AntFleet

Anatomy · 0982a39f-0

Middleware test shares a single response across all `it` blocks, defeating per-test isolation

low · test-gap · closed in b8546bd

repo e24ef98c · PR #6 · reviewed 2 weeks ago · closed 2 weeks ago

The vulnerable code

apps/web/middleware.test.ts:19-22

19  describe("security headers middleware", () => {
20    const res = middleware(makeReq());
21
22    it("sets HSTS for at least 1 year and includes subdomains", () => {

The reasoning

Opus

Middleware test shares a single response across all `it` blocks, defeating per-test isolation

low · test-gap · high
  • apps/web/middleware.test.ts:19-22
`const res = middleware(makeReq())` runs once at describe-time. If a future change makes middleware stateful (e.g., mutating headers based on request URL or cloning a shared Response), tests would silently share state. The current implementation is stateless so there is no functional bug, but the pattern invites future flakes.

Recommendation

Move `const res = middleware(makeReq())` into a `beforeEach` or call it inside each `it`, so each assertion uses a fresh response.

GPT-5

Test comment is misleading: claims SECURITY_HEADERS is imported via re-export, but test actually instantiates middleware

low · docs-gap · high
  • apps/web/middleware.test.ts:8-10
  • apps/web/middleware.test.ts:12
  • apps/web/middleware.test.ts:19-21
The comment explicitly states the test imports SECURITY_HEADERS via re-export and avoids instantiating middleware, but the code imports and executes middleware to obtain a response and read headers. This discrepancy can confuse maintainers and future readers.

Recommendation

Update the comment to reflect the actual approach (calling middleware and asserting on its response headers), or refactor the test to actually import and assert the SECURITY_HEADERS map if that is the intended strategy.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in b8546bd.

The fix

19
20  describe("security headers middleware", () => {
21    // Per PR #6 review (claude-opus-4-7 + gpt-5 agreed): a single shared
22    // response defeats per-test isolation if middleware ever becomes

Closure

Closed 2 weeks ago

SHA: b8546bdb378536fd7ff1c800f2f18f09671bab83

View closure receipt on GitHub →

Tweet thread template

tweet 1 of 8 · 177 / 280

Two frontier models reviewed PR #6 on e24ef98c. Both found this bug: low test-gap: Middleware test shares a single response across all `it` blocks, defeating per-test isolation

tweet 2 of 8 · 119 / 280

The vulnerable code (apps/web/middleware.test.ts:19-22): (full snippet at https://www.antfleet.dev/anatomy/0982a39f-0)

tweet 3 of 8 · 280 / 280

What Opus saw: "`const res = middleware(makeReq())` runs once at describe-time. If a future change makes middleware stateful (e.g., mutating headers based on request URL or cloning a shared Response), tests would silently share state. The current implementation is stateless so …

tweet 4 of 8 · 278 / 280

What GPT-5 saw: "The comment explicitly states the test imports SECURITY_HEADERS via re-export and avoids instantiating middleware, but the code imports and executes middleware to obtain a response and read headers. This discrepancy can confuse maintainers and future readers."

tweet 5 of 8 · 97 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 8 · 93 / 280

The fix landed in commit b8546bd: (view diff at https://www.antfleet.dev/anatomy/0982a39f-0)

tweet 7 of 8 · 81 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 8 · 77 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/0982a39f-0

Paste into X composer one tweet at a time. X has no multi-tweet intent API.