---
id: add-cross-project-dep-guard
name: Add DB-level guard for cross-project task dependencies
status: completed
depends_on: []
scope: narrow
risk: medium
impact: component
level: implementation
---

## Description

"Tasks can only depend on tasks within the same project" is declared in `tasks.md:217` but only "enforced at the application level." `task_dependencies` has FK columns with no `projectId` or check constraint. Application-level enforcement is vulnerable to race conditions, direct SQL access, or bugs.

Choose one:
- **(A)** Add a DB trigger that checks `dependsOnTaskId` and `taskId` belong to the same project
- **(B)** Add a denormalized `projectId` column to `task_dependencies` with a composite FK
- **(C)** Document the risk explicitly and specify that the sync operation validates project scope within a transaction (SELECT FOR SHARE)

## Acceptance Criteria

- [ ] The chosen enforcement mechanism is documented in `tasks.md`
- [ ] If option A: trigger definition is specified; `tasks.md` notes the trigger name and behavior
- [ ] If option B: `projectId` column is added to `task_dependencies` schema; composite FK documented; `table-reference.md` updated
- [ ] If option C: the risk is documented and the sync validation pattern is specified (SELECT FOR SHARE + INSERT in same transaction)
- [ ] The cross-project dependency invariant is restated in `tasks.md` with the enforcement mechanism

## References

- docs/reviews/storage-architecture-review-2026-04-21.md#C09
- docs/architecture/storage/tasks.md:217
- docs/architecture/storage/tasks.md:357

## Notes

> To be filled by implementation agent

## Summary

> To be filled on completion