fix(api): add ownership checks and encryption threading for security review

- Add disk ownership validation in DownloadArtifact to prevent cross-project access
- Thread UserKEK through agent skills Create/CreateFromTemplate for encryption
- Validate session_id ownership in DownloadSessionAsset before allowing download

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: GenerQAQ

src/server/api/go/internal/bootstrap/container.go

@@ -356,6 +356,7 @@ func BuildContainer() *do.Injector {
 	do.Provide(inj, func(i *do.Injector) (*handler.ArtifactHandler, error) {
 		return handler.NewArtifactHandler(
 			do.MustInvoke[service.ArtifactService](i),
+			do.MustInvoke[repo.DiskRepo](i),
 			do.MustInvoke[*config.Config](i),
 			do.MustInvoke[*httpclient.CoreClient](i),
 			do.MustInvoke[*blob.S3Deps](i),

src/server/api/go/internal/modules/handler/agent_skills.go

@@ -11,6 +11,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"github.com/memodb-io/Acontext/internal/infra/httpclient"
+	"github.com/memodb-io/Acontext/internal/middleware"
 	"github.com/memodb-io/Acontext/internal/modules/model"
 	"github.com/memodb-io/Acontext/internal/modules/serializer"
 	"github.com/memodb-io/Acontext/internal/modules/service"
@@ -97,6 +98,7 @@ func (h *AgentSkillsHandler) CreateAgentSkill(c *gin.Context) {
 		UserID:    userID,
 		ZipFile:   fileHeader,
 		Meta:      meta,
+		UserKEK:   middleware.GetUserKEK(c),
 	})
 	if err != nil {
 		// Check if error is a validation error (SKILL.md related)

src/server/api/go/internal/modules/handler/artifact.go

@@ -16,6 +16,7 @@ import (
 	"github.com/memodb-io/Acontext/internal/middleware"
 	"github.com/memodb-io/Acontext/internal/infra/httpclient"
 	"github.com/memodb-io/Acontext/internal/modules/model"
+	"github.com/memodb-io/Acontext/internal/modules/repo"
 	"github.com/memodb-io/Acontext/internal/modules/serializer"
 	"github.com/memodb-io/Acontext/internal/modules/service"
 	"github.com/memodb-io/Acontext/internal/pkg/utils/fileparser"
@@ -24,13 +25,14 @@ import (
 
 type ArtifactHandler struct {
 	svc        service.ArtifactService
+	diskRepo   repo.DiskRepo
 	config     *config.Config
 	coreClient *httpclient.CoreClient
 	s3         *blob.S3Deps
 }
 
-func NewArtifactHandler(s service.ArtifactService, cfg *config.Config, coreClient *httpclient.CoreClient, s3 *blob.S3Deps) *ArtifactHandler {
-	return &ArtifactHandler{svc: s, config: cfg, coreClient: coreClient, s3: s3}
+func NewArtifactHandler(s service.ArtifactService, diskRepo repo.DiskRepo, cfg *config.Config, coreClient *httpclient.CoreClient, s3 *blob.S3Deps) *ArtifactHandler {
+	return &ArtifactHandler{svc: s, diskRepo: diskRepo, config: cfg, coreClient: coreClient, s3: s3}
 }
 
 type CreateArtifactReq struct {
@@ -296,6 +298,12 @@ type DownloadArtifactReq struct {
 //	@Success		200	"File content"
 //	@Router			/disk/{disk_id}/artifact/download [get]
 func (h *ArtifactHandler) DownloadArtifact(c *gin.Context) {
+	project, ok := c.MustGet("project").(*model.Project)
+	if !ok {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("", errors.New("project not found")))
+		return
+	}
+
 	req := DownloadArtifactReq{}
 	if err := c.ShouldBind(&req); err != nil {
 		c.JSON(http.StatusBadRequest, serializer.ParamErr("", err))
@@ -308,6 +316,12 @@ func (h *ArtifactHandler) DownloadArtifact(c *gin.Context) {
 		return
 	}
 
