Summary
The runs table has no user_id ownership column and the runs router performs no ownership check, so any authenticated user can read, cancel, or modify any other user's run. Cross-user isolation is a missing security boundary.
Background
test_user_cannot_access_other_users_run in tests/test_api_integration.py documents this gap with an xfail marker. The test will auto-pass once user_id ownership is added.
Work needed
- Add a user_id column to the runs table (new Alembic migration)
- Populate user_id from the JWT payload when a run is created via POST /api/v1/runs
- Scope GET/DELETE/POST run endpoints to the owning user — return 404 for cross-user access
- Optionally scope GET /runs list to the calling user's own runs
- The xfail test should pass automatically once these changes land
Acceptance criteria
- test_user_cannot_access_other_users_run passes without the xfail marker
- X-API-Key callers retain full visibility across all runs
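
The scoping rules from the work list and the X-API-Key criterion, as an added sketch that is not the project's code. It uses stdlib sqlite3 in place of the project's database layer; the `Caller` type, the function names and the three-column `runs` schema are assumptions. A `None` or `False` result is what the router would turn into a 404.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Caller:
    """Authenticated principal (hypothetical type). user_id comes from the JWT."""
    user_id: Optional[str]
    is_api_key: bool = False  # assumption: X-API-Key callers carry no user_id

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # user_id is nullable so rows created before the migration still load.
    db.execute("CREATE TABLE runs (id INTEGER PRIMARY KEY, user_id TEXT, status TEXT NOT NULL)")
    return db

def create_run(db: sqlite3.Connection, caller: Caller) -> int:
    # The owner is taken from the verified token, never from the request body.
    cur = db.execute("INSERT INTO runs (user_id, status) VALUES (?, 'queued')", (caller.user_id,))
    return cur.lastrowid

def _scope(caller: Caller):
    """Constant SQL fragment plus bound params limiting rows to what the caller may see."""
    if caller.is_api_key:
        return "", ()          # full visibility across all runs
    if caller.user_id is None:
        return " AND 0", ()    # token without a subject: fail closed
    # Legacy rows with NULL user_id never match '=', so they stay hidden from JWT users.
    return " AND user_id = ?", (caller.user_id,)

def get_run(db, caller, run_id):
    clause, params = _scope(caller)
    sql = "SELECT id, user_id, status FROM runs WHERE id = ?" + clause
    # None for both "no such run" and "someone else's run": the caller cannot tell them apart.
    return db.execute(sql, (run_id, *params)).fetchone()

def cancel_run(db, caller, run_id) -> bool:
    clause, params = _scope(caller)
    # Ownership is part of the UPDATE itself, so there is no check-then-write gap.
    cur = db.execute("UPDATE runs SET status = 'cancelled' WHERE id = ?" + clause, (run_id, *params))
    return cur.rowcount == 1

def list_runs(db, caller):
    clause, params = _scope(caller)
    return [r[0] for r in db.execute("SELECT id FROM runs WHERE 1 = 1" + clause + " ORDER BY id", params)]
```
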