gabriel / musehub public
fix minor dev
AI Agent gabriel · 69 days ago · Apr 12, 2026 · Diff

fix: allow shebangs in script files; fix JSONValue ForwardRef in ORM Mapped[]

magic_bytes.py: add _SHEBANG_ALLOWED_EXTENSIONS — .py/.sh/.rb/etc. legitimately start with #! and are not polyglot attacks. Shebang is still blocked for binary extensions (.mid, .mp3, .png, etc.).

ORM models: import JSONValue alongside JSONObject so SQLAlchemy's get_type_hints() can resolve the ForwardRef('JSONValue') inside JSONObject's recursive union when evaluating Mapped[JSONObject].

Tests: 4 new shebang cases in TestMagicBytes (2 allowed, 2 blocked). All 47 security hardening tests pass.

sha256:81d0cf7541eef99804fa907faaf67e2d2c8075a29a9a9ee40f9d32ff645660c8 sha
sha256:c7f479192db7ea381816c5312dc6037673cb12853e522e05707eaf13beac041c snapshot
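
The extension-aware shebang rule the commit message describes, as an added example that is not musehub's magic_bytes.py. The function name check_upload, the signature table and the exact contents of _SHEBANG_ALLOWED_EXTENSIONS are assumptions made for illustration.

```python
import os

# Script extensions that may legitimately begin with "#!". The commit names
# .py/.sh/.rb "etc."; only those three are listed here (assumption).
_SHEBANG_ALLOWED_EXTENSIONS = frozenset({".py", ".sh", ".rb"})

# Constructed table: leading bytes expected for the binary extensions the
# commit mentions. The MP3 entry is a simplified set (ID3 tag or frame sync).
_EXPECTED_MAGIC = {
    ".mid": (b"MThd",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def check_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a file name and its first bytes."""
    ext = os.path.splitext(filename)[1].lower()

    # Shebang rule: fine for scripts, a polyglot signal anywhere else.
    if head.startswith(b"#!"):
        if ext in _SHEBANG_ALLOWED_EXTENSIONS:
            return True, "shebang allowed for script extension"
        return False, f"shebang not allowed for {ext or 'no extension'}"

    # Binary extensions must start with one of their expected signatures.
    expected = _EXPECTED_MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return False, f"content does not match {ext}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: two allowed, two blocked.
    samples = [
        ("run.py", b"#!/usr/bin/env python3\n"),
        ("build.sh", b"#!/bin/sh\n"),
        ("song.mid", b"#!/bin/sh\n"),
        ("cover.png", b"#!/bin/sh\n"),
    ]
    for name, head in samples:
        print(name, check_upload(name, head))
```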
