fix(middleware): exempt GET/HEAD from UA checks — public reads must be open

curl, scripts, and agent monitors reading public pages should never get a 429. GET and HEAD are idempotent safe methods; slowapi already caps their rate. UA blocking now applies only to non-GET/HEAD requests (write paths).

- Updated BotThrottleMiddleware: skip UA checks when method is GET or HEAD - Updated tests: 'blocked' tests switch to POST /api/v1/repos - Added 3 new tests verifying GET with curl/no-UA/scanner-UA all pass - Updated error message test to use POST path

sha256:79a47c477794af8320086b13ed176713d7e809026847482e74f4b3f27b290717 sha

sha256:842914d905f0ee5bcb83ad697ffd9c936948da8245bdf569ebc6375ea8e82da0 parent

sha256:d7740103b553a0d1055cca8ed90ba91895596fb670e7f9ab99b990a9e7a9cfc3 snapshot

← Older Oldest on fix/bot-throttle-get-reads

All commits

Newer → Latest on fix/bot-throttle-get-reads

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:79a47c477794af8320086b13ed176713d7e809026847482e74f4b3f27b290717 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Bump BREAKING

Agent claude-sonnet-4-6

Breaking

musehub/middleware/bot_throttle.py::BotThrottleMiddlewaretests/test_bot_throttle.py::test_unauthenticated_curl_ua_blockedtests/test_bot_throttle.py::test_unauthenticated_go_ua_blockedtests/test_bot_throttle.py::test_unauthenticated_missing_ua_blockedtests/test_bot_throttle.py::test_unauthenticated_python_requests_ua_blockedtests/test_bot_throttle.py::test_unauthenticated_scanner_ua_blocked

Signature Cryptographically verified

Snapshot

ID sha256:d7740103b553a0d1055cca8ed90ba91895596fb670e7f9ab99b990a9e7a9cfc3

Files 0

Browse tree at this commit →

Commit

SHA sha256:79a47c477794af8320086b13ed176713d7e809026847482e74f4b3f27b290717

Parent

sha256:842914d905f0ee5bcb83ad697ffd9c936948da8245bdf569ebc6375ea8e82da0

Branch fix/bot-throttle-get-reads