From d9445034a8ac65798952f1d199e176bd7a6cbecf Mon Sep 17 00:00:00 2001 From: decobot Date: Tue, 24 Feb 2026 00:58:19 +0800 Subject: [PATCH 1/4] fix IDOR cross organization PROJECT_GET --- apps/mesh/src/tools/projects/get.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/mesh/src/tools/projects/get.ts b/apps/mesh/src/tools/projects/get.ts index 04b124ebc6..5b6f64ae49 100644 --- a/apps/mesh/src/tools/projects/get.ts +++ b/apps/mesh/src/tools/projects/get.ts @@ -48,6 +48,10 @@ export const PROJECT_GET = defineTool({ let project = null; + if (input.organizationId !== ctx.organization?.id) { + throw new Error("Organization ID does not match authenticated organization"); + } + if (input.projectId) { project = await ctx.storage.projects.get(input.projectId); } else if (input.slug) { From 036203fd0a34123f6a54db36052d0f5a37f23008 Mon Sep 17 00:00:00 2001 From: decobot Date: Tue, 24 Feb 2026 23:09:43 +0800 Subject: [PATCH 2/4] delete organizationId input, and replace it with current session org --- apps/mesh/src/tools/projects/get.ts | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/apps/mesh/src/tools/projects/get.ts b/apps/mesh/src/tools/projects/get.ts index 5b6f64ae49..fc98899db0 100644 --- a/apps/mesh/src/tools/projects/get.ts +++ b/apps/mesh/src/tools/projects/get.ts @@ -21,7 +21,6 @@ export const PROJECT_GET = defineTool({ }, inputSchema: z .object({ - organizationId: z.string().describe("Organization ID"), projectId: z .string() .optional() @@ -48,15 +47,12 @@ export const PROJECT_GET = defineTool({ let project = null; - if (input.organizationId !== ctx.organization?.id) { - throw new Error("Organization ID does not match authenticated organization"); - } - + if (input.projectId) { project = await ctx.storage.projects.get(input.projectId); } else if (input.slug) { project = await ctx.storage.projects.getBySlug( - input.organizationId, + ctx.organization!.id, input.slug, ); } 
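Review bot: The guard added in this hunk only compares the caller-supplied `organizationId` with the session organization; the `ctx.storage.projects.get(input.projectId)` call on the very next lines still fetches by bare project id with no organization scoping, so a caller who knows another tenant's project id can still read it through the projectId branch unless the storage layer filters by organization internally (not visible here). Only the slug branch passes the organization through `getBySlug`. Ownership should be verified on the returned record rather than on the input, e.g. after both branches `if (project && project.organizationId !== ctx.organization?.id) { project = null; }` (adjust the field name to whatever the stored project record uses for its organization). The PROJECT_GET handler continues outside the hunk, so the rest of the lookup and the return are not visible.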
From 53f387068dfb2330611b323b5bc03fb17400e53c Mon Sep 17 00:00:00 2001 From: decobot Date: Wed, 25 Feb 2026 04:25:29 +0800 Subject: [PATCH 3/4] fix format test --- apps/mesh/src/tools/projects/get.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/apps/mesh/src/tools/projects/get.ts b/apps/mesh/src/tools/projects/get.ts index fc98899db0..9d841c91bc 100644 --- a/apps/mesh/src/tools/projects/get.ts +++ b/apps/mesh/src/tools/projects/get.ts @@ -47,7 +47,6 @@ export const PROJECT_GET = defineTool({ let project = null; - if (input.projectId) { project = await ctx.storage.projects.get(input.projectId); } else if (input.slug) { From e5a78e1492d28afe97649af1e5e2fead7d2e7162 Mon Sep 17 00:00:00 2001 From: decobot Date: Wed, 25 Feb 2026 20:29:39 +0800 Subject: [PATCH 4/4] throw error if theres no organization context --- apps/mesh/src/tools/projects/get.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/apps/mesh/src/tools/projects/get.ts b/apps/mesh/src/tools/projects/get.ts index 9d841c91bc..0242e94650 100644 --- a/apps/mesh/src/tools/projects/get.ts +++ b/apps/mesh/src/tools/projects/get.ts @@ -47,11 +47,19 @@ export const PROJECT_GET = defineTool({ let project = null; + let organizationId = null; + + if (ctx.organization?.id) { + organizationId = ctx.organization.id; + } else { + throw new Error("Organization context is required"); + } + if (input.projectId) { project = await ctx.storage.projects.get(input.projectId); } else if (input.slug) { project = await ctx.storage.projects.getBySlug( - ctx.organization!.id, + organizationId, input.slug, ); }
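Review bot: In the final state of this series the projectId branch, `project = await ctx.storage.projects.get(input.projectId)`, still never uses the `organizationId` that the new block above it establishes, so the cross-organization read the series is titled for is closed only for slug lookups unless `projects.get` scopes by organization internally, which is not visible here. After the lookup I would compare the record's organization with the session one and treat a mismatch as not found, e.g. `if (project && project.organizationId !== organizationId) { project = null; }` (field name to be confirmed against the project model); reporting it as not-found rather than as a distinct "wrong organization" error avoids letting callers confirm that a foreign project id exists. As a point of style, the `let organizationId = null` plus if/else can be collapsed to `const organizationId = ctx.organization?.id; if (!organizationId) { throw new Error("Organization context is required"); }`, which keeps the binding non-nullable without the `!` assertion the previous revision used. The handler continues beyond the end of the hunk.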