Security audit findings and fixes:
M2-001 — searchByEmbedding: confirmed already user-scoped via WHERE user_id
M2-002 — findByUser: confirmed already user-scoped
M2-002 — decayOldInsights: was global (no userId filter); now requires userId
param and scopes UPDATE to eq(insights.userId, userId). Added decayAllInsights
as a separate system-only method for cron tier management.
Additional unscoped operations fixed:
- findById: added userId param + AND eq(userId) to prevent cross-user read
- update: added userId param + AND eq(userId) to prevent cross-user write
- remove: added userId param + AND eq(userId) to prevent cross-user delete
- memory.controller getInsight/removeInsight: now pass user.id for ownership
- summarization.service: switched tier-management cron to decayAllInsights
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Jason Woltje
b5d600e39b