feat: per-user data isolation (ownerId scoping)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

.env.example

@@ -6,8 +6,8 @@ DATABASE_URL=postgres://mika:CHANGEME@l8kogcggsc80sgcgk8kswww4:5432/claudedo
 ZITADEL_ISSUER=https://auth.kuns.dev
 # Comma-separated accepted audiences: web client id, desktop client id, project id
 ZITADEL_AUDIENCE=
-# Comma-separated owner Zitadel user ids (the single owner's `sub`)
+# Zitadel project role required for API access (default: user)
-ALLOWED_USER_IDS=
+REQUIRED_ROLE=user
 # CORS: the web client origin (the app's own origin)
 WEB_ORIGIN=https://claudedo.kuns.dev
 

.gitignore

@@ -9,3 +9,5 @@ node_modules/
 .DS_Store
 .playwright-mcp/
 *.png
+!public/icons/*.png
+.claude/

README.md

@@ -29,16 +29,22 @@ the API, on shared PostgreSQL, behind Zitadel auth, deployed via Coolify.
 ## API
 
 Every `/api/**` route requires a valid Zitadel **access token** (`Authorization: Bearer …`)
-belonging to the owner. Missing/invalid/expired → `401`. No anonymous access.
+carrying the `user` project role. Missing/invalid/expired/role-less → `401`. No anonymous access.
+
+**Ownership:** every row carries `owner_id` = the writer's token `sub`. All reads and writes are
+scoped server-side to the caller (`owner_id = sub OR owner_id IS NULL`); full-replace endpoints
+only replace the caller's partition. `owner_id IS NULL` marks legacy pre-multi-user rows — visible
+to all authorized users and adopted by the next write that touches them. DTOs expose this as a
+nullable `ownerId`; any client-supplied `ownerId` is ignored.
 
 | Method & path | Caller | Behaviour |
 |---|---|---|
 | `PUT /api/lists` | desktop | Body `[{id,name}]` = full catalog. Upserts all, deletes lists not in payload (cascades tasks). → 200 |
-| `GET /api/lists` | web | → 200 `[{id,name}]` |
+| `GET /api/lists` | web | → 200 `[{id,name,ownerId}]` |
 | `GET /api/lists/{id}/tasks` | web | → 200 tasks for the list; 404 if unknown |
 | `POST /api/tasks` | web | Body `{title, description?, listId}`. Server-generated GUID, `source=web`, `consumed=false`. 404 if listId unknown. → 201 with the created task |
 | `PUT /api/tasks/mirror` | desktop | Body `[{id, listId, title, description?}, ...]` = the FULL current Idle backlog (camelCase; `[]` is valid). Full-replace of the desktop-owned partition: upsert each (as `consumed=true`), delete any `consumed=true` task not in the array, leave web-created `consumed=false` tasks untouched. Mirrors `PUT /lists`. → 200 |
-| `GET /api/tasks?consumed=false` | desktop | → 200 `[{id, listId, title, description, createdAt}]` web tasks not yet imported (awaiting pull) |
+| `GET /api/tasks?consumed=false` | desktop | → 200 `[{id, listId, title, description, ownerId, createdAt}]` web tasks not yet imported (awaiting pull) |
 | `POST /api/tasks/{id}/consume` | desktop | Sets `consumed=true` (imports a pulled web task into the desktop partition). Idempotent. → 200; 404 if unknown |
 | `PUT /api/tasks/{id}` · `DELETE /api/tasks/{id}` | desktop | Legacy per-task upsert/delete — **superseded by `PUT /tasks/mirror`**. Kept for compatibility. |
 
@@ -83,7 +89,7 @@ Server-only values are read from `process.env` at runtime (set them in Coolify):
 | `DATABASE_URL` | `postgres://mika:…@l8kogcggsc80sgcgk8kswww4:5432/claudedo` (shared PG, internal host) |
 | `ZITADEL_ISSUER` | `https://auth.kuns.dev` |
 | `ZITADEL_AUDIENCE` | accepted audiences (CSV): web id, desktop id, project id |
-| `ALLOWED_USER_IDS` | owner `sub` allowlist (CSV) |
+| `REQUIRED_ROLE` | Zitadel project role required for API access (default `user`; grant it to accounts in Zitadel) |
 | `WEB_ORIGIN` | CORS allowed origin (`https://claudedo.kuns.dev`) |
 
 Public web-client config is **baked at build time** (non-secret) via Dockerfile build args

app/composables/useAuth.ts

@@ -1,5 +1,15 @@
 import type { ZitadelAuth } from "@kuns/zitadel-auth";
 
+/** API call failure carrying the HTTP status (401 = authenticated but not authorized). */
+export class ApiError extends Error {
+  constructor(
+    message: string,
+    public status: number,
+  ) {
+    super(message);
+  }
+}
+
 // Access the bootstrap-provided Zitadel auth instance + a small JSON helper for /api calls.
 // By the time any component mounts, the plugin has gated auth, so `auth` is authenticated.
 // `auth.fetch` auto-attaches the Bearer access token.
@@ -16,7 +26,7 @@ export function useAuth() {
       } catch {
         // non-JSON error body
       }
-      throw new Error(message);
+      throw new ApiError(message, res.status);
     }
     if (res.status === 204) return undefined as T;
     return (await res.json()) as T;

app/pages/index.vue

@@ -1,7 +1,10 @@
 <script setup lang="ts">
+import { ApiError } from "~/composables/useAuth";
+
 interface List {
   id: string;
   name: string;
+  ownerId?: string | null;
 }
 interface Task {
   id: string;
@@ -10,6 +13,7 @@ interface Task {
   description: string | null;
   source: string;
   consumed: boolean;
+  ownerId?: string | null;
   createdAt: string;
 }
 
@@ -22,12 +26,30 @@ const loadingLists = ref(true);
 const loadingTasks = ref(false);
 const error = ref<string | null>(null);
 
+// Authenticated but the token lacks the required Zitadel project role → API answers 401.
+const missingRole = ref(false);
+
+// Defense-in-depth: the server already scopes every query by the token's sub; additionally
+// hide anything not owned by the current user. Absent ownerId = legacy (pre-multi-user) row.
+const mine = (x: { ownerId?: string | null }) => !x.ownerId || x.ownerId === auth.user?.sub;
+
+function handleApiError(e: unknown) {
+  if (e instanceof ApiError && e.status === 401) {
+    missingRole.value = true;
+  } else {
+    error.value = (e as Error).message;
+  }
+}
+
 const title = ref("");
 const description = ref("");
 const showNote = ref(false);
 const adding = ref(false);
 const titleInput = ref<HTMLInputElement | null>(null);
 
+const sheetOpen = ref(false);
+const expandedId = ref<string | null>(null);
+
 const selectedList = computed(() => lists.value.find((l) => l.id === selectedId.value) ?? null);
 
 const today = new Intl.DateTimeFormat(undefined, {
@@ -40,12 +62,12 @@ async function refreshLists() {
   loadingLists.value = true;
   error.value = null;
   try {
-    lists.value = await api<List[]>("/lists");
+    lists.value = (await api<List[]>("/lists")).filter(mine);
     if (lists.value.length && !lists.value.some((l) => l.id === selectedId.value)) {
       await selectList(lists.value[0]!.id);
     }
   } catch (e) {
-    error.value = (e as Error).message;
+    handleApiError(e);
   } finally {
     loadingLists.value = false;
   }
@@ -53,6 +75,8 @@ async function refreshLists() {
 
 async function selectList(id: string) {
   selectedId.value = id;
+  sheetOpen.value = false;
+  expandedId.value = null;
   await refreshTasks();
 }
 
@@ -61,9 +85,9 @@ async function refreshTasks() {
   loadingTasks.value = true;
   error.value = null;
   try {
-    tasks.value = await api<Task[]>(`/lists/${selectedId.value}/tasks`);
+    tasks.value = (await api<Task[]>(`/lists/${selectedId.value}/tasks`)).filter(mine);
   } catch (e) {
-    error.value = (e as Error).message;
+    handleApiError(e);
   } finally {
     loadingTasks.value = false;
   }
@@ -90,7 +114,7 @@ async function addTask() {
     showNote.value = false;
     titleInput.value?.focus();
   } catch (e) {
-    error.value = (e as Error).message;
+    handleApiError(e);
   } finally {
     adding.value = false;
   }
@@ -101,6 +125,10 @@ function toggleNote() {
   if (!showNote.value) description.value = "";
 }
 
