AntFleet

Anatomy · 4c349ef3-2

Non-portable shebang hard-codes a local Homebrew Python path

medium · build-release

repo 703f69ec · PR #3 · reviewed 5 days ago

The vulnerable code

infra/app.py:1-1

Code snippet unavailable.

The reasoning

Opus

`app.py` uses a non-portable shebang and imports `stack` without package context

low · build-release · high
  • infra/app.py:1-8
The shebang `/opt/homebrew/bin/python3.13` is a developer-machine-specific path (Apple Silicon Homebrew) and will fail in CI/Linux. The `from stack import GeoTradingStack` works only when CWD is `infra/`, which is brittle if `cdk` is invoked from elsewhere; this implicitly couples to `cdk.json`'s `app` command (not shown). Lambda runtime is also pinned to Python 3.12 while app.py targets 3.13 — version skew worth flagging.

Recommendation

Use `#!/usr/bin/env python3`, and either convert `infra/` to a package with `from infra.stack import GeoTradingStack` or document the required CWD in `cdk.json`'s `app` field.

GPT-5

Non-portable shebang hard-codes a local Homebrew Python path

medium · build-release · high
  • infra/app.py:1
The script pins a machine-specific interpreter path that will fail on most systems and CI environments. CDK apps are typically run via the active Python in the environment; hard-coding a Homebrew path reduces reproducibility.

Recommendation

Use a portable shebang like `#!/usr/bin/env python3` or remove the shebang and rely on the environment’s interpreter (e.g., invoking via `python -m` or the CDK toolchain).

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure

Tweet thread template

tweet 1 of 8 · 152 / 280

Two frontier models reviewed PR #3 on 703f69ec. Both found this bug: medium build-release: Non-portable shebang hard-codes a local Homebrew Python path

tweet 2 of 8 · 102 / 280

The vulnerable code (infra/app.py:1-1): (full snippet at https://www.antfleet.dev/anatomy/4c349ef3-2)

tweet 3 of 8 · 280 / 280

What Opus saw: "The shebang `/opt/homebrew/bin/python3.13` is a developer-machine-specific path (Apple Silicon Homebrew) and will fail in CI/Linux. The `from stack import GeoTradingStack` works only when CWD is `infra/`, which is brittle if `cdk` is invoked from elsewhere; this…

tweet 4 of 8 · 244 / 280

What GPT-5 saw: "The script pins a machine-specific interpreter path that will fail on most systems and CI environments. CDK apps are typically run via the active Python in the environment; hard-coding a Homebrew path reduces reproducibility."

tweet 5 of 8 · 97 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 8 · 93 / 280

The fix landed in commit pending: (view diff at https://www.antfleet.dev/anatomy/4c349ef3-2)

tweet 7 of 8 · 81 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 8 · 77 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/4c349ef3-2

Paste into X composer one tweet at a time. X has no multi-tweet intent API.