fix: add companyId filter to metadata update + export CompanySkillUpdateAuth type

- Scope metadata update WHERE clause to companyId for defence-in-depth
- Add CompanySkillUpdateAuth inferred type export to match other schemas

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/shared/src/validators/company-skill.ts

@@ -138,3 +138,4 @@ export type CompanySkillImport = z.infer<typeof companySkillImportSchema>;
 export type CompanySkillProjectScan = z.infer<typeof companySkillProjectScanRequestSchema>;
 export type CompanySkillCreate = z.infer<typeof companySkillCreateSchema>;
 export type CompanySkillFileUpdate = z.infer<typeof companySkillFileUpdateSchema>;
+export type CompanySkillUpdateAuth = z.infer<typeof companySkillUpdateAuthSchema>;

packages/shared/src/validators/index.ts

@@ -56,6 +56,7 @@ export {
   type CompanySkillProjectScan,
   type CompanySkillCreate,
   type CompanySkillFileUpdate,
+  type CompanySkillUpdateAuth,
 } from "./company-skill.js";
 export {
   agentSkillStateSchema,

server/src/services/company-skills.ts

@@ -2354,7 +2354,7 @@ export function companySkillService(db: Db) {
         await db
           .update(companySkills)
           .set({ metadata: meta, updatedAt: new Date() })
-          .where(eq(companySkills.id, skill.id));
+          .where(and(eq(companySkills.id, skill.id), eq(companySkills.companyId, companyId)));
       }
     }