AntFleet

Disagreement · b7190c33-openai-2

Inconsistent config compatibility: tryResolveOAuthProfile rejects token credentials when config.mode is "oauth", but resolveApiKeyForProfile allows it

mismatch
repo 5149da9d·PR #2·reviewed 2 days ago

Primary finding

Inconsistent config compatibility: tryResolveOAuthProfile rejects token credentials when config.mode is "oauth", but resolveApiKeyForProfile allows it

mediumbughigh
  • src/agents/auth-profiles/oauth.ts:106-112
  • src/agents/auth-profiles/oauth.ts:151-156
  • src/agents/auth-profiles/oauth.ts:219-224
resolveApiKeyForProfile explicitly treats config.mode "oauth" as compatible with stored token-based credentials, but tryResolveOAuthProfile strictly enforces mode equality. In fallback flows, resolveApiKeyForProfile delegates to tryResolveOAuthProfile, which will then reject otherwise compatible token credentials, causing unnecessary failures.

Recommendation

Align tryResolveOAuthProfile with the compatibility rule used in resolveApiKeyForProfile; allow config.mode "oauth" to accept stored token credentials. Alternatively, bypass tryResolveOAuthProfile in the fallback when the stored credential is a token and handle it similarly to resolveApiKeyForProfile.

Counterpart finding

Compatibility comment claims oauth/token mismatch is allowed but condition rejects all other mismatches silently

lowmaintainabilityhigh
  • src/agents/auth-profiles/oauth.ts:138-146
The comment is accurate but narrow. The negative condition returns null for all other mode/type mismatches, including legitimate ones like config=`token` and cred=`oauth` or vice versa for new providers. Returning null silently without logging makes provider migrations hard to diagnose. Recommend logging the mismatch.

Recommendation

Add a debug log when rejecting due to mode/type mismatch so misconfigurations are diagnosable.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →
← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