5b17503df7
getPageBreadCrumbs returns the full ancestor chain filtered only by deletedAt; the /breadcrumbs endpoint validates validateCanView on the target page only. Document why this is safe rather than an accepted leak: page restrictions inherit down the tree, so viewing a page implies the right to view every ancestor (canUserAccessPage checks the full ancestor chain). A hidden ancestor would already hide the target itself, making per-ancestor filtering redundant. Owner decision: document, no logic change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>