gabriel / musehub public
minor task/security-proposals-review #1 / 1
gabriel · 73 days ago · Apr 10, 2026 · Diff

security: add access control to submit_proposal_review (REST + MCP)

REST: add _guard_write_access to submit_proposal_review — was checking repo existence but not whether the caller has access to the (possibly private) repo.

MCP: add repo existence check + _require_public_or_write_access to execute_submit_proposal_review — any authenticated user could previously submit reviews on private repos they have no access to.

Tests: 3 new MCP tests (forbidden_without_auth, forbidden_on_private_repo, any_user_can_review_public_repo) + 1 new REST test (submit_review_forbidden_on_private_repo_for_non_owner).

sha256:beae6cf63b4c7fd99cb2059908a21007d3ee8f3371f046f2d26e382c6ab5df7e sha
sha256:8e91f43350e855005d70f68399974fa544faf64dceb04808b7ca5c290fd5b80a snapshot