fix(postgres): prevent cross-tenant memory overwrite in upsert by NeerajCodz · Pull Request #4 · Astraive/nextral

NeerajCodz · 2026-05-04T06:52:09Z

The upsert_memory path previously used ON CONFLICT (id) DO UPDATE and unconditionally reassigned tenant_id/user_id and other fields, allowing a caller-supplied or guessed global id to overwrite another tenant's memory record.
The schema uses a global id primary key, so ownership must be enforced at write time to prevent cross-tenant corruption.

Updated src/adapters/postgres.rs upsert_memory to stop updating tenant_id/user_id on conflict and to add a WHERE nextral_memories.tenant_id = EXCLUDED.tenant_id AND nextral_memories.user_id = EXCLUDED.user_id guard to the ON CONFLICT ... DO UPDATE clause.
Capture the rows_affected returned from execute and return a CoreError::Conflict when no rows were updated, which indicates an id collision with a different tenant/user scope.
Preserves existing behavior for same-tenant updates and otherwise fails the write rather than silently moving ownership.

Ran the unit test suite with cargo test -p nextral --lib and all tests passed (11 passed, 0 failed).

fix(postgres): block cross-tenant memory id overwrite

a08fa7d

NeerajCodz added codex aardvark labels May 4, 2026 — with ChatGPT Codex Connector

NeerajCodz added the codex label May 4, 2026

Provide feedback