AntFleet

Disagreement · 6017bf3f-anthropic-5

`VALID_SECRET_NAME` regex allows starting underscore-free names but the comment/intent suggests stricter env-var rules; collisions with reserved/system names not blocked

mismatch
repo 6f7fc663 · PR #25 · reviewed 1 week ago

Primary finding

`VALID_SECRET_NAME` regex allows starting underscore-free names but the comment/intent suggests stricter env-var rules; collisions with reserved/system names not blocked

low · api-contract · medium
  • dashboard/app/api/secrets/route.ts:27-28
GitHub itself reserves names starting with `GITHUB_` and disallows names starting with a digit; the regex correctly forbids leading digits but permits `GITHUB_FOO`, which gh will reject — producing a 500 with a raw error message (see other finding) instead of a clean 400. Minor, but combined with the error-leak finding it amplifies confusion. Also, `{1,}` means the minimum total length is 2; GitHub allows 1-char-after-prefix, but in practice this is fine.

Recommendation

Reject names matching /^GITHUB_/i and (optionally) length > 100 with a 400 before calling gh.

Counterpart finding

Duplicate gh helper functions across files increases drift risk

low · maintainability · high
  • dashboard/app/api/auth/route.ts:4-11
  • dashboard/app/api/auth/route.ts:13-23
  • dashboard/app/api/auth/route.ts:25-28
  • dashboard/app/api/secrets/route.ts:32-39
  • dashboard/app/api/secrets/route.ts:41-51
  • dashboard/app/api/secrets/route.ts:53-56
Identical helper logic is defined in multiple files, increasing maintenance burden and the risk of inconsistent behavior over time.

Recommendation

Extract shared gh helpers into a common module and import them from both routes.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
