fix(bitbucket): replace retired CHANGE-3022 API endpoints

[drazisil-codecov]

Summary

Bitbucket retired three endpoints on 2026-04-14 (CHANGE-3022), all returning 410. This PR replaces them with current equivalents and removes one deprecated call entirely.

Dead endpoints fixed (410 → working):

• GET /user/permissions/repositories → removed (list_permissions) and replaced (get_authenticated)
• GET /workspaces/{uuid}/permissions → GET /workspaces/{slug}/permissions — was passing UUID where slug is required, causing 404s in get_is_admin

Changes:

• get_is_admin: use self.data["owner"]["username"] (slug) instead of service_id (UUID)
• get_authenticated: GET /repositories/{workspace}?role=contributor&q=full_name="..." — presence in results = write access
• list_permissions(): deleted entirely (see below)

Why list_permissions() was dropped, not replaced:

list_permissions called GET /repositories?role=member to discover repos where a user had collaborator access outside of workspace membership. That endpoint is itself deprecated per the Bitbucket swagger spec — the recommended replacement is the workspace-scoped GET /repositories/{workspace}.

Since list_repos already calls GET /repositories/{workspace} for every workspace slug returned by list_teams(), and Bitbucket is retiring the "repo-level collaborator without workspace membership" access model, list_permissions was redundant. Dropping it means the sync path uses only non-deprecated workspace-scoped calls.

Swagger spec used for response shape verification: https://dac-static.atlassian.com/cloud/bitbucket/swagger.v3.json

Test plan

• 71 unit + integration tests pass locally
• Tested end-to-end locally via real Bitbucket OAuth flow with two accounts:
  • sync_repos calls only workspace-scoped endpoints (GET /repositories/{workspace})
  • Non-member workspaces are correctly skipped — never queried
  • A repo added to a workspace mid-session was picked up on the next sync
  • get_is_admin correctly returns 403 for a user who is a workspace member but not an owner
  • get_authenticated correctly denies edit access for a user not in the workspace
  • A user who is a member of a workspace cannot see private repos in that workspace they do not have explicit access to — Bitbucket's API only returns repos the requesting user can access, so workspace membership alone is not sufficient
• Verify sync_repos / sync_teams no longer produce 410s in Sentry after deploy

🤖 Generated with Claude Code

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.25%. Comparing base (7cb0beb) to head (d237ed7).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #883      +/-   ##
==========================================
- Coverage   92.26%   92.25%   -0.01%     
==========================================
  Files        1307     1307              
  Lines       48014    47984      -30     
  Branches     1632     1625       -7     
==========================================
- Hits        44298    44270      -28     
- Misses       3407     3408       +1     
+ Partials      309      306       -3     

Flag	Coverage Δ
apiunit	96.35% <ø> (ø)
sharedintegration	36.97% <0.00%> (+0.06%)	⬆️
sharedunit	84.89% <100.00%> (-0.02%)	⬇️
workerintegration	58.54% <ø> (ø)
workerunit	90.39% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov-notifications]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[codspeed-hq]

Merging this PR will not alter performance

✅ 9 untouched benchmarks

---

_{Comparing fix/bitbucket-repos-permissions-api (d237ed7) with main (b3cda5a)¹}

Footnotes

1. No successful run was found on main (7cb0beb) during the generation of this report, so b3cda5a was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[drazisil-codecov]

Follow-up to initial fix: removed list_permissions() from the sync path entirely.

list_permissions() originally called GET /user/permissions/repositories (retired, 410) to discover repos where a user had collaborator access outside of workspace membership — cases where the user wasn't a workspace member but had repo-level write access granted directly.

The initial fix in this PR replaced that with GET /repositories?role=member, but that endpoint is itself deprecated by Bitbucket — they recommend workspace-scoped calls instead.

The root cause is that Bitbucket's new access model is workspace-based. The "repo-level collaborator without workspace membership" pattern is the deprecated collaborator role they're phasing out. Because of this:

• list_teams() already returns all workspace slugs the user belongs to
• The list_repos loop already calls GET /repositories/{workspace} (workspace-scoped, non-deprecated) for each one
• list_permissions() was adding owner slugs to that set, but those slugs were already covered by workspace membership in practice

So we dropped list_permissions() and the deprecated cross-workspace call with it. The per-workspace GET /repositories/{workspace} calls in the loop are the correct non-deprecated path.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f3232d3. Configure here.}

[michelletran-sentry]

Just checking: do we receive webhooks on name changes? I want to make sure that users who rename their org/slug (if that's possible) will have it reflected in Codecov.

[michelletran-sentry]

I feel like we're losing some potential useful context with the removal of this docstring. Can we update it to better reflect what it's actually doing?