90dcb47c25
workspaceSendMessage, workspaceGetMessages, workspaceMarkRead, and workspaceAddFileComment previously trusted the caller-supplied ID and only checked workspaceEnabled. Any user with the MENTOR role could read/post in any workspace, impersonating the assigned mentor and inserting comments under any team's deliverables. All four now run assertWorkspaceAccess (assigned mentor or team member of the project), mirroring the file-handling procedures in the same router. workspaceMarkRead resolves the message -> workspaceId first, and additionally short-circuits when the caller is the sender so unread state stays honest. workspaceAddFileComment resolves the file -> mentorAssignmentId before the access check. Procedures downgraded from mentorProcedure to protectedProcedure since assertWorkspaceAccess is the real gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>