fix(workflows): harden deployment restore flows

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -254,6 +254,33 @@ describe('Workflow deploy route', () => {
     )
   })
 
+  it('returns success when webhook cleanup throws after undeploy succeeds', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
+    })
+    mockUndeployWorkflow.mockResolvedValue({ success: true })
+    mockCleanupWebhooksForWorkflow.mockRejectedValue(new Error('cleanup failed'))
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'DELETE',
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await DELETE(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(200)
+    const data = await response.json()
+    expect(data.isDeployed).toBe(false)
+    expect(mockRemoveMcpToolsForWorkflow).toHaveBeenCalledWith('wf-1', 'req-123')
+    expect(mockRecordAudit).toHaveBeenCalled()
+  })
+
   it('checks public API restrictions against hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -373,9 +373,21 @@ export async function DELETE(
       return createErrorResponse(result.error || 'Failed to undeploy workflow', 500)
     }
 
-    await cleanupWebhooksForWorkflow(id, workflowData as Record<string, unknown>, requestId)
+    try {
+      await cleanupWebhooksForWorkflow(id, workflowData as Record<string, unknown>, requestId)
+    } catch (cleanupError) {
+      logger.error(`[${requestId}] Failed to cleanup webhooks after undeploy for workflow ${id}`, {
+        error: cleanupError,
+      })
+    }
 
-    await removeMcpToolsForWorkflow(id, requestId)
+    try {
+      await removeMcpToolsForWorkflow(id, requestId)
+    } catch (cleanupError) {
+      logger.error(`[${requestId}] Failed to cleanup MCP tools after undeploy for workflow ${id}`, {
+        error: cleanupError,
+      })
+    }
 
     logger.info(`[${requestId}] Workflow undeployed successfully: ${id}`)
 

apps/sim/app/api/workflows/[id]/deployed/route.test.ts

@@ -58,4 +58,19 @@ describe('Workflow deployed-state route', () => {
       action: 'read',
     })
   })
+
+  it('returns 500 when deployed-state loading throws', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({ workflow: { id: 'wf-1' } })
+    mockLoadDeployedWorkflowState.mockRejectedValue(new Error('load failed'))
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deployed', {
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await GET(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(500)
+    expect(response.headers.get('Cache-Control')).toBe(
+      'no-store, no-cache, must-revalidate, max-age=0'
+    )
+  })
 })

apps/sim/app/api/workflows/[id]/deployed/route.ts

@@ -41,19 +41,13 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       }
     }
 
-    let deployedState = null
-    try {
-      const data = await loadDeployedWorkflowState(id)
-      deployedState = {
-        blocks: data.blocks,
-        edges: data.edges,
-        loops: data.loops,
-        parallels: data.parallels,
-        variables: data.variables,
-      }
-    } catch (error) {
-      logger.warn(`[${requestId}] Failed to load deployed state for workflow ${id}`, { error })
-      deployedState = null
+    const data = await loadDeployedWorkflowState(id)
+    const deployedState = {
+      blocks: data.blocks,
+      edges: data.edges,
+      loops: data.loops,
+      parallels: data.parallels,
+      variables: data.variables,
     }
 
     const response = createSuccessResponse({ deployedState })

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.test.ts

@@ -9,26 +9,18 @@ const {
   mockDbFrom,
   mockDbLimit,
   mockDbSelect,
-  mockDbSet,
-  mockDbUpdate,
   mockDbWhere,
-  mockDbWhereUpdate,
   mockRecordAudit,
-  mockSaveWorkflowToNormalizedTables,
-  mockSetWorkflowVariables,
+  mockRestoreWorkflowDraftState,
   mockSyncMcpToolsForWorkflow,
   mockValidateWorkflowAccess,
 } = vi.hoisted(() => ({
   mockDbFrom: vi.fn(),
   mockDbLimit: vi.fn(),
   mockDbSelect: vi.fn(),
-  mockDbSet: vi.fn(),
-  mockDbUpdate: vi.fn(),
   mockDbWhere: vi.fn(),
-  mockDbWhereUpdate: vi.fn(),
   mockRecordAudit: vi.fn(),
-  mockSaveWorkflowToNormalizedTables: vi.fn(),
-  mockSetWorkflowVariables: vi.fn(),
+  mockRestoreWorkflowDraftState: vi.fn(),
   mockSyncMcpToolsForWorkflow: vi.fn(),
   mockValidateWorkflowAccess: vi.fn(),
 }))
@@ -64,9 +56,7 @@ vi.mock('@/lib/core/config/env', async (importOriginal) => {
 vi.mock('@sim/db', () => ({
   db: {
     select: mockDbSelect,
-    update: mockDbUpdate,
   },
-  workflow: { id: 'id' },
   workflowDeploymentVersion: {
     state: 'state',
     workflowId: 'workflowId',
@@ -85,18 +75,13 @@ vi.mock('drizzle-orm', async (importOriginal) => {
 })
 
