some updates

Author: aster-void

docs/knowledges/data-models.md

@@ -1,5 +1,32 @@
 # Data Models
 
+## Database Optimizations
+
+### Better Auth Performance Indexes
+
+Better Auth 推奨のパフォーマンス最適化インデックス（全て実装済み）:
+
+- ✅ `user.email` - unique constraint (自動インデックス)
+- ✅ `session.userId` - `session_userId_idx`
+- ✅ `session.token` - unique constraint (自動インデックス)
+- ✅ `account.userId` - `account_userId_idx`
+- ✅ `verification.identifier` - `verification_identifier_idx`
+
+### Additional Indexes
+
+CMS テーブル用の追加インデックス:
+
+- `member.userId` - `member_userId_idx` (user linkage lookup)
+- `article.authorId` - `article_authorId_idx` (author's articles)
+- `article.published, publishedAt` - `article_published_publishedAt_idx` (published articles sorted by date)
+- `articleSlugRedirect.oldSlug` - `article_slug_redirect_oldSlug_idx` (redirect lookup)
+- `articleSlugRedirect.articleId` - `article_slug_redirect_articleId_idx` (article's redirects)
+- `projectMember.projectId, memberId` - `projectMember_pk` (project-member junction)
+- `viewLog.resourceType, resourceId` - `view_log_resourceType_resourceId_idx` (resource view lookups)
+- `viewLog.viewedAt` - `view_log_viewedAt_idx` (time-series analytics)
+
+参考: [Better Auth Performance Guide](https://www.better-auth.com/docs/guides/optimizing-for-performance#database-optimizations)
+
 ## Schema
 
 ```

docs/knowledges/project-context.md

@@ -1,6 +1,6 @@
 # Project Context & Overview
 
-**Last Updated**: 2025-12-24
+**Last Updated**: 2025-12-26
 
 ## Project Identity
 
@@ -29,10 +29,10 @@ Component → *.remote.ts (DAL) → *.server.ts (DB)
 2. **DAL** (`*.remote.ts`): Auth guards via `getRequestEvent()`, exports `query`/`command`/`form`
 3. **DB** (`*.server.ts`): Pure database queries, no auth logic
 
-**Verification (2025-12-24)**:
+**Verification (2025-12-26)**:
 - ✅ All `*.remote.ts` files contain auth guards (`requireUtCodeMember()`)
 - ✅ All `*.server.ts` files are pure DB/infrastructure (no auth)
-- ✅ `ownership.ts` (renamed from `ownership.server.ts`) is business logic, not DB layer
+- ✅ Trust-based model: No `ownership.ts` needed - all ut.code(); members have full admin access
 - ✅ Exception: `src/routes/(admin)/+layout.server.ts` (SvelteKit route-level auth guard)
 
 ### Remote Functions (`$app/server`)
@@ -108,8 +108,8 @@ bun tidy             # Auto-check + fix (type + format + lint)
 
 Current knowledge documents in `docs/knowledges/`:
 
-1. **security.md** - Comprehensive security audit (2025-12-24)
-   - Ownership-based access control model
+1. **security.md** - Comprehensive security audit (2025-12-26)
+   - Trust-based security model (all ut.code(); members are mutually trusted)
    - All HIGH/MEDIUM security issues resolved
    - Remaining: LOW priority rate limiting and cache TTL
 
@@ -157,13 +157,13 @@ c7ae749 meta: use sops for Docker build secrets
 ## Current Priorities & TODOs
 
 ### Completed
-- ✅ Security audit and ownership controls
+- ✅ Security audit and trust-based access model
 - ✅ File upload validation (MIME whitelist, size limits, WebP compression)
 - ✅ LIKE wildcard escaping in search
-- ✅ Article authorId validation
 - ✅ Project role validation with picklist
 - ✅ Stats endpoint auth protection
 - ✅ All CRUD operations for members, articles, projects
+- ✅ Removed `ownership.ts` (2025-12-26) - trust-based model doesn't need resource-level checks
 
 ### Remaining (LOW Priority)
 - ⏳ Rate limiting on public endpoints (view counting, search)
@@ -176,16 +176,20 @@ c7ae749 meta: use sops for Docker build secrets
 
 ## Security Model
 
-### Access Control
-| Role                     | Read Access                           | Write Access                                            |
-| ------------------------ | ------------------------------------- | ------------------------------------------------------- |
-| Public (unauthenticated) | Published articles, members, projects | None                                                    |
-| ut.code(); members       | All resources (including drafts)      | Own resources only (ownership-based)                    |
+### Trust-Based Access Control
 
-### Ownership Rules
-- **Articles**: Only author can edit/delete/publish/unpublish
-- **Members**: Only the member themselves can edit/delete their profile
-- **Projects**: Only project members (lead or regular) can edit/delete/manage members
+**Core Principle**: All ut.code(); members are mutually trusted.
