fix(workflows): enforce blocker follow-ups

Author: PlaneInABottle

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -332,6 +332,91 @@ describe('Workflow deploy route', () => {
     expect(mockUndeployWorkflow).toHaveBeenCalledWith({ workflowId: 'wf-1' })
   })
 
+  it('fails redeploy rollback when failed deployment version deletion reports failure', async () => {
+    mockDbLimit.mockResolvedValue([
+      { id: 'prev-1', deployedAt: new Date('2024-01-01T00:00:00.000Z') },
+    ])
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
+    })
+    mockDeployWorkflow.mockResolvedValue({
+      success: true,
+      deployedAt: '2024-02-01T00:00:00Z',
+      deploymentVersionId: 'dep-failed',
+    })
+    mockSaveTriggerWebhooksForDeploy.mockResolvedValue({
+      success: false,
+      error: { message: 'Failed to save trigger configuration', status: 500 },
+    })
+    mockDeleteDeploymentVersionById.mockResolvedValue({
+      success: false,
+      error: 'delete failed',
+    })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'POST',
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await POST(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(500)
+    expect(await response.json()).toEqual({ error: 'delete failed', code: 'DELETE_FAILED' })
+    expect(mockReactivateWorkflowVersionForRollback).toHaveBeenCalled()
+    expect(mockDeleteDeploymentVersionById).toHaveBeenCalledWith({
+      workflowId: 'wf-1',
+      deploymentVersionId: 'dep-failed',
+    })
+  })
+
+  it('fails first deploy rollback when failed deployment version deletion reports failure', async () => {
+    mockValidateWorkflowAccess.mockResolvedValue({
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
+    })
+    mockDeployWorkflow.mockResolvedValue({
+      success: true,
+      deployedAt: '2024-02-01T00:00:00Z',
+      deploymentVersionId: 'dep-failed',
+    })
+    mockSaveTriggerWebhooksForDeploy.mockResolvedValue({
+      success: false,
+      error: { message: 'Failed to save trigger configuration', status: 500 },
+    })
+    mockDbLimit.mockResolvedValue([])
+    mockUndeployWorkflow.mockResolvedValue({ success: true })
+    mockDeleteDeploymentVersionById.mockResolvedValue({
+      success: false,
+      error: 'delete failed',
+    })
+
+    const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deploy', {
+      method: 'POST',
+      headers: { 'x-api-key': 'test-key' },
+    })
+    const response = await POST(req, { params: Promise.resolve({ id: 'wf-1' }) })
+
+    expect(response.status).toBe(500)
+    expect(await response.json()).toEqual({ error: 'delete failed', code: 'DELETE_FAILED' })
+    expect(mockUndeployWorkflow).toHaveBeenCalledWith({ workflowId: 'wf-1' })
+    expect(mockDeleteDeploymentVersionById).toHaveBeenCalledWith({
+      workflowId: 'wf-1',
+      deploymentVersionId: 'dep-failed',
+    })
+  })
+
   it('allows API-key auth for undeploy using hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -131,6 +131,21 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     const previousDeployedAt = currentActiveVersion?.deployedAt ?? null
 
     const rollbackDeployment = async (failedDeploymentVersionId?: string) => {
+      const ensureFailedDeploymentVersionDeleted = async () => {
+        if (!failedDeploymentVersionId) {
+          return
+        }
+
+        const deleteResult = await deleteDeploymentVersionById({
+          workflowId: id,
+          deploymentVersionId: failedDeploymentVersionId,
+        })
+
+        if (!deleteResult.success) {
+          throw new Error(deleteResult.error || 'Failed to delete failed deployment version')
+        }
+      }
+
       if (previousVersionId) {
         await restorePreviousVersionWebhooks({
           request,
@@ -150,24 +165,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
               deploymentVersionId: previousVersionId,
             })
         if (reactivateResult.success) {
-          if (failedDeploymentVersionId) {
-            await deleteDeploymentVersionById({
-              workflowId: id,
-              deploymentVersionId: failedDeploymentVersionId,
-            })
-          }
+          await ensureFailedDeploymentVersionDeleted()
           return
         }
       }
 
-      if (failedDeploymentVersionId) {
-        await deleteDeploymentVersionById({
-          workflowId: id,
-          deploymentVersionId: failedDeploymentVersionId,
-        })
-      }
-
       await undeployWorkflow({ workflowId: id })
+      await ensureFailedDeploymentVersionDeleted()
     }
 
     const deployResult = await deployWorkflow({

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -19,6 +19,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 const mockCheckHybridAuth = vi.fn()
 const mockCheckSessionOrInternalAuth = vi.fn()
 const mockLoadWorkflowFromNormalizedTables = vi.fn()
+const mockGetActiveWorkflowContext = vi.fn()
 const mockGetWorkflowById = vi.fn()
 const mockAuthorizeWorkflowByWorkspacePermission = vi.fn()
 const mockArchiveWorkflow = vi.fn()
@@ -77,6 +78,10 @@ vi.mock('@/lib/workflows/persistence/utils', () => ({
     mockLoadWorkflowFromNormalizedTables(workflowId),
 }))
 
