AntFleet

Disagreement · 32b75da9-anthropic-1

Parent-override regex permits empty owner-second-char and rejects valid GitHub names

solo Opus
repo 6f7fc663 · PR #27 · reviewed 1 week ago

Opus finding

low · api-contract · medium
  • skills/fork-first-run-alert/SKILL.md:88-91
The owner half of GitHub `full_name` is also matched case-insensitively here, but actual user/org logins can contain uppercase characters in the original API response (canonicalisation to lowercase is noted later in edge-cases). More importantly, the regex allows a leading hyphen via `[a-z0-9-]*` only after the first char (OK), but disallows underscores in owners (GitHub owners do not allow underscores, so OK) — yet the repo half allows leading `.`/`-`, which GitHub rejects. A user passing e.g. `aaronjmars/.aeon` would be accepted as valid and then fail at the `gh api` call with a confusing error rather than `FORK_FIRST_RUN_ALERT_BAD_VAR`. Minor input-validation gap that surfaces as a noisy API failure instead of a clean BAD_VAR exit.

Recommendation

Tighten the repo half to `[a-zA-Z0-9_][a-zA-Z0-9._-]*` (first char alnum/underscore) to mirror GitHub's actual rules.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
