sec: gate super-admin invite minting, OCR settings, and alert mutations

Three findings from the branch security review:

1. HIGH — Privilege escalation via super-admin invite. POST
   /api/v1/admin/invitations was gated only by manage_users (held by the
   port-scoped director role). The body schema accepted isSuperAdmin
   from the request, createCrmInvite persisted it verbatim, and
   consumeCrmInvite copied it into userProfiles.isSuperAdmin — granting
   the new account cross-tenant access. Now the route rejects
   isSuperAdmin=true unless ctx.isSuperAdmin, and createCrmInvite
   requires invitedBy.isSuperAdmin as defense-in-depth.

2. HIGH — Receipt-image exfiltration via OCR settings. The route
   /api/v1/admin/ocr-settings (and the sibling /test) were wrapped only
   in withAuth — any port role including viewer could PUT a swapped
   provider apiKey + flip aiEnabled, redirecting every subsequent
   receipt scan to attacker infrastructure. Both are now wrapped in
   withPermission('admin','manage_settings',…) matching the sibling
   admin routes (ai-budget, settings).

3. MEDIUM — Cross-tenant alert IDOR. dismissAlert / acknowledgeAlert
   issued UPDATE … WHERE id=? with no portId predicate. Any
   authenticated user with a foreign alert UUID could mutate it. Both
   service functions now require portId and add it to the WHERE; the
   route handlers pass ctx.portId.

The dev-trigger-crm-invite script passes a synthetic super-admin caller
identity since it runs out-of-band.

The two public-form tests randomize their IP prefix per run so a fresh
test process doesn't collide with leftover redis sliding-window entries
from a prior run (publicForm limiter pexpires after 1h).

Two new regression test files cover the fixes (6 tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/v1/admin/invitations/route.ts

@@ -3,7 +3,7 @@ import { z } from 'zod';
 
 import { withAuth, withPermission } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
-import { errorResponse } from '@/lib/errors';
+import { errorResponse, ForbiddenError } from '@/lib/errors';
 import { createCrmInvite, listCrmInvites } from '@/lib/services/crm-invite.service';
 
 export const GET = withAuth(
@@ -24,10 +24,17 @@ const createInviteSchema = z.object({
 });
 
 export const POST = withAuth(
-  withPermission('admin', 'manage_users', async (req, _ctx) => {
+  withPermission('admin', 'manage_users', async (req, ctx) => {
     try {
       const body = await parseBody(req, createInviteSchema);
-      const result = await createCrmInvite(body);
+      // Only existing super-admins can mint super-admin invitations. The
+      // manage_users permission is granted to port-scoped director roles,
+      // which must not be able to elevate themselves cross-tenant by
+      // inviting a fresh super_admin.
+      if (body.isSuperAdmin && !ctx.isSuperAdmin) {
+        throw new ForbiddenError('Only super admins can mint super-admin invitations');
+      }
+      const result = await createCrmInvite({ ...body, invitedBy: ctx });
       return NextResponse.json({ data: result }, { status: 201 });
     } catch (error) {
       return errorResponse(error);

src/app/api/v1/admin/ocr-settings/route.ts

@@ -1,7 +1,7 @@
 import { NextResponse } from 'next/server';
 import { z } from 'zod';
 
-import { withAuth } from '@/lib/api/helpers';
+import { withAuth, withPermission } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
 import { errorResponse } from '@/lib/errors';
 import { getPublicOcrConfig, saveOcrConfig, OCR_MODELS } from '@/lib/services/ocr-config.service';
@@ -17,47 +17,56 @@ const saveSchema = z.object({
   aiEnabled: z.boolean().optional(),
 });
 
