security: defense-in-depth auth checks for all MCP write tools and REST endpoints

- MCP issues: add _require_public_or_write_access to create_issue, create_issue_comment; add _require_write_access + actor param to update_issue - MCP proposals: add _require_public_or_write_access to create_proposal, create_proposal_comment - MCP repos: guard create_repo against empty owner_user_id (unauthenticated callers) - REST webhooks: add _guard_repo_owner to redeliver_delivery (was auth-only, not authz) - REST labels: add _guard_repo_owner to assign_labels_to_proposal and remove_label_from_proposal (were scope-only, no repo-level ownership check) - Dispatcher: pass actor=user_id to execute_update_issue (was missing) - Tests: 20+ new auth tests covering forbidden paths for all affected executors

sha256:b52c6cbdd7835160038c284ec5ab828b8c999530f1913d4e17110acbbc153eab sha

sha256:f4abfa2a48e891e8daac08544a196429c07cd91993320e9cdcbd189354a14dfe parent

sha256:14500c2377a9d71e8040d1ef6493ab0a02945944d3dffc33abe458eda8da04b3 snapshot

← Older Oldest on task/security-depth-sweep

All commits

Newer → Latest on task/security-depth-sweep

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:b52c6cbdd7835160038c284ec5ab828b8c999530f1913d4e17110acbbc153eab --body "your comment"

Provenance signed

gabriel

Bump BREAKING

Breaking

musehub/api/routes/musehub/webhooks.py::redeliver_deliverymusehub/mcp/write_tools/issues.py::execute_update_issuetests/test_mcp_write_tools.py::TestDataIntegrityIssue

Signature Cryptographically verified

Snapshot

ID sha256:14500c2377a9d71e8040d1ef6493ab0a02945944d3dffc33abe458eda8da04b3

Files 0

Browse tree at this commit →

Commit

SHA sha256:b52c6cbdd7835160038c284ec5ab828b8c999530f1913d4e17110acbbc153eab

Parent

sha256:f4abfa2a48e891e8daac08544a196429c07cd91993320e9cdcbd189354a14dfe

Branch task/security-depth-sweep