+function toggleTask(t: Task) {
+  expandedId.value = expandedId.value === t.id ? null : t.id;
+}
+
 onMounted(() => {
   // The auth plugin gates before mount, so this is normally authenticated.
   // Safety net: if not, drive login instead of calling the API (no 401 banner).
@@ -119,14 +147,26 @@ onMounted(() => {
           <button class="link" @click="auth.logout()">Sign out</button>
         </div>
       </div>
-      <h1>Inbox</h1>
+      <h1>{{ selectedList?.name ?? "Inbox" }}</h1>
       <p class="date">{{ today }}<template v-if="tasks.length"> · {{ tasks.length }} {{ tasks.length === 1 ? "task" : "tasks" }}</template></p>
     </header>
 
     <main class="content">
       <p v-if="error" class="error" role="alert">{{ error }}</p>
 
-      <template v-if="loadingLists">
+      <template v-if="missingRole">
+        <div class="empty">
+          <p class="empty-mark">⚠</p>
+          <p class="empty-title">No access yet</p>
+          <p class="muted">
+            You're signed in, but your account is missing the “user” role for ClaudeDo.
+            Ask the admin to grant it in Zitadel, then sign in again.
+          </p>
+          <button class="link" @click="auth.logout()">Sign out</button>
+        </div>
+      </template>
+
+      <template v-else-if="loadingLists">
         <p class="muted">Loading lists…</p>
       </template>
 
@@ -139,18 +179,6 @@ onMounted(() => {
       </template>
 
       <template v-else>
-        <nav class="lists" aria-label="Lists">
-          <button
-            v-for="l in lists"
-            :key="l.id"
-            class="chip"
-            :class="{ active: l.id === selectedId }"
-            @click="selectList(l.id)"
-          >
-            {{ l.name }}
-          </button>
-        </nav>
-
         <section class="tasks" aria-label="Tasks">
           <p v-if="loadingTasks" class="muted">Loading…</p>
           <div v-else-if="!tasks.length" class="empty">
@@ -159,16 +187,36 @@ onMounted(() => {
             <p class="muted">Nothing in {{ selectedList?.name }} yet. Capture something below.</p>
           </div>
           <ul v-else class="task-list">
-            <li v-for="(t, i) in tasks" :key="t.id" class="task" :style="{ '--i': i }">
+            <li v-for="(t, i) in tasks" :key="t.id" :style="{ '--i': i }">
+              <button
+                class="task"
+                :class="{ open: expandedId === t.id }"
+                :aria-expanded="expandedId === t.id"
+                @click="toggleTask(t)"
+              >
                 <p class="task-title">{{ t.title }}</p>
                 <p v-if="t.description" class="task-desc">{{ t.description }}</p>
+              </button>
             </li>
           </ul>
         </section>
       </template>
     </main>
 
-    <form v-if="lists.length" class="composer" @submit.prevent="addTask">
+    <footer v-if="lists.length && !missingRole" class="dock">
+      <button
+        v-if="lists.length > 1"
+        class="list-pill"
+        type="button"
+        :aria-expanded="sheetOpen"
+        @click="sheetOpen = !sheetOpen"
+      >
+        <span class="pill-label">List</span>
+        <span class="pill-name">{{ selectedList?.name }}</span>
+        <span class="pill-chevron" :class="{ up: sheetOpen }" aria-hidden="true">▾</span>
+      </button>
+
+      <form class="composer" @submit.prevent="addTask">
         <input
           v-if="showNote"
           v-model="description"
@@ -206,6 +254,27 @@ onMounted(() => {
           </button>
         </div>
       </form>
+    </footer>
+
+    <Transition name="fade">
+      <div v-if="sheetOpen" class="backdrop" @click="sheetOpen = false" />
+    </Transition>
+    <Transition name="slide">
+      <nav v-if="sheetOpen" class="sheet" aria-label="Switch list">
+        <div class="sheet-handle" aria-hidden="true"></div>
+        <p class="sheet-title">Lists</p>
+        <button
+          v-for="l in lists"
+          :key="l.id"
+          class="sheet-item"
+          :class="{ active: l.id === selectedId }"
+          @click="selectList(l.id)"
+        >
+          <span class="sheet-name">{{ l.name }}</span>
+          <span v-if="l.id === selectedId" class="sheet-check" aria-hidden="true">✓</span>
+        </button>
+      </nav>
+    </Transition>
   </div>
 </template>
 
@@ -230,9 +299,9 @@ onMounted(() => {
   -webkit-tap-highlight-color: transparent;
 }
 
-/* ——— Masthead: editorial, mobile-first ——— */
+/* ——— Masthead: compact, title = current list ——— */
 .masthead {
-  padding: max(1rem, env(safe-area-inset-top)) 1.25rem 0.75rem;
+  padding: max(0.85rem, env(safe-area-inset-top)) 1.25rem 0.6rem;
 }
 .masthead-row {
   display: flex;
@@ -249,16 +318,19 @@ onMounted(() => {
   color: var(--accent);
 }
 .masthead h1 {
-  margin: 0.4rem 0 0;
+  margin: 0.35rem 0 0;
   font-family: "Fraunces", Georgia, serif;
   font-weight: 600;
-  font-size: clamp(2.1rem, 9vw, 2.75rem);
+  font-size: clamp(1.6rem, 7vw, 2.1rem);
   line-height: 1.05;
   letter-spacing: -0.02em;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
 }
 .date {
-  margin: 0.3rem 0 0;
+  margin: 0.25rem 0 0;
-  font-size: 0.85rem;
+  font-size: 0.8rem;
   color: var(--muted);
 }
 .who {
@@ -292,7 +364,7 @@ onMounted(() => {
 
 .content {
   flex: 1;
-  padding: 0.5rem 1.25rem 1rem;
+  padding: 0.25rem 1.25rem 1rem;
   display: flex;
   flex-direction: column;
   gap: 0.9rem;
@@ -300,88 +372,82 @@ onMounted(() => {
   overscroll-behavior-y: contain;
 }
 
-/* ——— List chips: edge-to-edge swipe row ——— */
+/* ——— Tasks: dense divided rows, tap to expand ——— */
-.lists {
-  display: flex;
-  gap: 0.5rem;
-  overflow-x: auto;
-  margin: 0 -1.25rem;
-  padding: 0.25rem 1.25rem;
-  scrollbar-width: none;
-  scroll-snap-type: x proximity;
-}
-.lists::-webkit-scrollbar {
-  display: none;
-}
-.chip {
-  flex: 0 0 auto;
-  scroll-snap-align: start;
-  min-height: 44px;
-  padding: 0.55rem 1.1rem;
-  border-radius: 999px;
-  border: 1px solid var(--border);
-  background: var(--card);
-  color: var(--text);
-  font-family: inherit;
-  font-size: 0.9rem;
-  font-weight: 600;
-  cursor: pointer;
-  touch-action: manipulation;
-  transition: background 0.15s, border-color 0.15s, color 0.15s, transform 0.1s;
-}
-.chip:active {
-  transform: scale(0.96);
-}
-.chip.active {
-  background: var(--accent);
-  border-color: var(--accent);
-  color: var(--accent-contrast);
-}
-
-/* ——— Tasks: paper cards with staggered entrance ——— */
 .task-list {
   list-style: none;
   margin: 0;
   padding: 0;
-  display: flex;
-  flex-direction: column;
-  gap: 0.6rem;
-}
-.task {
   background: var(--card);
   border: 1px solid var(--border);
   border-radius: 14px;
-  padding: 0.9rem 1rem;
   box-shadow: var(--shadow);
-  animation: rise 0.35s cubic-bezier(0.2, 0.7, 0.3, 1) both;
+  overflow: hidden;
-  animation-delay: calc(var(--i, 0) * 35ms);
+}
+.task-list li {
+  animation: rise 0.3s cubic-bezier(0.2, 0.7, 0.3, 1) both;
+  animation-delay: calc(var(--i, 0) * 25ms);
+}
+.task-list li + li {
+  border-top: 1px solid var(--border);
 }
 @keyframes rise {
   from {
     opacity: 0;
-    transform: translateY(10px);
+    transform: translateY(8px);
   }
   to {
     opacity: 1;
     transform: none;
   }
 }
+.task {
+  display: block;
+  width: 100%;
+  min-height: 48px;
+  padding: 0.65rem 0.95rem;
+  border: 0;
+  background: none;
+  color: inherit;
+  font: inherit;
+  text-align: left;
+  cursor: pointer;
+  touch-action: manipulation;
+}
+.task:active {
+  background: color-mix(in srgb, var(--accent-soft) 45%, transparent);
+}
 .task-title {
   margin: 0;
-  font-size: 1rem;
+  font-size: 0.95rem;
   font-weight: 500;
   line-height: 1.35;
+  display: -webkit-box;
+  -webkit-box-orient: vertical;
+  -webkit-line-clamp: 2;
+  overflow: hidden;
 }
 .task-desc {
-  margin: 0.35rem 0 0;
+  margin: 0.2rem 0 0;
-  font-size: 0.875rem;
+  font-size: 0.8rem;
   color: var(--muted);
   line-height: 1.45;
   white-space: pre-wrap;
+  display: -webkit-box;
+  -webkit-box-orient: vertical;
+  -webkit-line-clamp: 1;
+  overflow: hidden;
+}
+.task.open .task-title,
+.task.open .task-desc {
+  -webkit-line-clamp: unset;
+  display: block;
+}
+.task.open {
+  background: color-mix(in srgb, var(--accent-soft) 30%, transparent);
 }
 
