AntFleet

Disagreement · 44a066f2-openai-1

README Authentication table incorrectly claims REPPO_API_KEY is required for register-agent (command uses no auth)

mismatch
repo 799b2361 · PR #1 · reviewed 5 days ago

Primary finding

README Authentication table incorrectly claims REPPO_API_KEY is required for register-agent (command uses no auth)

medium · docs-gap · high
  • README.md:25-26
  • src/commands/register-agent.ts:6
The README states REPPO_API_KEY is required for register-agent, but the implementation calls a no-auth endpoint and does not read or send any API key. This inconsistency will confuse users and scripts about necessary environment setup.

Recommendation

Update the Authentication table to remove REPPO_API_KEY as a requirement for register-agent. Clarify that register-agent is unauthenticated and returns the persistent apiKey used for subsequent agent-scoped endpoints. Also note that agent-scoped endpoints use that returned apiKey as Bearer auth.

Counterpart finding

README documents REPPO_API_KEY as required for register-agent, but the command never reads it

low · docs-gap · high
  • README.md:22
  • src/commands/register-agent.ts:70-80
  • src/commands/register-agent.ts:6-7
The README's authentication table lists REPPO_API_KEY as required for `register-agent`, but the command source explicitly states the endpoint is permissionless ('no auth required for registration itself — it's permissionless') and the fetch call sends no Authorization or API-key header. This is contradictory documentation: register-agent is the command that *produces* an apiKey, so requiring an apiKey to call it would be circular. Users following the README may set an unused variable and be confused; agents reading the README to determine env prerequisites will gate on a variable that has no effect.

Recommendation

Remove `register-agent` from the REPPO_API_KEY row in README.md (leave only `create-datanet` if that is still accurate), or add a footnote clarifying that register-agent itself is unauthenticated and only subsequent agent-scoped calls use the returned apiKey.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.