fix(security): close verifyFileAccess bypass, thread workflowId to processQueuedResumes, fix log level

- Fail closed in WordPress upload when userFile.key is present but authResult.userId is absent, preventing silent bypass of ownership check via JWT fallback path
- Thread workflowId into processQueuedResumes in the async resume error-recovery path and in pause-persistence.ts to close residual cross-tenant gap
- Change logger.error to logger.warn for credential access denial in OneDrive folder route to match all other routes in this PR

Author: waleedlatif1

apps/sim/app/api/resume/[workflowId]/[executionId]/[contextId]/route.ts

@@ -250,7 +250,7 @@ export const POST = withRouteHandler(
             contextId: enqueueResult.contextId,
             failureReason: 'Failed to queue async resume execution',
           })
-          await PauseResumeManager.processQueuedResumes(executionId)
+          await PauseResumeManager.processQueuedResumes(executionId, workflowId)
           return NextResponse.json(
             { error: 'Failed to queue resume execution. Please try again.' },
             { status: 503 }

apps/sim/app/api/tools/onedrive/folder/route.ts

@@ -39,7 +39,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       requireWorkflowIdForInternal: false,
     })
     if (!credAccess.ok || !credAccess.credentialOwnerUserId) {
-      logger.error(`[${requestId}] Credential access denied`, { error: credAccess.error })
+      logger.warn(`[${requestId}] Credential access denied`, { error: credAccess.error })
       return NextResponse.json({ error: credAccess.error || 'Unauthorized' }, { status: 401 })
     }
 

apps/sim/app/api/tools/wordpress/upload/route.ts

@@ -79,20 +79,18 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    if (userFile.key && authResult.userId) {
+    if (userFile.key) {
+      if (!authResult.userId) {
+        logger.warn(`[${requestId}] File access check requires userId but none available`)
+        return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+      }
       const hasAccess = await verifyFileAccess(userFile.key, authResult.userId)
       if (!hasAccess) {
         logger.warn(`[${requestId}] File access denied for user`, {
           userId: authResult.userId,
           key: userFile.key,
         })
-        return NextResponse.json(
-          {
-            success: false,
-            error: 'File not found',
-          },
-          { status: 404 }
-        )
+        return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
       }
     }
 

apps/sim/lib/workflows/executor/pause-persistence.ts

@@ -54,7 +54,7 @@ export async function handlePostExecutionPauseState({
     }
   } else {
     try {
-      await PauseResumeManager.processQueuedResumes(executionId)
+      await PauseResumeManager.processQueuedResumes(executionId, workflowId)
     } catch (resumeError) {
       logger.error('Failed to process queued resumes', {
         executionId,