 .empty {
-  margin-top: 14vh;
+  margin-top: 12vh;
   text-align: center;
   padding: 0 1.5rem;
 }
@@ -412,19 +478,64 @@ onMounted(() => {
   margin: 0;
 }
 
-/* ——— Composer: thumb-zone capture bar ——— */
+/* ——— Dock: list switcher + capture, all in the thumb zone ——— */
-.composer {
+.dock {
   position: sticky;
   bottom: 0;
+  z-index: 10;
   display: flex;
   flex-direction: column;
   gap: 0.5rem;
-  padding: 0.65rem 1rem calc(0.65rem + env(safe-area-inset-bottom));
+  padding: 0.6rem 1rem calc(0.6rem + env(safe-area-inset-bottom));
   background: color-mix(in srgb, var(--bg) 88%, transparent);
   backdrop-filter: blur(12px);
   -webkit-backdrop-filter: blur(12px);
   border-top: 1px solid var(--border);
 }
+.list-pill {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  align-self: flex-start;
+  max-width: 100%;
+  min-height: 40px;
+  padding: 0.4rem 0.9rem;
+  border: 1px solid var(--border);
+  border-radius: 999px;
+  background: var(--card);
+  color: var(--text);
+  font-family: inherit;
+  font-size: 0.85rem;
+  font-weight: 600;
+  cursor: pointer;
+  touch-action: manipulation;
+  box-shadow: var(--shadow);
+}
+.pill-label {
+  font-size: 0.65rem;
+  font-weight: 600;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  color: var(--muted);
+}
+.pill-name {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+.pill-chevron {
+  color: var(--accent);
+  transition: transform 0.2s;
+}
+.pill-chevron.up {
+  transform: rotate(180deg);
+}
+
+.composer {
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+}
 .capture {
   display: flex;
   align-items: center;
@@ -510,28 +621,128 @@ onMounted(() => {
   }
 }
 
+/* ——— Bottom sheet: list picker in the thumb zone ——— */
+.backdrop {
+  position: fixed;
+  inset: 0;
+  z-index: 20;
+  background: rgb(20 14 8 / 0.35);
+}
+.sheet {
+  position: fixed;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  z-index: 21;
+  max-width: 28rem;
+  margin: 0 auto;
+  max-height: 70dvh;
+  overflow-y: auto;
+  overscroll-behavior: contain;
+  background: var(--card);
+  border: 1px solid var(--border);
+  border-bottom: 0;
+  border-radius: 20px 20px 0 0;
+  padding: 0.5rem 0.75rem calc(0.75rem + env(safe-area-inset-bottom));
+  box-shadow: 0 -8px 32px rgb(20 14 8 / 0.15);
+}
+.sheet-handle {
+  width: 40px;
+  height: 4px;
+  border-radius: 2px;
+  background: var(--border);
+  margin: 0.25rem auto 0.5rem;
+}
+.sheet-title {
+  margin: 0 0 0.25rem;
+  padding: 0 0.5rem;
+  font-size: 0.7rem;
+  font-weight: 600;
+  letter-spacing: 0.15em;
+  text-transform: uppercase;
+  color: var(--muted);
+}
+.sheet-item {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.75rem;
+  width: 100%;
+  min-height: 52px;
+  padding: 0.7rem 0.85rem;
+  border: 0;
+  border-radius: 12px;
+  background: none;
+  color: var(--text);
+  font-family: inherit;
+  font-size: 1rem;
+  font-weight: 500;
+  text-align: left;
+  cursor: pointer;
+  touch-action: manipulation;
+}
+.sheet-item:active {
+  background: var(--accent-soft);
+}
+.sheet-item.active {
+  color: var(--accent);
+  font-weight: 600;
+}
+.sheet-name {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+.sheet-check {
+  color: var(--accent);
+}
+
+.fade-enter-active,
+.fade-leave-active {
+  transition: opacity 0.2s;
+}
+.fade-enter-from,
+.fade-leave-to {
+  opacity: 0;
+}
+.slide-enter-active,
+.slide-leave-active {
+  transition: transform 0.25s cubic-bezier(0.2, 0.7, 0.3, 1);
+}
+.slide-enter-from,
+.slide-leave-to {
+  transform: translateY(100%);
+}
+
 /* ——— Larger screens: the enhancement, not the default ——— */
 @media (min-width: 640px) {
   .masthead,
   .content,
-  .composer {
+  .dock {
     padding-left: max(1.25rem, calc(50vw - 19rem));
     padding-right: max(1.25rem, calc(50vw - 19rem));
   }
   .email {
     display: inline;
   }
-  .lists {
+  .sheet {
-    margin: 0;
+    border-radius: 20px;
-    padding: 0.25rem 0;
+    bottom: 1rem;
+    border-bottom: 1px solid var(--border);
   }
 }
 
 @media (prefers-reduced-motion: reduce) {
-  .task,
+  .task-list li,
   .input.note {
     animation: none;
   }
+  .slide-enter-active,
+  .slide-leave-active,
+  .fade-enter-active,
+  .fade-leave-active {
+    transition: none;
+  }
 }
 
 @media (prefers-color-scheme: dark) {
@@ -551,5 +762,8 @@ onMounted(() => {
     border-color: #5a2a22;
     color: #ff9a8d;
   }
+  .backdrop {
+    background: rgb(0 0 0 / 0.5);
+  }
 }
 </style>

app/plugins/pwa.client.ts

@@ -0,0 +1,6 @@
+export default defineNuxtPlugin(() => {
+  if (!("serviceWorker" in navigator)) return;
+  window.addEventListener("load", () => {
+    navigator.serviceWorker.register("/sw.js").catch(() => {});
+  });
+});

nuxt.config.ts

@@ -23,11 +23,15 @@ export default defineNuxtConfig({
         { name: "color-scheme", content: "light dark" },
         { name: "theme-color", media: "(prefers-color-scheme: light)", content: "#f4f1ea" },
         { name: "theme-color", media: "(prefers-color-scheme: dark)", content: "#181410" },
+        { name: "mobile-web-app-capable", content: "yes" },
         { name: "apple-mobile-web-app-capable", content: "yes" },
         { name: "apple-mobile-web-app-status-bar-style", content: "default" },
         { name: "apple-mobile-web-app-title", content: "ClaudeDo" },
       ],
       link: [
+        { rel: "manifest", href: "/manifest.webmanifest" },
+        { rel: "apple-touch-icon", href: "/icons/apple-touch-icon.png" },
+        { rel: "icon", type: "image/png", sizes: "192x192", href: "/icons/icon-192.png" },
         { rel: "preconnect", href: "https://fonts.googleapis.com" },
         { rel: "preconnect", href: "https://fonts.gstatic.com", crossorigin: "" },
         {

public/manifest.webmanifest

@@ -0,0 +1,17 @@
+{
+  "id": "/",
+  "name": "ClaudeDo Inbox",
+  "short_name": "ClaudeDo",
+  "description": "Task inbox for the ClaudeDo backlog",
+  "start_url": "/",
+  "scope": "/",
+  "display": "standalone",
+  "background_color": "#181410",
+  "theme_color": "#181410",
+  "icons": [
+    { "src": "/icons/icon-192.png", "sizes": "192x192", "type": "image/png", "purpose": "any" },
+    { "src": "/icons/icon-512.png", "sizes": "512x512", "type": "image/png", "purpose": "any" },
+    { "src": "/icons/icon-maskable-192.png", "sizes": "192x192", "type": "image/png", "purpose": "maskable" },
+    { "src": "/icons/icon-maskable-512.png", "sizes": "512x512", "type": "image/png", "purpose": "maskable" }
+  ]
+}

public/sw.js

@@ -0,0 +1,6 @@
+// Minimal service worker: enables PWA installability across browsers.
+// Intentionally no caching — the app is a private, auth-gated SPA and stale
+// assets after a deploy are worse than requiring a connection.
+self.addEventListener("install", () => self.skipWaiting());
+self.addEventListener("activate", (event) => event.waitUntil(self.clients.claim()));
+self.addEventListener("fetch", () => {});

scripts/provision-zitadel.ts

@@ -148,7 +148,7 @@ try {
     humans[0] ??
     owner;
 } catch (e) {
-  console.error(`\n(could not list users: ${(e as Error).message}) — set ALLOWED_USER_IDS manually`);
+  console.error(`\n(could not list users: ${(e as Error).message}) — grant the "user" project role manually`);
 }
 
 const result = {
@@ -159,7 +159,8 @@ const result = {
   ownerUserName: owner.userName,
   env: {
     ZITADEL_AUDIENCE: [webClientId, desktopClientId, projectId].filter(Boolean).join(","),
-    ALLOWED_USER_IDS: owner.id,
+    // Access is role-based: grant the project role below to each allowed account in Zitadel.
+    REQUIRED_ROLE: "user",
     NUXT_PUBLIC_ZITADEL_CLIENT_ID: webClientId,
     PROJECT_AUDIENCE_SCOPE: `urn:zitadel:iam:org:project:id:${projectId}:aud`,
   },

server/api/lists.get.ts

@@ -1,4 +1,5 @@
-// GET /api/lists (web) — all lists.
+// GET /api/lists (web) — the caller's lists (plus legacy unowned).
-export default defineEventHandler(async () => {
+export default defineEventHandler(async (event) => {
-  return getLists(getSql());
+  const rows = await getLists(getSql(), ownerOf(event));
+  return rows.map((r) => ({ id: r.id, name: r.name, ownerId: r.owner_id }));
 });

server/api/lists.put.ts

@@ -1,4 +1,6 @@
-// PUT /api/lists (desktop) — full-replace catalog. Upsert all supplied; delete the rest.
+// PUT /api/lists (desktop) — full-replace of the caller's catalog. Upsert all supplied;
+// delete the caller's lists not present. Any client-supplied ownerId is ignored — the
+// server stamps ownership from the verified token.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   if (
@@ -9,6 +11,7 @@ export default defineEventHandler(async (event) => {
   }
   await replaceLists(
     getSql(),
+    ownerOf(event),
     body.map((l) => ({ id: l.id, name: l.name })),
   );
   return { ok: true };

server/api/lists/[id]/tasks.get.ts

@@ -1,10 +1,11 @@
-// GET /api/lists/:id/tasks (web) — Idle tasks for a list. 404 if the list is unknown.
+// GET /api/lists/:id/tasks (web) — the caller's Idle tasks for a list. 404 if the list is unknown (to the caller).
 export default defineEventHandler(async (event) => {
   const id = getRouterParam(event, "id")!;
+  const ownerId = ownerOf(event);
   const sql = getSql();
-  if (!(await listExists(sql, id))) {
+  if (!(await listExists(sql, ownerId, id))) {
     throw createError({ statusCode: 404, statusMessage: "list not found" });
   }
-  const rows = await getTasksForList(sql, id);
+  const rows = await getTasksForList(sql, ownerId, id);
   return rows.map(toTaskDto);
 });

server/api/tasks.get.ts

@@ -1,11 +1,12 @@
-// GET /api/tasks?consumed=false (desktop) — web-created tasks not yet imported.
+// GET /api/tasks?consumed=false (desktop) — the caller's web-created tasks not yet imported.
-export default defineEventHandler(async () => {
+export default defineEventHandler(async (event) => {
-  const rows = await getUnconsumed(getSql());
+  const rows = await getUnconsumed(getSql(), ownerOf(event));
   return rows.map((r) => ({
     id: r.id,
     listId: r.list_id,
     title: r.title,
     description: r.description,
+    ownerId: r.owner_id,
     createdAt: new Date(r.created_at).toISOString(),
   }));
 });

server/api/tasks.post.ts

@@ -1,4 +1,4 @@
-// POST /api/tasks (web) — create an Idle task with a server-generated GUID.
+// POST /api/tasks (web) — create an Idle task with a server-generated GUID, owned by the caller.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   const title = typeof body?.title === "string" ? body.title.trim() : "";
@@ -9,12 +9,13 @@ export default defineEventHandler(async (event) => {
   const description =
     typeof body?.description === "string" && body.description.trim() ? body.description : null;
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
-  if (!(await listExists(sql, listId))) {
+  if (!(await listExists(sql, ownerId, listId))) {
     throw createError({ statusCode: 404, statusMessage: "list not found" });
   }
 
-  const row = await createWebTask(sql, { listId, title, description });
+  const row = await createWebTask(sql, ownerId, { listId, title, description });
   setResponseStatus(event, 201);
   return toTaskDto(row);
 });

server/api/tasks/[id].delete.ts

@@ -1,6 +1,6 @@
-// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent.
+// DELETE /api/tasks/:id (desktop) — task left Idle on desktop. Idempotent, scoped to the caller's rows.
 export default defineEventHandler(async (event) => {
-  await deleteTask(getSql(), getRouterParam(event, "id")!);
+  await deleteTask(getSql(), ownerOf(event), getRouterParam(event, "id")!);
   setResponseStatus(event, 204);
   return null;
 });

server/api/tasks/[id].put.ts

@@ -1,4 +1,4 @@
-// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task.
+// PUT /api/tasks/:id (desktop) — idempotent upsert mirroring a desktop Idle task, owned by the caller.
 export default defineEventHandler(async (event) => {
   const id = getRouterParam(event, "id")!;
   const body = await readBody(event);
@@ -9,12 +9,13 @@ export default defineEventHandler(async (event) => {
   }
   const description = typeof body?.description === "string" ? body.description : null;
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
-  if (!(await listExists(sql, listId))) {
+  if (!(await listExists(sql, ownerId, listId))) {
     throw createError({ statusCode: 404, statusMessage: "list not found" });
   }
 
-  const { created } = await upsertDesktopTask(sql, id, { listId, title, description });
+  const { created } = await upsertDesktopTask(sql, ownerId, id, { listId, title, description });
   setResponseStatus(event, created ? 201 : 200);
   return { id };
 });

server/api/tasks/[id]/consume.post.ts

@@ -1,6 +1,6 @@
-// POST /api/tasks/:id/consume (desktop) — mark a web task imported. Idempotent.
+// POST /api/tasks/:id/consume (desktop) — mark the caller's web task imported. Idempotent.
 export default defineEventHandler(async (event) => {
-  const ok = await consume(getSql(), getRouterParam(event, "id")!);
+  const ok = await consume(getSql(), ownerOf(event), getRouterParam(event, "id")!);
   if (!ok) {
     throw createError({ statusCode: 404, statusMessage: "task not found" });
   }

server/api/tasks/mirror.put.ts

@@ -1,7 +1,8 @@
-// PUT /api/tasks/mirror (desktop) — full-replace of the desktop's current Idle backlog.
+// PUT /api/tasks/mirror (desktop) — full-replace of the caller's desktop Idle backlog.
 // Body: [{ id, listId, title, description? }, ...] (camelCase). An empty array is valid and
-// clears the desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting pull
+// clears the caller's desktop-owned partition. Mirrors PUT /lists. Web-created tasks awaiting
-// (consumed=false) are never touched here.
+// pull (consumed=false) and other users' rows are never touched. Any client-supplied ownerId
+// on items is ignored — ownership comes from the verified token.
 export default defineEventHandler(async (event) => {
   const body = await readBody(event);
   if (!Array.isArray(body)) {
@@ -28,16 +29,17 @@ export default defineEventHandler(async (event) => {
     });
   }
 
+  const ownerId = ownerOf(event);
   const sql = getSql();
 
-  // Every referenced list must exist (lists are full-replaced before tasks are mirrored).
+  // Every referenced list must exist for the caller (lists are full-replaced before tasks are mirrored).
   const listIds = [...new Set(items.map((t) => t.listId))];
   for (const id of listIds) {
-    if (!(await listExists(sql, id))) {
+    if (!(await listExists(sql, ownerId, id))) {
       throw createError({ statusCode: 400, statusMessage: `unknown listId: ${id}` });
     }
   }
 
