gabriel / musehub public
feat patch security task/stream-security-phase1 #1 / 1
AI Agent gabriel · 34 days ago · May 11, 2026 · Diff

feat(security): blocked-hash check in stream path — Phase 1 of issue #51

Adds a _BlockedHashError sentinel exception and a blocked-hash query inside _flush_batch. Any object whose object_id appears in musehub_blocked_hashes is rejected before any MinIO PUT or DB write; the branch pointer is never advanced. All three flush call sites (mid-batch, OC mid-batch, COMMIT_PACK pre-flush) are wrapped to yield an ERROR frame (403) and return.

5 TDD tests green (test_stream_security_phase1.py); 65 wire_push_stream regression tests still pass.

sha256:ad161dc342a5a864c95565fb8f8649e6eb642a34192a6f2215e3e9c385e32260 sha
sha256:3816fd5eb1e50138b373b2cce284106eab7f9671fbd765d77f46a51f7cf06278 snapshot
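
The ordering the commit message describes (query the blocklist for the whole batch, write only if nothing matches, advance the branch pointer last) can be sketched as follows. This is an added example, not code from this commit or from musehub: the table schema, `make_db`, `push_stream`, the frame dictionaries, and the `store` and `refs` dicts standing in for the object store and the branch table are all assumptions.

```python
import sqlite3

class BlockedHashError(Exception):
    """Sentinel raised when a batch contains a blocked object_id."""
    def __init__(self, object_id):
        super().__init__(object_id)
        self.object_id = object_id

def make_db(blocked):
    # Assumed schema: one column holding the blocked object_id.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE musehub_blocked_hashes (object_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO musehub_blocked_hashes VALUES (?)",
                   [(b,) for b in blocked])
    db.commit()
    return db

def flush_batch(db, store, batch):
    """Check every object_id in the batch first; write only if all pass."""
    ids = [object_id for object_id, _ in batch]
    if not ids:
        return
    marks = ",".join("?" * len(ids))  # placeholders only; ids are bound
    hit = db.execute(
        "SELECT object_id FROM musehub_blocked_hashes "
        f"WHERE object_id IN ({marks}) LIMIT 1", ids).fetchone()
    if hit:
        raise BlockedHashError(hit[0])  # nothing written yet
    for object_id, data in batch:
        store[object_id] = data  # stand-in for the object-store PUT

def push_stream(db, store, refs, branch, batches, new_tip):
    """Yield one frame per batch; ERROR 403 ends the stream early."""
    for batch in batches:
        try:
            flush_batch(db, store, batch)
        except BlockedHashError as exc:
            yield {"type": "ERROR", "status": 403, "object_id": exc.object_id}
            return  # branch pointer is left untouched
        yield {"type": "ACK", "count": len(batch)}
    refs[branch] = new_tip  # advanced only after every flush succeeded
    yield {"type": "DONE", "tip": new_tip}
```

In this sketch, objects from batches flushed before the blocked one stay in `store`; they are unreachable because the branch pointer never moves, and whether the real service cleans them up is not stated on this page.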