Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search
A resource-scoped API token can read script contents outside its allowed path scope via GET /api/w/{workspace}/scripts/list_search. This appears to be a remaining variant of the scoped-token authorization class previously addressed for other endpoints. The route-level scope middleware validates the token domain/action, but does not enforce the resource/path segment of a scope. scripts/list_search then returns script path and content for scripts in the workspace without applying per-row path filtering against the …