fix(security): scope memory tools to session userId — M2-003/004 (#294)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/gateway/src/agent/agent.service.ts

@@ -106,17 +106,22 @@ export class AgentService implements OnModuleDestroy {
   ) {}
 
   /**
-   * Build the full set of custom tools scoped to the given sandbox directory.
+   * Build the full set of custom tools scoped to the given sandbox directory and session user.
    * Brain/coord/memory/web tools are stateless with respect to cwd; file/git/shell
    * tools receive the resolved sandboxDir so they operate within the sandbox.
+   * Memory tools are bound to sessionUserId so the LLM cannot access another user's data.
    */
-  private buildToolsForSandbox(sandboxDir: string): ToolDefinition[] {
+  private buildToolsForSandbox(
+    sandboxDir: string,
+    sessionUserId: string | undefined,
+  ): ToolDefinition[] {
     return [
       ...createBrainTools(this.brain),
       ...createCoordTools(this.coordService),
       ...createMemoryTools(
         this.memory,
         this.embeddingService.available ? this.embeddingService : null,
+        sessionUserId,
       ),
       ...createFileTools(sandboxDir),
       ...createGitTools(sandboxDir),
@@ -216,8 +221,8 @@ export class AgentService implements OnModuleDestroy {
       );
     }
 
-    // Build per-session tools scoped to the sandbox directory
-    const sandboxTools = this.buildToolsForSandbox(sandboxDir);
+    // Build per-session tools scoped to the sandbox directory and authenticated user
+    const sandboxTools = this.buildToolsForSandbox(sandboxDir, mergedOptions?.userId);
 
     // Combine static tools with dynamically discovered MCP client tools and skill tools
     const mcpTools = this.mcpClientService.getToolDefinitions();