+vi.mock('@/lib/workflows/active-context', () => ({
+  getActiveWorkflowContext: (workflowId: string) => mockGetActiveWorkflowContext(workflowId),
+}))
+
 vi.mock('@/app/api/workflows/middleware', () => ({
   validateWorkflowAccess: (...args: unknown[]) => mockValidateWorkflowAccess(...args),
 }))
@@ -113,6 +118,7 @@ describe('Workflow By ID API Route', () => {
     })
 
     mockLoadWorkflowFromNormalizedTables.mockResolvedValue(null)
+    mockGetActiveWorkflowContext.mockResolvedValue(null)
   })
 
   afterEach(() => {
@@ -201,7 +207,10 @@ describe('Workflow By ID API Route', () => {
         success: true,
         authType: 'internal_jwt',
       })
-      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockGetActiveWorkflowContext.mockResolvedValue({
+        workflow: mockWorkflow,
+        workspaceId: 'workspace-456',
+      })
       mockLoadWorkflowFromNormalizedTables.mockResolvedValue(mockNormalizedData)
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -217,9 +226,38 @@ describe('Workflow By ID API Route', () => {
       expect(data.data.state.blocks).toEqual(mockNormalizedData.blocks)
       expect(data.data.variables).toEqual({})
       expect(mockValidateWorkflowAccess).not.toHaveBeenCalled()
+      expect(mockGetActiveWorkflowContext).toHaveBeenCalledWith('workflow-123')
       expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
     })
 
+    it('should deny internal compatibility reads for deprecated personal workflows', async () => {
+      mockCheckHybridAuth.mockResolvedValue({
+        success: true,
+        authType: 'internal_jwt',
+      })
+      mockGetActiveWorkflowContext.mockResolvedValue(null)
+      mockGetWorkflowById.mockResolvedValue({
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Personal Workflow',
+        workspaceId: null,
+      })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        headers: { authorization: 'Bearer internal-token' },
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await GET(req, { params })
+
+      expect(response.status).toBe(403)
+      expect(await response.json()).toEqual({
+        error:
+          'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
+      })
+      expect(mockValidateWorkflowAccess).not.toHaveBeenCalled()
+    })
+
     it('should deny personal api key reads when middleware rejects workspace policy', async () => {
       mockCheckHybridAuth.mockResolvedValue({
         success: true,

apps/sim/app/api/workflows/[id]/route.ts

@@ -8,6 +8,7 @@ import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { AuthType, checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { getActiveWorkflowContext } from '@/lib/workflows/active-context'
 import { archiveWorkflow } from '@/lib/workflows/lifecycle'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { getWorkflowById } from '@/lib/workflows/utils'
@@ -23,6 +24,40 @@ const UpdateWorkflowSchema = z.object({
   sortOrder: z.number().int().min(0).optional(),
 })
 
+async function getVisibleWorkflowForInternalCompatibility(workflowId: string) {
+  const context = await getActiveWorkflowContext(workflowId)
+  if (context) {
+    return { workflow: context.workflow }
+  }
+
+  const workflow = await getWorkflowById(workflowId, { includeArchived: true })
+  if (!workflow) {
+    return {
+      error: {
+        message: 'Workflow not found',
+        status: 404,
+      },
+    }
+  }
+
+  if (!workflow.workspaceId) {
+    return {
+      error: {
+        message:
+          'This workflow is not attached to a workspace. Personal workflows are deprecated and cannot be accessed.',
+        status: 403,
+      },
+    }
+  }
+
+  return {
+    error: {
+      message: 'Workflow not found',
+      status: 404,
+    },
+  }
+}
+
 /**
  * GET /api/workflows/[id]
  * Fetch a single workflow by ID
@@ -45,13 +80,18 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     let workflowData
 
     if (internalNoUserPrecheck) {
-      workflowData = await getWorkflowById(workflowId)
-
-      if (!workflowData) {
-        logger.warn(`[${requestId}] Workflow ${workflowId} not found`)
-        return NextResponse.json({ error: 'Workflow not found' }, { status: 404 })
+      const workflowResult = await getVisibleWorkflowForInternalCompatibility(workflowId)
+      if (workflowResult.error || !workflowResult.workflow) {
+        logger.warn(
+          `[${requestId}] Workflow ${workflowId} not available for internal compatibility read`
+        )
+        return NextResponse.json(
+          { error: workflowResult.error?.message || 'Workflow not found' },
+          { status: workflowResult.error?.status || 404 }
+        )
       }
 
+      workflowData = workflowResult.workflow
       logger.info(`[${requestId}] Internal bearer compatibility read for workflow ${workflowId}`)
     } else {
       const validation = await validateWorkflowAccess(request, workflowId, {