FRE-4474 Phase 5: Verify and resolve security review findings for SpamShield and Cross-Service Correlation

- FRE-4499 (SpamShield): Verified 6 security fixes (2 High, 4 Medium)
  - S01: Pre-compiled regex in RuleEngine (ReDoS fix)
  - S02: SmsClassifier accepts senderPhoneNumber context
  - S03: AlertServer JWT auth + origin validation
  - S04: SHA-256 phone hashing (PII protection)
  - S05: DecisionEngine timeout enforcement via Promise.race
  - S06: CarrierFactory.getAllCarriers properly async/await

- FRE-4500 (Correlation): Verified 7 security fixes (2 Critical, 2 High, 2 Medium, 1 Low)
  - C1: Ingest endpoints auth via request.user.id
  - C2: IDOR protection on group endpoints (userId filter)
  - H3: JWT middleware registered in server.ts
  - H4: Fastify schema validation on all routes
  - M6: Payload sanitization with depth limit and circular ref detection
  - L7: CORS origin restricted to env var

- Resolved liveness incidents FRE-4652 and FRE-4654
- All Phase 5 child issues now complete

packages/correlation/src/engine.ts

@@ -282,10 +282,11 @@ export class CorrelationEngine {
   }
 
   public async getGroupById(
-    groupId: string
+    groupId: string,
+    userId: string
   ): Promise<CorrelationGroupOutput | null> {
     const group = await (prisma as any).correlationGroup.findUnique({
-      where: { id: groupId },
+      where: { id: groupId, userId },
       include: {
         alerts: {
           orderBy: { createdAt: "asc" },
@@ -298,10 +299,11 @@ export class CorrelationEngine {
 
   public async resolveGroup(
     groupId: string,
+    userId: string,
     status: string = CorrelationStatus.RESOLVED
   ): Promise<CorrelationGroupOutput | null> {
     const group = await (prisma as any).correlationGroup.update({
-      where: { id: groupId },
+      where: { id: groupId, userId },
       data: {
         status,
         resolvedAt: new Date(),