-  await mirrorDesktopTasks(sql, items);
+  await mirrorDesktopTasks(sql, ownerId, items);
   return { ok: true, count: items.length };
 });

server/middleware/1.auth.ts

@@ -27,14 +27,15 @@ export default defineEventHandler(async (event) => {
       let claims: Record<string, unknown> = {};
       try {
         const c = decodeJwt(token);
-        claims = { iss: c.iss, sub: c.sub, aud: c.aud, azp: c.azp, exp: c.exp, alg_present: true };
+        const roleClaims = Object.keys(c).filter((k) => k.includes(":project:") && k.endsWith(":roles"));
+        claims = { iss: c.iss, sub: c.sub, aud: c.aud, azp: c.azp, exp: c.exp, roleClaims, alg_present: true };
       } catch (de) {
         claims = { not_a_jwt: String(de).slice(0, 80) };
       }
       console.error(
         "[auth] verify failed:", (e as Error).message,
         "| claims:", JSON.stringify(claims),
-        "| ALLOWED_USER_IDS:", process.env.ALLOWED_USER_IDS,
+        "| REQUIRED_ROLE:", process.env.REQUIRED_ROLE || "user",
         "| ZITADEL_AUDIENCE:", process.env.ZITADEL_AUDIENCE,
       );
     }

server/utils/auth.ts

@@ -6,15 +6,31 @@ export interface VerifierConfig {
   issuer: string;
   /** Token is accepted if its `aud` includes at least one of these. */
   audiences: string[];
-  /** Token `sub` must be one of these (the single owner). */
+  /** Token must carry this Zitadel project role (granted in Zitadel, asserted into the access token). */
-  allowedSubs: string[];
+  requiredRole: string;
   /** Test seam: resolve the verification key directly instead of fetching JWKS. */
   keyResolver?: (token: string) => Promise<KeyInput>;
 }
 
+/**
+ * Zitadel asserts project roles into JWT access tokens as
+ * `urn:zitadel:iam:org:project:roles` (and a `…:project:<id>:roles` variant),
+ * each an object keyed by role key.
+ */
+export function rolesFromClaims(payload: JWTPayload): Set<string> {
+  const roles = new Set<string>();
+  for (const [claim, value] of Object.entries(payload)) {
+    if (!/^urn:zitadel:iam:org:project:(\d+:)?roles$/.test(claim)) continue;
+    if (value && typeof value === "object" && !Array.isArray(value)) {
+      for (const role of Object.keys(value)) roles.add(role);
+    }
+  }
+  return roles;
+}
+
 /**
  * Build a Zitadel access-token verifier. Verifies signature + issuer + expiry via JWKS,
- * then enforces audience and owner-sub allowlists. Throws on any failure.
+ * then enforces the audience and the required project role. Throws on any failure.
  */
 export function makeVerifier(cfg: VerifierConfig) {
   const jwks: JWTVerifyGetKey | null = cfg.keyResolver
@@ -29,8 +45,8 @@ export function makeVerifier(cfg: VerifierConfig) {
     if (!cfg.audiences.some((a) => aud.includes(a))) {
       throw new Error("token audience not accepted");
     }
-    if (!cfg.allowedSubs.includes(String(payload.sub))) {
+    if (!rolesFromClaims(payload).has(cfg.requiredRole)) {
-      throw new Error("subject not allowed");
+      throw new Error(`required role "${cfg.requiredRole}" not granted`);
     }
     return payload;
   };
@@ -51,7 +67,7 @@ export function getVerifier() {
     _cached = makeVerifier({
       issuer: process.env.ZITADEL_ISSUER || "https://auth.kuns.dev",
       audiences: splitCsv(process.env.ZITADEL_AUDIENCE),
-      allowedSubs: splitCsv(process.env.ALLOWED_USER_IDS),
+      requiredRole: process.env.REQUIRED_ROLE || "user",
     });
   }
   return _cached;

server/utils/dto.ts

@@ -7,6 +7,7 @@ export interface TaskDto {
   description: string | null;
   source: string;
   consumed: boolean;
+  ownerId: string | null;
   createdAt: string;
 }
 
@@ -18,6 +19,7 @@ export function toTaskDto(row: TaskRow): TaskDto {
     description: row.description,
     source: row.source,
     consumed: row.consumed,
+    ownerId: row.owner_id,
     createdAt: new Date(row.created_at).toISOString(),
   };
 }

server/utils/repo.ts

@@ -6,6 +6,7 @@ type Sql = ReturnType<typeof postgres>;
 export interface ListRow {
   id: string;
   name: string;
+  owner_id: string | null;
 }
 
 export interface TaskRow {
@@ -15,52 +16,68 @@ export interface TaskRow {
   description: string | null;
   source: string;
   consumed: boolean;
+  owner_id: string | null;
   created_at: Date;
   updated_at: Date;
 }
 
-export async function getLists(sql: Sql): Promise<ListRow[]> {
+// Ownership model: every read/write is scoped to the caller's Zitadel sub (ownerId).
-  return sql<ListRow[]>`select id, name from lists order by name`;
+// owner_id NULL = legacy row from before multi-user — visible to every authorized user
+// and adopted (stamped with the caller's sub) by the caller's next write that touches it.
+// Upserts use `on conflict … where` so they can never modify a row owned by someone else.
+
+export async function getLists(sql: Sql, ownerId: string): Promise<ListRow[]> {
+  return sql<ListRow[]>`
+    select id, name, owner_id from lists
+    where owner_id = ${ownerId} or owner_id is null
+    order by name`;
 }
 
-/** Full-replace catalog: upsert all supplied, delete any list not present (cascades tasks). */
+/** Full-replace of the caller's catalog: upsert all supplied, delete the caller's (and legacy) lists not present (cascades tasks). */
 export async function replaceLists(
   sql: Sql,
+  ownerId: string,
   lists: { id: string; name: string }[],
 ): Promise<void> {
   await sql.begin(async (tx) => {
     for (const l of lists) {
       await tx`
-        insert into lists (id, name, updated_at)
+        insert into lists (id, name, owner_id, updated_at)
-        values (${l.id}, ${l.name}, now())
+        values (${l.id}, ${l.name}, ${ownerId}, now())
-        on conflict (id) do update set name = excluded.name, updated_at = now()`;
+        on conflict (id) do update set name = excluded.name, owner_id = ${ownerId}, updated_at = now()
+        where lists.owner_id = ${ownerId} or lists.owner_id is null`;
     }
-    if (lists.length) {
     const ids = lists.map((l) => l.id);
-      await tx`delete from lists where id <> all(${ids})`;
+    if (ids.length) {
+      await tx`delete from lists where (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`;
     } else {
-      await tx`delete from lists`;
+      await tx`delete from lists where owner_id = ${ownerId} or owner_id is null`;
     }
   });
 }
 
-export async function listExists(sql: Sql, id: string): Promise<boolean> {
+export async function listExists(sql: Sql, ownerId: string, id: string): Promise<boolean> {
-  const rows = await sql`select 1 from lists where id = ${id}`;
+  const rows = await sql`
+    select 1 from lists where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
   return rows.length > 0;
 }
 
-export async function getTasksForList(sql: Sql, listId: string): Promise<TaskRow[]> {
+export async function getTasksForList(sql: Sql, ownerId: string, listId: string): Promise<TaskRow[]> {
-  return sql<TaskRow[]>`select * from tasks where list_id = ${listId} order by created_at`;
+  return sql<TaskRow[]>`
+    select * from tasks
+    where list_id = ${listId} and (owner_id = ${ownerId} or owner_id is null)
+    order by created_at`;
 }
 
 export async function createWebTask(
   sql: Sql,
+  ownerId: string,
   t: { listId: string; title: string; description: string | null },
 ): Promise<TaskRow> {
   const id = randomUUID();
   const [row] = await sql<TaskRow[]>`
-    insert into tasks (id, list_id, title, description, source, consumed)
+    insert into tasks (id, list_id, title, description, source, consumed, owner_id)
-    values (${id}, ${t.listId}, ${t.title}, ${t.description}, 'web', false)
+    values (${id}, ${t.listId}, ${t.title}, ${t.description}, 'web', false, ${ownerId})
     returning *`;
   return row;
 }
@@ -68,64 +85,76 @@ export async function createWebTask(
 /** Idempotent upsert of a desktop Idle task by id. Returns whether a row was inserted. */
 export async function upsertDesktopTask(
   sql: Sql,
+  ownerId: string,
   id: string,
   t: { listId: string; title: string; description?: string | null },
 ): Promise<{ created: boolean }> {
   const [row] = await sql<{ created: boolean }[]>`
-    insert into tasks (id, list_id, title, description, source)
+    insert into tasks (id, list_id, title, description, source, owner_id)
-    values (${id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop')
+    values (${id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', ${ownerId})
     on conflict (id) do update set
       list_id = excluded.list_id,
       title = excluded.title,
       description = excluded.description,
+      owner_id = ${ownerId},
       updated_at = now()
+    where tasks.owner_id = ${ownerId} or tasks.owner_id is null
     returning (xmax = 0) as created`;
-  return { created: row.created };
+  // row is undefined when the id exists but belongs to another user: blocked no-op.
+  return { created: row?.created ?? false };
 }
 