+	// Verify disk belongs to the authenticated project
+	if _, err := h.diskRepo.GetByProjectAndID(c.Request.Context(), project.ID, diskID); err != nil {
+		c.JSON(http.StatusForbidden, serializer.Err(http.StatusForbidden, "access denied: disk does not belong to this project", nil))
+		return
+	}
+
 	filePath, filename := path.SplitFilePath(req.FilePath)
 	if err := path.ValidatePath(filePath); err != nil {
 		c.JSON(http.StatusBadRequest, serializer.ParamErr("invalid path", err))

src/server/api/go/internal/modules/handler/artifact_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/memodb-io/Acontext/internal/config"
 	"github.com/memodb-io/Acontext/internal/modules/model"
+	"github.com/memodb-io/Acontext/internal/modules/repo"
 	"github.com/memodb-io/Acontext/internal/modules/serializer"
 	"github.com/memodb-io/Acontext/internal/modules/service"
 	"github.com/memodb-io/Acontext/internal/pkg/utils/fileparser"
@@ -133,6 +134,40 @@ func (m *MockArtifactService) CreateFromBytes(ctx context.Context, in service.Cr
 	return args.Get(0).(*model.Artifact), args.Error(1)
 }
 
+// MockDiskRepo is a mock implementation of DiskRepo
+type MockDiskRepo struct {
+	mock.Mock
+}
+
+func (m *MockDiskRepo) Create(ctx context.Context, d *model.Disk) error {
+	args := m.Called(ctx, d)
+	return args.Error(0)
+}
+
+func (m *MockDiskRepo) Delete(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) error {
+	args := m.Called(ctx, projectID, diskID)
+	return args.Error(0)
+}
+
+func (m *MockDiskRepo) GetByProjectAndID(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) (*model.Disk, error) {
+	args := m.Called(ctx, projectID, diskID)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*model.Disk), args.Error(1)
+}
+
+func (m *MockDiskRepo) ListWithCursor(ctx context.Context, projectID uuid.UUID, userIdentifier string, afterCreatedAt time.Time, afterID uuid.UUID, limit int, timeDesc bool) ([]*model.Disk, error) {
+	args := m.Called(ctx, projectID, userIdentifier, afterCreatedAt, afterID, limit, timeDesc)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).([]*model.Disk), args.Error(1)
+}
+
+// Verify MockDiskRepo implements repo.DiskRepo
+var _ repo.DiskRepo = (*MockDiskRepo)(nil)
+
 // createTestConfig creates a test config with default artifact settings
 func createTestConfig(maxUploadSizeBytes int64) *config.Config {
 	return &config.Config{
@@ -260,7 +295,7 @@ func TestArtifactHandler_UpsertArtifact(t *testing.T) {
 			tt.mockSetup(mockService, tt.diskID, projectID)
 
 			testConfig := createTestConfig(tt.maxUploadSize)
-			handler := NewArtifactHandler(mockService, testConfig, nil, nil)
+			handler := NewArtifactHandler(mockService, nil, testConfig, nil, nil)
 
 			// Create multipart form data
 			body := &bytes.Buffer{}
@@ -356,7 +391,7 @@ func TestArtifactHandler_DeleteArtifact(t *testing.T) {
 			tt.mockSetup(mockService, tt.diskID, tt.filePath, projectID)
 
 			testConfig := createDefaultTestConfig() // Default 16MB
-			handler := NewArtifactHandler(mockService, testConfig, nil, nil)
+			handler := NewArtifactHandler(mockService, nil, testConfig, nil, nil)
 
 			// Create request with query parameters
 			req := httptest.NewRequest(http.MethodDelete, fmt.Sprintf("/disk/%s/artifact?file_path=%s", tt.diskID, tt.filePath), nil)
@@ -482,7 +517,7 @@ func TestArtifactHandler_UpdateArtifact(t *testing.T) {
 			tt.mockSetup(mockService, tt.diskID)
 
 			testConfig := createDefaultTestConfig() // Default 16MB
-			handler := NewArtifactHandler(mockService, testConfig, nil, nil)
+			handler := NewArtifactHandler(mockService, nil, testConfig, nil, nil)
 
 			// Create JSON request body
 			requestBody := map[string]string{
@@ -629,7 +664,7 @@ func TestArtifactHandler_GetArtifact(t *testing.T) {
 			tt.mockSetup(mockService, tt.diskID, tt.filePath)
 
 			testConfig := createDefaultTestConfig() // Default 16MB
-			handler := NewArtifactHandler(mockService, testConfig, nil, nil)
+			handler := NewArtifactHandler(mockService, nil, testConfig, nil, nil)
 
 			// Create request with query parameters
 			url := fmt.Sprintf("/disk/%s/artifact?file_path=%s", tt.diskID, tt.filePath)
@@ -750,7 +785,7 @@ func TestArtifactHandler_GrepArtifacts(t *testing.T) {
 			mockSvc := new(MockArtifactService)
 			tt.setupMock(mockSvc)
 
-			handler := NewArtifactHandler(mockSvc, createTestConfig(10*1024*1024), nil, nil)
+			handler := NewArtifactHandler(mockSvc, nil, createTestConfig(10*1024*1024), nil, nil)
 
