Merge pull request 'MCP _INSTRUCTIONS: multi-user sharing ACL guard' (#58) from dev into main
This commit was merged in pull request #58.
This commit is contained in:
@@ -122,6 +122,13 @@ X process" or otherwise references a saved process, call list_processes() /
|
||||
get_process(name) and follow the returned prompt verbatim, including any
|
||||
"clarify first" steps it contains. Author a new one with create_process(title,
|
||||
body); edit with update_process.
|
||||
|
||||
When you are developing Scribe itself (not just using it as a data store),
|
||||
honor the multi-user sharing ACL: every read or mutation of user data must
|
||||
scope by owner + direct shares + group shares through services/access.py
|
||||
(can_read_* / can_write_* / can_admin_*) — never assume a single operator. An
|
||||
unscoped query (a fetch-by-id with no ownership check) is a cross-user data
|
||||
leak; "works for one user" is not done.
|
||||
"""
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user