fix: scope bundle list aggregates to API key environment

list_bundle_names() and get_bundle_enrichment() now accept an optional
env parameter. When an env-scoped API key calls GET /bundles, the
version_count, latest_version, last_updated, contract_count, and
last_deployed_at are all scoped to versions deployed in the key's
environment. Prevents cross-env metadata leakage (e.g. staging key
learning production has 7 newer versions).

Author: acartag7

src/edictum_server/routes/bundles.py

@@ -102,19 +102,17 @@ async def list_bundles(
     When accessed via API key, only bundles deployed to the key's environment
     are returned.
     """
-    names = await list_bundle_names(db, auth.tenant_id)
+    env_filter = auth.env if (auth.auth_type == "api_key" and auth.env) else None
+    names = await list_bundle_names(db, auth.tenant_id, env=env_filter)
     envs_by_name = await get_deployed_envs_by_bundle_name(db, auth.tenant_id)
-    enrichment = await get_bundle_enrichment(db, auth.tenant_id)
+    enrichment = await get_bundle_enrichment(db, auth.tenant_id, env=env_filter)
     result: list[BundleSummaryResponse] = []
     for entry in names:
         bname = str(entry["name"])
         deployed_envs = envs_by_name.get(bname, [])
-        # API key auth: only return bundles deployed to the key's env
-        if auth.auth_type == "api_key" and auth.env:
-            if auth.env not in deployed_envs:
-                continue
-            # Narrow deployed_envs to only the key's env
-            deployed_envs = [auth.env]
+        # API key auth: narrow visible envs to the key's env
+        if env_filter:
+            deployed_envs = [env_filter] if env_filter in deployed_envs else []
         enrich = enrichment.get(bname, {})
         result.append(
             BundleSummaryResponse(

src/edictum_server/services/bundle_service.py

@@ -135,19 +135,46 @@ async def list_tenant_bundles(
 async def list_bundle_names(
     db: AsyncSession,
     tenant_id: uuid.UUID,
+    *,
+    env: str | None = None,
 ) -> list[dict[str, object]]:
-    """Return distinct bundle names with aggregates (version_count, latest_version)."""
-    result = await db.execute(
-        select(
-            Bundle.name,
-            func.count(Bundle.id).label("version_count"),
-            func.max(Bundle.version).label("latest_version"),
-            func.max(Bundle.created_at).label("last_updated"),
+    """Return distinct bundle names with aggregates (version_count, latest_version).
+
+    When *env* is provided, only versions deployed to that environment are
+    counted — prevents cross-env metadata leakage for env-scoped API keys.
+    """
+    if env is not None:
+        # Scoped: only count versions that have a deployment to this env
+        stmt = (
+            select(
+                Bundle.name,
+                func.count(func.distinct(Bundle.id)).label("version_count"),
+                func.max(Bundle.version).label("latest_version"),
+                func.max(Bundle.created_at).label("last_updated"),
+            )
+            .join(
+                Deployment,
+                (Bundle.tenant_id == Deployment.tenant_id)
+                & (Bundle.name == Deployment.bundle_name)
+                & (Bundle.version == Deployment.bundle_version),
+            )
+            .where(Bundle.tenant_id == tenant_id, Deployment.env == env)
+            .group_by(Bundle.name)
+            .order_by(func.max(Bundle.created_at).desc())
         )
-        .where(Bundle.tenant_id == tenant_id)
-        .group_by(Bundle.name)
-        .order_by(func.max(Bundle.created_at).desc())
-    )
+    else:
+        stmt = (
+            select(
+                Bundle.name,
+                func.count(Bundle.id).label("version_count"),
+                func.max(Bundle.version).label("latest_version"),
+                func.max(Bundle.created_at).label("last_updated"),
+            )
+            .where(Bundle.tenant_id == tenant_id)
+            .group_by(Bundle.name)
+            .order_by(func.max(Bundle.created_at).desc())
+        )
+    result = await db.execute(stmt)
     return [
         {
             "name": row.name,
@@ -235,9 +262,7 @@ async def get_deployed_envs_by_bundle_name(
         .subquery()
     )
 
-    result = await db.execute(
-        select(ranked.c.bundle_name, ranked.c.env).where(ranked.c.rn == 1)
-    )
+    result = await db.execute(select(ranked.c.bundle_name, ranked.c.env).where(ranked.c.rn == 1))
 
     mapping: dict[str, list[str]] = defaultdict(list)
     for name, env in result.all():
@@ -250,28 +275,48 @@ async def get_deployed_envs_by_bundle_name(
 async def get_bundle_enrichment(
     db: AsyncSession,
     tenant_id: uuid.UUID,
+    *,
+    env: str | None = None,
 ) -> dict[str, dict[str, object]]:
     """Return contract_count and last_deployed_at per bundle name.
 
-    contract_count is parsed from the latest version's YAML.
+    contract_count is parsed from the latest deployed version's YAML.
     last_deployed_at comes from the deployments table.
+
+    When *env* is provided, both the "latest version" subquery and the
+    deployment timestamp are scoped to that environment — prevents
+    cross-env metadata leakage for env-scoped API keys.
     """
-    # Get latest version per bundle name
-    latest_subq = (
-        select(
-            Bundle.name,
-            func.max(Bundle.version).label("max_version"),
+    # Get latest version per bundle name (optionally scoped to env)
+    if env is not None:
+        # Latest version deployed to this specific env
+        latest_subq = (
+            select(
+                Deployment.bundle_name.label("name"),
+                func.max(Deployment.bundle_version).label("max_version"),
+            )
+            .where(Deployment.tenant_id == tenant_id, Deployment.env == env)
+            .group_by(Deployment.bundle_name)
+            .subquery()
+        )
+    else:
+        # Latest version across all envs (dashboard view)
+        latest_subq = (
+            select(
+                Bundle.name,
+                func.max(Bundle.version).label("max_version"),
+            )
+            .where(Bundle.tenant_id == tenant_id)
+            .group_by(Bundle.name)
+            .subquery()
         )
-        .where(Bundle.tenant_id == tenant_id)
-        .group_by(Bundle.name)
-        .subquery()
-    )
     latest_bundles = await db.execute(
-        select(Bundle).join(
+        select(Bundle)
+        .join(
             latest_subq,
-            (Bundle.name == latest_subq.c.name)
-            & (Bundle.version == latest_subq.c.max_version),
-        ).where(Bundle.tenant_id == tenant_id)
+            (Bundle.name == latest_subq.c.name) & (Bundle.version == latest_subq.c.max_version),
+        )
+        .where(Bundle.tenant_id == tenant_id)
     )
 
     enrichment: dict[str, dict[str, object]] = {}
@@ -287,13 +332,16 @@ async def get_bundle_enrichment(
             pass
         enrichment[bundle.name] = {"contract_count": contract_count, "last_deployed_at": None}
 
-    # Get last deployment date per bundle name
+    # Get last deployment date per bundle name (scoped to env if provided)
+    dep_filters = [Deployment.tenant_id == tenant_id]
+    if env is not None:
+        dep_filters.append(Deployment.env == env)
     dep_result = await db.execute(
         select(
             Deployment.bundle_name,
             func.max(Deployment.created_at).label("last_deployed_at"),
         )
-        .where(Deployment.tenant_id == tenant_id)
+        .where(*dep_filters)
         .group_by(Deployment.bundle_name)
     )
     for row in dep_result.all():