AntFleet

Disagreement · 44bd7a66-anthropic-9

detectProviders() inconsistently validates the anthropic key (skips sk-ant- prefix check used by getAnthropicKey)

solo Opus
repo 56f59a0d · PR #1 · reviewed 4 days ago

Opus finding

detectProviders() inconsistently validates the anthropic key (skips sk-ant- prefix check used by getAnthropicKey)

low · api-contract · high
  • src/config.ts:180-192
detectProviders reads ANTHROPIC_API_KEY directly with trim(), while openai/deepseek call their helpers. validateProviderKeys uses getAnthropicKey() which enforces the 'sk-ant-' prefix. So a status UI that calls detectProviders will report anthropic 'configured' even when the value is invalid; then validateProviderKeys will throw at runtime. UI/runtime disagreement is a contract gap. Easy fix: also call getAnthropicKey() but wrap to swallow throws into null (since detection is intentionally non-throwing).

Recommendation

Implement detectProviders().anthropic via a try/catch around getAnthropicKey() so the status UI reflects 'unset OR malformed → null'.
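The contract gap and the recommended fix, as an added example that is not code from the reviewed repository or from either reviewer. The function bodies, the `Env` parameter, the `Detection` shape and the names `detectProvidersLoose`, `detectProvidersStrict` and `agrees` are assumptions made for illustration; only the `sk-ant-` prefix check, the `trim()` read and the throwing validator come from the finding.

```typescript
// Hypothetical reconstruction: the real src/config.ts is not shown on this page.
type Env = Record<string, string | undefined>;
type Detection = { anthropic: "configured" | null };

// Strict helper as the finding describes it: enforces the 'sk-ant-' prefix.
// The error text never echoes the key value, so it is safe to log.
function getAnthropicKey(env: Env): string {
  const key = (env.ANTHROPIC_API_KEY ?? "").trim();
  if (!key.startsWith("sk-ant-")) {
    throw new Error("ANTHROPIC_API_KEY is unset or malformed");
  }
  return key;
}

// Flagged behaviour: reads the variable with trim() only, so any
// non-empty value is reported as configured.
function detectProvidersLoose(env: Env): Detection {
  const raw = (env.ANTHROPIC_API_KEY ?? "").trim();
  return { anthropic: raw ? "configured" : null };
}

// Recommended behaviour: reuse the strict helper and swallow its throw,
// so detection stays non-throwing and 'unset OR malformed' maps to null.
function detectProvidersStrict(env: Env): Detection {
  try {
    getAnthropicKey(env);
    return { anthropic: "configured" };
  } catch {
    return { anthropic: null };
  }
}

// Runtime gate (assumed to validate through getAnthropicKey, per the finding).
function validateProviderKeys(env: Env): void {
  getAnthropicKey(env);
}

// True when the status shown by `detect` matches what the runtime gate will do.
function agrees(detect: (e: Env) => Detection, env: Env): boolean {
  let runtimeOk = true;
  try { validateProviderKeys(env); } catch { runtimeOk = false; }
  return (detect(env).anthropic !== null) === runtimeOk;
}

// Constructed sample environments; none of these are real keys.
const samples: Env[] = [
  {},
  { ANTHROPIC_API_KEY: "   " },
  { ANTHROPIC_API_KEY: "not-a-real-key" },
  { ANTHROPIC_API_KEY: " sk-ant-EXAMPLE " },
];
```

Running `agrees` over `samples` works as a regression check: the loose detector disagrees with the runtime gate only on the malformed value, and the strict one agrees on every sample.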

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.