 vi.mock('@/lib/workflows/persistence/utils', () => ({
-  saveWorkflowToNormalizedTables: (...args: unknown[]) =>
-    mockSaveWorkflowToNormalizedTables(...args),
+  restoreWorkflowDraftState: (...args: unknown[]) => mockRestoreWorkflowDraftState(...args),
 }))
 
 vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
   syncMcpToolsForWorkflow: (...args: unknown[]) => mockSyncMcpToolsForWorkflow(...args),
 }))
 
-vi.mock('@/lib/workflows/utils', () => ({
-  setWorkflowVariables: (...args: unknown[]) => mockSetWorkflowVariables(...args),
-}))
-
 vi.mock('@/lib/audit/log', () => ({
   AuditAction: { WORKFLOW_DEPLOYMENT_REVERTED: 'WORKFLOW_DEPLOYMENT_REVERTED' },
   AuditResourceType: { WORKFLOW: 'WORKFLOW' },
@@ -121,11 +106,7 @@ describe('Workflow deployment version revert route', () => {
         },
       },
     ])
-    mockDbUpdate.mockReturnValue({ set: mockDbSet })
-    mockDbSet.mockReturnValue({ where: mockDbWhereUpdate })
-    mockDbWhereUpdate.mockResolvedValue(undefined)
-    mockSaveWorkflowToNormalizedTables.mockResolvedValue({ success: true })
-    mockSetWorkflowVariables.mockResolvedValue(undefined)
+    mockRestoreWorkflowDraftState.mockResolvedValue({ success: true })
     mockFetch.mockResolvedValue({ ok: true })
   })
 
@@ -152,7 +133,7 @@ describe('Workflow deployment version revert route', () => {
       requireDeployment: false,
       action: 'admin',
     })
-    expect(mockSaveWorkflowToNormalizedTables).toHaveBeenCalled()
+    expect(mockRestoreWorkflowDraftState).toHaveBeenCalled()
     expect(mockSyncMcpToolsForWorkflow).toHaveBeenCalled()
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
@@ -195,9 +176,14 @@ describe('Workflow deployment version revert route', () => {
 
     await POST(req, { params: Promise.resolve({ id: 'wf-1', version: '3' }) })
 
-    expect(mockSetWorkflowVariables).toHaveBeenCalledWith('wf-1', {
-      var1: { id: 'var1', name: 'API Token', type: 'string', value: 'secret' },
-    })
+    expect(mockRestoreWorkflowDraftState).toHaveBeenCalledWith(
+      expect.objectContaining({
+        workflowId: 'wf-1',
+        variables: {
+          var1: { id: 'var1', name: 'API Token', type: 'string', value: 'secret' },
+        },
+      })
+    )
   })
 
   it('defaults variables safely when missing from the deployment snapshot', async () => {
@@ -219,7 +205,12 @@ describe('Workflow deployment version revert route', () => {
 
     await POST(req, { params: Promise.resolve({ id: 'wf-1', version: '3' }) })
 
-    expect(mockSetWorkflowVariables).toHaveBeenCalledWith('wf-1', {})
+    expect(mockRestoreWorkflowDraftState).toHaveBeenCalledWith(
+      expect.objectContaining({
+        workflowId: 'wf-1',
+        variables: {},
+      })
+    )
   })
 
   it('returns success when MCP sync throws after revert succeeds', async () => {

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.ts

@@ -1,4 +1,4 @@
-import { db, workflow, workflowDeploymentVersion } from '@sim/db'
+import { db, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
@@ -7,8 +7,7 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { saveWorkflowToNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { setWorkflowVariables } from '@/lib/workflows/utils'
+import { restoreWorkflowDraftState } from '@/lib/workflows/persistence/utils'
 import { validateWorkflowAccess } from '@/app/api/workflows/middleware'
 import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
 
@@ -85,27 +84,23 @@ export async function POST(
       return createErrorResponse('Invalid deployed state structure', 500)
     }
 
