gabriel / musehub public
BREAKING fix/issue-label-auth-security #1 / 1
gabriel · 73 days ago · Apr 10, 2026 · Diff

security: enforce write-access checks on all label and issue-label MCP/REST operations

- execute_remove_issue_label: add repo fetch + _require_write_access guard (matches other 4 issue executors)
- labels.py REST: add _guard_repo_owner helper; apply to create_label, update_label, delete_label
- write_tools/labels.py MCP: import _require_write_access; apply to execute_create_label, execute_update_label, execute_delete_label (with repo fetch for update/delete)
- test_mcp_write_tools.py: fix existing label tests to pass actor='alice'; add TestLabelWriteAccessGuard with 4 forbidden tests
- test_musehub_labels.py: add 2 REST 403 tests (non-owner create/delete label)

sha256:d3ae4478c0410dbb6ee5f0e3c33739ed3e5329d10f45fa29c56be010d1dfd1ef sha
sha256:0fbe3125ab29f515eb0ebe9a400389f2edd4b55b0094cd8ac323ae21aa4bcf2d snapshot