AntFleet

Disagreement · 219fd253-anthropic-3

Webhook list endpoint documented as Signed, contradicting `webhook list` CLI usage and norm

solo Opus
repo a16d2030 · PR #3 · reviewed 1 week ago

Opus finding

Webhook list endpoint documented as Signed, contradicting `webhook list` CLI usage and norm

low · docs-gap · medium
  • gitlawb/references/api-reference.md:84-88
  • gitlawb/SKILL.md:197-201
Listing webhooks is described as `Signed`, which is reasonable since webhook URLs/secrets are sensitive — but neither SKILL.md nor the CLI reference notes that the caller must be the repo owner to list. If the server actually returns webhooks for any signed request (any DID), webhook URLs and event subscriptions for arbitrary repos would leak across users. The doc should make the ownership/authorization model explicit (e.g., 'Signed, repo owner only'). Without this clarification, integrators may build agents that expose other users' webhook configuration.

Recommendation

Update the Auth column to 'Signed (repo owner)' for the webhook GET/POST/DELETE rows, and add a short paragraph above the table describing authorization (signature identity must match `{owner}`).
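To make the authorization gap concrete, here is an added example (not gitlawb's code) that contrasts a webhook-list handler accepting any valid signature with one that also requires the signer's identity to match `{owner}`, the 'Signed (repo owner)' model the recommendation asks for. It assumes the `{owner}` path segment is the owner's DID (or has already been resolved to it); all DIDs, repo names and webhook records are constructed.

```python
"""Added example (not gitlawb's code). Assumes signature verification has already
run and yielded the signer's DID; all fixtures below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedRequest:
    signer_did: str   # identity recovered from the (already verified) signature
    owner: str        # the {owner} path parameter, assumed to be a DID
    repo: str


class Forbidden(Exception):
    """Raised when the signer is not authorized for the requested owner."""


# Constructed fixture: owner DID -> repo -> webhook records (URL + subscribed events).
WEBHOOKS = {
    "did:example:alice": {"infra": [{"url": "https://hooks.alice.example/ci", "events": ["push"]}]},
    "did:example:bob": {"blog": [{"url": "https://hooks.bob.example/deploy", "events": ["push", "tag"]}]},
}


def list_webhooks_signed_only(req):
    """Vulnerable model: any DID with a valid signature can read any owner's hooks."""
    return WEBHOOKS.get(req.owner, {}).get(req.repo, [])


def list_webhooks_owner_only(req):
    """Hardened model ('Signed (repo owner)'): signer identity must equal {owner}."""
    if req.signer_did != req.owner:
        raise Forbidden(f"{req.signer_did} is not the owner of {req.owner}/{req.repo}")
    return WEBHOOKS.get(req.owner, {}).get(req.repo, [])


def cross_tenant_leak(handler, foreign_did="did:example:mallory"):
    """Return every webhook URL a signed but unrelated DID can read across all owners.

    A non-empty result means webhook configuration leaks across users."""
    leaked = []
    for owner, repos in WEBHOOKS.items():
        for repo in repos:
            try:
                leaked += [h["url"] for h in handler(SignedRequest(foreign_did, owner, repo))]
            except Forbidden:
                pass  # the hardened handler denies the request; nothing leaks
    return leaked
```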

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