-    const saveResult = await saveWorkflowToNormalizedTables(id, {
-      blocks: deployedState.blocks,
-      edges: deployedState.edges,
-      loops: deployedState.loops || {},
-      parallels: deployedState.parallels || {},
+    const restoredAt = new Date()
+    const saveResult = await restoreWorkflowDraftState({
+      workflowId: id,
+      state: {
+        blocks: deployedState.blocks,
+        edges: deployedState.edges,
+        loops: deployedState.loops || {},
+        parallels: deployedState.parallels || {},
+      },
       variables: deployedState.variables || {},
-      lastSaved: Date.now(),
-      deploymentStatuses: deployedState.deploymentStatuses || {},
+      restoredAt,
     })
 
     if (!saveResult.success) {
       return createErrorResponse(saveResult.error || 'Failed to save deployed state', 500)
     }
 
-    await setWorkflowVariables(id, deployedState.variables || {})
-
-    await db
-      .update(workflow)
-      .set({ lastSynced: new Date(), updatedAt: new Date() })
-      .where(eq(workflow.id, id))
-
     try {
       await syncMcpToolsForWorkflow({
         workflowId: id,
@@ -150,7 +145,7 @@ export async function POST(
 
     return createSuccessResponse({
       message: 'Reverted to deployment version',
-      lastSaved: Date.now(),
+      lastSaved: restoredAt.getTime(),
     })
   } catch (error: any) {
     logger.error('Error reverting to deployment version', error)

apps/sim/app/api/workflows/middleware.ts

@@ -118,7 +118,7 @@ export async function validateWorkflowAccess(
       return { workflow, auth }
     }
 
-    if (requireDeployment) {
+    {
       const internalSecret = request.headers.get('X-Internal-Secret')
       const hasValidInternalSecret =
         allowInternalSecret && env.INTERNAL_API_SECRET && internalSecret === env.INTERNAL_API_SECRET
@@ -197,13 +197,6 @@ export async function validateWorkflowAccess(
 
       return { workflow }
     }
-
-    return {
-      error: {
-        message: 'Internal server error',
-        status: 500,
-      },
-    }
   } catch (error) {
     logger.error('Validation error:', { error })
     return {

apps/sim/lib/workflows/persistence/utils.test.ts

@@ -1165,6 +1165,59 @@ describe('Database Helpers', () => {
     })
   })
 
+  describe('restoreWorkflowDraftState', () => {
+    it('rolls back normalized graph restore when workflow variable update fails', async () => {
+      const txDeleteWhere = vi.fn().mockResolvedValue(undefined)
+      const txInsertValues = vi.fn().mockResolvedValue(undefined)
+      const txUpdateWhere = vi.fn().mockRejectedValue(new Error('workflow update failed'))
+      const txUpdateSet = vi.fn().mockReturnValue({ where: txUpdateWhere })
+      const tx = {
+        delete: vi.fn().mockReturnValue({ where: txDeleteWhere }),
+        insert: vi.fn().mockReturnValue({ values: txInsertValues }),
+        update: vi.fn().mockReturnValue({ set: txUpdateSet }),
+      }
+
+      mockDb.transaction = vi.fn().mockImplementation(async (callback) => callback(tx))
+
+      const result = await dbHelpers.restoreWorkflowDraftState({
+        workflowId: mockWorkflowId,
+        state: {
+          blocks: asAppState(mockWorkflowState).blocks,
+          edges: asAppState(mockWorkflowState).edges,
+          loops: asAppState(mockWorkflowState).loops,
+          parallels: asAppState(mockWorkflowState).parallels,
+        },
+        variables: {
+          apiToken: {
+            id: 'apiToken',
+            name: 'API Token',
+            type: 'string',
+            value: 'secret',
+          },
+        },
+        restoredAt: new Date('2024-01-01T00:00:00.000Z'),
+      })
+
+      expect(result).toEqual({ success: false, error: 'workflow update failed' })
+      expect(mockDb.transaction).toHaveBeenCalledTimes(1)
+      expect(tx.delete).toHaveBeenCalledTimes(3)
+      expect(tx.insert).toHaveBeenCalledTimes(3)
+      expect(tx.update).toHaveBeenCalledWith({})
+      expect(txUpdateSet).toHaveBeenCalledWith({
+        variables: {
+          apiToken: {
+            id: 'apiToken',
+            name: 'API Token',
+            type: 'string',
+            value: 'secret',
+          },
+        },
+        lastSynced: new Date('2024-01-01T00:00:00.000Z'),
+        updatedAt: new Date('2024-01-01T00:00:00.000Z'),
+      })
+    })
+  })
+
   describe('migrateAgentBlocksToMessagesFormat', () => {
     it('should migrate agent block with both systemPrompt and userPrompt', () => {
       const blocks = {