
Is this private deal leaking?

PRODE-261
invest-api · deals
Reported in Slack
Resolved: working as intended

Trigger

Support flagged that a Live-Private deal was appearing in the Live Deals tab — on both web and mobile — for investors who weren't on its private list. A second investor later reported the same thing. On the face of it, an access-control leak.

What the agent saw

The report reproduced. The agent traced the two relevant paths: the live-list filter (getDealsForLiveDealsPage) and the direct-fetch path (getClientDealById) in deals.service.ts.

Investigation

The filter honours a deliberate retention rule: once an investor has been added to a deal's private list — or holds any commitment to it — they keep access even after being removed from the list. An isInvestorCommittedToDeal check short-circuits the access filter. Both reported investors had a prior commitment or were on the list when the deal went private, so retention applied.

Not a bug. The behaviour is correct. The real issue is presentation: a deal you can still access sitting in a tab labelled "Live Deals" reads as if it's open to everyone.
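To make the distinction concrete, here is an added illustration of the retention rule and of keeping access and presentation apart. It is not code from invest-api; the types, the history set everOnPrivateList and the helper names are assumptions, with only the two service function names and isInvestorCommittedToDeal taken from the page.

```typescript
// Added example (not the project's own code): a minimal model of the
// retention rule. Deal, makeDeal, canAccessDeal and visibilityLabel are
// assumed names; everOnPrivateList models "has been added to the list".
type Visibility = "live" | "live-private";

export interface Deal {
  id: string;
  visibility: Visibility;
  privateList: Set<string>;        // investors currently on the private list
  everOnPrivateList: Set<string>;  // investors added at any point (assumed history)
  commitments: Set<string>;        // investors holding any commitment
}

export function makeDeal(
  id: string,
  visibility: Visibility,
  opts: { privateList?: string[]; everOnPrivateList?: string[]; commitments?: string[] } = {},
): Deal {
  const current = opts.privateList ?? [];
  return {
    id,
    visibility,
    privateList: new Set(current),
    everOnPrivateList: new Set([...current, ...(opts.everOnPrivateList ?? [])]),
    commitments: new Set(opts.commitments ?? []),
  };
}

export function isInvestorCommittedToDeal(deal: Deal, investorId: string): boolean {
  return deal.commitments.has(investorId);
}

// Retention: a commitment, or ever having been listed, keeps access even
// after removal from the current private list.
export function canAccessDeal(deal: Deal, investorId: string): boolean {
  if (deal.visibility === "live") return true;
  if (isInvestorCommittedToDeal(deal, investorId)) return true; // short-circuit
  return deal.privateList.has(investorId) || deal.everOnPrivateList.has(investorId);
}

// Both paths share one predicate, so the list and the direct fetch cannot disagree.
export function getDealsForLiveDealsPage(deals: Deal[], investorId: string): Deal[] {
  return deals.filter((d) => canAccessDeal(d, investorId));
}

export function getClientDealById(deals: Deal[], id: string, investorId: string): Deal | undefined {
  const deal = deals.find((d) => d.id === id);
  return deal && canAccessDeal(deal, investorId) ? deal : undefined;
}

// Presentation is a separate question: accessible is not the same as open to all.
export function visibilityLabel(deal: Deal, investorId: string): "Live" | "Private" | "Hidden" {
  if (deal.visibility === "live") return "Live";
  return canAccessDeal(deal, investorId) ? "Private" : "Hidden";
}
```

The label is what the Live Deals tab would surface so a retained private deal no longer reads as public.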

Resolution & outcome

Closed as working-as-intended, with three durable outputs: the retention rule written down as intended behaviour, a Dosu entry, and a presentation follow-up for the Live Deals tab.

The value here wasn't a code change. It was a proven answer and a reusable rule — the agent's judgement that not every report is a bug.

Knowledge-graph node

Report "private deal visible" → root cause intentional retention rule (not a bug) → outcome documented rule + Dosu entry + presentation follow-up → affects deals access