-export const GET = withAuth(async (req, ctx) => {
-  try {
-    const url = new URL(req.url);
-    const scope = url.searchParams.get('scope') ?? 'port';
-    if (scope === 'global' && !ctx.isSuperAdmin) {
-      return NextResponse.json({ error: 'Super admin only' }, { status: 403 });
+// Only role tiers that hold `admin.manage_settings` (director / super_admin)
+// may read or write the OCR config: the apiKey is stored encrypted but is
+// passed straight into the receipt-scan handler, so a swapped key would
+// exfiltrate every subsequent receipt image to whatever endpoint that key
+// authenticates with.
+export const GET = withAuth(
+  withPermission('admin', 'manage_settings', async (req, ctx) => {
+    try {
+      const url = new URL(req.url);
+      const scope = url.searchParams.get('scope') ?? 'port';
+      if (scope === 'global' && !ctx.isSuperAdmin) {
+        return NextResponse.json({ error: 'Super admin only' }, { status: 403 });
+      }
+      const config = await getPublicOcrConfig(scope === 'global' ? null : ctx.portId);
+      return NextResponse.json({ data: config, models: OCR_MODELS });
+    } catch (error) {
+      return errorResponse(error);
     }
-    const config = await getPublicOcrConfig(scope === 'global' ? null : ctx.portId);
-    return NextResponse.json({ data: config, models: OCR_MODELS });
-  } catch (error) {
-    return errorResponse(error);
-  }
-});
+  }),
+);
 
-export const PUT = withAuth(async (req, ctx) => {
-  try {
-    const body = await parseBody(req, saveSchema);
-    if (body.scope === 'global' && !ctx.isSuperAdmin) {
-      return NextResponse.json({ error: 'Super admin only' }, { status: 403 });
-    }
-    const validModels = OCR_MODELS[body.provider];
-    if (!validModels.includes(body.model)) {
-      return NextResponse.json(
-        { error: `Invalid model for provider ${body.provider}` },
-        { status: 400 },
+export const PUT = withAuth(
+  withPermission('admin', 'manage_settings', async (req, ctx) => {
+    try {
+      const body = await parseBody(req, saveSchema);
+      if (body.scope === 'global' && !ctx.isSuperAdmin) {
+        return NextResponse.json({ error: 'Super admin only' }, { status: 403 });
+      }
+      const validModels = OCR_MODELS[body.provider];
+      if (!validModels.includes(body.model)) {
+        return NextResponse.json(
+          { error: `Invalid model for provider ${body.provider}` },
+          { status: 400 },
+        );
+      }
+      await saveOcrConfig(
+        body.scope === 'global' ? null : ctx.portId,
+        {
+          provider: body.provider,
+          model: body.model,
+          apiKey: body.apiKey,
+          clearApiKey: body.clearApiKey,
+          useGlobal: body.useGlobal,
+          aiEnabled: body.aiEnabled,
+        },
+        ctx.userId,
       );
+      return NextResponse.json({ ok: true });
+    } catch (error) {
+      return errorResponse(error);
     }
-    await saveOcrConfig(
-      body.scope === 'global' ? null : ctx.portId,
-      {
-        provider: body.provider,
-        model: body.model,
-        apiKey: body.apiKey,
-        clearApiKey: body.clearApiKey,
-        useGlobal: body.useGlobal,
-        aiEnabled: body.aiEnabled,
-      },
-      ctx.userId,
-    );
-    return NextResponse.json({ ok: true });
-  } catch (error) {
-    return errorResponse(error);
-  }
-});
+  }),
+);

src/app/api/v1/admin/ocr-settings/test/route.ts

@@ -1,7 +1,7 @@
 import { NextResponse } from 'next/server';
 import { z } from 'zod';
 
-import { withAuth } from '@/lib/api/helpers';
+import { withAuth, withPermission } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
 import { errorResponse } from '@/lib/errors';
 import { OCR_MODELS } from '@/lib/services/ocr-config.service';
@@ -13,15 +13,19 @@ const schema = z.object({
   apiKey: z.string().min(1),
 });
 