 /**
- * Full-replace of the desktop-owned partition (the desktop's current Idle backlog).
+ * Full-replace of the caller's desktop-owned partition (their current Idle backlog).
  * Mirrors `replaceLists`: upsert every supplied task as desktop-owned (consumed=true), and
- * delete any desktop-owned (consumed=true) task not in the payload. Web-created tasks still
+ * delete any of the caller's (or legacy) desktop-owned tasks not in the payload. Web-created
- * awaiting pull (consumed=false) are left untouched. An empty array clears the partition.
+ * tasks still awaiting pull (consumed=false) and other users' rows are left untouched.
  */
 export async function mirrorDesktopTasks(
   sql: Sql,
+  ownerId: string,
   items: { id: string; listId: string; title: string; description?: string | null }[],
 ): Promise<void> {
   await sql.begin(async (tx) => {
     for (const t of items) {
       await tx`
-        insert into tasks (id, list_id, title, description, source, consumed)
+        insert into tasks (id, list_id, title, description, source, consumed, owner_id)
-        values (${t.id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', true)
+        values (${t.id}, ${t.listId}, ${t.title}, ${t.description ?? null}, 'desktop', true, ${ownerId})
         on conflict (id) do update set
           list_id = excluded.list_id,
           title = excluded.title,
           description = excluded.description,
           source = 'desktop',
           consumed = true,
-          updated_at = now()`;
+          owner_id = ${ownerId},
+          updated_at = now()
+        where tasks.owner_id = ${ownerId} or tasks.owner_id is null`;
     }
     const ids = items.map((t) => t.id);
     if (ids.length) {
-      await tx`delete from tasks where consumed = true and id <> all(${ids})`;
+      await tx`delete from tasks
+        where consumed = true and (owner_id = ${ownerId} or owner_id is null) and id <> all(${ids})`;
     } else {
-      await tx`delete from tasks where consumed = true`;
+      await tx`delete from tasks where consumed = true and (owner_id = ${ownerId} or owner_id is null)`;
     }
   });
 }
 
-/** Web-created tasks the desktop has not yet imported. */
+/** The caller's web-created tasks the desktop has not yet imported. */
-export async function getUnconsumed(sql: Sql): Promise<TaskRow[]> {
+export async function getUnconsumed(sql: Sql, ownerId: string): Promise<TaskRow[]> {
   return sql<TaskRow[]>`
-    select * from tasks where source = 'web' and consumed = false order by created_at`;
+    select * from tasks
+    where source = 'web' and consumed = false and (owner_id = ${ownerId} or owner_id is null)
+    order by created_at`;
 }
 
-export async function consume(sql: Sql, id: string): Promise<boolean> {
+export async function consume(sql: Sql, ownerId: string, id: string): Promise<boolean> {
-  const res = await sql`update tasks set consumed = true, updated_at = now() where id = ${id}`;
+  const res = await sql`
+    update tasks set consumed = true, updated_at = now()
+    where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
   return res.count > 0;
 }
 
-export async function deleteTask(sql: Sql, id: string): Promise<void> {
+export async function deleteTask(sql: Sql, ownerId: string, id: string): Promise<void> {
-  await sql`delete from tasks where id = ${id}`;
+  await sql`delete from tasks where id = ${id} and (owner_id = ${ownerId} or owner_id is null)`;
 }

server/utils/schema.ts

@@ -20,4 +20,8 @@ create table if not exists tasks (
 
 create index if not exists idx_tasks_list_id on tasks(list_id);
 create index if not exists idx_tasks_unconsumed on tasks(consumed) where consumed = false;
+
+-- Multi-user plumbing: rows are owned by a Zitadel sub. NULL = legacy/unowned (pre-multi-user).
+alter table lists add column if not exists owner_id text;
+alter table tasks add column if not exists owner_id text;
 `;

server/utils/session.ts

@@ -0,0 +1,10 @@
+import { createError, type H3Event } from "h3";
+
+/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
+export function ownerOf(event: H3Event): string {
+  const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
+  if (typeof sub !== "string" || !sub) {
+    throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+  }
+  return sub;
+}

tests/auth.test.ts

@@ -1,15 +1,17 @@
 import { describe, expect, it } from "vitest";
 import { SignJWT, generateKeyPair } from "jose";
-import { makeVerifier } from "../server/utils/auth";
+import { makeVerifier, rolesFromClaims } from "../server/utils/auth";
 
 const ISS = "https://auth.kuns.dev";
+const ROLES_CLAIM = "urn:zitadel:iam:org:project:roles";
+const SCOPED_ROLES_CLAIM = "urn:zitadel:iam:org:project:376787351902355727:roles";
 
 async function setup() {
   const { publicKey, privateKey } = await generateKeyPair("RS256");
   const verify = makeVerifier({
     issuer: ISS,
     audiences: ["aud-web", "proj-1"],
-    allowedSubs: ["owner-1"],
+    requiredRole: "user",
     keyResolver: async () => publicKey,
   });
   const sign = (claims: Record<string, unknown>) =>
@@ -23,27 +25,33 @@ async function setup() {
 }
 
 describe("token verification", () => {
-  it("accepts an owner token with a valid audience", async () => {
+  it("accepts a token with the user role and a valid audience", async () => {
     const { verify, sign } = await setup();
-    const t = await sign({ sub: "owner-1", aud: ["aud-web"] });
+    const t = await sign({ sub: "u1", aud: ["aud-web"], [ROLES_CLAIM]: { user: { org: "kuns.dev" } } });
-    await expect(verify(t)).resolves.toMatchObject({ sub: "owner-1" });
+    await expect(verify(t)).resolves.toMatchObject({ sub: "u1" });
   });
 
-  it("accepts when aud is a single string in the allowed set", async () => {
+  it("accepts the role from the project-scoped claim variant", async () => {
     const { verify, sign } = await setup();
-    const t = await sign({ sub: "owner-1", aud: "proj-1" });
+    const t = await sign({ sub: "u1", aud: "proj-1", [SCOPED_ROLES_CLAIM]: { user: { org: "kuns.dev" } } });
-    await expect(verify(t)).resolves.toMatchObject({ sub: "owner-1" });
+    await expect(verify(t)).resolves.toMatchObject({ sub: "u1" });
   });
 
-  it("rejects a non-owner sub", async () => {
+  it("rejects a token without the required role", async () => {
     const { verify, sign } = await setup();
-    const t = await sign({ sub: "intruder", aud: ["aud-web"] });
+    const t = await sign({ sub: "u1", aud: ["aud-web"] });
-    await expect(verify(t)).rejects.toThrow();
+    await expect(verify(t)).rejects.toThrow(/required role/);
+  });
+
+  it("rejects a token whose roles do not include the required one", async () => {
+    const { verify, sign } = await setup();
+    const t = await sign({ sub: "u1", aud: ["aud-web"], [ROLES_CLAIM]: { viewer: { org: "kuns.dev" } } });
+    await expect(verify(t)).rejects.toThrow(/required role/);
   });
 
   it("rejects a token with no accepted audience", async () => {
     const { verify, sign } = await setup();
-    const t = await sign({ sub: "owner-1", aud: ["other"] });
+    const t = await sign({ sub: "u1", aud: ["other"], [ROLES_CLAIM]: { user: { org: "kuns.dev" } } });
     await expect(verify(t)).rejects.toThrow();
   });
 
