AntFleet

Disagreement · 3cf9137d-openai-1

Input validation mismatch: docs claim case-insensitive owner/repo for var, but regex and shell matching are case-sensitive

mismatch
repo 6f7fc663 · PR #27 · reviewed 1 week ago

Primary finding

Input validation mismatch: docs claim case-insensitive owner/repo for var, but regex and shell matching are case-sensitive

medium · api-contract · medium
  • skills/fork-first-run-alert/SKILL.md:76-77
  • skills/fork-first-run-alert/SKILL.md:280
The regex allows only lowercase for the owner segment and default bash regex matching is case-sensitive, conflicting with the stated "case-insensitive owner/repo" acceptance. Users providing Owner/Repo may be rejected and logged as BAD_VAR despite the contract promising case-insensitivity. Repo names can include uppercase; owners are commonly lowercase but input should honor the documented behavior.

Recommendation

Normalize the override input to lowercase before validation (e.g., PARENT_RAW=$(...) ; PARENT_LOWER=${PARENT_RAW,,}) or enable case-insensitive matching (shopt -s nocasematch) and update the regex to permit uppercase for owner if desired. Align the documentation with actual behavior and explicitly state normalization to lowercase for storage and comparisons.

Counterpart finding

Var parsing rule for 'dry-run' prefix is ambiguous when var equals exactly 'dry-run'

low · api-contract · medium
  • skills/fork-first-run-alert/SKILL.md:71-75
The regex ^dry-run will also match strings like 'dry-runs' or 'dry-run-foo' with no separator. The spec does not state what separator (space? colon?) splits the dry-run prefix from the owner/repo remainder. Examples elsewhere in aeon.yml use 'dry-run' alone or 'owner/repo' alone but never combined. If a caller passes 'dry-run aaronjmars/aeon', the remainder after stripping is ' aaronjmars/aeon' (leading space) which fails the owner/repo regex and results in FORK_FIRST_RUN_ALERT_BAD_VAR even though the intent is clear.

Recommendation

Specify the separator explicitly (e.g., 'dry-run' or 'dry-run <owner/repo>' with whitespace trim) and that the remainder is trimmed before regex match.
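
One way to implement what both recommendations describe, as an added example that is not the skill's own code: lowercase and trim the input, split an optional dry-run prefix on whitespace only, then validate the remainder. The function name, the output format, the empty-input behaviour and the owner/repo pattern are assumptions; the regex in SKILL.md is not shown on this page.

```shell
#!/bin/sh
# Hypothetical parser for the skill's "var" input (added example).
# Assumed grammar: "", "dry-run", "owner/repo" or "dry-run <owner/repo>".
# Assumed owner/repo pattern, applied AFTER lowercasing, so it only needs a-z.
OWNER_REPO_RE='^[a-z0-9]([a-z0-9-]*[a-z0-9])?/[a-z0-9._-]+$'

# parse_var VAR
# Prints "<mode> <owner/repo>" ("-" when no override was given) and returns 0,
# or prints FORK_FIRST_RUN_ALERT_BAD_VAR and returns 1.
parse_var() {
    # Lowercase (portable equivalent of bash's ${VAR,,}), collapse every
    # whitespace run to a single space, then trim both ends.
    norm=$(printf '%s\n' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | tr -s '[:space:]' ' ' \
        | sed -e 's/^ //' -e 's/ $//')

    mode=live
    rest=$norm
    case $norm in
        dry-run)
            # Exactly the keyword: dry run with no parent override.
            mode=dry-run
            rest= ;;
        "dry-run "*)
            # Keyword followed by a space: the remainder is the override.
            mode=dry-run
            rest=${norm#"dry-run "} ;;
        # Anything else, "dry-runs" included, is treated as an override
        # candidate and must pass the owner/repo check below.
    esac

    if [ -z "$rest" ]; then
        printf '%s -\n' "$mode"
        return 0
    fi
    if printf '%s\n' "$rest" | grep -Eq "$OWNER_REPO_RE"; then
        printf '%s %s\n' "$mode" "$rest"
        return 0
    fi
    printf 'FORK_FIRST_RUN_ALERT_BAD_VAR\n'
    return 1
}
```

With this grammar `dry-run-foo/bar` is accepted as a repository whose owner is `dry-run-foo`, not as a dry run, because only whitespace separates the prefix from the override.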

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
