# Task Ownership Gap Fix Scratchpad

## Metadata

- Date: 2026-03-13
- Worktree: `/home/jwoltje/src/mosaic-mono-v1-worktrees/fix-task-ownership`
- Branch: `fix/task-mission-ownership`
- Scope: Fix ownership checks in TasksController/MissionsController and extend gateway ownership tests
- Related tracker: worker task only; `docs/TASKS.md` is orchestrator-owned and left unchanged
- Budget assumption: no explicit token cap; keep scope limited to requested gateway permission fixes

## Objective

Close ownership gaps so task listing/creation and mission creation enforce project/mission ownership and reject cross-user access.

## Acceptance Criteria

1. TasksController `list()` enforces ownership for `projectId` and `missionId`, and does not return cross-user data when neither filter is provided.
2. TasksController `create()` rejects unowned `projectId` and `missionId` references.
3. MissionsController `create()` rejects unowned `projectId` references.
4. Gateway ownership tests cover forbidden task creation and forbidden task listing by unowned project.

## Plan

1. Inspect current controller and ownership test patterns.
2. Add failing permission tests first.
3. Patch controller methods with existing ownership helpers.
4. Run targeted gateway tests, then gateway typecheck/lint/full test.
5. Perform independent review, record evidence, then complete the requested git/PR workflow.

## TDD Notes

- Required: yes. This is auth/permission logic and a bugfix.
- Strategy: add failing tests in `resource-ownership.test.ts`, verify red, then implement minimal controller changes.

## Verification Log

- `pnpm --filter @mosaicstack/gateway test -- src/__tests__/resource-ownership.test.ts`
  - Red: failed with 2 expected permission-path failures before controller changes.
  - Green: passed after wiring ownership checks and adding owned-task filtering coverage.
- `pnpm --filter @mosaicstack/gateway typecheck`
  - Pass on 2026-03-13 after fixing parameter ordering and mission project nullability.
- `pnpm --filter @mosaicstack/gateway lint`
  - Pass on 2026-03-13.
- `pnpm --filter @mosaicstack/gateway test`
  - Pass on 2026-03-13 with 3 test files and 23 tests passing.
- `pnpm format:check`
  - Pass on 2026-03-13.

## Review Log

- Manual review: checked for auth regressions, cross-user list leakage, and dashboard behavior impact; kept unfiltered task list functional by filtering to owned projects/missions instead of returning an empty list.
- Automated review: `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` running/re-run for independent review evidence.

## Risks / Blockers

- Repository-wide Mosaic instructions require merge/issue closure, but the user explicitly instructed PR-only and no merge; follow the user instruction.
- `docs/TASKS.md` is orchestrator-owned and will not be edited from this worker task.
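
The ownership rules from the acceptance criteria and the review log (reject unowned `projectId`/`missionId` references, and scope the unfiltered task list to owned projects/missions rather than emptying it), as an added TypeScript sketch that is not the gateway's own code. The in-memory model, the sample data, and the names `owns`, `assertOwned`, `listTasks`, `createTask` and `createMission` are all hypothetical.

```typescript
// Hypothetical in-memory model; these names are assumptions, not the gateway's types or helpers.
type Owned = { id: string; ownerId: string };
type Mission = Owned & { projectId: string | null };
type Task = { id: string; projectId: string | null; missionId: string | null };

// Constructed sample data: alice owns p1 and m1, bob owns p2 and m2.
const projects: Owned[] = [{ id: "p1", ownerId: "alice" }, { id: "p2", ownerId: "bob" }];
const missions: Mission[] = [
  { id: "m1", ownerId: "alice", projectId: "p1" },
  { id: "m2", ownerId: "bob", projectId: null },
];
const tasks: Task[] = [
  { id: "t1", projectId: "p1", missionId: null },
  { id: "t2", projectId: "p2", missionId: null },
  { id: "t3", projectId: null, missionId: "m2" },
];

function owns(rows: Owned[], id: string | null, userId: string): boolean {
  return id !== null && rows.some((r) => r.id === id && r.ownerId === userId);
}

// Rejects a referenced id the caller does not own; unknown ids are rejected the same way.
function assertOwned(rows: Owned[], id: string | undefined, userId: string): void {
  if (id !== undefined && !owns(rows, id, userId)) throw new Error("Forbidden: " + id);
}

function listTasks(userId: string, filter: { projectId?: string; missionId?: string } = {}): Task[] {
  assertOwned(projects, filter.projectId, userId);
  assertOwned(missions, filter.missionId, userId);
  return tasks.filter((t) =>
    (filter.projectId === undefined || t.projectId === filter.projectId) &&
    (filter.missionId === undefined || t.missionId === filter.missionId) &&
    // Scope to owned projects/missions even with no filter, so the bare list never leaks.
    (owns(projects, t.projectId, userId) || owns(missions, t.missionId, userId)));
}

function createTask(userId: string, input: { id: string; projectId?: string; missionId?: string }): Task {
  assertOwned(projects, input.projectId, userId);
  assertOwned(missions, input.missionId, userId);
  const task: Task = { id: input.id, projectId: input.projectId ?? null, missionId: input.missionId ?? null };
  tasks.push(task);
  return task;
}

function createMission(userId: string, input: { id: string; projectId?: string }): Mission {
  assertOwned(projects, input.projectId, userId);
  const mission: Mission = { id: input.id, ownerId: userId, projectId: input.projectId ?? null };
  missions.push(mission);
  return mission;
}
```

The ownership check runs before any write, so a rejected `createTask` or `createMission` call leaves the stored rows unchanged.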