fix(security): IDOR, SSRF, space scoping, rate limiting for competitor differentiation

- IDOR: Add space ownership checks to CompetitorController (crawl, alerts, destroyAlert),
  CompetitorSourceController (index, store, show, update, destroy),
  DifferentiationController (index, show, summary), and GraphQL mutations
  (TriggerCompetitorCrawl, DeleteCompetitorSource, DeleteCompetitorAlert, UpdateCompetitorSource)
- SSRF: Add ExternalUrl rule to url/feed_url in StoreCompetitorSourceRequest and
  UpdateCompetitorSourceRequest; add ExternalUrl rule to slack_webhook/webhook_url
  in StoreCompetitorAlertRequest
- Space scoping: Verify space_id access on all collection endpoints
- Rate limiting: Add throttle:5,1 middleware to crawl trigger route
- Quota: Enforce max 50 competitor sources per space in store()
- Pre-existing: Remove duplicate match arm and duplicate extractFromBrief() method
  in ContentFingerprintService (caused phpstan errors)

Author: numen-bot

app/GraphQL/Mutations/DeleteCompetitorAlert.php

@@ -10,7 +10,13 @@ class DeleteCompetitorAlert
     public function __invoke(mixed $root, array $args): ?CompetitorAlert
     {
         $alert = CompetitorAlert::find($args['id']);
-        $alert?->delete();
+
+        if ($alert) {
+            $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+            abort_if($currentSpace && $alert->space_id !== $currentSpace->id, 403);
+
+            $alert->delete();
+        }
 
         return $alert;
     }

app/GraphQL/Mutations/DeleteCompetitorSource.php

@@ -10,7 +10,13 @@ class DeleteCompetitorSource
     public function __invoke(mixed $root, array $args): ?CompetitorSource
     {
         $source = CompetitorSource::find($args['id']);
-        $source?->delete();
+
+        if ($source) {
+            $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+            abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
+            $source->delete();
+        }
 
         return $source;
     }

app/GraphQL/Mutations/TriggerCompetitorCrawl.php

@@ -11,6 +11,10 @@ class TriggerCompetitorCrawl
     public function __invoke(mixed $root, array $args): bool
     {
         $source = CompetitorSource::findOrFail($args['source_id']);
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         CrawlCompetitorSourceJob::dispatch($source);
 
         return true;

app/GraphQL/Mutations/UpdateCompetitorSource.php

@@ -10,6 +10,10 @@ class UpdateCompetitorSource
     public function __invoke(mixed $root, array $args): CompetitorSource
     {
         $source = CompetitorSource::findOrFail($args['id']);
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         $source->update($args['input']);
 
         return $source->fresh() ?? $source;

app/Http/Controllers/Api/CompetitorController.php

@@ -28,6 +28,9 @@ public function content(Request $request): AnonymousResourceCollection
             'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
         ]);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $validated['space_id'] !== $currentSpace->id, 403);
+
         $query = CompetitorContentItem::query()
             ->whereHas('source', fn ($q) => $q->where('space_id', $validated['space_id']))
             ->with('source')
@@ -50,6 +53,9 @@ public function crawl(string $id): JsonResponse
     {
         $source = CompetitorSource::findOrFail($id);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         CrawlCompetitorSourceJob::dispatch($source);
 
         return response()->json(['message' => 'Crawl job dispatched', 'source_id' => $source->id]);
@@ -65,6 +71,9 @@ public function alerts(Request $request): AnonymousResourceCollection
             'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
         ]);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $validated['space_id'] !== $currentSpace->id, 403);
+
         $alerts = CompetitorAlert::where('space_id', $validated['space_id'])
             ->orderByDesc('created_at')
             ->paginate((int) ($validated['per_page'] ?? 20));
@@ -88,6 +97,10 @@ public function storeAlert(StoreCompetitorAlertRequest $request): JsonResponse
     public function destroyAlert(string $id): JsonResponse
     {
         $alert = CompetitorAlert::findOrFail($id);
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $alert->space_id !== $currentSpace->id, 403);
+
         $alert->delete();
 
         return response()->json(null, 204);

app/Http/Controllers/Api/CompetitorSourceController.php

@@ -23,6 +23,9 @@ public function index(Request $request): AnonymousResourceCollection
             'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
         ]);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $validated['space_id'] !== $currentSpace->id, 403);
+
         $sources = CompetitorSource::where('space_id', $validated['space_id'])
             ->orderByDesc('created_at')
             ->paginate((int) ($validated['per_page'] ?? 20));
@@ -35,7 +38,16 @@ public function index(Request $request): AnonymousResourceCollection
      */
     public function store(StoreCompetitorSourceRequest $request): JsonResponse
     {
-        $source = CompetitorSource::create($request->validated());
+        $validated = $request->validated();
+        $spaceId = $validated['space_id'];
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $spaceId !== $currentSpace->id, 403);
+
+        $count = CompetitorSource::where('space_id', $spaceId)->count();
+        abort_if($count >= 50, 422, 'Maximum 50 competitor sources per space');
+
+        $source = CompetitorSource::create($validated);
 
         return response()->json(['data' => new CompetitorSourceResource($source)], 201);
     }
@@ -47,6 +59,9 @@ public function show(string $id): JsonResponse
     {
         $source = CompetitorSource::findOrFail($id);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         return response()->json(['data' => new CompetitorSourceResource($source)]);
     }
 
