improdead · esprit-security-scan · Dec 22, 2025 · Dec 22, 2025
diff --git a/backend/prisma/schema.prisma b/backend/prisma/schema.prisma
@@ -16,6 +16,7 @@ enum PageStatus {
 
 model Episode {
   id            String   @id @default(uuid())
+  userId        String   // Owner of this episode
   seedInput     Json
   outline       Json?
   rendererModel String?
@@ -24,12 +25,15 @@ model Episode {
   pages         Page[]
   characters    Character[]
 
+  @@index([userId])
   @@index([createdAt])
   @@index([updatedAt])
+  @@index([userId, createdAt])
 }
 
 model Page {
   id         String     @id @default(uuid())
+  userId     String     // Owner of this page
   episodeId  String
   pageNumber Int
   status     PageStatus
@@ -44,9 +48,11 @@ model Page {
   canvas  Canvas?
 
   @@unique([episodeId, pageNumber])
+  @@index([userId])
   @@index([episodeId])
   @@index([status])
   @@index([episodeId, status])
+  @@index([userId, episodeId])
 }
 
 model Character {
@@ -67,6 +73,7 @@ model Character {
 
 model Canvas {
   id                String              @id @default(uuid())
+userId            String              // Owner of this canvas
   pageId            String              @unique
   canvasData        Json?               // Serialized Fabric.js canvas data
   thumbnailUrl      String?

diff --git a/backend/src/planner/planner.service.ts b/backend/src/planner/planner.service.ts
@@ -18,6 +18,7 @@ import {
 import { generateStubOutline, mergeWithStub } from './planner.fallback';
 import { LoggerService } from '../observability/logger.service';
 import { TracingService } from '../observability/tracing.service';
+import { validateAndSanitizeSeed, containsInjectionPatterns } from './prompt-sanitizer';
 
 /**
  * Error types for better error handling
@@ -130,14 +131,26 @@ export class PlannerService {
    */
   private validateInput(seed: EpisodeSeed): void {
     try {
+      // First validate structure with Zod
       EpisodeSeedSchema.parse(seed);
-      this.logger.debug('Input validation passed');
+
+      // Then sanitize and validate content
+      const sanitized = validateAndSanitizeSeed(seed);
+
+      // Check for injection patterns in original seed (for monitoring)
+      const seedString = JSON.stringify(seed);
+      if (containsInjectionPatterns(seedString)) {
+        this.logger.warn('Potential prompt injection pattern detected in seed input');
+      }
+
+      this.logger.debug('Input validation and sanitization passed');
     } catch (error) {
       if (error instanceof ZodError) {
         const details = formatZodError(error);
         this.logger.error('Input validation failed', undefined, { details });
         throw new PlannerValidationError('Invalid episode seed data', details);
       }
+      this.logger.error('Input sanitization failed', error instanceof Error ? error.stack : undefined);
       throw error;
     }
   }