_⚠️ Potential issue_ | _🟠 Major_

_⚠️ Potential issue_ | _🟠 Major_

**Executive summary and report endpoints don’t enforce investigation ownership.**

The reporting endpoints:

- `POST /forensics/investigations/:id/generate-summary`
- `POST /forensics/investigations/:id/reports`
- `GET /forensics/investigations/:id/reports`

all:

- Are unauthenticated.
- Use only the path `:id` to scope operations, without confirming that the investigation belongs to the caller.
- For creation routes, accept `req.body` directly (no Zod validation), despite the presence of `insertForensicReportSchema`.

For a forensic/reporting system, these should:

- Require auth.
- Verify investigation ownership before generating/creating/fetching reports.
- Validate report creation payloads via `insertForensicReportSchema` and return 400s on invalid data.


Based on learnings, forensic reports should be both tenant‑scoped and schema‑validated for defensibility.





_Originally posted by @coderabbitai[bot] in https://github.com/chittyapps/chittyfinance/pull/5#discussion_r2591436015_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

_⚠️ Potential issue_ | _🟠 Major_ #8

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

_⚠️ Potential issue_ | _🟠 Major_ #8

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions