H-004: Critical Authorization Gap Exposes Core API Endpoints to Unrestricted Access

A critical vulnerability has been identified in the platform's API layer, allowing unauthenticated or unauthorized users to read and modify sensitive resources across multiple endpoint categories. The flaw, catalogued as H-004, affects at least eight separate route groups including notes, agent-groups, features, chatrooms, DNS records, tool-approvals, and pending tools. Security researchers classify this as a classic IDOR (Insecure Direct Object Reference) vulnerability — a pattern where direct access to objects is possible without proper ownership verification.

The root cause stems from middleware-based authentication that fails to protect these specific routes. Even when middleware protections are present, handlers lack explicit `requireAuth()` calls or ownership checks, leaving resource access controls incomplete. Affected endpoints span both list operations (GET, POST on `/api/notes`, `/api/agent-groups`, `/api/features`) and individual resource operations (GET, PUT, DELETE on `/api/notes/[id]`), creating a broad attack surface for data exfiltration or manipulation.

The vulnerability carries direct compliance implications under SOC 2 CC6.3 (Role-Based Access Control) and has been assigned Priority P1 severity. Remediation requires adding `requireAuth()` middleware to all identified endpoints and implementing explicit ownership verification logic within handlers. Organizations using this platform face risk of unauthorized data access, cross-tenant information leakage, and potential regulatory exposure until patches are applied.