Opus finding
ANTFLEET_OPS_GH_TOKEN is shared with manual `gh` work — broad-scope PAT used by automated cron path
medium / security / medium
- apps/web/lib/outgoing-prs.ts:18-24
- apps/web/lib/outgoing-prs.ts:136-144
The comment explicitly states that the token is shared between automated cron polling and manual `gh` operator work. A classic PAT's scopes (for example `repo`) apply to every repository the user can reach, so one token doing double duty raises the blast radius if it leaks (e.g. via logs). Polling the state of PRs on public repos needs no scope at all: unauthenticated calls or an unscoped classic PAT can read public data, and a fine-grained PAT can be limited to read-only pull-request access on the named repos. Note that `public_repo` is not read-only; it grants write access to public repositories, so it is not the minimal scope either. Reusing a higher-scoped human token for the cron path violates least privilege.
Recommendation
Mint a dedicated fine-grained PAT or App installation token scoped to read-only PR access on the specific upstream repos, separate from the operator's manual-work PAT, and have the cron path refuse to fall back to the operator token. Or use unauthenticated public API calls (limited to 60 requests per hour per source IP, which still fits a one-hour cadence per row for a modest number of rows).
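One way to implement the separation, as an added example rather than code from `outgoing-prs.ts`: the poller reads only a dedicated read-only token, never the operator PAT, falls back to unauthenticated calls when that token is absent, and fails closed if GitHub's `X-OAuth-Scopes` response header (set for classic PATs, absent for fine-grained PATs and App tokens) shows a write-capable scope. The env var name `ANTFLEET_PRS_READ_TOKEN` and the function names are assumptions.

```typescript
// Added example, not the project's code. Credential selection and scope check for
// read-only PR polling, so the cron path never reuses the operator's shared PAT.
// ANTFLEET_PRS_READ_TOKEN is an assumed env var name.

type HeaderMap = Record<string, string>;

interface PollAuth {
  mode: "fine-grained" | "unauthenticated";
  headers: HeaderMap;
}

// Classic-PAT scopes that grant write access somewhere. None of them is needed to
// read public PR state; `public_repo` in particular is read/write on public repos.
const WRITE_SCOPES = new Set([
  "repo", "public_repo", "workflow", "admin:org", "write:org", "delete_repo",
]);

// Pick credentials for the poller. ANTFLEET_OPS_GH_TOKEN is deliberately never
// consulted: the operator PAT is not a fallback for automation.
function pickPollAuth(env: Record<string, string | undefined>): PollAuth {
  const dedicated = env.ANTFLEET_PRS_READ_TOKEN;
  if (dedicated) {
    return {
      mode: "fine-grained",
      headers: {
        Authorization: `Bearer ${dedicated}`,
        Accept: "application/vnd.github+json",
      },
    };
  }
  return {
    mode: "unauthenticated",
    headers: { Accept: "application/vnd.github+json" },
  };
}

// GitHub echoes a classic PAT's scopes in X-OAuth-Scopes. A fine-grained PAT or App
// token returns no such header, which is the desired state. Any write-capable scope
// means the wrong token is in use; the caller should abort rather than poll.
function checkTokenScopes(responseHeaders: HeaderMap): { ok: boolean; offending: string[] } {
  const raw = responseHeaders["x-oauth-scopes"];
  if (raw === undefined || raw.trim() === "") {
    return { ok: true, offending: [] };
  }
  const scopes = raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const offending = scopes.filter((s) => WRITE_SCOPES.has(s));
  return { ok: offending.length === 0, offending };
}

// Unauthenticated requests are limited to 60 per hour per source IP. Check that the
// planned cadence fits before choosing unauthenticated mode.
function fitsUnauthenticatedBudget(
  openPrs: number,
  pollsPerHourPerPr: number,
  limitPerHour = 60,
): boolean {
  return openPrs * pollsPerHourPerPr <= limitPerHour;
}

// Constructed sample: an environment where only the operator PAT is set.
const sampleEnv: Record<string, string | undefined> = {
  ANTFLEET_OPS_GH_TOKEN: "ghp_operator_example",
};
const chosen = pickPollAuth(sampleEnv);
console.log(chosen.mode, fitsUnauthenticatedBudget(12, 1));
```

Run the scope check against the headers of the first response in each cron invocation; if `ok` is false, log the offending scopes and stop polling instead of continuing with an over-privileged token.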