fix: prevent cross-tenant memory id overwrite by NeerajCodz · Pull Request #6 · Astraive/nextral

NeerajCodz · 2026-05-04T06:52:24Z

The codebase introduced tenant_id and tenant-scoped reads while writes still upsert by global id, enabling a cross-tenant overwrite when an attacker supplies an existing memory id from another tenant.
The change aims to restore tenant isolation by ensuring writes cannot silently replace a memory owned by a different (tenant_id, user_id) scope.

Add a pre-flight collision check to the in-memory TestMemoryStore::upsert_memory that returns CoreError::Conflict if an existing record with the same id belongs to a different tenant_id or user_id and only updates when id, tenant_id, and user_id all match (src/testkit/mod.rs).
Modify Postgres upsert_memory to restrict the ON CONFLICT (id) DO UPDATE to rows where nextral_memories.tenant_id = EXCLUDED.tenant_id AND nextral_memories.user_id = EXCLUDED.user_id, and return a CoreError::Conflict when no rows are affected (indicating a cross-tenant id collision) (src/adapters/postgres.rs).
Add a regression test that ingests a record as tenant_a with a caller-supplied id, then verifies that an ingest from tenant_b using the same id is rejected with a Conflict and that the original tenant_a record remains intact (src/lib.rs tests).

fix: prevent cross-tenant memory id overwrite

b9b6ea9

NeerajCodz added aardvark codex labels May 4, 2026 — with ChatGPT Codex Connector

NeerajCodz added aardvark codex labels May 4, 2026

Provide feedback