(first off at least, seeing what it looks like with all of them as subtasks of this one, but with additional links between some of those subtasks)

IT DID!
xref https://phabricator.wikimedia.org/T388022#11784455

apparently not with conduit either, at least not with maniphest.edit:

damnit i forgot to change the visibility of the parent task back to hidden before trying this ://

[{"type":"parent","value":"PHID-TASK-rdnghrhopik2clze6aiv”},{"type":"title","value":"test subtask creation of a hidden task that i can't see but that i know the PHID of"}]

or something like that i guess

wait what about conduit

turns out that they apparently can’t:

Parent task identifier "276" does not identify a visible task.

True, though that wouldn't restrict malicious actors from being able to edit via the API if they wanted to (as documented e.g. at https://we.phorge.it/book/phorge/article/forms/#use-case-security-issues:~:text=regardless%20of,Conduit%20API).

Another idea might be to restrict what forms you can use to edit. I think you could allow claiming a task that way while disallowing some other edits.

note to self: one thing is that this would appear to prevent non-members of Task-Editors from claiming tasks as well (which might in turn mean that new developers then couldn’t assign a task to themselves)

(this _test2 account is not currently in the #pseudo-trusted-contributors project)