@@ -56,6 +71,10 @@ public function show(string $id): JsonResponse
     public function update(UpdateCompetitorSourceRequest $request, string $id): JsonResponse
     {
         $source = CompetitorSource::findOrFail($id);
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         $source->update($request->validated());
 
         return response()->json(['data' => new CompetitorSourceResource($source)]);
@@ -67,6 +86,10 @@ public function update(UpdateCompetitorSourceRequest $request, string $id): Json
     public function destroy(string $id): JsonResponse
     {
         $source = CompetitorSource::findOrFail($id);
+
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $source->space_id !== $currentSpace->id, 403);
+
         $source->delete();
 
         return response()->json(null, 204);

app/Http/Controllers/Api/DifferentiationController.php

@@ -25,6 +25,9 @@ public function index(Request $request): AnonymousResourceCollection
             'per_page' => ['nullable', 'integer', 'min:1', 'max:100'],
         ]);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $validated['space_id'] !== $currentSpace->id, 403);
+
         $query = DifferentiationAnalysis::where('space_id', $validated['space_id'])
             ->with('competitorContent')
             ->orderByDesc('analyzed_at');
@@ -54,6 +57,9 @@ public function show(string $id): JsonResponse
     {
         $analysis = DifferentiationAnalysis::with('competitorContent')->findOrFail($id);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $analysis->space_id !== $currentSpace->id, 403);
+
         return response()->json(['data' => new DifferentiationAnalysisResource($analysis)]);
     }
 
@@ -67,6 +73,9 @@ public function summary(Request $request): JsonResponse
             'space_id' => ['required', 'string'],
         ]);
 
+        $currentSpace = app()->bound('current_space') ? app('current_space') : null;
+        abort_if($currentSpace && $validated['space_id'] !== $currentSpace->id, 403);
+
         /** @var object{total_analyses: int|string, avg_differentiation_score: float|string|null, avg_similarity_score: float|string|null, max_differentiation_score: float|string|null, min_differentiation_score: float|string|null, last_analyzed_at: string|null}|null $summary */
         $summary = DifferentiationAnalysis::where('space_id', $validated['space_id'])
             ->selectRaw('

app/Http/Requests/StoreCompetitorAlertRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Rules\ExternalUrl;
 use Illuminate\Foundation\Http\FormRequest;
 
 class StoreCompetitorAlertRequest extends FormRequest
@@ -27,8 +28,8 @@ public function rules(): array
             'notify_channels' => ['nullable', 'array'],
             'notify_channels.email' => ['sometimes', 'array'],
             'notify_channels.email.*' => ['email'],
-            'notify_channels.slack_webhook' => ['sometimes', 'url', 'max:2048'],
-            'notify_channels.webhook_url' => ['sometimes', 'url', 'max:2048'],
+            'notify_channels.slack_webhook' => ['sometimes', 'url', 'max:2048', new ExternalUrl],
+            'notify_channels.webhook_url' => ['sometimes', 'url', 'max:2048', new ExternalUrl],
         ];
     }
 }

app/Http/Requests/StoreCompetitorSourceRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Rules\ExternalUrl;
 use Illuminate\Foundation\Http\FormRequest;
 
 class StoreCompetitorSourceRequest extends FormRequest
@@ -17,8 +18,8 @@ public function rules(): array
         return [
             'space_id' => ['required', 'string', 'exists:spaces,id'],
             'name' => ['required', 'string', 'max:255'],
-            'url' => ['required', 'url', 'max:2048'],
-            'feed_url' => ['nullable', 'url', 'max:2048'],
+            'url' => ['required', 'url', 'max:2048', new ExternalUrl],
+            'feed_url' => ['nullable', 'url', 'max:2048', new ExternalUrl],
             'crawler_type' => ['required', 'in:rss,sitemap,scrape,api'],
             'config' => ['nullable', 'array'],
             'is_active' => ['boolean'],

app/Http/Requests/UpdateCompetitorSourceRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Rules\ExternalUrl;
 use Illuminate\Foundation\Http\FormRequest;
 
 class UpdateCompetitorSourceRequest extends FormRequest
@@ -16,8 +17,8 @@ public function rules(): array
     {
         return [
             'name' => ['sometimes', 'string', 'max:255'],
-            'url' => ['sometimes', 'url', 'max:2048'],
-            'feed_url' => ['nullable', 'url', 'max:2048'],
+            'url' => ['sometimes', 'url', 'max:2048', new ExternalUrl],
+            'feed_url' => ['nullable', 'url', 'max:2048', new ExternalUrl],
             'crawler_type' => ['sometimes', 'in:rss,sitemap,scrape,api'],
             'config' => ['nullable', 'array'],
             'is_active' => ['sometimes', 'boolean'],