---
taskmaster_id: "2.1"
status: "done"
priority: "high"
depends_on: []
parent_id: "2"
source: "taskmaster"
generated_at: "2026-05-24T07:15:25.199Z"
---

# 2.1 - Secure unauthenticated endpoints and owner enforcement

- [x] 2.1 - Secure unauthenticated endpoints and owner enforcement #taskmaster #priority/high #status/done ⏫ 🆔 tm-2-1

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 2.1 |
| Status | done |
| Priority | high |
| Dependencies | None |
| Parent | 2 - Implement platform audit remediation plan |

## Description

Require `authenticateToken` and owner/admin checks on exposed payment, AI, and legacy notification routes.

## Details

Derive notification `userId` from authenticated principal. Protect payment history and mutation endpoints. Restrict AI calls to authenticated users with per-user budgets. Add denied-access audit logs.

## Verification

Unauthorized callers receive 401/403; users cannot access or mutate other users' payments/notifications; admins retain authorized access.
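
The checks listed under Details and Verification, as an added example that is not the project's own code: an owner-or-admin guard with denied-access audit logging, plus a notification lookup keyed on the authenticated principal. It assumes an Express-style `(req, res, next)` shape and that `authenticateToken` sets `req.user = { id, role }`; the routes, sample data and `auditLog` sink are hypothetical.

```javascript
// Added example. Assumption: authenticateToken ran first and set
// req.user = { id, role } for valid tokens (undefined otherwise).
const auditLog = []; // stand-in for the real audit sink (hypothetical)

// Constructed sample data.
const payments = [{ id: 'p1', userId: 'u1' }, { id: 'p2', userId: 'u2' }];
const notifications = [{ id: 'n1', userId: 'u1' }, { id: 'n2', userId: 'u2' }];

function deny(req, res, statusCode, reason) {
  auditLog.push({ event: 'access_denied', statusCode, reason, path: req.path,
                  method: req.method, actor: req.user ? req.user.id : null });
  res.statusCode = statusCode;
  res.body = { error: statusCode === 401 ? 'unauthenticated' : 'forbidden' };
}

// Middleware factory: loadOwnerId(req) returns the owner's id, or null/undefined.
function requireOwnerOrAdmin(loadOwnerId) {
  return (req, res, next) => {
    if (!req.user) return deny(req, res, 401, 'no_principal');
    if (req.user.role === 'admin') return next();
    const ownerId = loadOwnerId(req);
    // Missing and foreign resources get the same answer, so ids cannot be probed.
    if (ownerId == null || String(ownerId) !== String(req.user.id)) {
      return deny(req, res, 403, 'not_owner');
    }
    return next();
  };
}

const findPayment = (req) => payments.find((p) => p.id === req.params.id);

// GET /payments/:id (hypothetical route)
function getPayment(req) {
  const res = { statusCode: 200, body: null };
  const guard = requireOwnerOrAdmin((r) => (findPayment(r) || {}).userId);
  guard(req, res, () => {
    const p = findPayment(req);
    if (p) res.body = p; else res.statusCode = 404; // only admins can reach this
  });
  return res;
}

// GET /notifications (hypothetical route): identity comes from the principal
// only; a client-supplied userId in query or body is ignored.
function getNotifications(req) {
  const res = { statusCode: 200, body: null };
  if (!req.user) { deny(req, res, 401, 'no_principal'); return res; }
  res.body = notifications.filter((n) => n.userId === req.user.id);
  return res;
}
```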