99bd92a3ca918d9dcae4ae6ffa3dad7162f8fe17
CRITICAL SECURITY FIX: Removed client-provided TenantId parameter from CreateProjectCommand to prevent tenant impersonation attacks.

Changes:
- Removed TenantId property from CreateProjectCommand
- Injected ITenantContext into CreateProjectCommandHandler
- Now retrieves authenticated TenantId from JWT token via TenantContext
- Prevents malicious users from creating projects under other tenants

Security Impact:
- Before: Client could provide any TenantId (HIGH RISK)
- After: TenantId extracted from authenticated JWT token (SECURE)

Note: CreateEpic, CreateStory, and CreateTask commands were already secure as they inherit TenantId from parent entities loaded via Global Query Filters.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
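The pattern the commit message describes, as an added sketch that is not the repository's own code: the command carries no tenant field, and the handler takes the tenant only from the authenticated principal, failing closed when the claim is absent. The members of `ITenantContext`, the `ClaimsTenantContext` class, the `tenant_id` claim name and the `Project` record are assumptions; only the type names `CreateProjectCommand`, `CreateProjectCommandHandler` and `ITenantContext` come from the commit message.

```csharp
using System;
using System.Security.Claims;

// Hypothetical shape: the commit names ITenantContext but does not show its members.
public interface ITenantContext { Guid TenantId { get; } }

// Assumed implementation: reads a "tenant_id" claim from the already-validated principal.
public sealed class ClaimsTenantContext : ITenantContext
{
    private readonly ClaimsPrincipal _user;
    public ClaimsTenantContext(ClaimsPrincipal user) => _user = user;
    public Guid TenantId
    {
        get
        {
            var claim = _user.FindFirst("tenant_id")?.Value;
            // Fail closed: a missing or malformed claim never maps to a default tenant.
            if (!Guid.TryParse(claim, out var id) || id == Guid.Empty)
                throw new UnauthorizedAccessException("No valid tenant claim on principal.");
            return id;
        }
    }
}

// After the fix: the command has no TenantId property for a client to populate.
public sealed record CreateProjectCommand(string Name);
public sealed record Project(Guid Id, Guid TenantId, string Name); // hypothetical entity

public sealed class CreateProjectCommandHandler
{
    private readonly ITenantContext _tenant;
    public CreateProjectCommandHandler(ITenantContext tenant) => _tenant = tenant;
    // The tenant is resolved server-side; nothing in the request body can influence it.
    public Project Handle(CreateProjectCommand command) =>
        new Project(Guid.NewGuid(), _tenant.TenantId, command.Name);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal standing in for a validated JWT.
        var tenant = Guid.Parse("11111111-1111-1111-1111-111111111111");
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("tenant_id", tenant.ToString()) }, "Bearer"));
        var project = new CreateProjectCommandHandler(new ClaimsTenantContext(user))
            .Handle(new CreateProjectCommand("Roadmap"));
        Console.WriteLine(project.TenantId == tenant);
    }
}
```

A regression test for this class of bug posts a body containing an extra `tenantId` field and asserts the stored project still carries the token's tenant.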