Problem
In internal/store/memstore, DeleteResource(), DeletePolicy(), and DeregisterConnector() all share the same pattern:
```go
if r, ok := m.resources[id]; ok && !matchesOrgScope(ctx, r.OrgID) {
	return nil
}
delete(m.resources, id)
```
If a resource exists but belongs to a different org, the function returns nil (success) without deleting anything. This silently hides cross-org deletion attempts instead of returning an error or "not found."
While memstore is used for testing, this logic bug could mask real authorization issues in tests — a test that accidentally crosses org boundaries would pass silently.
Fix
Return an appropriate error (e.g., store.ErrNotFound or a permission error) when org scope doesn't match, rather than returning nil.
Acceptance Criteria
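
An added example (not the issue author's or the project's code) that puts the pattern quoted above beside a variant following the proposed fix, and shows what a cross-org caller observes in each case. `orgKey`, `deleteSilent`, `deleteScoped` and `tryDelete` are hypothetical names, `matchesOrgScope` and `ErrNotFound` are local stand-ins for the project's helper and `store.ErrNotFound`, and returning the same error for a missing ID is an assumption of this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("not found") // stand-in for store.ErrNotFound

type orgKey struct{} // hypothetical context key carrying the caller's org
type resource struct{ OrgID string }
type memStore struct{ resources map[string]resource }
type deleteFn func(*memStore, context.Context, string) error

// matchesOrgScope is a hypothetical stand-in for the project's helper.
func matchesOrgScope(ctx context.Context, orgID string) bool {
	caller, _ := ctx.Value(orgKey{}).(string)
	return caller == orgID
}

// deleteSilent keeps the pattern quoted in the issue: a cross-org delete returns nil.
func (m *memStore) deleteSilent(ctx context.Context, id string) error {
	if r, ok := m.resources[id]; ok && !matchesOrgScope(ctx, r.OrgID) {
		return nil
	}
	delete(m.resources, id)
	return nil
}

// deleteScoped returns ErrNotFound on scope mismatch; missing IDs get the same error (assumption).
func (m *memStore) deleteScoped(ctx context.Context, id string) error {
	if r, ok := m.resources[id]; !ok || !matchesOrgScope(ctx, r.OrgID) {
		return ErrNotFound
	}
	delete(m.resources, id)
	return nil
}

// tryDelete deletes an org-a resource (constructed data) as callerOrg; reports (still stored, error).
func tryDelete(del deleteFn, callerOrg string) (bool, error) {
	m := &memStore{resources: map[string]resource{"res-1": {OrgID: "org-a"}}}
	ctx := context.WithValue(context.Background(), orgKey{}, callerOrg)
	err := del(m, ctx, "res-1")
	_, still := m.resources["res-1"]
	return still, err
}

func main() {
	fmt.Println(tryDelete((*memStore).deleteSilent, "org-b"))
	fmt.Println(tryDelete((*memStore).deleteScoped, "org-b"))
}
```

A test that only checks `err == nil` passes against `deleteSilent` even though the resource is still stored; against `deleteScoped` the same test fails with `ErrNotFound`.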