AntFleet

Disagreement · b7190c33-openai-0

upsertAuthProfileWithLock stores raw secrets without normalization (inconsistent with upsertAuthProfile)

solo GPT-5
repo 5149da9d·PR #2·reviewed 2 days ago

GPT-5 finding

upsertAuthProfileWithLock stores raw secrets without normalization (inconsistent with upsertAuthProfile)

mediumapi-contracthigh
  • src/agents/auth-profiles/profiles.ts:53-63
  • src/agents/auth-profiles/profiles.ts:74-80
The non-locking upsert path normalizes API keys/tokens, trimming or cleaning inputs. The locking variant writes the credential object as-is, which can persist secrets with trailing whitespace/newlines and lead to auth failures or inconsistent behavior depending on which API is used.

Recommendation

Apply the same normalization in upsertAuthProfileWithLock as in upsertAuthProfile (e.g., reuse the normalization branch or call normalizeSecretInput on key/token fields before updating the store). Consider delegating both code paths to a common helper to avoid drift.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →
← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