fix(security): anchor KB file ownership to earliest document in any state

A KB file's owner is now the earliest document referencing its key regardless of
state (active/archived/deleted/excluded); access is granted only when that owning
document is still active. Closes the residual where an attacker could plant an
active document to claim a file whose original document was archived or deleted.

Author: waleedlatif1

apps/sim/app/api/files/authorization.test.ts

@@ -149,6 +149,33 @@ describe('verifyKBFileAccess', () => {
     )
   })
 
+  it('denies a planted active document when the original owner document is archived', async () => {
+    // The earliest (victim) document is archived, so the file is retired; the attacker's
+    // later active document must not become the owner and grant cross-tenant access.
+    dbChainMockFns.limit.mockResolvedValueOnce([
+      { workspaceId: 'ws-victim', fileUrl: internalUrlFor(VICTIM_KEY), archivedAt: new Date() },
+      { workspaceId: 'ws-attacker', fileUrl: internalUrlFor(VICTIM_KEY) },
+    ])
+    mockGetUserEntityPermissions.mockResolvedValue('admin')
+
+    const granted = await verifyFileAccess(VICTIM_KEY, ATTACKER_USER, undefined, 'knowledge-base')
+
+    expect(granted).toBe(false)
+    expect(mockGetUserEntityPermissions).not.toHaveBeenCalled()
+  })
+
+  it('denies access when the owning document is soft-deleted (retired file not served)', async () => {
+    dbChainMockFns.limit.mockResolvedValueOnce([
+      { workspaceId: 'ws-owner', fileUrl: internalUrlFor(VICTIM_KEY), deletedAt: new Date() },
+    ])
+    mockGetUserEntityPermissions.mockResolvedValue('admin')
+
+    const granted = await verifyFileAccess(VICTIM_KEY, 'owner-user', undefined, 'knowledge-base')
+
+    expect(granted).toBe(false)
+    expect(mockGetUserEntityPermissions).not.toHaveBeenCalled()
+  })
+
   it('denies access when a substring document points at a different key', async () => {
     dbChainMockFns.limit.mockResolvedValueOnce([
       { workspaceId: 'ws-attacker', fileUrl: internalUrlFor(`${VICTIM_KEY}-decoy`) },

apps/sim/app/api/files/authorization.ts

@@ -432,49 +432,62 @@ function resolveInternalKbKey(fileUrl: string | null, allowedOrigins: Set<string
  * KB files: kb/filename
  *
  * Access is authorized against the workspace that *owns* the storage object,
- * never against an arbitrary document that merely references it. Ownership is
- * resolved by requiring a document's `fileUrl` to canonically resolve to the
- * exact requested storage key (not a substring/`LIKE` match), and by pinning to
- * the earliest such document — so a later document planted in another workspace
- * cannot authorize the planting user against another tenant's file.
+ * never against an arbitrary document that merely references it. The owner is the
+ * earliest document (in any state) whose `fileUrl` canonically resolves to the
+ * exact requested key — not a substring/`LIKE` match. Access is granted only when
+ * that owning document is still active; an archived or deleted owner keeps the file
+ * retired, and a document planted later in another workspace can never become the
+ * owner.
  */
 async function verifyKBFileAccess(
   cloudKey: string,
   userId: string,
   customConfig?: StorageConfig
 ): Promise<boolean> {
   try {
-    // LIKE only narrows candidates; ownership is decided below, pinned to the earliest upload.
+    // Ownership spans every document state: the earliest document to reference the key owns
+    // it, so a document planted later in another workspace can never claim a file whose
+    // original document was archived or deleted. LIKE only narrows candidates; the exact
+    // owner is resolved below.
     const candidateDocuments = await db
       .select({
         workspaceId: knowledgeBase.workspaceId,
         fileUrl: document.fileUrl,
+        archivedAt: document.archivedAt,
+        deletedAt: document.deletedAt,
+        userExcluded: document.userExcluded,
+        kbDeletedAt: knowledgeBase.deletedAt,
       })
       .from(document)
       .innerJoin(knowledgeBase, eq(document.knowledgeBaseId, knowledgeBase.id))
       .where(
-        and(
-          eq(document.userExcluded, false),
-          isNull(document.archivedAt),
-          isNull(document.deletedAt),
-          isNull(knowledgeBase.deletedAt),
-          or(
-            like(document.fileUrl, `%${cloudKey}%`),
-            like(document.fileUrl, `%${encodeURIComponent(cloudKey)}%`)
-          )
+        or(
+          like(document.fileUrl, `%${cloudKey}%`),
+          like(document.fileUrl, `%${encodeURIComponent(cloudKey)}%`)
         )
       )
       .orderBy(asc(document.uploadedAt))
       .limit(50)
 
-    // Owner is the earliest document whose fileUrl resolves to EXACTLY this key; substring
-    // matches and cross-workspace references never establish ownership.
     const allowedOrigins = getInternalServeOrigins()
     const owningDocument = candidateDocuments.find(
       (doc) => resolveInternalKbKey(doc.fileUrl, allowedOrigins) === cloudKey
     )
 
     if (owningDocument) {
+      const isActive =
+        !owningDocument.archivedAt &&
+        !owningDocument.deletedAt &&
+        !owningDocument.userExcluded &&
+        !owningDocument.kbDeletedAt
+
+      // The owning document is archived/deleted/excluded: the file is retired and not served,
+      // and the attacker's later active document is not the owner, so it cannot claim it.
+      if (!isActive) {
+        logger.warn('KB file access denied: owning document is not active', { userId, cloudKey })
+        return false
+      }
+
       if (!owningDocument.workspaceId) {
         logger.warn('KB file access denied: owning document has no workspace', {
           userId,