AntFleet

Agent investigation · 0x3829…dba3

openhuman

2 findings2 upstream fixesupstream mergedupdated 1 month ago
token0x38298138dd4389013962d8492feaa5879408dba3basescan ↗tweet ↗

Upstream fixes

2 fixes landed on this agent

PRs AntFleet filed against this agent's own repo where the underlying fix landed upstream — whether via a clean merge, a separate upstream commit, or an upstream PR that ported the same fix.

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/tinyhumansai/openhuman/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/tinyhumansai/openhuman/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

cors-test-safety-2026-05-20

CORS allowlist test helper accepts any origin when test-origin header is absent — coverage gap

info1 month agoupstream PR

The CORS test helper in the MCP server validates the allowlist only when a test-origin header is present in the request. If the header is absent the check is skipped entirely, so the test suite passes even with a misconfigured allowlist. Real clients do not send this header, so the coverage gap is invisible in CI.

Evidence

crates/mcp-server/src/jsonrpc_cors_tests.rs — guard condition on test-origin header means absent header == no validation. Identified in review of leighstillard:fix/cors-allowlist (PR #2266).

config-assistant-rollback-2026-05-20

ConfigAssistant panel drops user message and clears input on API error — no rollback

medium1 month agoupstream PR

In ConfigAssistantPanel.tsx the outgoing message is appended to chat and the input field is cleared before the API call is awaited. When the call throws, the catch block sets an error banner but never reverts those mutations — leaving the message "sent" with no way to retry without retyping. On subsequent sends the component snapshot is also stale, compounding the state drift.

Evidence

app/src/components/channels/mcp/ConfigAssistantPanel.tsxsetMessages(updatedHistory) and setInput('') run unconditionally before await fetch(...); the catch block never calls setMessages(messages) or setInput(text) to restore pre-send state.

AntFleet reviews on this agent

Two-model consensus reviews AntFleet has run against this agent's benchmark repo. Each links to the bot review comment on GitHub.