From cf8bbf3018d37b71f28ed7a2a9c680e47b7b943a Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Sun, 10 May 2026 16:50:02 +0200
Subject: [PATCH] fix(documents): defense-in-depth port_id scope + invisible
 chevron a11y

- renameFolder/moveFolder UPDATE and deleteFolderSoftRescue DELETE now
  carry an explicit port_id predicate so the write is bounded to the
  same tenancy the pre-fetch verified, defending against future
  refactors that drop or reorder the ownership check.
- FolderRow's collapsed-children chevron is `invisible` for layout
  purposes, but it was still in the tab order with a misleading
  Expand/Collapse aria-label. Add aria-hidden + tabIndex=-1 when no
  children so keyboard users skip it.

Surfaced by post-implementation review (subagent code-review pass).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/components/documents/folder-tree-sidebar.tsx | 2 ++
 src/lib/services/document-folders.service.ts     | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/components/documents/folder-tree-sidebar.tsx b/src/components/documents/folder-tree-sidebar.tsx
index dff1d558..663cb33e 100644
--- a/src/components/documents/folder-tree-sidebar.tsx
+++ b/src/components/documents/folder-tree-sidebar.tsx
@@ -122,6 +122,8 @@ function FolderRow({
         <button
           type="button"
           aria-label={open ? 'Collapse' : 'Expand'}
+          aria-hidden={!hasChildren}
+          tabIndex={hasChildren ? 0 : -1}
           onClick={() => setOpen((o) => !o)}
           className={cn(
             'flex h-5 w-5 items-center justify-center text-muted-foreground hover:text-foreground',
diff --git a/src/lib/services/document-folders.service.ts b/src/lib/services/document-folders.service.ts
index f3770662..fda8c515 100644
--- a/src/lib/services/document-folders.service.ts
+++ b/src/lib/services/document-folders.service.ts
@@ -136,7 +136,7 @@ export async function renameFolder(
     const [updated] = await db
       .update(documentFolders)
       .set({ name: trimmed, updatedAt: new Date() })
-      .where(eq(documentFolders.id, folderId))
+      .where(and(eq(documentFolders.id, folderId), eq(documentFolders.portId, portId)))
       .returning();
     if (!updated) throw new NotFoundError('Folder');
 
@@ -209,7 +209,7 @@ export async function moveFolder(
     const [updated] = await db
       .update(documentFolders)
       .set({ parentId: newParentId, updatedAt: new Date() })
-      .where(eq(documentFolders.id, folderId))
+      .where(and(eq(documentFolders.id, folderId), eq(documentFolders.portId, portId)))
       .returning();
     if (!updated) throw new NotFoundError('Folder');
 
@@ -262,7 +262,9 @@ export async function deleteFolderSoftRescue(
       .set({ folderId: newParent })
       .where(and(eq(documents.folderId, folderId), eq(documents.portId, portId)));
 
-    await tx.delete(documentFolders).where(eq(documentFolders.id, folderId));
+    await tx
+      .delete(documentFolders)
+      .where(and(eq(documentFolders.id, folderId), eq(documentFolders.portId, portId)));
   });
 
   void createAuditLog({