-export const POST = withAuth(async (req) => {
-  try {
-    const body = await parseBody(req, schema);
-    if (!OCR_MODELS[body.provider].includes(body.model)) {
-      return NextResponse.json({ error: 'Invalid model' }, { status: 400 });
+// `manage_settings`-gated for parity with the parent OCR settings route —
+// triggers outbound AI provider auth requests using a caller-supplied key.
+export const POST = withAuth(
+  withPermission('admin', 'manage_settings', async (req) => {
+    try {
+      const body = await parseBody(req, schema);
+      if (!OCR_MODELS[body.provider].includes(body.model)) {
+        return NextResponse.json({ error: 'Invalid model' }, { status: 400 });
+      }
+      const result = await testProvider(body.provider, body.apiKey, body.model);
+      return NextResponse.json(result);
+    } catch (error) {
+      return errorResponse(error);
     }
-    const result = await testProvider(body.provider, body.apiKey, body.model);
-    return NextResponse.json(result);
-  } catch (error) {
-    return errorResponse(error);
-  }
-});
+  }),
+);

src/app/api/v1/alerts/[id]/acknowledge/route.ts

@@ -6,6 +6,6 @@ import { acknowledgeAlert } from '@/lib/services/alerts.service';
 export const POST = withAuth(async (_req, ctx, params) => {
   const id = params.id;
   if (!id) return NextResponse.json({ error: 'Missing id' }, { status: 400 });
-  await acknowledgeAlert(id, ctx.userId);
+  await acknowledgeAlert(id, ctx.portId, ctx.userId);
   return NextResponse.json({ ok: true });
 });

src/app/api/v1/alerts/[id]/dismiss/route.ts

@@ -6,6 +6,6 @@ import { dismissAlert } from '@/lib/services/alerts.service';
 export const POST = withAuth(async (_req, ctx, params) => {
   const id = params.id;
   if (!id) return NextResponse.json({ error: 'Missing id' }, { status: 400 });
-  await dismissAlert(id, ctx.userId);
+  await dismissAlert(id, ctx.portId, ctx.userId);
   return NextResponse.json({ ok: true });
 });

src/lib/services/alerts.service.ts

@@ -98,22 +98,28 @@ export async function reconcileAlertsForPort(
   }
 }
 
-export async function dismissAlert(alertId: string, userId: string): Promise<void> {
+export async function dismissAlert(alertId: string, portId: string, userId: string): Promise<void> {
+  // Tenant scope: the WHERE on portId means a foreign-tenant alert UUID
+  // returns zero rows rather than mutating someone else's alert.
   const [row] = await db
     .update(alerts)
     .set({ dismissedAt: sql`now()`, dismissedBy: userId })
-    .where(eq(alerts.id, alertId))
+    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)))
     .returning({ id: alerts.id, portId: alerts.portId });
   if (row) {
     emitToRoom(`port:${row.portId}`, 'alert:dismissed', { alertId: row.id, portId: row.portId });
   }
 }
 
-export async function acknowledgeAlert(alertId: string, userId: string): Promise<void> {
+export async function acknowledgeAlert(
+  alertId: string,
+  portId: string,
+  userId: string,
+): Promise<void> {
   await db
     .update(alerts)
     .set({ acknowledgedAt: sql`now()`, acknowledgedBy: userId })
-    .where(eq(alerts.id, alertId));
+    .where(and(eq(alerts.id, alertId), eq(alerts.portId, portId)));
 }
 
 export interface ListAlertsOptions {

src/lib/services/crm-invite.service.ts

@@ -19,10 +19,20 @@ export async function createCrmInvite(args: {
   email: string;
   name?: string;
   isSuperAdmin?: boolean;
+  /**
+   * Caller identity. Required when minting a super-admin invitation so the
+   * service can fail closed if the caller isn't already a super-admin —
+   * defense-in-depth for the route's authorization gate.
+   */
+  invitedBy?: { userId: string; isSuperAdmin: boolean };
 }): Promise<{ inviteId: string; link: string }> {
   const email = args.email.toLowerCase().trim();
   const isSuperAdmin = args.isSuperAdmin ?? false;
 
+  if (isSuperAdmin && !args.invitedBy?.isSuperAdmin) {
+    throw new ValidationError('Only super admins can mint super-admin invitations');
+  }
+
   // Reject if there's already a better-auth user with this email — they
   // should reset their password instead.
   const sql = postgres(env.DATABASE_URL);