Fix Dev API and KG locked data bypass (#6146)

backend/routers/developer.py

@@ -306,6 +306,8 @@ def delete_memory(
     memory = memories_db.get_memory(uid, memory_id)
     if not memory:
         raise HTTPException(status_code=404, detail="Memory not found")
+    if memory.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this memory.")
 
     memories_db.delete_memory(uid, memory_id)
     return {"success": True}
@@ -329,6 +331,8 @@ def update_memory(
     memory = memories_db.get_memory(uid, memory_id)
     if not memory:
         raise HTTPException(status_code=404, detail="Memory not found")
+    if memory.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this memory.")
 
     if request.content is None and request.visibility is None and request.tags is None and request.category is None:
         raise HTTPException(
@@ -534,8 +538,13 @@ def delete_action_item(
 
     - **action_item_id**: The ID of the action item to delete
     """
-    if not action_items_db.delete_action_item(uid, action_item_id):
+    action_item = action_items_db.get_action_item(uid, action_item_id)
+    if not action_item:
         raise HTTPException(status_code=404, detail="Action item not found")
+    if action_item.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this action item.")
+
+    action_items_db.delete_action_item(uid, action_item_id)
     return {"success": True}
 
 
@@ -557,6 +566,8 @@ def update_action_item(
     action_item = action_items_db.get_action_item(uid, action_item_id)
     if not action_item:
         raise HTTPException(status_code=404, detail="Action item not found")
+    if action_item.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this action item.")
 
     # Build update data from non-None fields
     update_data = {}
@@ -1028,6 +1039,8 @@ def delete_conversation_endpoint(
     conversation = conversations_db.get_conversation(uid, conversation_id)
     if not conversation:
         raise HTTPException(status_code=404, detail="Conversation not found")
+    if conversation.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this conversation.")
 
     conversations_db.delete_conversation(uid, conversation_id)
     return {"success": True}
@@ -1049,6 +1062,8 @@ def update_conversation_endpoint(
     conversation = conversations_db.get_conversation(uid, conversation_id)
     if not conversation:
         raise HTTPException(status_code=404, detail="Conversation not found")
+    if conversation.get('is_locked', False):
+        raise HTTPException(status_code=402, detail="A paid plan is required to access this conversation.")
 
     if request.title is None and request.discarded is None:
         raise HTTPException(status_code=422, detail="At least one field (title or discarded) must be provided")

backend/routers/knowledge_graph.py

@@ -46,6 +46,7 @@ def get_knowledge_graph(uid: str = Depends(auth.get_current_user_uid)):
 
 def _rebuild_graph_task(uid: str, user_name: str):
     memories = memories_db.get_memories(uid, limit=500)
+    memories = [m for m in memories if not m.get('is_locked', False)]
     rebuild_knowledge_graph(uid, memories, user_name)
 
 

backend/test.sh

@@ -66,6 +66,7 @@ pytest tests/unit/test_fair_use_free_tier.py -v
 pytest tests/unit/test_timeout_middleware.py -v
 pytest tests/unit/test_pusher_circuit_breaker.py -v
 pytest tests/unit/test_lock_bypass_fixes.py -v
+pytest tests/unit/test_dev_api_lock_bypass.py -v
 
 # Fair-use integration tests (require Redis; skip gracefully if unavailable)
 if redis-cli ping >/dev/null 2>&1; then