feat: scope every API endpoint to the token's sub; expose ownerId in DTOs

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

server/api/tasks/mirror.put.ts

@@ -1,7 +1,8 @@
-// PUT /api/tasks/mirror (desktop) — full-replace of the desktop's current Idle backlog.
+// PUT /api/tasks/mirror (desktop) — full-replace of the caller's desktop Idle backlog.
 // Body: [{ id, listId, title, description? }, ...] (camelCase). An empty array is valid and
-// clears the desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting pull
-// (consumed=false) are never touched here.
+// clears the caller's desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting
+// pull (consumed=false) and other users' rows are never touched. Any client-supplied ownerId
+// on items is ignored — ownership comes from the verified token.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   if (!Array.isArray(body)) {
@@ -28,16 +29,17 @@ export default defineEventHandler(async (event) => {
     });
   }
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
 
-  // Every referenced list must exist (lists are full-replaced before tasks are mirrored).
+  // Every referenced list must exist for the caller (lists are full-replaced before tasks are mirrored).
   const listIds = [...new Set(items.map((t) => t.listId))];
   for (const id of listIds) {
-    if (!(await listExists(sql, id))) {
+    if (!(await listExists(sql, ownerId, id))) {
       throw createError({ statusCode: 400, statusMessage: `unknown listId: ${id}` });
     }
   }
 
-  await mirrorDesktopTasks(sql, items);
+  await mirrorDesktopTasks(sql, ownerId, items);
   return { ok: true, count: items.length };
 });