Fix project plugin config get/update#2494

Open
0xcucumbersalad wants to merge 5 commits into decocms:main from 0xcucumbersalad:fix-project-plugin-config-get
Conversation

@0xcucumbersalad 0xcucumbersalad commented Feb 24, 2026

What is this contribution about?

Fix a cross-organization data access vulnerability in project plugin configs.

Previously, the get and upsert methods on ProjectPluginConfigsStorage did not scope queries by organization. This meant a caller with a valid projectId and pluginId could read or modify plugin configs belonging to a project in a different organization — bypassing tenant isolation.

This fix:

  • Adds a required organizationId parameter to get() and upsert() in both the storage port interface and the implementation.
  • Joins the projects table and filters by projects.organization_id so that queries are scoped to the caller's organization.
  • Updates all call sites (plugin-config-get.ts, plugin-config-update.ts) to pass ctx.organization!.id.
  • Fixes internal this.get() calls within upsert (for existing-check, post-update, and post-create reads) that were previously missing the organization scope.

How to Test

  1. Set up two organizations (e.g., org_A and org_B) each with at least one project that has a plugin config.
  2. Authenticate as a user in org_A.
  3. Call PROJECT_PLUGIN_CONFIG_GET with a projectId belonging to org_B.
  4. Expected: Returns null / config not found (previously would have returned org_B's config).
  5. Call PROJECT_PLUGIN_CONFIG_UPDATE targeting a project in org_B.
  6. Expected: Fails to find/update the config (previously would have succeeded).
  7. Repeat steps 3–6 using valid project IDs within org_A.
  8. Expected: Get and update work normally.

Summary by cubic

Scoped project plugin config get/update and project slug lookups to the current organization to fix cross-tenant access. Prevents reading or editing configs or projects across orgs.

  • Bug Fixes
    • Added required organizationId to ProjectPluginConfigStoragePort.get/upsert and scoped queries by projects.organization_id.
    • PROJECT_PLUGIN_CONFIG_GET/UPDATE now use ctx.organization.id and throw if no organization context is present.
    • Fixed upsert’s internal reads to use org scope.
    • PROJECT_GET: removed organizationId input; getBySlug uses session org to prevent IDOR.

Written for commit 4600428. Summary will update on new commits.
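Added example (not part of this PR or the decocms code base): an in-memory TypeScript model of the two lookups the description contrasts. The table shapes (projects.organization_id, plugin configs keyed by project_id and plugin_id), the org_A/org_B sample rows, and the function names getUnscoped/getScoped/upsertScoped/handleGet are constructed to mirror the PR text, not taken from the repository. The scoped variants resolve the project through its organization before touching the config row, and the handler fails closed when ctx.organization is absent, as the summary says the real handlers do. The checks at the bottom follow the cross-org steps from "How to Test".

```typescript
// Added example, not decocms code. Sample rows below are constructed.
interface Project { id: string; organization_id: string; slug: string }
interface PluginConfig { project_id: string; plugin_id: string; config: Record<string, unknown> }

const projects: Project[] = [
  { id: "proj_a1", organization_id: "org_A", slug: "alpha" },
  { id: "proj_b1", organization_id: "org_B", slug: "beta" },
];

const pluginConfigs: PluginConfig[] = [
  { project_id: "proj_a1", plugin_id: "plugin_x", config: { apiKey: "A-secret" } },
  { project_id: "proj_b1", plugin_id: "plugin_x", config: { apiKey: "B-secret" } },
];

// BEFORE (the bug): keyed only by (projectId, pluginId). Any caller who knows
// both ids gets the row, regardless of which organization owns the project.
function getUnscoped(projectId: string, pluginId: string): PluginConfig | null {
  return pluginConfigs.find((c) => c.project_id === projectId && c.plugin_id === pluginId) ?? null;
}

// AFTER: "join" through projects and require projects.organization_id to equal
// the caller's organization. A project outside the tenant resolves to null.
function findOwnedProject(organizationId: string, projectId: string): Project | null {
  return projects.find((p) => p.id === projectId && p.organization_id === organizationId) ?? null;
}

function getScoped(organizationId: string, projectId: string, pluginId: string): PluginConfig | null {
  const project = findOwnedProject(organizationId, projectId);
  if (!project) return null;
  return pluginConfigs.find((c) => c.project_id === project.id && c.plugin_id === pluginId) ?? null;
}

// Scoped upsert: the existence check, the update and the create all go through
// the org-scoped lookup, so a foreign project is neither updated nor created for.
function upsertScoped(
  organizationId: string,
  projectId: string,
  pluginId: string,
  config: Record<string, unknown>,
): PluginConfig | null {
  const project = findOwnedProject(organizationId, projectId);
  if (!project) return null;
  const existing = getScoped(organizationId, projectId, pluginId);
  if (existing) {
    existing.config = config;
    return existing;
  }
  const created: PluginConfig = { project_id: project.id, plugin_id: pluginId, config };
  pluginConfigs.push(created);
  return created;
}

// Handler-level guard: fail closed when the session carries no organization,
// rather than falling back to an unscoped query.
interface Ctx { organization?: { id: string } }

function handleGet(ctx: Ctx, projectId: string, pluginId: string): PluginConfig | null {
  if (!ctx.organization) throw new Error("No organization context");
  return getScoped(ctx.organization.id, projectId, pluginId);
}

function handleUpdate(ctx: Ctx, projectId: string, pluginId: string, config: Record<string, unknown>): PluginConfig | null {
  if (!ctx.organization) throw new Error("No organization context");
  return upsertScoped(ctx.organization.id, projectId, pluginId, config);
}
```

The point worth keeping from this model is that the organization check lives inside the storage layer, so every internal read in upsert inherits it; a guard only at the handler would leave the existence check and post-write reads unscoped, which is exactly the gap the fourth bullet of the description closes.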

@github-actions

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

Reaction Action
👍 Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

github-actions bot commented Feb 24, 2026

Release Options

Should a new version be published when this PR is merged?

React with an emoji to vote on the release type:

Reaction Type Next Version
👍 Prerelease 2.115.1-alpha.1
🎉 Patch 2.115.1
❤️ Minor 2.116.0
🚀 Major 3.0.0

Current version: 2.115.0

Deployment

  • Deploy to production (triggers ArgoCD sync after Docker image is published)

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 5 files
