AntFleet

Disagreement · 748568f3-anthropic-4

Welcome/onboarder prompt tests do not assert that the opt-in token is not leaked into the welcome prompt

solo Opus
repo e24ef98c · PR #9 · reviewed 1 week ago

Opus finding

Welcome/onboarder prompt tests do not assert that the opt-in token is not leaked into the welcome prompt

low · test-gap · medium
  • apps/web/lib/onboarder.test.ts:9-27
`welcomePrompt` is called without an `optInUrl` arg in tests, suggesting it doesn't include the token. But there is no assertion that the welcome prompt does NOT contain the (30-day bearer) token. Since the comment in optin-token.ts warns 'Never log the raw token — it's a bearer credential for 30 days', a defensive test that ensures the welcome prompt never embeds the verbatim token would catch a future refactor accident.

Recommendation

Add a unit test asserting welcomePrompt output never contains a `?t=` pattern or any base64url segment of the canonical token shape.
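One way to write the check the recommendation describes, as an added example that is not code from the reviewed repository or from AntFleet. `welcomePromptSafe`, `welcomePromptLeaky`, the 32-byte base64url token shape (43 characters from `[A-Za-z0-9_-]`) and the sample token are assumptions standing in for the real `welcomePrompt` and `optin-token.ts`; the detector goes slightly beyond the finding by also catching `&t=` and a token-shaped run that is not the verbatim token.

```typescript
// Added example: a leak detector for welcome prompts plus two stand-in prompt
// builders (safe vs. an accidental refactor that embeds the opt-in URL).
// Nothing here is the project's own code.

// Assumed canonical token shape: 32 random bytes, base64url, no padding -> 43 chars.
const TOKEN_LEN = 43;
const TOKEN_SHAPED_SEGMENT = new RegExp(`[A-Za-z0-9_-]{${TOKEN_LEN}}`);
// Catches "?t=" at the start of a query string and "&t=" later in it.
const TOKEN_QUERY_PARAM = /[?&]t=/;

// Constructed sample token (exactly 43 base64url chars), not a real credential.
const SAMPLE_TOKEN = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ";

interface LeakReport {
  hasQueryParam: boolean;        // a "?t=" / "&t=" parameter appears in the text
  hasVerbatimToken: boolean;     // the exact bearer token appears in the text
  hasTokenShapedSegment: boolean; // any run that looks like a canonical token
}

// Scan a rendered prompt for the three leak signals. The shape check is
// deliberately strict: a 43-char run of base64url characters in a welcome
// message is far more likely to be a credential than prose.
function findTokenLeaks(prompt: string, token: string): LeakReport {
  return {
    hasQueryParam: TOKEN_QUERY_PARAM.test(prompt),
    hasVerbatimToken: token.length > 0 && prompt.includes(token),
    hasTokenShapedSegment: TOKEN_SHAPED_SEGMENT.test(prompt),
  };
}

// Single boolean for use in a test assertion: any signal counts as a leak.
function leaksToken(prompt: string, token: string): boolean {
  const r = findTokenLeaks(prompt, token);
  return r.hasQueryParam || r.hasVerbatimToken || r.hasTokenShapedSegment;
}

// Stand-in for the intended behaviour: the prompt never sees the opt-in URL.
function welcomePromptSafe(name: string): string {
  return `Welcome, ${name}! Check your inbox for the opt-in link to finish setup.`;
}

// Stand-in for the "future refactor accident" the finding warns about: someone
// threads optInUrl through to the prompt for convenience, and the 30-day
// bearer token now lands in the prompt text (and wherever that text is logged).
function welcomePromptLeaky(name: string, optInUrl: string): string {
  return `Welcome, ${name}! Confirm here: ${optInUrl}`;
}

// Usage, as the unit test in onboarder.test.ts would do it.
function demo(): boolean {
  const url = `https://example.test/optin?t=${SAMPLE_TOKEN}`;
  const safe = !leaksToken(welcomePromptSafe("Ada"), SAMPLE_TOKEN);
  const leaky = leaksToken(welcomePromptLeaky("Ada", url), SAMPLE_TOKEN);
  return safe && leaky; // true: safe prompt passes, leaky prompt is caught
}
```

The `?t=` and verbatim checks are what the finding asks for; the shape check is the defensive extra that still fires if a refactor renames the query parameter or prints the token bare. If the real token length differs, change `TOKEN_LEN` to match `optin-token.ts`, since a too-short pattern will false-positive on ordinary words.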

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.