AntFleet

Disagreement · 5bbcd2d3-anthropic-0

selfJid/replySenderJid device-suffix stripping uses literal backslash-d regex, never matches

mismatch
repo 5149da9d · PR #3 · reviewed 2 days ago

Primary finding

selfJid/replySenderJid device-suffix stripping uses literal backslash-d regex, never matches

high · bug · high
  • src/web/auto-reply/monitor/group-gating.ts:118-120
The regex literal `/:\d+/` in source is `/:\\d+/` (escaped backslash followed by `d+`), which matches a colon followed by a literal backslash and one or more `d` characters – not a colon followed by digits. WhatsApp JIDs have device suffixes like `:12` separated by colon-digits. As a result, the device-suffix stripping intended to normalize JIDs before comparing for implicit reply-mention is a no-op. When `selfJid` is `12345@s.whatsapp.net` and `replyToSenderJid` is `12345:3@s.whatsapp.net` (or vice versa), the strings will not match and the implicit-mention detection (replies to the bot) silently fails. The E.164 fallback partially compensates only when both E.164 values are present; if only JIDs are available, the bot will fail to recognize replies and may skip messages that should be processed.

Recommendation

Use the regex literal `/:\d+/` (single backslash) so that JS source contains `replace(/:\d+/, "")`. The doubled backslash here was almost certainly a paste error from a JSON/string-escaped context.

Counterpart finding

Implicit mention detection uses incorrect regex; device suffix not stripped from JIDs

medium · bug · high
  • src/web/auto-reply/monitor/group-gating.ts:121-123
The pattern /:\d+/ in a regex literal matches a colon followed by a literal backslash and one or more 'd' characters, not digits. This fails to strip the ":<digits>" device suffix (e.g., ":1"). As a result, implicitMention may be false when reply-to sender equals self except for differing device suffixes.

Recommendation

Use a correct digit-matching pattern, ideally anchored to the end: replace(/:\d+$/, ""). This reliably removes a trailing ":<digits>" device suffix for both selfJid and replySenderJid. Alternatively, parse JIDs via a helper that normalizes device suffixes.
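The three patterns named in the two findings, run against the sample JIDs from the primary finding. This is an added example, not code from the reviewed PR. It assumes each pattern is applied to the full JID string, and `normalizeJid` and `sameAccount` are hypothetical helpers.

```javascript
// Added example. JIDs are constructed, in the format the findings describe.
const SELF_JID = "12345@s.whatsapp.net";
const REPLY_JID = "12345:3@s.whatsapp.net"; // same account, device 3

const PATTERNS = {
  doubled: /:\\d+/,     // flagged form: colon, literal backslash, then "d"s
  unanchored: /:\d+/,   // primary recommendation: colon then digits
  anchoredEnd: /:\d+$/, // counterpart recommendation: digits must end the string
};

// Strip with the given pattern, the way the flagged lines are described.
function strip(jid, pattern) {
  return jid.replace(pattern, "");
}

// Hypothetical helper: split at "@" first, then drop a trailing ":<digits>"
// from the user part, where the end anchor is safe to use.
function normalizeJid(jid) {
  if (typeof jid !== "string") return null;
  const at = jid.lastIndexOf("@");
  if (at <= 0 || at === jid.length - 1) return null; // need user and server
  const user = jid.slice(0, at).replace(/:\d+$/, "");
  if (!user) return null;
  return `${user}@${jid.slice(at + 1).toLowerCase()}`;
}

// Malformed input never counts as a match (avoids null === null).
function sameAccount(a, b) {
  const na = normalizeJid(a);
  return na !== null && na === normalizeJid(b);
}

// Does each approach treat the two sample JIDs as the same account?
function compareApproaches() {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    out[name] = strip(SELF_JID, re) === strip(REPLY_JID, re);
  }
  out.helper = sameAccount(SELF_JID, REPLY_JID);
  return out;
}

console.log(compareApproaches());
```

On a full JID the device suffix sits before `@s.whatsapp.net`, so the end-anchored pattern only matches once the server part has been split off, as the helper does.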

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.