+
+| Role                     | Read Access                           | Write Access                     |
+| ------------------------ | ------------------------------------- | -------------------------------- |
+| Public (unauthenticated) | Published articles, members, projects | None                             |
+| ut.code(); members       | All resources (including drafts)      | All resources (full admin access)|
+
+### Authorization Model
+- Single auth check: `requireUtCodeMember()` for all private endpoints
+- No resource-level ownership checks needed
+- All authenticated members can create, edit, delete any article, member profile, or project
+- Trust model prioritizes collaboration over granular access control
 
 ### Security Strengths
 - No SQL injection (Drizzle ORM with parameterized queries)

docs/knowledges/security.md

@@ -1,13 +1,23 @@
 # Security Model
 
-## Assumptions
+## Trust Model
+
+**Core Principle**: All ut.code(); members are mutually trusted.
+
+This is an internal CMS for the ut.code(); organization. All authenticated members belong to the same organization and collaborate on shared content. Therefore:
 
-| Role                     | Read Access                           | Write Access                                            |
-| ------------------------ | ------------------------------------- | ------------------------------------------------------- |
-| Public (unauthenticated) | Published articles, members, projects | None                                                    |
-| ut.code(); members       | All resources (including drafts)      | Own resources only (see Ownership Model below)          |
+- **No ownership checks required**: Any ut.code(); member can edit any article, member profile, or project
+- **Authorization is binary**: `requireUtCodeMember()` is the only auth check needed
+- **Mutual trust assumption**: Members are expected to coordinate and communicate, not compete
+
+This model prioritizes collaboration and simplicity over granular access control.
+
+## Assumptions
 
-**Design Decision**: Ownership-based access control. Users can only modify resources they own or are members of.
+| Role                     | Read Access                           | Write Access                     |
+| ------------------------ | ------------------------------------- | -------------------------------- |
+| Public (unauthenticated) | Published articles, members, projects | None                             |
+| ut.code(); members       | All resources (including drafts)      | All resources (full admin access)|
 
 ## Authentication
 
@@ -18,26 +28,20 @@
   - Mock user ID: `"mock"`, mock member ID: `"mock-member"`
   - Mock data returned from `getMemberByUserId`, `getUserPreference`, `setDefaultAuthor`
 
-## Ownership Model
+## Authorization Model
 
-Resource-level access control is enforced via `ownership.ts`:
+All authenticated ut.code(); members have full admin access. Authorization is enforced via:
 
-### Articles
-- **Edit/Delete/Publish/Unpublish**: Only the article author can modify their own articles
-- Enforced by: `requireArticleOwnership(session, articleId)`
-- Creates: Any authenticated ut.code member can create articles (with their own member ID as author)
+- `requireUtCodeMember()` - Single auth check for all private endpoints
+- Returns session with `user.id` and `member.id`
+- No resource-level ownership checks needed
 
-### Members
-- **Edit/Delete**: Only the member themselves can modify their own profile
-- Enforced by: `requireMemberOwnership(session, memberId)`
-- Creates: Any authenticated ut.code member can create member profiles
+### Resource Access
 
-### Projects
-- **Edit/Delete**: Only project members (lead or regular members) can modify the project
-- **Add/Remove Members**: Only existing project members can add or remove other members
-- **Transfer Lead**: Only the current project lead can transfer leadership
-- Enforced by: `requireProjectOwnership(session, projectId)`
-- Creates: Any authenticated ut.code member can create projects (they become the lead)
+All authenticated members can:
+- **Articles**: Create, edit, delete, publish/unpublish any article
+- **Members**: Create, edit, delete any member profile
+- **Projects**: Create, edit, delete, manage members of any project
 
 ## Endpoint Classification
 
@@ -72,7 +76,6 @@ Resource-level access control is enforced via `ownership.ts`:
 - **S3 Key Validation**: Regex prevents path traversal on delete (`S3KeySchema`)
 - **Session Management**: Better Auth handles session security
 - **CSRF**: SvelteKit Remote Functions use POST with same-origin enforcement
-- **AuthorId Validation**: Article `authorId` must be null or match authenticated user's member ID
 
 ## Known Issues
 
@@ -98,19 +101,16 @@ Now uses `v.picklist(["lead", "member"])` validation.