@@ -52,10 +60,10 @@ describe("token verification", () => {
     const verify = makeVerifier({
       issuer: ISS,
       audiences: ["aud-web"],
-      allowedSubs: ["owner-1"],
+      requiredRole: "user",
       keyResolver: async () => publicKey,
     });
-    const t = await new SignJWT({ sub: "owner-1", aud: ["aud-web"] })
+    const t = await new SignJWT({ sub: "u1", aud: ["aud-web"], [ROLES_CLAIM]: { user: {} } })
       .setProtectedHeader({ alg: "RS256" })
       .setIssuer("https://evil.example")
       .setExpirationTime("5m")
@@ -63,3 +71,22 @@ describe("token verification", () => {
     await expect(verify(t)).rejects.toThrow();
   });
 });
+
+describe("rolesFromClaims", () => {
+  it("merges generic and project-scoped role claims", () => {
+    const roles = rolesFromClaims({
+      [ROLES_CLAIM]: { user: {} },
+      [SCOPED_ROLES_CLAIM]: { admin: {} },
+    });
+    expect(roles).toEqual(new Set(["user", "admin"]));
+  });
+
+  it("ignores malformed role claims and unrelated keys", () => {
+    const roles = rolesFromClaims({
+      [ROLES_CLAIM]: "not-an-object",
+      "urn:zitadel:iam:org:project:roles:extra": { nope: {} },
+      sub: "u1",
+    } as never);
+    expect(roles.size).toBe(0);
+  });
+});

tests/repo.test.ts

@@ -4,6 +4,9 @@ import * as repo from "../server/utils/repo";
 
 const sql = postgres(process.env.DATABASE_URL!, { max: 1, onnotice: () => {} });
 
+const U1 = "user-1";
+const U2 = "user-2";
+
 beforeEach(async () => {
   await sql`truncate lists cascade`;
 });
@@ -14,54 +17,56 @@ afterAll(async () => {
 
 describe("lists", () => {
   it("full-replace upserts supplied and deletes missing", async () => {
-    await repo.replaceLists(sql, [
+    await repo.replaceLists(sql, U1, [
       { id: "a", name: "A" },
       { id: "b", name: "B" },
     ]);
-    await repo.replaceLists(sql, [{ id: "a", name: "A2" }]); // b removed, a renamed
+    await repo.replaceLists(sql, U1, [{ id: "a", name: "A2" }]); // b removed, a renamed
-    const got = await repo.getLists(sql);
+    const got = await repo.getLists(sql, U1);
-    expect(got).toEqual([{ id: "a", name: "A2" }]);
+    expect(got).toEqual([{ id: "a", name: "A2", owner_id: U1 }]);
   });
 
-  it("empty payload clears all lists", async () => {
+  it("empty payload clears all my lists", async () => {
-    await repo.replaceLists(sql, [{ id: "a", name: "A" }]);
+    await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
-    await repo.replaceLists(sql, []);
+    await repo.replaceLists(sql, U1, []);
-    expect(await repo.getLists(sql)).toEqual([]);
+    expect(await repo.getLists(sql, U1)).toEqual([]);
   });
 
   it("deleting a list cascades its tasks", async () => {
-    await repo.replaceLists(sql, [{ id: "a", name: "A" }]);
+    await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
-    await repo.upsertDesktopTask(sql, "t1", { listId: "a", title: "x" });
+    await repo.upsertDesktopTask(sql, U1, "t1", { listId: "a", title: "x" });
-    await repo.replaceLists(sql, []); // removes a + cascades t1
+    await repo.replaceLists(sql, U1, []); // removes a + cascades t1
-    expect(await repo.getUnconsumed(sql)).toEqual([]);
+    expect(await repo.getUnconsumed(sql, U1)).toEqual([]);
   });
 
-  it("listExists validates listId", async () => {
+  it("listExists validates listId within the caller's scope", async () => {
-    await repo.replaceLists(sql, [{ id: "L", name: "List" }]);
+    await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
-    expect(await repo.listExists(sql, "L")).toBe(true);
+    expect(await repo.listExists(sql, U1, "L")).toBe(true);
-    expect(await repo.listExists(sql, "ghost")).toBe(false);
+    expect(await repo.listExists(sql, U1, "ghost")).toBe(false);
+    expect(await repo.listExists(sql, U2, "L")).toBe(false); // not my list
   });
 });
 
 describe("tasks", () => {
   beforeEach(async () => {
-    await repo.replaceLists(sql, [{ id: "L", name: "List" }]);
+    await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
   });
 
-  it("web create returns generated GUID, source=web, consumed=false", async () => {
+  it("web create returns generated GUID, source=web, consumed=false, stamped owner", async () => {
-    const t = await repo.createWebTask(sql, { listId: "L", title: "buy milk", description: null });
+    const t = await repo.createWebTask(sql, U1, { listId: "L", title: "buy milk", description: null });
     expect(t.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
     expect(t.source).toBe("web");
     expect(t.consumed).toBe(false);
     expect(t.title).toBe("buy milk");
+    expect(t.owner_id).toBe(U1);
   });
 
   it("desktop upsert is idempotent by id; source=desktop on insert", async () => {
-    const a = await repo.upsertDesktopTask(sql, "fixed-id", { listId: "L", title: "one" });
+    const a = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "one" });
     expect(a.created).toBe(true);
-    const b = await repo.upsertDesktopTask(sql, "fixed-id", { listId: "L", title: "two", description: "d" });
+    const b = await repo.upsertDesktopTask(sql, U1, "fixed-id", { listId: "L", title: "two", description: "d" });
     expect(b.created).toBe(false);
-    const tasks = await repo.getTasksForList(sql, "L");
+    const tasks = await repo.getTasksForList(sql, U1, "L");
     expect(tasks).toHaveLength(1);
     expect(tasks[0].title).toBe("two");
     expect(tasks[0].description).toBe("d");
@@ -69,90 +74,165 @@ describe("tasks", () => {
   });
 
   it("getUnconsumed returns only web tasks with consumed=false", async () => {
-    await repo.createWebTask(sql, { listId: "L", title: "web1", description: null });
+    await repo.createWebTask(sql, U1, { listId: "L", title: "web1", description: null });
-    await repo.upsertDesktopTask(sql, "d1", { listId: "L", title: "desk1" });
+    await repo.upsertDesktopTask(sql, U1, "d1", { listId: "L", title: "desk1" });
-    const u = await repo.getUnconsumed(sql);
+    const u = await repo.getUnconsumed(sql, U1);
     expect(u).toHaveLength(1);
     expect(u[0].title).toBe("web1");
   });
 
   it("consume sets consumed=true and is reflected in getUnconsumed", async () => {
-    const t = await repo.createWebTask(sql, { listId: "L", title: "c", description: null });
+    const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null });
-    expect(await repo.consume(sql, t.id)).toBe(true);
+    expect(await repo.consume(sql, U1, t.id)).toBe(true);
-    expect(await repo.getUnconsumed(sql)).toEqual([]);
+    expect(await repo.getUnconsumed(sql, U1)).toEqual([]);
   });
 
   it("consume on unknown id returns false", async () => {
-    expect(await repo.consume(sql, "nope")).toBe(false);
+    expect(await repo.consume(sql, U1, "nope")).toBe(false);
   });
 
   it("deleteTask is idempotent", async () => {
-    const t = await repo.createWebTask(sql, { listId: "L", title: "c", description: null });
+    const t = await repo.createWebTask(sql, U1, { listId: "L", title: "c", description: null });
-    await repo.deleteTask(sql, t.id);
+    await repo.deleteTask(sql, U1, t.id);
-    await repo.deleteTask(sql, t.id); // no throw on absent
+    await repo.deleteTask(sql, U1, t.id); // no throw on absent
-    expect(await repo.getTasksForList(sql, "L")).toEqual([]);
+    expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]);
   });
 });
 
 describe("mirrorDesktopTasks (desktop Idle full-replace)", () => {
   beforeEach(async () => {
-    await repo.replaceLists(sql, [
+    await repo.replaceLists(sql, U1, [
       { id: "L", name: "List" },
       { id: "L2", name: "List 2" },
     ]);
   });
 
