security: restrict webhook listing to owner/collaborators (REST + MCP)
Webhook URLs may embed credentials or internal endpoint paths. Listing them was previously gated only on authentication, allowing any valid token holder to enumerate all webhook subscriptions on any repo.
REST: replace require_valid_token with _guard_repo_owner on list_webhooks. MCP: replace bare actor-empty check with _require_write_access on execute_list_webhooks.
Tests: 2 new MCP forbidden tests + 1 new REST forbidden test.
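As an added illustration (not the project's own code), a minimal model of the before/after gate the message describes. The names `require_valid_token`, `_guard_repo_owner`, `list_webhooks`, `_require_write_access` and `execute_list_webhooks` come from the commit message; the in-memory token/repo store, the exception types and the sample data are assumptions.

```python
from dataclasses import dataclass, field
class Unauthorized(Exception): pass
class Forbidden(Exception): pass

@dataclass
class Repo:
    owner: str
    collaborators: set = field(default_factory=set)
    webhooks: list = field(default_factory=list)

# Constructed sample state (assumption): alice owns the repo, bob collaborates, mallory holds an unrelated valid token.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob", "tok-mallory": "mallory"}
REPOS = {"alice/app": Repo("alice", {"bob"}, ["https://ci.internal/hook?secret=EXAMPLE"])}

def require_valid_token(token):
    """Pre-fix gate: authentication only, no relation to the target repo."""
    actor = TOKENS.get(token)
    if actor is None:
        raise Unauthorized("invalid token")
    return actor

def _has_write_access(actor, repo):
    return actor == repo.owner or actor in repo.collaborators

def _guard_repo_owner(token, repo_name):
    """Post-fix REST gate: valid token AND owner/collaborator of repo_name."""
    actor = require_valid_token(token)
    if not _has_write_access(actor, REPOS[repo_name]):
        raise Forbidden(f"{actor} is not an owner/collaborator of {repo_name}")
    return actor

def list_webhooks_before(token, repo_name):
    """Vulnerable version: any valid token enumerates any repo's webhooks."""
    require_valid_token(token)
    return list(REPOS[repo_name].webhooks)

def list_webhooks(token, repo_name):
    """Fixed REST handler: same body, stricter guard."""
    _guard_repo_owner(token, repo_name)
    return list(REPOS[repo_name].webhooks)

def _require_write_access(actor, repo_name):
    """Post-fix MCP gate: replaces the bare 'actor is empty' check."""
    if not actor or not _has_write_access(actor, REPOS[repo_name]):
        raise Forbidden(f"{actor or '<anonymous>'} may not list webhooks on {repo_name}")

def execute_list_webhooks(actor, repo_name):
    """Fixed MCP tool handler; the actor is resolved upstream by the MCP layer."""
    _require_write_access(actor, repo_name)
    return list(REPOS[repo_name].webhooks)
```

The `list_webhooks_before` call in the test shows the leak the fix closes: a token with no relationship to the repo still receives the webhook URLs.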
sha: sha256:01b6e4fdecaebc437111316a9bc28a2faa91c27ec35bb6966fa8bb61350f0ab2
snapshot: sha256:99d91e91171582ef08ca97313d0f9a53cdfca586c3d9c7967312b7b3d473d557