 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -835,7 +870,7 @@ func TestArtifactHandler_GlobArtifacts(t *testing.T) {
 			mockSvc := new(MockArtifactService)
 			tt.setupMock(mockSvc)
 
-			handler := NewArtifactHandler(mockSvc, createTestConfig(10*1024*1024), nil, nil)
+			handler := NewArtifactHandler(mockSvc, nil, createTestConfig(10*1024*1024), nil, nil)
 
 			w := httptest.NewRecorder()
 			c, _ := gin.CreateTestContext(w)
@@ -857,3 +892,74 @@ func TestArtifactHandler_GlobArtifacts(t *testing.T) {
 		})
 	}
 }
+
+func TestArtifactHandler_DownloadArtifact(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	t.Run("returns 403 when disk belongs to different project", func(t *testing.T) {
+		mockService := new(MockArtifactService)
+		mockDiskRepo := new(MockDiskRepo)
+
+		projectID := uuid.New()
+		diskID := uuid.New()
+
+		// Disk not found for this project
+		mockDiskRepo.On("GetByProjectAndID", mock.Anything, projectID, diskID).
+			Return(nil, fmt.Errorf("record not found"))
+
+		handler := NewArtifactHandler(mockService, mockDiskRepo, createDefaultTestConfig(), nil, nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/disk/"+diskID.String()+"/artifact/download?file_path=/test/file.txt", nil)
+		c.Params = gin.Params{{Key: "disk_id", Value: diskID.String()}}
+
+		handler.DownloadArtifact(c)
+
+		assert.Equal(t, http.StatusForbidden, w.Code)
+		mockService.AssertNotCalled(t, "GetByPath")
+		mockDiskRepo.AssertExpectations(t)
+	})
+
+	t.Run("succeeds when disk belongs to authenticated project", func(t *testing.T) {
+		mockService := new(MockArtifactService)
+		mockDiskRepo := new(MockDiskRepo)
+
+		projectID := uuid.New()
+		diskID := uuid.New()
+
+		// Disk found for this project
+		mockDiskRepo.On("GetByProjectAndID", mock.Anything, projectID, diskID).
+			Return(&model.Disk{ID: diskID, ProjectID: projectID}, nil)
+
+		artifact := &model.Artifact{
+			ID:       uuid.New(),
+			DiskID:   diskID,
+			Path:     "/test/",
+			Filename: "file.txt",
+			AssetMeta: datatypes.NewJSONType(model.Asset{
+				Bucket: "test-bucket",
+				S3Key:  "test-key",
+				MIME:   "text/plain",
+			}),
+		}
+		mockService.On("GetByPath", mock.Anything, diskID, "/test/", "file.txt").Return(artifact, nil)
+		mockService.On("DownloadRawContent", mock.Anything, artifact).Return([]byte("content"), "text/plain", nil)
+
+		handler := NewArtifactHandler(mockService, mockDiskRepo, createDefaultTestConfig(), nil, nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/disk/"+diskID.String()+"/artifact/download?file_path=/test/file.txt", nil)
+		c.Params = gin.Params{{Key: "disk_id", Value: diskID.String()}}
+
+		handler.DownloadArtifact(c)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "content", w.Body.String())
+		mockDiskRepo.AssertExpectations(t)
+		mockService.AssertExpectations(t)
+	})
+}

src/server/api/go/internal/modules/handler/session.go

@@ -579,6 +579,23 @@ func (h *SessionHandler) DownloadSessionAsset(c *gin.Context) {
 		return
 	}
 
+	// Validate session_id from path and verify it belongs to the project
+	sessionID, err := uuid.Parse(c.Param("session_id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, serializer.ParamErr("invalid session_id", err))
+		return
+	}
+
+	session, err := h.svc.GetByID(c.Request.Context(), &model.Session{ID: sessionID})
+	if err != nil {
+		c.JSON(http.StatusNotFound, serializer.Err(http.StatusNotFound, "session not found", nil))
+		return
+	}
+	if session.ProjectID != project.ID {
+		c.JSON(http.StatusForbidden, serializer.Err(http.StatusForbidden, "access denied: session does not belong to this project", nil))
+		return
+	}
+
 	s3Key := c.Query("s3_key")
 	if s3Key == "" {
 		c.JSON(http.StatusBadRequest, serializer.ParamErr("", errors.New("s3_key is required")))

src/server/api/go/internal/modules/handler/session_test.go

@@ -4091,3 +4091,98 @@ func TestSessionHandler_CopySession_InternalError(t *testing.T) {
 
