHtml sanitization for Organization workflows
• Repository: Include team.isOrganization in the workflow reminder query

Implementation Scope:

• The organization check is implemented in EmailWorkflowService.handleSendEmailWorkflowTask (the main tasker-based scheduled email path)
• Other email paths (emailReminderManager, deprecated scheduleEmailReminders.ts) default to sanitizing all links (safer behavior)
• This is intentional: the main scheduled email flow respects org status, while edge cases default to the stricter security posture

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - no documentation changes needed.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

1. Organization account test:

   • Log in as a user in an Organization
   • Create/edit a workflow with an email action
   • Verify the "link" toolbar button is available in the Editor
   • Add a cloaked link (e.g., <a href="https://example.com">Click here</a>)
   • Trigger the workflow and verify the email contains the cloaked link (not sanitized)

2. Non-Organization account test:

   • Log in as a user NOT in an Organization
   • Create/edit a workflow with an email action
   • Verify the "link" toolbar button is NOT available in the Editor
   • If a cloaked link exists in the email body, verify it gets sanitized to show the full URL

Human Review Checklist

• Verify the isOrganization prop in WorkflowStepContainer.tsx is derived from the same source as workflow.team?.isOrganization in the backend
• Confirm WorkflowReminderRepository.findByIdIncludeStepAndWorkflow is the query used for tasker-based email sends
• Verify the deprecated scheduleEmailReminders.ts still sanitizes all links (intentional - safer default)
• Review security implications of allowing cloaked links for Organization accounts

---

Link to Devin run: https://app.devin.ai/sessions/c245edc8038c4ac99ae88d65cbe65b71
Requested by: peer@cal.com (@PeerRich)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

4 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
api-v2	Ignored	Preview	Jan 9, 2026 2:24pm
cal	Ignored		Jan 9, 2026 2:24pm
cal-companion	Ignored	Preview	Jan 9, 2026 2:24pm
cal-eu	Ignored		Jan 9, 2026 2:24pm

[cubic-dev-ai]

No issues found across 3 files

[github-actions]

E2E results are ready!

• Workflow #99351.1 latest results

[github-actions]

Devin AI is resolving merge conflicts

This PR has merge conflicts with the main branch. The existing Devin session has been notified to resolve them.

View Devin Session

Devin will:

1. Merge the latest main into this branch
2. Resolve any conflicts intelligently
3. Run lint/type checks to ensure validity
4. Push the resolved changes

If you prefer to resolve conflicts manually, you can close the Devin session and handle it yourself.

[Ryukemeister]

email reminders and workflow reminders were missing logic for enabling cloaked emails for orgs, updated the code to fix that. all good now!

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/features/ee/workflows/api/scheduleEmailReminders.ts">

<violation number="1" location="packages/features/ee/workflows/api/scheduleEmailReminders.ts:360">
P2: This change contradicts the stated security design in the PR description. The description explicitly says this deprecated file should "default to sanitizing all links (safer behavior)" as the intentional security posture for edge cases. Adding the organization check here allows cloaked links for organizations, which is inconsistent with that design. If the stricter default is intended for deprecated paths, remove these organization checks and let all emails have links sanitized in this file.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: This change contradicts the stated security design in the PR description. The description explicitly says this deprecated file should "default to sanitizing all links (safer behavior)" as the intentional security posture for edge cases. Adding the organization check here allows cloaked links for organizations, which is inconsistent with that design. If the stricter default is intended for deprecated paths, remove these organization checks and let all emails have links sanitized in this file.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/features/ee/workflows/api/scheduleEmailReminders.ts, line 360:

<comment>This change contradicts the stated security design in the PR description. The description explicitly says this deprecated file should "default to sanitizing all links (safer behavior)" as the intentional security posture for edge cases. Adding the organization check here allows cloaked links for organizations, which is inconsistent with that design. If the stricter default is intended for deprecated paths, remove these organization checks and let all emails have links sanitized in this file.</comment>

<file context>
@@ -355,10 +355,17 @@ export async function handler(req: NextRequest) {
 
+          // Organization accounts are allowed to use cloaked links (URL behind text)
+          // since they are paid accounts with lower spam/scam risk
+          const isOrganization = reminder.workflowStep?.workflow?.team?.isOrganization ?? false;
+          const processedEmailBody = isOrganization
+            ? emailContent.emailBody
</file context>

_{Fix confidence (alpha): 8/10}

Suggested change

	const isOrganization = reminder.workflowStep?.workflow?.team?.isOrganization ?? false;
	const processedEmailBody = isOrganization
	? emailContent.emailBody
	: replaceCloakedLinksInHtml(emailContent.emailBody);
	const processedEmailBody = replaceCloakedLinksInHtml(emailContent.emailBody);

[github-actions]

Devin AI is addressing Cubic AI's review feedback

A Devin session has been created to address the issues identified by Cubic AI.

View Devin Session

[sean-brydon]

Fixed one of the queries to follow best practise.

LGTM