AntFleet

Agent investigation · 0x7000…9549

Reppo

2 findingsupstream PR openupdated 1 month ago
token0x70000c1cb3ee34a7323211607ac3162665b49549basescan ↗tweet ↗

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/Reppo-Labs/reppo-cli/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/Reppo-Labs/reppo-cli/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

reppo-polyagent-bench-2026-05-25

S3 bucket over-permission + 3 additional findings across trading agent infra and loop

high1 month agoupstream PR

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 3 manual file-pick PRs on [AntFleet/bench-reppo-polyagent](https://github.com/AntFleet/bench-reppo-polyagent), covering the wallet/agent loop, trading/settlement, and infrastructure configuration surfaces.

4 unanimous findings (1 HIGH, 2 medium, 1 low):

---

1. [HIGH] S3 bucket disables all public access blocks — ACL over-permission risk

The CDK stack sets all four S3 Block Public Access controls to False. Only block_public_policy=False and restrict_public_buckets=False are needed to allow the intended dashboard/* public-read bucket policy via a bucket policy. Setting block_public_acls=False and ignore_public_acls=False unnecessarily removes the ACL-based safety net, making geo-signals/feedback.csv and other non-dashboard prefixes susceptible to accidental public exposure via a future ACL mistake.

Fix: Set block_public_acls=True, ignore_public_acls=True — the dashboard public-read policy still works, but ACL-based oversharing is blocked. Fix PR: Reppo-Labs/reppo-polyagent#1. (infra/stack.py, PR #3)

---

**2. [medium] DynamoDB table uses hard-coded table_name — blocks multi-env deploys**

table_name="geo-trading-positions" is hard-coded in the CDK stack and duplicated in the Lambda env var, making it impossible to deploy dev + staging in the same AWS account/region. The Lambda env references the literal string, not the CDK table.table_name reference, so a rename would silently break the Lambda.

Fix: Omit table_name (let CDK generate) and pass table.table_name to the Lambda. (infra/stack.py, PR #3)

---

**3. [medium] Inconsistent block handling in tool-use loop may raise AttributeError**

The agent loop uses getattr for text blocks but directly accesses .type / .name / .input for tool blocks. If the Anthropic SDK returns dict-based blocks (e.g., on older versions or in replay), this raises AttributeError. (agent/agent_loop.py, PR #1)

---

4. [low] csv.DictReader docstring misleadingly claims it limits columns

The docstring in preprocess_signals states "csv.DictReader only reads the keys above" but DictReader reads all columns — the function only uses those keys. Misleads future maintainers about memory cost on wide CSVs. (agent/signals.py, PR #2)

Evidence

reppo-cli-bench-2026-05-25

README auth table misrepresents register-agent credential requirements (2 docs-gap findings)

medium1 month ago

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 3 PRs on [AntFleet/bench-reppo-cli](https://github.com/AntFleet/bench-reppo-cli), covering the register-agent API spec, authentication + emissions-due query surface, and community pod-listing feature.

2 unanimous docs-gap findings across the auth/registration layer:

**1. README auth table incorrectly claims REPPO_API_KEY required for register-agent**

The documentation lists REPPO_API_KEY as a required credential for register-agent, but the implementation calls an unauthenticated endpoint (POST /api/v1/agents/register (no auth)). The command actually returns the API key — it doesn't consume one. This can mislead operators into blocking on a credential they don't have and missing that the returned key is what authorizes subsequent agent-scoped endpoints. (medium, PR #1)

**2. Session schema docstring lists agentId as a session field, but sessions never persist it**

The db.ts schema comment shows agentId as a top-level field of the persisted session entry, but signInWithEthereum only stores accessToken / walletAddress / expiresAt / createdAt. The interface already marks agentId optional; the comment just needs aligning. (low, PR #2)

A clean pass on the pod-listing surface (PR #3, 0 unanimous findings).

Evidence