security(operator): scope read-only views by repo permission

Per code review: writers (read/triage/write on the auth repo) could
enumerate every repo the copier touches via the read-only operator
endpoints, regardless of GitHub access to the underlying repos. Each
endpoint leaks a different slice of topology — repo names, paths,
commit SHAs, free-form Detail fields, full source→target workflow
config — to anyone holding any valid PAT for the auth repo.

Add a per-request repoFilter that memoises CanUserReadRepo lookups
and post-filters rows. Operators (admin/maintain) bypass; writers
only see rows whose referenced repos they can read on GitHub.

- /audit/events: drop rows where source_repo or target_repo is
  unreadable; config_change rows (no repo) are operator-only.
- /observability/webhook-traces: drop traces with no repo or with
  unreadable repos; total stays unfiltered so retention vs
  visibility stays distinguishable.
- /logs (per-delivery): look up the delivery's repo via a new
  WebhookTraceBuffer.RepoForDelivery helper; deny writers when
  no trace exists or the repo is unreadable.
- /workflows: drop workflows whose source or destination repo is
  unreadable; surface hidden_count so the UI can hint without
  naming the hidden rows.

RoleWriter doc updated to describe the post-filter behaviour
explicitly so the boundary is discoverable from the type.

Author: cbullinger

services/operator_auth.go

@@ -58,9 +58,16 @@ var ghRepoNameRe = regexp.MustCompile(`^[a-zA-Z0-9_.-]{1,100}$`)
 type OperatorRole string
 
 const (
-	// RoleOperator has full access: view, replay, release.
+	// RoleOperator has full access: view, replay, release. Operators are
+	// trusted with the full repo topology and bypass per-repo scoping in
+	// the read-only views (audit events, webhook traces, delivery logs,
+	// workflow config).
 	RoleOperator OperatorRole = "operator"
 	// RoleWriter has read-only access: view workflows, audit, recent copies.
+	// Read-only views are post-filtered by repoFilter so writers only see
+	// rows that reference repos they can read on GitHub — without this they
+	// could enumerate every source→target pairing and audit row in the
+	// system, regardless of whether they have GitHub access to those repos.
 	RoleWriter OperatorRole = "writer"
 	// RoleDenied means the user has no access.
 	RoleDenied OperatorRole = "denied"

services/operator_repo_filter.go

@@ -0,0 +1,116 @@
+package services
+
+import (
+	"context"
+	"strings"
+)
+
+// repoFilter post-filters operator UI rows so a writer only sees rows that
+// reference repos they can read on GitHub. Operators (admin/maintain on the
+// auth repo) bypass the check — they're trusted with full topology.
+//
+// Per-request only: results memoise inside one filter instance so we don't
+// hit the GitHub API more than once per distinct repo per request, even with
+// pages of audit/trace rows that share the same source/target.
+//
+// Construct via newRepoFilter and reuse for the duration of one HTTP handler.
+type repoFilter struct {
+	ctx   context.Context
+	cache *ghAuthCache
+	pat   string
+	user  *OperatorUser
+	// memo of repo → has-read for this request. nil entries are treated as
+	// "deny" so a transient GitHub error fails closed for that row.
+	memo map[string]bool
+}
+
+func newRepoFilter(ctx context.Context, cache *ghAuthCache, pat string, user *OperatorUser) *repoFilter {
+	return &repoFilter{ctx: ctx, cache: cache, pat: pat, user: user, memo: make(map[string]bool)}
+}
+
+// bypass reports whether this filter should let every row through unmodified.
+// Operators see everything; writers go through per-repo checks.
+func (f *repoFilter) bypass() bool {
+	return f == nil || f.user == nil || f.user.Role == RoleOperator
+}
+
+// canRead returns true if the caller has read access to repo. Empty repo
+// returns true so a single missing field doesn't drop a row that's otherwise
+// scoped by a populated peer (e.g. a copy event with target_repo set but
+// source_repo empty). Callers that need both fields populated should compose
+// canRead checks themselves and treat empty as "no info" rather than "ok".
+func (f *repoFilter) canRead(repo string) bool {
+	if f.bypass() {
+		return true
+	}
+	repo = strings.TrimSpace(repo)
+	if repo == "" {
+		return true
+	}
+	if v, ok := f.memo[repo]; ok {
+		return v
+	}
+	ok, err := f.cache.CanUserReadRepo(f.ctx, f.pat, f.user.Login, repo)
+	// Fail closed on error: a transient GitHub 5xx shouldn't reveal a row
+	// the writer wouldn't normally see. Cached deny entries naturally pass
+	// through the same path.
+	allowed := err == nil && ok
+	f.memo[repo] = allowed
+	return allowed
+}
+
+// allowAuditEvent decides whether to surface one audit row to the caller.
+// A writer must be able to read every repo named on the row; otherwise the
+// row leaks the existence of a repo the writer has no business knowing about.
+// Rows with neither source_repo nor target_repo populated (config_change
+// events) are operator-only — writers don't get to see admin actions.
+func (f *repoFilter) allowAuditEvent(ev *AuditEvent) bool {
+	if f.bypass() {
+		return true
+	}
+	if strings.TrimSpace(ev.SourceRepo) == "" && strings.TrimSpace(ev.TargetRepo) == "" {
+		return false
+	}
+	if ev.SourceRepo != "" && !f.canRead(ev.SourceRepo) {
+		return false
+	}
+	if ev.TargetRepo != "" && !f.canRead(ev.TargetRepo) {
+		return false
+	}
+	return true
+}
+
+// filterAuditEvents returns the subset of events visible to the caller.
+// Returns the input slice unchanged when the filter is in bypass mode.
+func (f *repoFilter) filterAuditEvents(events []AuditEvent) []AuditEvent {
+	if f.bypass() {
+		return events
+	}
+	out := make([]AuditEvent, 0, len(events))
+	for i := range events {
+		if f.allowAuditEvent(&events[i]) {
+			out = append(out, events[i])
+		}
+	}
+	return out
+}
+
+// filterWebhookTraces returns the subset of webhook traces visible to the
+// caller. Traces with no Repo populated are dropped for writers — a trace
+// without a repo can't be scoped, and the Detail field can carry sensitive
+// content (truncation is a length cap, not redaction).
+func (f *repoFilter) filterWebhookTraces(traces []WebhookTraceEntry) []WebhookTraceEntry {
+	if f.bypass() {
+		return traces
+	}
+	out := make([]WebhookTraceEntry, 0, len(traces))
+	for _, t := range traces {
+		if strings.TrimSpace(t.Repo) == "" {
+			continue
+		}
+		if f.canRead(t.Repo) {
+			out = append(out, t)
+		}
+	}
+	return out
+}