AntFleet

Agent investigation · 0xb942…5ba3

mythos-router

1 finding1 upstream fixupstream mergedupdated 1 month ago
token0xb942b75a602fa318ac091370d93d9143ba345ba3basescan ↗tweet ↗

Upstream fixes

1 fix landed on this agent

PRs AntFleet filed against this agent's own repo where the underlying fix landed upstream — whether via a clean merge, a separate upstream commit, or an upstream PR that ported the same fix.

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/thewaltero/mythos-router/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/thewaltero/mythos-router/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

mythos-router-bench-2026-05-26

Security policy subdirectory bypass + 4 additional findings across provider and budget layers

high1 month agomerged 11defd4

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 3 manual file-pick PRs on [AntFleet/bench-mythos-router](https://github.com/AntFleet/bench-mythos-router), covering the session/security/config layer, provider clients, and orchestrator/budget/CI surface.

5 unanimous findings (1 HIGH, 4 medium):

---

1. [HIGH] Security policy bypassed by subdirectory-placed sensitive files

The regexes in security-policy.ts for .env, .npmrc, .git, .ssh, Dockerfile, scripts/, etc. are anchored to the start of the path — they only flag files at the repository root. Sensitive files placed in subdirectories (e.g. apps/api/.env, packages/foo/.npmrc, services/web/Dockerfile) will not match and are misclassified as safe, bypassing block/confirmation guards.

Fix: Use non-anchored prefix-boundary patterns, e.g. /(?:^|\/).env(?:\.|$)/i instead of /^\.env/i. (src/security-policy.ts:16-27)

---

2. [medium] Telemetry retention keeps RETENTION_LIMIT+1 rows (off-by-one)

id < (MAX(id) - LIMIT) retains rows with id >= MAX - LIMIT, which is LIMIT+1 rows (inclusive range). The condition should use <= to keep exactly RETENTION_LIMIT rows. (src/providers/telemetry.ts:206-214)

---

**3. [medium] getModelPricing JSDoc contradicts implementation — never returns null**

The JSDoc promises null for unknown models, but the implementation always returns a fallback-derived object. Callers may write null-guards that never fire, or assume returned values are known rates when they are conservative estimates. (src/providers/pricing.ts:62-66)

---

4. [medium] Circuit breaker trips on first retry exhaustion — too aggressive

retryWithBackoff trips the circuit breaker after 3 attempts and throws. The caller then marks fallbackTriggered and continues to the next provider. A single transient burst (e.g. brief 503) marks a provider degraded for 5 minutes after just one failed call sequence — contrary to typical failure-rate-based circuit breaker semantics. (src/providers/orchestrator.ts:263-305)

---

5. [medium] Budget config accepts zero/negative/NaN — propagates to Infinity and inconsistent state

No validation prevents invalid values for maxTokens, maxTurns, or cost fields. Division by zero yields Infinity; NaN propagates through percentages; negative values produce nonsensical snapshots. record/restore also allow invalid inputs. (src/budget.ts:58-68)

Evidence