MC-3570

Luci dispatching this ticket to Larry (background worker via SSH).

Larry: Planning — reading ticket and storage layer to scope the changePROGRESS: Designing — add optional userId param; verify ownership via JOIN; update route callers, leave internal/cron callers unchangedPROGRESS: Building — adding userId parameter to storage.getDocuments with ownership check + INNER JOINPROGRESS: Building — writing test for MC-3570 then implementing storage changeNow implement the storage changes.Now add the error class. Let me find a good location.PROGRESS: Testing — running typecheck and the new testPROGRESS: Building — wiring userId into route callers that already have it in scopeNow the documents.ts and fileSearch.ts callers.PROGRESS: Testing — typecheck + relevant tests after wiring userId into route callersAll failures pre-existing and unrelated to my change. Committing.

Larry: Review gate — running pre-landing reviewPROGRESS: Done — committed MC-3570 with storage-layer ownership enforcement + caller wiring + test

Completed on Larry: Added optional `userId` parameter to `storage.getDocuments` — when provided, verifies project ownership via a projects-table lookup and throws a typed `ProjectAccessDeniedError` on mismatch. Wired `userId` through 13 route call sites that already had it in scope (projects, documents, fileSearch, chatTimeline, reports, customFields, documentContent, batchAnalysis, api-v1). Internal/system callers (syncService, indexer) keep the unscoped signature. New test `mc3570-getdocuments-ownership.test.ts` passes; pre-existing unrelated suite failures confirmed unchanged. Committed as `79bafdf`.

Larry: Triggering post-completion code review...

Code review (Larry reviewer via claude/opus): missed route-level check would surface as a 500 instead of a 403. Acce ptable as the route checks still exist (the throw is the safety net), but a centralized error handler mapping this to 403 would close the loop. MINOR: `server/storage.ts:292` — returning `[]` when the project doesn't exist (with userId prov ided) silently diverges from the non-userId branch which would also return `[]` (no matching documents), so beh avior is consistent but slightly opaque. Fine. MINOR: Test asserts impl ementation details via regex on source text rather than behavior. Brittle to ref actor, but adequate for a defense-in-depth invariant. VERDICT: PASS Defense-in-depth ownership check at storage layer, wired through authenticated route callers; tests pass. MINOR: `server/storage.ts:291` — `ProjectAccessDeniedError` is thrown but no route catches it, so a missed route-level check would surface as a 500 instead of a 403. Acceptable as the route checks still exist (the throw is the safety net), but a centralized error handler mapping this to 403 would close the loop. MINOR: `server/storage.ts:292` — returning `[]` when the project doesn't exist (with userId provided) silently diverges from the non-userId branch which would also return `[]` (no matching documents), so behavior is consistent but slightly opaque. Fine. MINOR: Test asserts implementation details via regex on source text rather than behavior. Brittle to refactor, but adequate for a defense-in-depth invariant. VERDICT: PASS

Larry shipped with clean code review. Auto-dispatching Luci-reviewer (verdict: clean). Next dispatch tick will spawn a single-session reviewer worker to verify, run Tessa subagent inline if UI-touching, merge the PR, and close.

Completed: DONE: MC-3570 redone — the prior `79bafdf` commit was never pushed (its /tmp clone was deleted), so I reimplemented on a fresh LegalMind clone. Added optional `userId` param to `storage.getDocuments` with a projects-table ownership lookup that throws the new typed `ProjectAccessDeniedError` on mismatch (defense-in-depth); wired `userId` through 16 authenticated route call sites; internal callers (syncService, indexer, extractionHelpers) keep the unscoped signature. New test `mc3570-getdocuments-ownership.test.ts` passes (6 tests), `tsc` error count unchanged (29 pre-existing), full vitest failing-file set identical to baseline (zero regressions). Pushed branch `autofix/mc-3570-getdocuments-ownership`, opened PR #414 (https://github.com/conrelma/LegalMind-Explorer/pull/414) for GitHub CI.

Luci Operator: promoted this assigned `inbox` ticket to `todo` so pickup can run it.