Security: CreateCoupon tool missing workspace context/authorization

[Snider]

Issue

The CreateCoupon tool at src/Mcp/Tools/Commerce/CreateCoupon.php does not use the RequiresWorkspaceContext trait that other commerce tools use (like UpgradePlan). This means the tool can potentially be called without proper workspace authorization.

File

src/Mcp/Tools/Commerce/CreateCoupon.php

Impact

• The tool creates coupons globally without workspace scoping
• No authorization check ensures the caller has permission to create coupons
• Potential for unauthorized coupon creation if the MCP endpoint is exposed

Recommendation

1. Add use RequiresWorkspaceContext; trait
2. Verify the caller has permission to create coupons (e.g., admin role check)
3. Consider whether coupons should be workspace-scoped

Severity

High - Authorization bypass vulnerability

[Snider]

Parent: #31

[Snider]

Target branch: epic/31-workspace-isolation-auth (epic #31)

[google-labs-jules]

Jules is on it. When finished, you will see another comment and be able to review a PR.

[google-labs-jules]

Ready for a review! A PR has been created.

[google-labs-jules]

I apologize, but I encountered an unexpected error and wasn't able to complete the task.