 	mockService.AssertExpectations(t)
 }
+
+func TestSessionHandler_DownloadSessionAsset(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	t.Run("returns 400 for invalid session_id", func(t *testing.T) {
+		mockService := new(MockSessionService)
+		handler := NewSessionHandler(mockService, nil, getMockSessionCoreClient())
+
+		projectID := uuid.New()
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/session/invalid-uuid/asset/download?s3_key=assets/"+projectID.String()+"/file.txt", nil)
+		c.Params = gin.Params{{Key: "session_id", Value: "invalid-uuid"}}
+
+		handler.DownloadSessionAsset(c)
+
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+	})
+
+	t.Run("returns 404 when session not found", func(t *testing.T) {
+		mockService := new(MockSessionService)
+		handler := NewSessionHandler(mockService, nil, getMockSessionCoreClient())
+
+		projectID := uuid.New()
+		sessionID := uuid.New()
+
+		mockService.On("GetByID", mock.Anything, mock.MatchedBy(func(s *model.Session) bool {
+			return s.ID == sessionID
+		})).Return(nil, errors.New("not found"))
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/session/"+sessionID.String()+"/asset/download?s3_key=assets/"+projectID.String()+"/file.txt", nil)
+		c.Params = gin.Params{{Key: "session_id", Value: sessionID.String()}}
+
+		handler.DownloadSessionAsset(c)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+		mockService.AssertExpectations(t)
+	})
+
+	t.Run("returns 403 when session belongs to different project", func(t *testing.T) {
+		mockService := new(MockSessionService)
+		handler := NewSessionHandler(mockService, nil, getMockSessionCoreClient())
+
+		projectID := uuid.New()
+		otherProjectID := uuid.New()
+		sessionID := uuid.New()
+
+		mockService.On("GetByID", mock.Anything, mock.MatchedBy(func(s *model.Session) bool {
+			return s.ID == sessionID
+		})).Return(&model.Session{ID: sessionID, ProjectID: otherProjectID}, nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/session/"+sessionID.String()+"/asset/download?s3_key=assets/"+projectID.String()+"/file.txt", nil)
+		c.Params = gin.Params{{Key: "session_id", Value: sessionID.String()}}
+
+		handler.DownloadSessionAsset(c)
+
+		assert.Equal(t, http.StatusForbidden, w.Code)
+		mockService.AssertExpectations(t)
+	})
+
+	t.Run("succeeds with valid session_id and matching project", func(t *testing.T) {
+		mockService := new(MockSessionService)
+		handler := NewSessionHandler(mockService, nil, getMockSessionCoreClient())
+
+		projectID := uuid.New()
+		sessionID := uuid.New()
+		s3Key := "assets/" + projectID.String() + "/file.txt"
+
+		mockService.On("GetByID", mock.Anything, mock.MatchedBy(func(s *model.Session) bool {
+			return s.ID == sessionID
+		})).Return(&model.Session{ID: sessionID, ProjectID: projectID}, nil)
+
+		mockService.On("DownloadAsset", mock.Anything, s3Key).Return([]byte("file-content"), nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+		c.Request = httptest.NewRequest("GET", "/session/"+sessionID.String()+"/asset/download?s3_key="+s3Key, nil)
+		c.Params = gin.Params{{Key: "session_id", Value: sessionID.String()}}
+
+		handler.DownloadSessionAsset(c)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Equal(t, "file-content", w.Body.String())
+		mockService.AssertExpectations(t)
+	})
+}

src/server/api/go/internal/modules/repo/disk.go

@@ -13,6 +13,7 @@ import (
 type DiskRepo interface {
 	Create(ctx context.Context, d *model.Disk) error
 	Delete(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) error
+	GetByProjectAndID(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) (*model.Disk, error)
 	ListWithCursor(ctx context.Context, projectID uuid.UUID, userIdentifier string, afterCreatedAt time.Time, afterID uuid.UUID, limit int, timeDesc bool) ([]*model.Disk, error)
 }
 
@@ -29,6 +30,14 @@ func (r *diskRepo) Create(ctx context.Context, d *model.Disk) error {
 	return r.db.WithContext(ctx).Create(d).Error
 }
 
+func (r *diskRepo) GetByProjectAndID(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) (*model.Disk, error) {
+	var disk model.Disk
+	if err := r.db.WithContext(ctx).Where("id = ? AND project_id = ?", diskID, projectID).First(&disk).Error; err != nil {
+		return nil, err
+	}
+	return &disk, nil
+}
+
 func (r *diskRepo) Delete(ctx context.Context, projectID uuid.UUID, diskID uuid.UUID) error {
 	// Use transaction to ensure atomicity
 	return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {