AntFleet

Anatomy · 44a066f2-0

README Authentication table incorrectly claims REPPO_API_KEY is required for register-agent (command uses no auth)

medium · docs-gap
repo 799b2361 · PR #1 · reviewed 5 days ago

The vulnerable code

README.md:25-26

Code snippet unavailable.

The reasoning

Opus

README documents REPPO_API_KEY as required for register-agent, but the command never reads it

low · docs-gap · high
  • README.md:22
  • src/commands/register-agent.ts:70-80
  • src/commands/register-agent.ts:6-7
The README's authentication table lists REPPO_API_KEY as required for `register-agent`, but the command source explicitly states the endpoint is permissionless ('no auth required for registration itself — it's permissionless') and the fetch call sends no Authorization or API-key header. This is contradictory documentation: register-agent is the command that *produces* an apiKey, so requiring an apiKey to call it would be circular. Users following the README may set an unused variable and be confused; agents reading the README to determine env prerequisites will gate on a variable that has no effect.

Recommendation

Remove `register-agent` from the REPPO_API_KEY row in README.md (leave only `create-datanet` if that is still accurate), or add a footnote clarifying that register-agent itself is unauthenticated and only subsequent agent-scoped calls use the returned apiKey.

GPT-5

README Authentication table incorrectly claims REPPO_API_KEY is required for register-agent (command uses no auth)

medium · docs-gap · high
  • README.md:25-26
  • src/commands/register-agent.ts:6
The README states REPPO_API_KEY is required for register-agent, but the implementation calls a no-auth endpoint and does not read or send any API key. This inconsistency will confuse users and scripts about necessary environment setup.

Recommendation

Update the Authentication table to remove REPPO_API_KEY as a requirement for register-agent. Clarify that register-agent is unauthenticated and returns the persistent apiKey used for subsequent agent-scoped endpoints. Also note that agent-scoped endpoints use that returned apiKey as Bearer auth.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure
