Disagreement · b1d71d08-openai-1

Sandbox note claims “No gh api calls” but Step 2 requires gh api

mismatch

repo 6f7fc663·PR #24·reviewed 1 week ago

Primary finding

Sandbox note claims “No gh api calls” but Step 2 requires gh api

mediumdocs-gaphigh

skills/fleet-state/SKILL.md:60-67
skills/fleet-state/SKILL.md:396-398

The implementation sample for resolving the parent repo explicitly invokes gh api, which contradicts the Sandbox note’s guarantee of no gh api calls. This is an operator expectation mismatch that can break in environments without gh or network access, and it undercuts the stated constraint of pure local I/O.

Recommendation

Align docs and implementation: - Either (A) update Sandbox note to acknowledge a minimal gh api call used only to resolve the parent repo and list gh and GITHUB_TOKEN as prerequisites; or (B) remove gh dependency by reading $GITHUB_REPOSITORY (for current repo full name) and skipping parent resolution altogether, or caching/storing parent in state and only updating it when provided via var. If parent detection is retained, clearly state that gh api is used and is read-only.

Counterpart finding

PARENT_REPO via gh api missing auth/error handling — failure silently empties PARENT_OWNER

lowbugmedium

skills/fleet-state/SKILL.md:70-76
skills/fleet-state/SKILL.md:343-348

If `gh repo view` or `gh api` fails (rate-limit, missing GH_TOKEN, offline run), PARENT_REPO becomes empty and PARENT_OWNER is empty. The subsequent parent-comparison logic ("If the state file's `parent` is set and differs from the resolved `PARENT_REPO` → clear snapshot + history") will treat "" as a different parent and *nuke 12 weeks of history*. This is a data-loss path triggered by a transient API failure. Also note: the constraints section says "never calls gh api on fork repos" but does call gh api on the current repo's nameWithOwner — minor; but a transient failure should not wipe history.

Recommendation

Validate `[ -n "$PARENT_REPO" ]` after the gh call; on failure, log `FLEET_STATE_PARENT_UNRESOLVED` and exit without touching state, OR fall back to the stored parent.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

highdata-loss
State file rollback uses non-existent .bak and can cause data loss on write failure
view anatomy →

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