fix(gateway): filter projects by ownership — close data privacy leak (#202)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/gateway/src/__tests__/resource-ownership.test.ts

@@ -18,6 +18,7 @@ function createBrain() {
     },
     projects: {
       findAll: vi.fn(),
+      findAllForUser: vi.fn(),
       findById: vi.fn(),
       create: vi.fn(),
       update: vi.fn(),
@@ -67,7 +68,8 @@ describe('Resource ownership checks', () => {
   it('forbids access to another user project', async () => {
     const brain = createBrain();
     brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
-    const controller = new ProjectsController(brain as never);
+    const teamsService = { canAccessProject: vi.fn().mockResolvedValue(false) };
+    const controller = new ProjectsController(brain as never, teamsService as never);
 
     await expect(controller.findOne('project-1', { id: 'user-1' })).rejects.toBeInstanceOf(
       ForbiddenException,