AntFleet

Anatomy · 1ea5c6c4-0

deploy-watcher Vercel API call uses projectId but interpolates project slug

mediumbugclosed in 4b9b492
repo 6f7fc663·PR #13·reviewed 1 week ago·closed 1 week ago

The vulnerable code

templates/deploy-watcher/SKILL.md:22-33

22   ```bash
23   PROJECT="${var:-[REPLACE: VERCEL_PROJECT]}"
24   SCOPE_QS=""
25   if [ -n "${VERCEL_TEAM_ID:-}" ]; then
26     SCOPE_QS="&teamId=$VERCEL_TEAM_ID"
27   fi
28   ```
29
302. **Fetch recent deploys** — Vercel API v6 lists deployments for a project:
31   ```bash
32   SINCE_MS=$(( $(date -u +%s) * 1000 - [REPLACE: LOOKBACK_HOURS] * 3600 * 1000 ))
33   URL="https://api.vercel.com/v6/deployments?projectId=$PROJECT&since=$SINCE_MS$SCOPE_QS&limit=20"

The reasoning

Opus

deploy-watcher Vercel API call uses projectId but interpolates project slug

mediumbughigh
  • templates/deploy-watcher/SKILL.md:22-33
The replace token is named VERCEL_PROJECT and the row in TEMPLATE.md describes it as the Vercel 'project' (typically the slug). However the URL passes it as `projectId=...`. Vercel's v6 /deployments endpoint accepts `projectId` (the prj_... id) OR `app` (the slug/name). Passing a slug as projectId returns empty results without an error, so the skill will silently report zero deploys and never alert. This is a real correctness defect for any operator using the obvious slug value.

Recommendation

Use `app=$PROJECT` for slug, or rename the token to VERCEL_PROJECT_ID and document that it must be the prj_… id. Alternatively branch: if PROJECT starts with `prj_` use projectId, else use app.

GPT-5

Vercel deployments API query uses projectId with a slug (likely wrong param)

mediumbugmedium
  • templates/deploy-watcher/SKILL.md:8
  • templates/deploy-watcher/SKILL.md:23
  • templates/deploy-watcher/SKILL.md:33
PROJECT is documented/treated as a slug, but the query uses projectId=. Vercel’s API expects a project ID for projectId=, while slugs are typically passed as app=. Using a slug in projectId will fail or return empty results.

Recommendation

Either (a) change the query to use app=$PROJECT when PROJECT is a slug, or (b) rename/require PROJECT_ID and instruct operators to provide the actual project ID for projectId=. Example: URL="https://api.vercel.com/v6/deployments?app=$PROJECT&since=$SINCE_MS$SCOPE_QS&limit=20".

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 4b9b492.

The fix

22   ```bash
23   PROJECT="${var:-[REPLACE: VERCEL_PROJECT]}"
24   SCOPE_QS=""
25   if [ -n "${VERCEL_TEAM_ID:-}" ]; then
26     SCOPE_QS="&teamId=$VERCEL_TEAM_ID"
27   fi
28   ```
29
302. **Fetch recent deploys** — Vercel API v6 lists deployments for a project:
31   ```bash
32   SINCE_MS=$(( $(date -u +%s) * 1000 - [REPLACE: LOOKBACK_HOURS] * 3600 * 1000 ))
33   URL="https://api.vercel.com/v6/deployments?projectId=$PROJECT&since=$SINCE_MS$SCOPE_QS&limit=20"

Closure

Closed 1 week ago

SHA: 4b9b49251c8c9808bf147d55aa2930352af2e8c0

View closure receipt on GitHub →

Tweet thread template

tweet 1 of 8158 / 280

Two frontier models reviewed PR #13 on 6f7fc663. Both found this bug: medium bug: deploy-watcher Vercel API call uses projectId but interpolates project slug

tweet 2 of 8125 / 280

The vulnerable code (templates/deploy-watcher/SKILL.md:22-33): (full snippet at https://www.antfleet.dev/anatomy/1ea5c6c4-0)

tweet 3 of 8280 / 280

What Opus saw: "The replace token is named VERCEL_PROJECT and the row in TEMPLATE.md describes it as the Vercel 'project' (typically the slug). However the URL passes it as `projectId=...`. Vercel's v6 /deployments endpoint accepts `projectId` (the prj_... id) OR `app` (the slu…

tweet 4 of 8243 / 280

What GPT-5 saw: "PROJECT is documented/treated as a slug, but the query uses projectId=. Vercel’s API expects a project ID for projectId=, while slugs are typically passed as app=. Using a slug in projectId will fail or return empty results."

tweet 5 of 897 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 893 / 280

The fix landed in commit 4b9b492: (view diff at https://www.antfleet.dev/anatomy/1ea5c6c4-0)

tweet 7 of 881 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 877 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/1ea5c6c4-0

Paste into X composer one tweet at a time. X has no multi-tweet intent API.

view receipt →all receipts →view disagreements →case studies →