feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

server/api/tasks/[id].delete.ts

@@ -1,6 +1,6 @@
-// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent.
+// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent, scoped to the caller's rows.
 export default defineEventHandler(async (event) => {
-  await deleteTask(getSql(), getRouterParam(event, "id")!);
+  await deleteTask(getSql(), ownerOf(event), getRouterParam(event, "id")!);
   setResponseStatus(event, 204);
   return null;
 });

server/api/tasks/[id].put.ts

@@ -1,4 +1,4 @@
-// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task.
+// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task, owned by the caller.
 export default defineEventHandler(async (event) => {
   const id = getRouterParam(event, "id")!;
   const body = await readBody(event);
@@ -9,12 +9,13 @@ export default defineEventHandler(async (event) => {
   }
   const description = typeof body?.description === "string" ? body.description : null;
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
-  if (!(await listExists(sql, listId))) {
+  if (!(await listExists(sql, ownerId, listId))) {
     throw createError({ statusCode: 404, statusMessage: "list not found" });
   }
 
-  const { created } = await upsertDesktopTask(sql, id, { listId, title, description });
+  const { created } = await upsertDesktopTask(sql, ownerId, id, { listId, title, description });
   setResponseStatus(event, created ? 201 : 200);
   return { id };
 });

server/api/tasks/[id]/consume.post.ts

@@ -1,6 +1,6 @@
-// POST /api/tasks/:id/consume (desktop) — mark a web task imported. Idempotent.
+// POST /api/tasks/:id/consume (desktop) — mark the caller's web task imported. Idempotent.
 export default defineEventHandler(async (event) => {
-  const ok = await consume(getSql(), getRouterParam(event, "id")!);
+  const ok = await consume(getSql(), ownerOf(event), getRouterParam(event, "id")!);
   if (!ok) {
     throw createError({ statusCode: 404, statusMessage: "task not found" });
   }

server/api/tasks/mirror.put.ts

@@ -1,7 +1,8 @@
-// PUT /api/tasks/mirror (desktop) — full-replace of the desktop's current Idle backlog.
+// PUT /api/tasks/mirror (desktop) — full-replace of the caller's desktop Idle backlog.
 // Body: [{ id, listId, title, description? }, ...] (camelCase). An empty array is valid and
-// clears the desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting pull
-// (consumed=false) are never touched here.
+// clears the caller's desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting
+// pull (consumed=false) and other users' rows are never touched. Any client-supplied ownerId
+// on items is ignored — ownership comes from the verified token.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   if (!Array.isArray(body)) {
@@ -28,16 +29,17 @@ export default defineEventHandler(async (event) => {
     });
   }
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
 
-  // Every referenced list must exist (lists are full-replaced before tasks are mirrored).
+  // Every referenced list must exist for the caller (lists are full-replaced before tasks are mirrored).
   const listIds = [...new Set(items.map((t) => t.listId))];
   for (const id of listIds) {
-    if (!(await listExists(sql, id))) {
+    if (!(await listExists(sql, ownerId, id))) {
       throw createError({ statusCode: 400, statusMessage: `unknown listId: ${id}` });
     }
   }
 
-  await mirrorDesktopTasks(sql, items);
+  await mirrorDesktopTasks(sql, ownerId, items);
   return { ok: true, count: items.length };
 });