From the review (https://github.com/v-code01/ledge/blob/main/AUDIT.md §F-3, R-4). Cross-tenant object/LFS confidentiality rests on ObjectId-unguessability + ref-reachability, not per-object ACLs; an out-of-band oid leak permits a cross-tenant read of that object. Refs/workspaces ARE isolated. Closes it: per-object/owner ACLs on the object/LFS read paths. Severity: Medium.
From the review (https://github.com/v-code01/ledge/blob/main/AUDIT.md §F-3, R-4). Cross-tenant object/LFS confidentiality rests on ObjectId-unguessability + ref-reachability, not per-object ACLs; an out-of-band oid leak permits a cross-tenant read of that object. Refs/workspaces ARE isolated. Closes it: per-object/owner ACLs on the object/LFS read paths. Severity: Medium.