AntFleet

Disagreement · 219fd253-openai-1

HTTP Signatures example claims RFC 9421 but shows non-compliant header usage

solo GPT-5
repo a16d2030 · PR #3 · reviewed 1 week ago

GPT-5 finding

HTTP Signatures example claims RFC 9421 but shows non-compliant header usage

medium · api-contract · medium
  • gitlawb/references/api-reference.md:10-16
The document cites RFC 9421 but uses the older Authorization: Signature syntax rather than the standardized Signature-Input and Signature fields defined by RFC 9421. This can mislead client implementers and cause interoperability issues if they implement the RFC strictly.

Recommendation

Update the Authentication section to use RFC 9421-compliant fields (Signature-Input and Signature) and provide a concrete, correct example, or explicitly note support for the legacy draft scheme if that is what the server actually implements. Ideally, publish a minimal, tested sample request showing exact headers and canonicalization details.
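The RFC 9421 form the recommendation asks for, as an added example written for this page and not code from the reviewed repository or from AntFleet. It builds the signature base from the covered components (RFC 9421 section 2.5), emits the Signature-Input and Signature fields, and verifies them against the received request. It uses the hmac-sha256 algorithm (RFC 9421 section 3.3.3) so that only the Python standard library is needed; the key identifier test-key-hmac, the shared secret, the sample request and its body are constructed for the example. For contrast, the legacy draft scheme the finding refers to put everything into a single field of the form Authorization: Signature keyId="...",algorithm="...",headers="(request-target) date",signature="...", with a different canonical string.

```python
"""RFC 9421 HTTP Message Signatures with hmac-sha256, standard library only.

Added illustration for the finding above; not code from the reviewed repository.
The key id, shared secret and sample request below are constructed for this example.
"""
import base64
import hashlib
import hmac

KEY_ID = "test-key-hmac"               # assumed key identifier known to both sides
SHARED_SECRET = b"test-shared-secret"  # assumed shared key for hmac-sha256


def sf_string(value: str) -> str:
    """Serialize an RFC 8941 sf-string: double-quoted, backslash and quote escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_signature_params(components, params) -> str:
    """Serialize the @signature-params value: an inner list of component
    identifiers followed by ;key=value parameters (integers bare, strings quoted)."""
    inner = "(" + " ".join(sf_string(c) for c in components) + ")"
    extra = "".join(f";{k}={v if isinstance(v, int) else sf_string(v)}" for k, v in params.items())
    return inner + extra


def parse_signature_params(sig_params: str):
    """Inverse of build_signature_params for the subset of syntax used here."""
    inner, _, rest = sig_params[1:].partition(")")
    components = [c.strip('"') for c in inner.split()]
    params = {}
    for item in rest.split(";")[1:]:
        key, _, value = item.partition("=")
        params[key] = int(value) if value.isdigit() else value.strip('"')
    return components, params


def component_value(name: str, request) -> str:
    """Resolve one covered component against the request (RFC 9421 sections 2.1 and 2.2)."""
    if name == "@method":
        return request["method"]
    if name == "@authority":
        return request["authority"].lower()
    if name == "@path":
        return request["path"]
    if name.startswith("@"):
        raise ValueError(f"derived component {name} not supported by this example")
    # Header field: case-insensitive name, values trimmed, multiple instances joined with ", ".
    values = [v.strip() for h, v in request["headers"] if h.lower() == name]
    if not values:
        raise ValueError(f"covered header {name} is absent from the request")
    return ", ".join(values)


def signature_base(request, components, sig_params: str) -> str:
    """The canonical string that is actually signed (RFC 9421 section 2.5):
    one '"identifier": value' line per covered component, then the
    "@signature-params" line, joined by LF with no trailing newline."""
    lines = [f"{sf_string(c)}: {component_value(c, request)}" for c in components]
    lines.append(f'"@signature-params": {sig_params}')
    return "\n".join(lines)


def sign_request(request, components, params, label="sig1", key=SHARED_SECRET):
    """Return the Signature-Input and Signature field values for the request."""
    sig_params = build_signature_params(components, params)
    base = signature_base(request, components, sig_params)
    mac = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    signature_input = f"{label}={sig_params}"
    signature = f"{label}=:{base64.b64encode(mac).decode('ascii')}:"
    return signature_input, signature


def verify_request(request, signature_input, signature, key=SHARED_SECRET) -> bool:
    """Rebuild the base from the *received* request and compare MACs in constant time.
    A production verifier also checks created/expires freshness and nonce reuse."""
    label, _, sig_params = signature_input.partition("=")
    sig_label, _, encoded = signature.partition("=")
    if label != sig_label or len(encoded) < 2 or encoded[0] != ":" or encoded[-1] != ":":
        return False
    components, params = parse_signature_params(sig_params)
    if params.get("keyid") != KEY_ID or params.get("alg") != "hmac-sha256":
        return False
    try:
        base = signature_base(request, components, sig_params)
        received = base64.b64decode(encoded[1:-1], validate=True)
    except ValueError:  # unknown component, missing header or bad base64
        return False
    expected = hmac.new(key, base.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample request; Content-Digest is computed from the body (RFC 9530 form).
BODY = b'{"hello": "world"}'
SAMPLE_REQUEST = {
    "method": "POST",
    "authority": "api.example.com",
    "path": "/v1/orders",
    "headers": [
        ("Content-Type", "application/json"),
        ("Content-Digest", "sha-256=:" + base64.b64encode(hashlib.sha256(BODY).digest()).decode() + ":"),
    ],
}
COMPONENTS = ["@method", "@authority", "@path", "content-digest"]
PARAMS = {"created": 1618884473, "keyid": KEY_ID, "alg": "hmac-sha256"}

if __name__ == "__main__":
    sig_input, sig = sign_request(SAMPLE_REQUEST, COMPONENTS, PARAMS)
    print("Signature-Input:", sig_input)
    print("Signature:", sig)
    print(verify_request(SAMPLE_REQUEST, sig_input, sig))   # True
    tampered = {**SAMPLE_REQUEST, "path": "/v1/orders/999"}
    print(verify_request(tampered, sig_input, sig))         # False, @path is covered
```

The interoperability point of the finding is the signature base: a client implementing the draft scheme would sign a different canonical string (for instance a "(request-target): post /v1/orders" line instead of separate "@method" and "@path" lines) and would fail against a verifier that follows RFC 9421 strictly, even with the same key and algorithm. Publishing the exact base string alongside the headers, as the recommendation suggests, is what lets implementers check their canonicalization before they ever send a request.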

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.