Finding: SD-AUTHZ-01 (HIGH) | Milestone: M-E2: Identity & Access (#16)
Problem: Any API key can operate on any session regardless of which key created it.
Fix: Add createdByKeyId to SessionInfo. Enforce in sendMessage, approve, reject, kill, interrupt, escape, transcript, capture_pane. Reject 403 if caller keyId does not match.
Files: src/session.ts, src/server.ts, src/api-contracts.ts, src/mcp-server.ts
Acceptance: Key A cannot approve Key Bs session permission prompts; returns 403.
Finding: SD-AUTHZ-01 (HIGH) | Milestone: M-E2: Identity & Access (#16)
Problem: Any API key can operate on any session regardless of which key created it.
Fix: Add createdByKeyId to SessionInfo. Enforce in sendMessage, approve, reject, kill, interrupt, escape, transcript, capture_pane. Reject 403 if caller keyId does not match.
Files: src/session.ts, src/server.ts, src/api-contracts.ts, src/mcp-server.ts
Acceptance: Key A cannot approve Key Bs session permission prompts; returns 403.