feat(spaces): end-to-end shared-space sync (membership lookup + plaintext)

Closes the gap between "invite flow UI exists" and "two users in the same space actually see each other's data". Three pieces land together because they're meaningless without each other. mana-auth — new internal endpoint: GET /api/v1/internal/users/:userId/memberships Returns [{organizationId, role}, ...] for the user. mana-sync uses this to populate the multi-member RLS session config. mana-sync — membership lookup: new internal/memberships package with an HTTP client + 5 min per-user cache, fail-open (empty list = pre-Spaces behavior). Config gets MANA_AUTH_URL (default http://localhost:3001). Handler.NewHandler takes the Lookup. Every Push/Pull/Stream call now passes spaceIDsFor(userID) to Store methods. GetChangesSince + GetAllChangesSince extend their WHERE clause: WHERE (user_id = $1 OR space_id = ANY($memberSpaces)) so co-members see each other's rows, not just the author. apps/web — encryption skip for shared-space records: encryptRecord now checks record.spaceId: - `_personal:<userId>` sentinel OR no active shared space → encrypt with user master key (E2E as today). - Active space resolves to non-personal type AND spaceId matches that space → skip encryption; write lands plaintext. decryptRecord is unchanged because its per-field isEncrypted() guard already passes plaintext through. Phase-1 compromise: shared-space data is protected by server RLS only, not E2E. Phase 2 adds per-Space shared keys with per-member wrap — tracked in docs/plans/spaces-foundation.md. Plus docs/plans/shared-space-smoketest.md: step-by-step Zwei-User-Test mit erwarteten Ergebnissen und Debugging-Hinweisen bei Problemen. Build + go test + web check all green. Plan: docs/plans/spaces-foundation.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 21:36:41 +02:00 · 2026-04-20 20:46:53 +02:00 · 2026-04-20 20:46:53 +02:00 · 38d35247cd
commit 38d35247cd
parent da373491b8
8 changed files with 365 additions and 18 deletions
--- a/services/mana-sync/internal/sync/handler.go
+++ b/services/mana-sync/internal/sync/handler.go
@ -9,20 +9,34 @@ import (
 	"time"

 	"github.com/mana/mana-sync/internal/auth"
+	"github.com/mana/mana-sync/internal/memberships"
 	"github.com/mana/mana-sync/internal/store"
 	"github.com/mana/mana-sync/internal/ws"
 )

 // Handler handles sync HTTP endpoints.
 type Handler struct {
-	store     *store.Store
-	validator *auth.Validator
-	hub       *ws.Hub
+	store       *store.Store
+	validator   *auth.Validator
+	hub         *ws.Hub
+	memberships *memberships.Lookup
 }

 // NewHandler creates a new sync handler.
-func NewHandler(s *store.Store, v *auth.Validator, h *ws.Hub) *Handler {
-	return &Handler{store: s, validator: v, hub: h}
+// memberships may be nil — if so, the handler treats every user as
+// having no shared-space memberships (same as pre-Spaces behavior).
+func NewHandler(s *store.Store, v *auth.Validator, h *ws.Hub, m *memberships.Lookup) *Handler {
+	return &Handler{store: s, validator: v, hub: h, memberships: m}
+}
+
+// spaceIDsFor returns the Space membership list for the caller, or an
+// empty slice if no lookup is configured. Used to populate the session
+// config the multi-member RLS policy reads.
+func (h *Handler) spaceIDsFor(userID string) []string {
+	if h.memberships == nil {
+		return nil
+	}
+	return h.memberships.For(userID)
 }

 // maxBodySize is the maximum allowed request body (10 MB).
@ -210,7 +224,7 @@ func (h *Handler) HandleSync(w http.ResponseWriter, r *http.Request) {
 	}

 	// Get server changes since client's last sync (excluding client's own changes)
-	serverChanges, err := h.store.GetAllChangesSince(ctx, userID, appID, changeset.Since, clientID)
+	serverChanges, err := h.store.GetAllChangesSince(ctx, userID, appID, changeset.Since, clientID, h.spaceIDsFor(userID))
 	if err != nil {
 		slog.Error("failed to get server changes", "error", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)
@ -275,7 +289,7 @@ func (h *Handler) HandlePull(w http.ResponseWriter, r *http.Request) {

 	ctx := r.Context()
 	const batchLimit = 1000
-	serverChanges, err := h.store.GetChangesSince(ctx, userID, appID, collection, since, clientID, batchLimit+1)
+	serverChanges, err := h.store.GetChangesSince(ctx, userID, appID, collection, since, clientID, batchLimit+1, h.spaceIDsFor(userID))
 	if err != nil {
 		slog.Error("failed to get changes", "error", err)
 		http.Error(w, "internal error", http.StatusInternalServerError)
@ -374,8 +388,9 @@ func (h *Handler) HandleStream(w http.ResponseWriter, r *http.Request) {
 	}

 	// Initial sync: send pending changes since cursor for each collection
+	memberSpaceIDs := h.spaceIDsFor(userID)
 	for _, coll := range collections {
-		changes, err := h.store.GetChangesSince(ctx, userID, appID, coll, since, clientID, batchLimit+1)
+		changes, err := h.store.GetChangesSince(ctx, userID, appID, coll, since, clientID, batchLimit+1, memberSpaceIDs)
 		if err != nil {
 			slog.Error("SSE initial pull failed", "error", err, "collection", coll)
 			cursors[coll] = now // Default to now on error
@ -416,7 +431,7 @@ func (h *Handler) HandleStream(w http.ResponseWriter, r *http.Request) {
 				if cursor == "" {
 					cursor = since
 				}
-				changes, err := h.store.GetChangesSince(ctx, userID, appID, table, cursor, clientID, batchLimit+1)
+				changes, err := h.store.GetChangesSince(ctx, userID, appID, table, cursor, clientID, batchLimit+1, memberSpaceIDs)
 				if err != nil || len(changes) == 0 {
 					continue
 				}