Context
From QA sweep qa-open-prs on #1 (merged 2026-04-18).
Issue
views/notes/service/index.ts subscribes to khal.*.notes.* (wildcard matches any org), but CRUD handlers key off userId from the message body rather than extracting the orgId from the subject.
In a multi-tenant kernel, a client in Org B addressing Org A's subject would be served if they know a valid userId — the * segment is silently ignored.
Ask
- Extract
orgId from the subject (NATS subject tokens: msg.subject.split('.')[1] or SDK-provided helper)
- Scope the in-memory `store` by `(orgId, userId)` instead of `userId` alone
- Reject (or error-respond) when the subject's `orgId` doesn't match the request body's claimed org (if the body carries one)
References
Priority
P2 — scaffolding stage, no production tenants yet. Harden before multi-tenant cutover.
Context
From QA sweep
qa-open-prson #1 (merged 2026-04-18).Issue
views/notes/service/index.tssubscribes tokhal.*.notes.*(wildcard matches any org), but CRUD handlers key offuserIdfrom the message body rather than extracting theorgIdfrom the subject.In a multi-tenant kernel, a client in Org B addressing Org A's subject would be served if they know a valid
userId— the*segment is silently ignored.Ask
orgIdfrom the subject (NATS subject tokens:msg.subject.split('.')[1]or SDK-provided helper)References
Priority
P2 — scaffolding stage, no production tenants yet. Harden before multi-tenant cutover.