Fix budget auth and monthly spend rollups

server/src/routes/costs.ts

@@ -250,6 +250,7 @@ export function costRoutes(db: Db) {
   router.patch("/companies/:companyId/budgets", validate(updateBudgetSchema), async (req, res) => {
     assertBoard(req);
     const companyId = req.params.companyId as string;
+    assertCompanyAccess(req, companyId);
     const company = await companies.update(companyId, { budgetMonthlyCents: req.body.budgetMonthlyCents });
     if (!company) {
       res.status(404).json({ error: "Company not found" });
@@ -288,6 +289,8 @@ export function costRoutes(db: Db) {
       return;
     }
 
+    assertCompanyAccess(req, agent.companyId);
+
     if (req.actor.type === "agent") {
       if (req.actor.agentId !== agentId) {
         res.status(403).json({ error: "Agent can only change its own budget" });