 ~~User input with `%`, `_`, or `\` characters not escaped in LIKE patterns.~~
 Now uses `escapeLikePattern()` utility in all search functions and redirect lookups.
 
-### ~~MEDIUM: Article authorId not validated~~ FIXED
+### INFO: No resource-level access control (by design)
 
-~~Users could set `authorId` to any member ID when creating/editing articles.~~
-Now validates that `authorId` is either null or matches authenticated user's member ID via `validateAuthorId()` helper.
+This is **not a security issue** - it's the intended trust model.
 
-### ~~HIGH: No ownership verification on edits~~ FIXED
+All authenticated ut.code(); members can edit/delete any resource (articles, members, projects). This is intentional because:
+- All members belong to the same organization
+- Collaboration and flexibility are prioritized over access restrictions
+- Members are expected to coordinate via communication, not technical barriers
 
-~~Any authenticated member could edit/delete any article, member profile, or project.~~
-Now enforces ownership checks:
-- Articles: Only author can edit/delete/publish/unpublish
-- Members: Only the member themselves can edit/delete their profile
-- Projects: Only project members can edit/delete/manage members
-Implementation: `ownership.ts` with `requireArticleOwnership()`, `requireMemberOwnership()`, `requireProjectOwnership()`
+**Implementation**: No `ownership.ts` module needed - `requireUtCodeMember()` is the only authorization check.
 
 ### LOW: No rate limiting
 
@@ -128,13 +128,11 @@ GitHub org membership cached 24h. Removed members retain access.
 | Priority   | Issue              | Fix                                                     | Status  |
 | ---------- | ------------------ | ------------------------------------------------------- | ------- |
 | ~~HIGH~~   | stats endpoint     | Add `requireUtCodeMember()` or filter to published only | ✅ DONE |
-| ~~HIGH~~   | ownership controls | Add ownership verification for edit/delete operations   | ✅ DONE |
 | ~~MEDIUM~~ | File upload        | Add MIME whitelist, folder allowlist, WebP compression  | ✅ DONE |
 | ~~MEDIUM~~ | Project role       | Use `v.picklist(["lead", "member"])`                    | ✅ DONE |
-| ~~MEDIUM~~ | Article authId     | Validate authorId matches user's member ID              | ✅ DONE |
 | LOW        | Rate limiting      | Add to public endpoints                                 | TODO    |
 | LOW        | Cache TTL          | Reduce to 4h or add invalidation                        | TODO    |
 
 ## Audit Date
 
-2024-12-15 (Updated: 2025-12-24 - Added ownership verification model)
+2024-12-15 (Updated: 2025-12-26 - Updated to trust-based security model)

src/lib/data/private/articles.remote.ts

@@ -1,7 +1,5 @@
-import { error } from "@sveltejs/kit";
 import * as v from "valibot";
 import { command, query } from "$app/server";
-import { validateAuthorId } from "$lib/server/database/article-validation";
 import {
   createArticle,
   deleteArticle,
@@ -12,8 +10,6 @@ import {
   updateArticle,
 } from "$lib/server/database/articles.server";
 import { requireUtCodeMember } from "$lib/server/database/auth.server";
-import { getMemberByUserId } from "$lib/server/database/members.server";
-import { requireArticleOwnership } from "$lib/server/database/ownership";
 import { purgeCache } from "$lib/server/services/cloudflare/cache.server";
 import { DB_LARGE_LIMIT } from "$lib/shared/constants";
 
@@ -38,13 +34,7 @@ export const saveArticle = command(
     publishedAt: v.nullable(v.date()),
   }),
