Quick fix · Audit: docs/security/security-consistency-audit-2026-06-09.md (F4)
#439 (internet-hardening cluster, May 2026) replaced get_current_user with get_current_active_user on artifacts/programs/grants reads. api/app/routes/query_definitions.py:37,116 still imports and uses get_current_user — disabled accounts can still call query-definition endpoints. Either the file was missed in #439's sweep or it regressed since.
Two-line fix; also the motivating example for the route-contract lint (#499), which would have caught this mechanically.
Acceptance criteria
- `query_definitions.py` uses `get_current_active_user` (or the `CurrentUser` alias) on all endpoints
- `get_current_user` directly
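One way to check mechanically for the gap described above is sketched below. It is an added example, not the project's route-contract lint (#499) or any code from the repository. The sample route module, the `app.auth` import path and the helper name `find_direct_uses` are assumptions.

```python
import ast

BANNED = "get_current_user"  # dependency that does not reject disabled accounts

# Constructed sample route module (not the project's real file); the import
# path `app.auth` and the endpoint names are assumptions.
SAMPLE = '''\
from fastapi import APIRouter, Depends
from app.auth import get_current_user, get_current_active_user

router = APIRouter()

@router.get("/query-definitions")
def list_definitions(user=Depends(get_current_user)):
    return []

@router.get("/query-definitions/{def_id}")
def read_definition(def_id: int, user=Depends(get_current_active_user)):
    return {"id": def_id}
'''

def find_direct_uses(source, banned=BANNED):
    """Return sorted (line, kind) pairs for each import or reference of `banned`."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom):
            # Catches `from x import get_current_user` even when aliased with `as`.
            for alias in node.names:
                if alias.name == banned:
                    findings.add((node.lineno, "import"))
        elif isinstance(node, ast.Name) and node.id == banned:
            # Bare name, e.g. Depends(get_current_user); exact match only, so
            # get_current_active_user is not flagged.
            findings.add((node.lineno, "reference"))
        elif isinstance(node, ast.Attribute) and node.attr == banned:
            # Qualified use, e.g. auth.get_current_user
            findings.add((node.lineno, "reference"))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind in find_direct_uses(SAMPLE):
        print(f"line {line}: {kind} of {BANNED}")
```

Run over every file under the routes directory in CI, a non-empty result would fail the build before a missed file reaches review.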