ofiere-openclaw-plugin 4.56.8 → 4.56.9

package/dist/src/tools.js

@@ -1038,12 +1038,15 @@ async function handleUpdateTask(supabase, userId, params) {
                 updates.subagent_id = subCheck.subagentId;
             }
         }
-        // If task is being marked DONE or FAILED, auto-complete any linked scheduler events
+        // If task is being marked DONE or FAILED, auto-complete any linked scheduler events.
+        // A-4 plugin parity (2026-05-18) — scope by user_id so cross-tenant task_id
+        // can't trigger foreign scheduler flip via plugin tool path.
         if (params.status === "DONE" || params.status === "FAILED") {
             try {
                 await supabase
                     .from("scheduler_events")
                     .update({ status: "completed", next_run_at: null, updated_at: new Date().toISOString() })
+                    .eq("user_id", userId)
                     .eq("task_id", params.task_id);
             }
             catch (_schedErr) {
@@ -2313,7 +2316,9 @@ function registerWorkflowOps(api, supabase, userId) {
                     const wfId = (params.id || params.workflow_id);
                     if (!wfId)
                         return err("Missing required: id");
-                    await supabase.from("workflow_runs").delete().eq("workflow_id", wfId);
+                    // A-4 plugin parity (2026-05-18) — scope cascade so cross-tenant
+                    // workflow_id can't trigger foreign workflow_runs wipe via plugin.
+                    await supabase.from("workflow_runs").delete().eq("user_id", userId).eq("workflow_id", wfId);
                     const { error } = await supabase.from("workflows").delete().eq("id", wfId).eq("user_id", userId);
                     if (error)
                         return err(error.message);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ofiere-openclaw-plugin",
-  "version": "4.56.8",
+  "version": "4.56.9",
   "type": "module",
   "description": "OpenClaw plugin for Ofiere PM - 18 meta-tools covering tasks, agents, projects, scheduling, knowledge, workflows, notifications, memory, prompts, constellation, space file management, execution plan builder, SOP management, agent brain, talent management, corporate frameworks, agent office canvas, and PM gate approvals",
   "keywords": [

package/src/tools.ts

@@ -1147,12 +1147,15 @@ async function handleUpdateTask(
       }
     }
 
-    // If task is being marked DONE or FAILED, auto-complete any linked scheduler events
+    // If task is being marked DONE or FAILED, auto-complete any linked scheduler events.
+    // A-4 plugin parity (2026-05-18) — scope by user_id so cross-tenant task_id
+    // can't trigger foreign scheduler flip via plugin tool path.
     if (params.status === "DONE" || params.status === "FAILED") {
       try {
         await supabase
           .from("scheduler_events")
           .update({ status: "completed", next_run_at: null, updated_at: new Date().toISOString() })
+          .eq("user_id", userId)
           .eq("task_id", params.task_id as string);
       } catch (_schedErr) {
         // Non-fatal: task update should still proceed
@@ -2464,7 +2467,9 @@ function registerWorkflowOps(
         case "delete": {
           const wfId = (params.id || params.workflow_id) as string;
           if (!wfId) return err("Missing required: id");
-          await supabase.from("workflow_runs").delete().eq("workflow_id", wfId);
+          // A-4 plugin parity (2026-05-18) — scope cascade so cross-tenant
+          // workflow_id can't trigger foreign workflow_runs wipe via plugin.
+          await supabase.from("workflow_runs").delete().eq("user_id", userId).eq("workflow_id", wfId);
           const { error } = await supabase.from("workflows").delete().eq("id", wfId).eq("user_id", userId);
           if (error) return err(error.message);
           return ok({ message: "Workflow and associated runs deleted", ok: true });