Expected Findings
- Agent uses caller's token but operates on `as_user` from the URL.
- No check that the caller has permission to act for `as_user`.
- Returned data includes records belonging to the impersonated user.
The agent acts using the requester's bearer token but accepts an `as_user` parameter, so user A can drive the agent to read user B's resources.
CWE-441, CWE-285
```go
effective := r.URL.Query().Get("as_user") // not validated against caller
```
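The confused-deputy pattern from the finding beside a hardened version, as an added example that is not the agent's own code: the token map, the `delegations` grant table and the `effectiveUser*` helper names are constructed for illustration. The fix is that `as_user` is only honoured when it names the authenticated caller or an explicit grant says the caller may act for that user.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

var ErrUnauthorized = errors.New("unauthorized")
// Constructed sample data: bearer token -> authenticated caller.
var tokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}

// Constructed delegation grants (hypothetical): caller -> users they may act for.
var delegations = map[string]map[string]bool{"alice": {"carol": true}}

// callerFromToken resolves the bearer token to the caller's identity.
func callerFromToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", false
	}
	user, ok := tokens[strings.TrimPrefix(h, "Bearer ")]
	return user, ok
}

// Mirrors the finding: as_user comes from the URL and is never checked against the caller.
func effectiveUserVulnerable(r *http.Request) (string, error) {
	if _, ok := callerFromToken(r); !ok {
		return "", ErrUnauthorized
	}
	effective := r.URL.Query().Get("as_user") // not validated against caller
	return effective, nil
}

// Honours as_user only for the caller themselves or with an explicit delegation grant.
func effectiveUserFixed(r *http.Request) (string, error) {
	caller, ok := callerFromToken(r)
	if !ok {
		return "", ErrUnauthorized
	}
	asUser := r.URL.Query().Get("as_user")
	if asUser == "" || asUser == caller {
		return caller, nil
	}
	if !delegations[caller][asUser] {
		return "", ErrUnauthorized // impersonation without a grant
	}
	return asUser, nil
}
```

Any downstream data access should use the returned effective user, never the raw query parameter, so the authorization decision is made once and cannot be bypassed by a later handler.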