The codebase collapses "exists but not yours" into 404 across every single-row GET / PATCH / DELETE endpoint (#174 / #188 / #192 / #196 / #200 / #204 / #210 / #214 / #218 / #222 etc.) so a scoped caller can't enumerate another tenant's ID range by status code.
The README never documents this. Operators reading the endpoint table would reasonably expect 403 on a cross-tenant probe and be surprised by 404 — and SDK authors might write retry logic on 404 that assumes "row doesn't exist" when it might be "row in a different scope."
Fix: add a short subsection to the HTTP-conventions block explaining the pattern and that master keys still see all rows.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
The codebase collapses "exists but not yours" into 404 across every single-row GET / PATCH / DELETE endpoint (#174 / #188 / #192 / #196 / #200 / #204 / #210 / #214 / #218 / #222 etc.) so a scoped caller can't enumerate another tenant's ID range by status code.
The README never documents this. Operators reading the endpoint table would reasonably expect 403 on a cross-tenant probe and be surprised by 404 — and SDK authors might write retry logic on 404 that assumes "row doesn't exist" when it might be "row in a different scope."
Fix: add a short subsection to the HTTP-conventions block explaining the pattern and that master keys still see all rows.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/