
Security: Cross-session data leakage via lcm_grep and lcm_describe (auth bypass) #70

@keylimesoda

Description

Severity: Critical

Summary

lcm_grep and lcm_describe do not enforce the grant-based authorization model. Any session that has these tools can pass conversationId or allConversations=true and search or read data from other sessions, including the parent's private conversations.

Location

  • src/tools/lcm-grep-tool.ts:30-40,109-131
  • src/tools/lcm-describe-tool.ts:17-27,72-103
  • src/tools/lcm-conversation-scope.ts:50-60

Impact

The delegated grant model only protects lcm_expand. A sub-agent can enumerate or inspect summaries and messages from any conversation stored in the LCM database, including parent/private sessions. In an environment where conversations contain API keys, personal memory, or sensitive context, this is a full data-exposure vector.

Steps to Reproduce

  1. Session A stores private conversation data via LCM
  2. Session B (sub-agent) has lcm_grep tool
  3. Session B calls lcm_grep with allConversations: true or a known conversationId from Session A
  4. Session B receives search results from Session A's private conversations

Recommended Fix

Enforce authorization in every retrieval tool, not just lcm_expand:

  • For sub-agents, derive the allowed conversation scope from the delegated grant
  • Reject explicit conversationId/allConversations overrides that fall outside that scope instead of honouring them
  • Ideally perform the capability check at the retrieval layer, not only in the tool wrappers, so every read path goes through it
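The shape of that fix, as an added example in the project's language (TypeScript). This is not the project's code and does not use its real types: Grant, ScopeRequest, resolveScope, ConversationStore and the sample messages are all hypothetical. The point it shows is that the store's own search method takes the caller's grant and derives the scope itself, so lcm_grep and lcm_describe cannot bypass the check the way they bypass expansion-auth.ts today; a delegated grant rejects allConversations and any conversationId it does not cover, while the parent's unrestricted grant keeps its full view.

```typescript
// Added example, not the project's code. Every name and the sample data below are
// hypothetical stand-ins for the LCM grant model and store.

type ConversationId = string;

/** Parent/owner sessions hold an unrestricted grant; sub-agents hold a delegated one. */
type Grant =
  | { kind: "unrestricted"; sessionId: string }
  | { kind: "delegated"; sessionId: string; allowed: ReadonlySet<ConversationId> };

/** The overrides the report's tool parameters expose. */
interface ScopeRequest {
  conversationId?: ConversationId;
  allConversations?: boolean;
}

/** Thrown instead of silently narrowing, so a denied override is visible and auditable. */
class ScopeDeniedError extends Error {
  constructor(sessionId: string, detail: string) {
    super(`session ${sessionId}: ${detail}`);
    this.name = "ScopeDeniedError";
  }
}

/** Resolved scope: either every conversation, or an explicit allow-list. */
type Scope = { all: true } | { all: false; ids: ReadonlySet<ConversationId> };

/** Derive the effective scope from the grant; overrides are honoured only inside it. */
function resolveScope(grant: Grant, req: ScopeRequest): Scope {
  if (grant.kind === "unrestricted") {
    if (req.conversationId !== undefined) return { all: false, ids: new Set([req.conversationId]) };
    return { all: true };
  }
  // A delegated grant can never widen to the whole database.
  if (req.allConversations) {
    throw new ScopeDeniedError(grant.sessionId, "allConversations exceeds delegated grant");
  }
  if (req.conversationId !== undefined) {
    if (!grant.allowed.has(req.conversationId)) {
      throw new ScopeDeniedError(grant.sessionId, `conversation ${req.conversationId} not in grant`);
    }
    return { all: false, ids: new Set([req.conversationId]) };
  }
  // No override: the whole delegated grant, and nothing beyond it.
  return { all: false, ids: grant.allowed };
}

interface Message {
  conversationId: ConversationId;
  text: string;
}

/** Minimal in-memory stand-in for the LCM database. */
class ConversationStore {
  constructor(private readonly messages: readonly Message[]) {}

  /** Retrieval-layer search: it takes the grant, not a caller-chosen id list,
   *  so a tool wrapper cannot forget or route around the check. */
  grep(grant: Grant, req: ScopeRequest, pattern: RegExp): Message[] {
    const scope = resolveScope(grant, req);
    return this.messages.filter(
      (m) => (scope.all === true || scope.ids.has(m.conversationId)) && pattern.test(m.text),
    );
  }
}

// Constructed sample data: Session A's private conversation and Session B's own task.
const store = new ConversationStore([
  { conversationId: "conv-A", text: "remember: OPENAI_KEY=sk-example-not-real" },
  { conversationId: "conv-A", text: "parent planning notes" },
  { conversationId: "conv-B", text: "sub-agent task: summarise the key findings" },
]);

const parentGrant: Grant = { kind: "unrestricted", sessionId: "A" };
const subAgentGrant: Grant = { kind: "delegated", sessionId: "B", allowed: new Set(["conv-B"]) };

/** Step 3 of the reproduction, run against the hardened path: a foreign scope
 *  yields the error name, an in-scope request yields only Session B's hits. */
function attemptCrossSessionGrep(req: ScopeRequest): string {
  try {
    return `hits=${store.grep(subAgentGrant, req, /key/i).length}`;
  } catch (e) {
    return e instanceof Error ? e.name : String(e);
  }
}

/** The parent session keeps its full view under the same code path. */
function parentHitCount(req: ScopeRequest): number {
  return store.grep(parentGrant, req, /key/i).length;
}
```

The same resolveScope call belongs in front of the describe path and the expand path alike; once the store methods require a grant argument, a retrieval tool that omits it fails to compile rather than silently reading another session's data.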

Context

Found during security review for potential adoption. The grant model in expansion-auth.ts is well-designed but only covers the expand path — grep and describe bypass it entirely.
