AntFleet

Disagreement · 44a066f2-openai-0

register-agent parses response under data.{id, apiKey} but spec/docs say top-level { id, apiKey }

mismatch
repo 799b2361·PR #1·reviewed 5 days ago

Primary finding

register-agent parses response under data.{id, apiKey} but spec/docs say top-level { id, apiKey }

highbughigh
  • src/commands/register-agent.ts:24-26
  • src/commands/register-agent.ts:38-46
  • src/commands/register-agent.ts:109-121
The code explicitly expects the API to return { id, apiKey } at the top level (comment), and the README also documents that. However, the implementation only reads body.data.id/apiKey. If the platform returns the documented top-level shape, body.data will be undefined and the command will incorrectly throw PLATFORM_API_INVALID_RESPONSE on a successful 200 response.

Recommendation

Make the parser accept the documented top-level shape. E.g., after parsing body, derive id/apiKey as (body as any).id || body?.data?.id and (body as any).apiKey || body?.data?.apiKey. Update RegisterResponse accordingly and keep the comment consistent with the actual API. Optionally log a deprecation notice if a legacy wrapped shape is detected.

Counterpart finding

apiKey is echoed to stdout in human-readable mode with no redaction option

lowsecuritymedium
  • src/commands/register-agent.ts:111-118
The persistent Bearer token is printed in plaintext to stdout in human mode. While this is intentional (the user must capture it), it is the kind of secret that commonly ends up in shell history files, terminal scrollback, CI logs, and screenshots. The output banner warns users to save it but offers no `--no-print-secret` / `--key-file <path>` alternative for safer capture, and `--json` is the agent-recommended mode but also writes apiKey to stdout. This is a known design tradeoff but worth flagging because the credential is non-recoverable (each register creates a new identity).

Recommendation

Consider supporting an opt-in `--output-file <path>` that writes credentials with mode 0600, and/or a `--mask-apikey` mode that prints only a prefix in human mode (full value still available via --json). At minimum, document that running in shared terminals/CI logs will persist the apiKey.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗
AntFleet · register-agent parses response under data.{id, apiKey} but spec/docs say top-level { id, apiKey }