   async (data) => {
-    const session = await requireUtCodeMember();
-
-    // Validate authorId matches authenticated user's member ID
-    const currentMember = await getMemberByUserId(session.user.id);
-    if (!validateAuthorId(data.authorId, currentMember?.id ?? null)) {
-      throw error(403, "Cannot set authorId to another user");
-    }
+    await requireUtCodeMember();
 
     const result = await createArticle(data);
     purgeCache().catch(console.error);
@@ -67,18 +57,7 @@ export const editArticle = command(
     createRedirect: v.optional(v.boolean()),
   }),
   async ({ id, data, createRedirect }) => {
-    const session = await requireUtCodeMember();
-
-    // Check ownership: only the author can edit the article
-    await requireArticleOwnership(session, id);
-
-    // Validate authorId matches authenticated user's member ID (only if provided)
-    if (data.authorId !== undefined) {
-      const currentMember = await getMemberByUserId(session.user.id);
-      if (!validateAuthorId(data.authorId, currentMember?.id ?? null)) {
-        throw error(403, "Cannot set authorId to another user");
-      }
-    }
+    await requireUtCodeMember();
 
     // Create redirect if slug is changing and createRedirect is true
     if (data.slug !== undefined && createRedirect) {
@@ -100,31 +79,22 @@ export const editArticle = command(
 );
 
 export const removeArticle = command(v.string(), async (id) => {
-  const session = await requireUtCodeMember();
-
-  // Check ownership: only the author can delete the article
-  await requireArticleOwnership(session, id);
+  await requireUtCodeMember();
 
   await deleteArticle(id);
   purgeCache().catch(console.error);
 });
 
 export const publish = command(v.string(), async (id) => {
-  const session = await requireUtCodeMember();
-
-  // Check ownership: only the author can publish the article
-  await requireArticleOwnership(session, id);
+  await requireUtCodeMember();
 
   const result = await publishArticle(id);
   purgeCache().catch(console.error);
   return result;
 });
 
 export const unpublish = command(v.string(), async (id) => {
-  const session = await requireUtCodeMember();
-
-  // Check ownership: only the author can unpublish the article
-  await requireArticleOwnership(session, id);
+  await requireUtCodeMember();
 
   const result = await unpublishArticle(id);
   purgeCache().catch(console.error);

src/lib/data/private/members.remote.ts

@@ -8,7 +8,6 @@ import {
   listMembers,
   updateMember,
 } from "$lib/server/database/members.server";
-import { requireMemberOwnership } from "$lib/server/database/ownership";
 import { purgeCache } from "$lib/server/services/cloudflare/cache.server";
 import { DB_MEMBERS_LIMIT } from "$lib/shared/constants";
 
@@ -50,10 +49,7 @@ export const editMember = command(
     }),
   }),
   async ({ id, data }) => {
-    const session = await requireUtCodeMember();
-
-    // Check ownership: only the member themselves can edit their profile
-    await requireMemberOwnership(session, id);
+    await requireUtCodeMember();
 
     const result = await updateMember(id, data);
     purgeCache().catch(console.error);
@@ -62,10 +58,7 @@ export const editMember = command(
 );
 
 export const removeMember = command(v.string(), async (id) => {
-  const session = await requireUtCodeMember();
-
-  // Check ownership: only the member themselves can delete their profile
-  await requireMemberOwnership(session, id);
+  await requireUtCodeMember();
 
   await deleteMember(id);
   purgeCache().catch(console.error);