diff --git a/__tests__/api/notifications-stream.test.ts b/__tests__/api/notifications-stream.test.ts
index bf76547..53fc590 100644
--- a/__tests__/api/notifications-stream.test.ts
+++ b/__tests__/api/notifications-stream.test.ts
@@ -37,6 +37,10 @@ beforeEach(() => {
   vi.clearAllMocks()
 })
 
+import { productAccessFilter } from '@/lib/product-access'
+
+const mockProductAccessFilter = productAccessFilter as ReturnType<typeof vi.fn>
+
 describe('GET /api/realtime/notifications', () => {
   it('401 zonder iron-session cookie, geen DB-call', async () => {
     mockGetSession.mockResolvedValue({ userId: undefined, isDemo: false })
@@ -44,6 +48,35 @@ describe('GET /api/realtime/notifications', () => {
     expect(res.status).toBe(401)
     expect(mockPrisma.product.findMany).not.toHaveBeenCalled()
   })
+
+  it('access-isolation: productAccessFilter wordt met de juiste userId aangeroepen', async () => {
+    // ST-1106: cross-product-isolatie zit in de productAccessFilter-Set die we
+    // bij connect opbouwen. We mocken de filter zodat product.findMany wel
+    // aangeroepen wordt maar geen producten retourneert; daarna stoppen we
+    // vóór de pg-stream-setup (DIRECT_URL ontbreekt → 500).
+    mockGetSession.mockResolvedValue({ userId: 'user-A', isDemo: false })
+    mockProductAccessFilter.mockReturnValue({ user_id: 'user-A' })
+    mockPrisma.product.findMany.mockResolvedValue([])
+
+    // We laten de stream zelf falen door DIRECT_URL/DATABASE_URL niet te zetten.
+    const before = { ...process.env }
+    delete process.env.DIRECT_URL
+    delete process.env.DATABASE_URL
+    try {
+      const res = await GET(makeReq())
+      expect(res.status).toBe(500)
+    } finally {
+      process.env.DIRECT_URL = before.DIRECT_URL
+      process.env.DATABASE_URL = before.DATABASE_URL
+    }
+
+    // De filter is met de echte userId aangeroepen (cross-user lekt niet)
+    expect(mockProductAccessFilter).toHaveBeenCalledWith('user-A')
+    expect(mockPrisma.product.findMany).toHaveBeenCalledWith({
+      where: { archived: false, user_id: 'user-A' },
+      select: { id: true },
+    })
+  })
 })
 
 // Solo-route filter (entity='question' uitgesloten) is een 1-regel-fix in