multi-tenant: belt-and-suspenders hardening on agent + attach paths

Audit-driven tightenings.  No real cross-org leak vectors today, but
all four are cheap defence-in-depth around the boundaries where a
leaked agent key, a future schema change, or a TOCTOU race could
turn a benign assumption into a real leak.

- require_sentinel_agent: switch from `!=` to hmac.compare_digest so
  a timing side-channel can't reveal prefix matches against the
  configured secret.  Empty-header short-circuit preserved (avoids
  type-mismatch issues with compare_digest on len-zero in some
  Python builds).

- /complete: cross-check that body.incident_id belongs to the run's
  org before stamping it on the row.  Today the agent is trusted
  single-tenant infrastructure; this prevents a leaked-key holder
  from writing a foreign org's incident id into another org's run
  drawer.

- attach_snapshot / attach_clip: pin org_id on the second-session
  Incident touch (the parent-row updated_at bump).  The first
  session already verified ownership and Incident.org_id is
  functionally immutable in this codebase, so this is a benign
  TOCTOU today — but the touch silently no-ops instead of mutating
  if anything ever changes.

Author: Sbussiso

backend/app/api/sentinel.py

@@ -27,6 +27,7 @@
     (matches email-prefs at notifications.py:1110).
 """
 
+import hmac
 import logging
 from datetime import UTC, datetime
 from typing import Optional
@@ -45,7 +46,7 @@
     dispatch_manual_run,
     runs_used_this_month,
 )
-from app.models.models import SentinelConfig, SentinelRun
+from app.models.models import Incident, SentinelConfig, SentinelRun
 
 logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/api/sentinel", tags=["sentinel"])
@@ -131,7 +132,13 @@ async def require_sentinel_agent(
     """
     if not settings.SENTINEL_AGENT_KEY:
         raise HTTPException(401, "agent auth not configured")
-    if not x_sentinel_agent_key or x_sentinel_agent_key != settings.SENTINEL_AGENT_KEY:
+    # Constant-time compare so a timing side-channel can't reveal
+    # prefix matches against the configured secret.  Empty header
+    # short-circuits before the compare (compare_digest on length-zero
+    # is False but raises on type mismatch in some Python builds).
+    if not x_sentinel_agent_key or not hmac.compare_digest(
+        x_sentinel_agent_key, settings.SENTINEL_AGENT_KEY
+    ):
         raise HTTPException(401, "invalid agent key")
 
 
@@ -445,6 +452,24 @@ async def post_run_complete(
         # Idempotent no-op — agent retried.
         return row.to_dict(include_trace=True)
 
+    # Cross-check that the agent isn't pointing the run at an incident
+    # outside the run's org.  The agent is trusted infrastructure (single
+    # shared key) but a leaked key would let the holder write
+    # `incident_id=<some other org's id>` into a run row, which would
+    # surface as a wrong/foreign deep-link in that org's run drawer.
+    # Defence-in-depth: only accept incident IDs that belong to row.org_id.
+    if body.outcome == "incident" and body.incident_id is not None:
+        owned = (
+            db.query(Incident.id)
+            .filter_by(id=body.incident_id, org_id=row.org_id)
+            .first()
+        )
+        if owned is None:
+            raise HTTPException(
+                400,
+                "incident_id does not belong to this run's org",
+            )
+
     now = datetime.now(tz=UTC).replace(tzinfo=None)
     row.outcome = body.outcome
     row.severity = body.severity if body.outcome == "incident" else None

backend/app/mcp/server.py

@@ -1426,8 +1426,17 @@ async def attach_snapshot(
             data_mime="image/jpeg",
         )
         db.add(evidence)
-        # Touch parent
-        incident = db.query(Incident).filter_by(id=incident_id).first()
+        # Touch parent.  Org filter is belt-and-suspenders here — the
+        # first session at line ~1408 already verified ownership and
+        # Incident.org_id is functionally immutable in this codebase —
+        # but pinning it on the second-session lookup makes the touch
+        # silently no-op rather than mutate the wrong row in any
+        # future where org_id ever becomes mutable.
+        incident = (
+            db.query(Incident)
+            .filter_by(id=incident_id, org_id=org_id)
+            .first()
+        )
         if incident:
             incident.updated_at = datetime.now(tz=UTC).replace(tzinfo=None)
         db.commit()
@@ -1541,7 +1550,14 @@ def attach_clip(
             data_mime=f"video/mp2t;duration={approx_duration}",
         )
         db.add(evidence)
-        incident = db.query(Incident).filter_by(id=incident_id).first()
+        # Touch parent.  Pin org_id on the lookup as belt-and-suspenders;
+        # the first session at line ~1492 already verified ownership and
+        # Incident.org_id is functionally immutable.
+        incident = (
+            db.query(Incident)
+            .filter_by(id=incident_id, org_id=org_id)
+            .first()
+        )
         if incident:
             incident.updated_at = datetime.now(tz=UTC).replace(tzinfo=None)
         db.commit()