Danny Avila ad08df4db6 🔏 fix: Scope Agent-Author File Access to Attached Files Only (#12251) ... * 🛡️ fix: Scope agent-author file access to attached files only The hasAccessToFilesViaAgent helper short-circuited for agent authors, granting access to all requested file IDs without verifying they were attached to the agent's tool_resources. This enabled an IDOR where any agent author could delete arbitrary files by supplying their agent_id alongside unrelated file IDs. Now both the author and non-author paths check file IDs against the agent's tool_resources before granting access. * chore: Use Object.values/for...of and add JSDoc in getAttachedFileIds * test: Add boundary cases for agent file access authorization - Agent with no tool_resources denies all access (fail-closed) - Files across multiple resource types are all reachable - Author + isDelete: true still scopes to attached files only		2026-03-15 18:54:34 -04:00
..
controllers	🪪 fix: Enforce VIEW ACL on Agent Edge References at Write and Runtime (#12246)	2026-03-15 18:08:57 -04:00
middleware	🛡️ fix: Enforce MULTI_CONVO and agent ACL checks on addedConvo (#12243)	2026-03-15 17:12:45 -04:00
routes	🛡️ refactor: Scope Action Mutations by Parent Resource Ownership (#12237)	2026-03-15 10:19:29 -04:00
services	🔏 fix: Scope Agent-Author File Access to Attached Files Only (#12251)	2026-03-15 18:54:34 -04:00
utils	📏 refactor: Add File Size Limits to Conversation Imports (#12221)	2026-03-14 03:06:29 -04:00
cleanup.js	🪣 fix: Prevent Memory Retention from AsyncLocalStorage Context Propagation (#11942)	2026-02-25 17:41:23 -05:00
experimental.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
index.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
index.spec.js	🚦 fix: 404 JSON Responses for Unmatched API Routes (#11976)	2026-02-27 22:49:54 -05:00
socialLogins.js	🔒 fix: Secure Cookie Localhost Bypass and OpenID Token Selection in AuthService (#11782)	2026-02-13 10:35:51 -05:00