-  it("inserts items as desktop-owned (consumed=true, source=desktop)", async () => {
+  it("inserts items as desktop-owned (consumed=true, source=desktop, stamped owner)", async () => {
-    await repo.mirrorDesktopTasks(sql, [
+    await repo.mirrorDesktopTasks(sql, U1, [
       { id: "m1", listId: "L", title: "one", description: "d1" },
       { id: "m2", listId: "L2", title: "two" },
     ]);
-    const t = await repo.getTasksForList(sql, "L");
+    const t = await repo.getTasksForList(sql, U1, "L");
     expect(t).toHaveLength(1);
-    expect(t[0]).toMatchObject({ id: "m1", title: "one", description: "d1", source: "desktop", consumed: true });
+    expect(t[0]).toMatchObject({ id: "m1", title: "one", description: "d1", source: "desktop", consumed: true, owner_id: U1 });
-    expect(await repo.getTasksForList(sql, "L2")).toHaveLength(1);
+    expect(await repo.getTasksForList(sql, U1, "L2")).toHaveLength(1);
   });
 
   it("upserts existing items by id (title/listId/description)", async () => {
-    await repo.mirrorDesktopTasks(sql, [{ id: "m1", listId: "L", title: "one" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]);
-    await repo.mirrorDesktopTasks(sql, [{ id: "m1", listId: "L2", title: "renamed", description: "x" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L2", title: "renamed", description: "x" }]);
-    const onL = await repo.getTasksForList(sql, "L");
+    const onL = await repo.getTasksForList(sql, U1, "L");
-    const onL2 = await repo.getTasksForList(sql, "L2");
+    const onL2 = await repo.getTasksForList(sql, U1, "L2");
     expect(onL).toHaveLength(0);
     expect(onL2).toHaveLength(1);
     expect(onL2[0]).toMatchObject({ title: "renamed", description: "x" });
   });
 
   it("deletes desktop tasks whose id is not in the array", async () => {
-    await repo.mirrorDesktopTasks(sql, [
+    await repo.mirrorDesktopTasks(sql, U1, [
       { id: "m1", listId: "L", title: "one" },
       { id: "m2", listId: "L", title: "two" },
     ]);
-    await repo.mirrorDesktopTasks(sql, [{ id: "m1", listId: "L", title: "one" }]); // m2 dropped
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]); // m2 dropped
-    const t = await repo.getTasksForList(sql, "L");
+    const t = await repo.getTasksForList(sql, U1, "L");
     expect(t.map((x) => x.id)).toEqual(["m1"]);
   });
 
-  it("empty array deletes all desktop tasks", async () => {
+  it("empty array deletes all my desktop tasks", async () => {
-    await repo.mirrorDesktopTasks(sql, [{ id: "m1", listId: "L", title: "one" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "one" }]);
-    await repo.mirrorDesktopTasks(sql, []);
+    await repo.mirrorDesktopTasks(sql, U1, []);
-    expect(await repo.getTasksForList(sql, "L")).toEqual([]);
+    expect(await repo.getTasksForList(sql, U1, "L")).toEqual([]);
   });
 
   it("does NOT touch web-created tasks awaiting pull (consumed=false)", async () => {
-    const web = await repo.createWebTask(sql, { listId: "L", title: "web", description: null });
+    const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null });
-    await repo.mirrorDesktopTasks(sql, [{ id: "m1", listId: "L", title: "desk" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L", title: "desk" }]);
-    // web task survives the mirror (and is still unconsumed)
+    const unconsumed = await repo.getUnconsumed(sql, U1);
-    const unconsumed = await repo.getUnconsumed(sql);
     expect(unconsumed.map((x) => x.id)).toEqual([web.id]);
-    expect((await repo.getTasksForList(sql, "L")).map((x) => x.id).sort()).toEqual([web.id, "m1"].sort());
+    expect((await repo.getTasksForList(sql, U1, "L")).map((x) => x.id).sort()).toEqual([web.id, "m1"].sort());
   });
 
   it("claims a web task when its id is mirrored (becomes consumed=true)", async () => {
-    const web = await repo.createWebTask(sql, { listId: "L", title: "web", description: null });
+    const web = await repo.createWebTask(sql, U1, { listId: "L", title: "web", description: null });
-    await repo.mirrorDesktopTasks(sql, [{ id: web.id, listId: "L", title: "web (imported)" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: web.id, listId: "L", title: "web (imported)" }]);
-    expect(await repo.getUnconsumed(sql)).toEqual([]); // no longer awaiting pull
+    expect(await repo.getUnconsumed(sql, U1)).toEqual([]); // no longer awaiting pull
-    const t = await repo.getTasksForList(sql, "L");
+    const t = await repo.getTasksForList(sql, U1, "L");
     expect(t[0]).toMatchObject({ id: web.id, title: "web (imported)", consumed: true });
   });
 });
+
+describe("owner isolation", () => {
+  it("lists are invisible to other users; legacy (NULL owner) lists visible to everyone", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "mine", name: "Mine" }]);
+    await sql`insert into lists (id, name) values ('legacy', 'Old')`; // pre-multi-user row
+    expect((await repo.getLists(sql, U1)).map((l) => l.id).sort()).toEqual(["legacy", "mine"]);
+    expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["legacy"]);
+  });
+
+  it("replaceLists never deletes or renames another user's lists", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "a", name: "A" }]);
+    await repo.replaceLists(sql, U2, [{ id: "b", name: "B" }]); // U2's full catalog: just b
+    expect((await repo.getLists(sql, U1)).map((l) => l.id)).toEqual(["a"]);
+    expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual(["b"]);
+    // U2 upserting U1's id must not steal/rename it
+    await repo.replaceLists(sql, U2, [{ id: "a", name: "stolen" }, { id: "b", name: "B" }]);
+    const u1Lists = await repo.getLists(sql, U1);
+    expect(u1Lists).toEqual([{ id: "a", name: "A", owner_id: U1 }]);
+  });
+
+  it("replaceLists adopts legacy lists (stamps the caller as owner)", async () => {
+    await sql`insert into lists (id, name) values ('legacy', 'Old')`;
+    await repo.replaceLists(sql, U1, [{ id: "legacy", name: "Old" }]);
+    expect((await repo.getLists(sql, U2)).map((l) => l.id)).toEqual([]); // no longer legacy
+    expect((await repo.getLists(sql, U1))[0]).toMatchObject({ id: "legacy", owner_id: U1 });
+  });
+
+  it("tasks are invisible to other users; legacy tasks visible to everyone", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
+    await repo.createWebTask(sql, U1, { listId: "L", title: "mine", description: null });
+    await sql`insert into tasks (id, list_id, title, source) values ('legacy-t', 'L', 'old', 'web')`;
+    expect((await repo.getUnconsumed(sql, U2)).map((t) => t.id)).toEqual(["legacy-t"]);
+    expect((await repo.getTasksForList(sql, U2, "L")).map((t) => t.id)).toEqual(["legacy-t"]);
+    expect(await repo.getUnconsumed(sql, U1)).toHaveLength(2);
+  });
+
+  it("one user's mirror never deletes another user's desktop tasks", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]);
+    await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]);
+    await repo.mirrorDesktopTasks(sql, U1, [{ id: "m1", listId: "L1", title: "u1 task" }]);
+    await repo.mirrorDesktopTasks(sql, U2, [{ id: "m2", listId: "L2", title: "u2 task" }]);
+    // U2's full-replace (only m2) must not have wiped U1's m1:
+    expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]);
+    // and an empty mirror from U2 clears only U2's partition:
+    await repo.mirrorDesktopTasks(sql, U2, []);
+    expect((await repo.getTasksForList(sql, U1, "L1")).map((t) => t.id)).toEqual(["m1"]);
+    expect(await repo.getTasksForList(sql, U2, "L2")).toEqual([]);
+  });
+
+  it("mirror upsert cannot claim another user's task by id", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "L1", name: "U1 List" }]);
+    await repo.replaceLists(sql, U2, [{ id: "L2", name: "U2 List" }]);
+    const web = await repo.createWebTask(sql, U1, { listId: "L1", title: "u1 web", description: null });
+    await repo.mirrorDesktopTasks(sql, U2, [{ id: web.id, listId: "L2", title: "hijack" }]);
+    // U1's web task is untouched and still awaiting pull:
+    const u1 = await repo.getUnconsumed(sql, U1);
+    expect(u1.map((t) => t.id)).toEqual([web.id]);
+    expect(u1[0].title).toBe("u1 web");
+  });
+
+  it("upsertDesktopTask cannot overwrite another user's task", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
+    await repo.upsertDesktopTask(sql, U1, "shared-id", { listId: "L", title: "u1 owns this" });
+    const res = await repo.upsertDesktopTask(sql, U2, "shared-id", { listId: "L", title: "u2 steal" });
+    expect(res.created).toBe(false);
+    expect((await repo.getTasksForList(sql, U1, "L"))[0].title).toBe("u1 owns this");
+  });
+
+  it("consume and delete are scoped to the caller", async () => {
+    await repo.replaceLists(sql, U1, [{ id: "L", name: "List" }]);
+    const t = await repo.createWebTask(sql, U1, { listId: "L", title: "w", description: null });
+    expect(await repo.consume(sql, U2, t.id)).toBe(false);
+    await repo.deleteTask(sql, U2, t.id); // no-op for U2
+    expect((await repo.getUnconsumed(sql, U1)).map((x) => x.id)).toEqual([t.id]);
+  });
+});