fix: tenant-scoped dedup, import validation, query-string auth removal

- Scope dedup check by client_id + type to prevent cross-client collisions
- Add validation + credential scrubbing to import path (was bypassed)
- Remove query-string API key support (leaks secrets in logs/referrers)
- Add client_id filter to listStatuses in both SQLite and Postgres
- Add missing idx_statuses_client index (events/facts had one, statuses didn't)
- Remove duplicate entity_relationships schema block in SQLite init
- Pass task type to embed() in import path for correct Gemini embeddings

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Skiipy11

api/src/middleware/auth.js

@@ -59,7 +59,7 @@ export function authMiddleware(req, res, next) {
     return res.status(429).json({ error: 'Too many failed attempts. Try again later.' });
   }
 
-  const key = req.headers['x-api-key'] || req.query.key;
+  const key = req.headers['x-api-key'];
   if (!key) {
     recordFailure(ip);
     return res.status(401).json({ error: 'Missing API key' });

api/src/routes/export.js

@@ -3,6 +3,8 @@ import crypto from 'crypto';
 import { scrollPoints, upsertPoint, findByPayload } from '../services/qdrant.js';
 import { embed } from '../services/embedders/interface.js';
 import { isStoreAvailable, createEvent, upsertFact, upsertStatus } from '../services/stores/interface.js';
+import { scrubCredentials } from '../services/scrub.js';
+import { validateMemoryInput } from '../middleware/validate.js';
 
 export const exportRouter = Router();
 
@@ -96,24 +98,44 @@ exportRouter.post('/import', async (req, res) => {
       // Process each record in the batch sequentially
       for (const record of batch) {
         try {
-          const content = record.content || record.text || '';
-          if (!content) {
+          const rawContent = record.content || record.text || '';
+          if (!rawContent) {
             errors++;
             continue;
           }
 
-          // Compute content hash (SHA-256, first 16 hex chars — matches memory.js pattern)
+          // Validate input (same rules as POST /memory)
+          const validationError = validateMemoryInput({
+            type: record.type || 'event',
+            content: rawContent,
+            source_agent: record.source_agent || 'import',
+            importance: record.importance,
+            client_id: record.client_id,
+          });
+          if (validationError) {
+            errors++;
+            continue;
+          }
+
+          // Scrub credentials (same as POST /memory)
+          const content = scrubCredentials(rawContent);
+
+          // Compute content hash from scrubbed content
           const contentHash = crypto.createHash('sha256').update(content).digest('hex').slice(0, 16);
 
-          // Check for existing memory with same content hash
-          const existing = await findByPayload('content_hash', contentHash);
+          // Check for existing memory with same content hash, scoped by tenant + type
+          const existing = await findByPayload('content_hash', contentHash, {
+            active: true,
+            client_id: record.client_id || 'global',
+            type: record.type || 'event',
+          });
           if (existing.length > 0) {
             skipped++;
             continue;
           }
 
           // Embed and generate ID
-          const vector = await embed(content);
+          const vector = await embed(content, 'store');
           const pointId = record.id || crypto.randomUUID();
           const now = new Date().toISOString();
 

api/src/routes/memory.js

@@ -56,7 +56,7 @@ memoryRouter.post('/', async (req, res) => {
     const contentHash = crypto.createHash('sha256').update(cleanContent).digest('hex').slice(0, 16);
 
     // --- Deduplication check ---
-    const duplicates = await findByPayload('content_hash', contentHash, { active: true });
+    const duplicates = await findByPayload('content_hash', contentHash, { active: true, client_id: client_id || 'global', type });
     if (duplicates.length > 0) {
       const existing = duplicates[0];
       const existingObservedBy = existing.payload.observed_by || [existing.payload.source_agent];

api/src/services/stores/postgres.js

@@ -59,6 +59,7 @@ export class PostgresStore {
       CREATE INDEX IF NOT EXISTS idx_facts_key ON facts(key);
       CREATE INDEX IF NOT EXISTS idx_facts_client ON facts(client_id);
       CREATE INDEX IF NOT EXISTS idx_statuses_subject ON statuses(subject);
+      CREATE INDEX IF NOT EXISTS idx_statuses_client ON statuses(client_id);
     `);
 
     // Migrate: add knowledge_category to existing tables (safe if already exists)
@@ -241,6 +242,7 @@ export class PostgresStore {
 
     if (filters.source_agent) { sql += ` AND source_agent = $${i++}`; params.push(filters.source_agent); }
     if (filters.category) { sql += ` AND category = $${i++}`; params.push(filters.category); }
+    if (filters.client_id) { sql += ` AND client_id = $${i++}`; params.push(filters.client_id); }
     if (filters.subject) { sql += ` AND subject ILIKE $${i++}`; params.push(`%${filters.subject}%`); }
 
     sql += ' ORDER BY updated_at DESC LIMIT 50';

api/src/services/stores/sqlite.js

@@ -67,6 +67,7 @@ export class SQLiteStore {
       CREATE INDEX IF NOT EXISTS idx_facts_key ON facts(key);
       CREATE INDEX IF NOT EXISTS idx_facts_client ON facts(client_id);
       CREATE INDEX IF NOT EXISTS idx_statuses_subject ON statuses(subject);
+      CREATE INDEX IF NOT EXISTS idx_statuses_client ON statuses(client_id);
 
       CREATE TABLE IF NOT EXISTS entities (
         id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -126,23 +127,6 @@ export class SQLiteStore {
       }
     }
 
-    // Entity relationships table
-    this.db.exec(`
-      CREATE TABLE IF NOT EXISTS entity_relationships (
-        id INTEGER PRIMARY KEY AUTOINCREMENT,
-        source_entity_id INTEGER REFERENCES entities(id),
-        target_entity_id INTEGER REFERENCES entities(id),
-        relationship_type TEXT NOT NULL DEFAULT 'co_occurrence',
-        strength INTEGER DEFAULT 1,
-        created_at TEXT DEFAULT (datetime('now')),
-        updated_at TEXT DEFAULT (datetime('now')),
-        UNIQUE(source_entity_id, target_entity_id, relationship_type)
-      );
-
-      CREATE INDEX IF NOT EXISTS idx_er_source ON entity_relationships(source_entity_id);
-      CREATE INDEX IF NOT EXISTS idx_er_target ON entity_relationships(target_entity_id);
-    `);
-
     // FTS5 virtual table for keyword search (BM25)
     try {
       this.db.exec(`
@@ -294,6 +278,7 @@ export class SQLiteStore {
 
     if (filters.source_agent) { sql += ' AND source_agent = @source_agent'; params.source_agent = filters.source_agent; }
     if (filters.category) { sql += ' AND category = @category'; params.category = filters.category; }
+    if (filters.client_id) { sql += ' AND client_id = @client_id'; params.client_id = filters.client_id; }
     if (filters.subject) { sql += ' AND subject LIKE @subject'; params.subject = `%${filters.subject}%`; }
 
     sql += ' ORDER BY updated_at DESC LIMIT 50';