AntFleet

Disagreement · 7284403c-anthropic-4

BigInt coercion of totalClaimable will throw on decimal strings or scientific notation

solo Opus
repo 799b2361 · PR #2 · reviewed 5 days ago

Opus finding

BigInt coercion of totalClaimable will throw on decimal strings or scientific notation

medium · bug · high
  • src/commands/query/emissions-due.ts:117-123
BigInt() throws SyntaxError if given a string with a decimal point or 'e' (e.g. '1.5' or '1e18'). If the platform ever returns totalClaimable as a JS number that serializes with decimals (very common when REST APIs format BigInts as strings inconsistently), the command crashes with a raw SyntaxError rather than the structured PLATFORM_API_INVALID_RESPONSE / PLATFORM_API_ERROR contract. Same risk for `e.amount` though that one is preserved as a string and not BigInt'd until display — actually it's never BigInt'd, but totalClaimable is.

Recommendation

Validate via a try/catch around the BigInt() call, throwing cliError('PLATFORM_API_INVALID_RESPONSE') with the offending field.
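As an added example (not code from the PR or from the AntFleet review), the TypeScript below shows what a raw BigInt() call does with each input kind the finding names, and one way to apply the recommended try/catch so a malformed platform response surfaces as a structured error instead of a SyntaxError. `CliError` and its constructor shape are assumptions standing in for the project's `cliError()` helper, which is not shown on this page; the sample responses are constructed.

```typescript
// Added example, not code from the PR under review. `CliError` is an assumed
// stand-in for the project's cliError() helper, whose signature is not shown.
class CliError extends Error {
  constructor(public readonly code: string, message: string) {
    super(message);
    this.name = "CliError";
  }
}

// What an unguarded BigInt() call does with a given input.
function rawBigIntOutcome(value: unknown): string {
  try {
    return `ok:${BigInt(value as any).toString()}`;
  } catch (err) {
    return `throws:${(err as Error).name}`;
  }
}

// Allow only an optional sign followed by decimal digits. This is stricter than
// BigInt() itself, which also accepts "", "0x1f" and surrounding whitespace;
// a claimable-balance field should never carry any of those.
const INTEGER_STRING = /^-?\d+$/;

function parseBigIntField(field: string, value: unknown): bigint {
  if (typeof value === "number") {
    // A JS number is only safe to coerce if it is an integer below 2^53;
    // anything larger has already lost precision on the platform side.
    if (!Number.isSafeInteger(value)) {
      throw new CliError("PLATFORM_API_INVALID_RESPONSE",
        `${field}: expected an integer string, got number ${value}`);
    }
    return BigInt(value);
  }
  if (typeof value !== "string" || !INTEGER_STRING.test(value)) {
    throw new CliError("PLATFORM_API_INVALID_RESPONSE",
      `${field}: expected an integer string, got ${JSON.stringify(value)}`);
  }
  try {
    return BigInt(value);
  } catch (err) {
    // Unreachable for inputs that passed the regex; kept so any later
    // relaxation of the check still maps onto the API error contract.
    throw new CliError("PLATFORM_API_INVALID_RESPONSE",
      `${field}: ${(err as Error).message}`);
  }
}

// Returns the structured error code, or "ok:<value>" on success.
function classify(resp: Record<string, unknown>): string {
  try {
    return `ok:${parseBigIntField("totalClaimable", resp.totalClaimable)}`;
  } catch (err) {
    return err instanceof CliError ? err.code : `unexpected:${(err as Error).name}`;
  }
}

// Constructed sample responses in the shape the finding describes.
const samples: Array<Record<string, unknown>> = [
  { totalClaimable: "1500000000000000000" },
  { totalClaimable: "1.5" },
  { totalClaimable: "1e18" },
  { totalClaimable: String(1.5e21) }, // a JS number serialized as "1.5e+21"
  { totalClaimable: 1.5 },            // raw BigInt(1.5) throws RangeError
  { totalClaimable: "" },             // raw BigInt("") is 0n: silently wrong
];

for (const s of samples) {
  console.log(JSON.stringify(s.totalClaimable),
    rawBigIntOutcome(s.totalClaimable), classify(s));
}
```

The empty-string row is the reason the example does not rely on try/catch alone: BigInt("") returns 0n without throwing, and BigInt also accepts hex prefixes and whitespace, so a catch block would turn a malformed balance into a plausible zero. The allow-list regex rejects those before coercion and the catch remains as a backstop.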

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.