AntFleet

Disagreement · c1b2ef35-openai-0

Required GitHub App credentials are not validated before use

solo GPT-5
repo e24ef98c · PR #6 · reviewed 1 week ago

GPT-5 finding

Required GitHub App credentials are not validated before use

low · api-contract · high
  • apps/web/scripts/inspect-app.ts:20-23
  • apps/web/scripts/inspect-app-hook.ts:21-24
Both scripts depend on GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY, but rely on the non-null assertion operator. If either env var is missing or malformed, the failure will occur deep inside Octokit with a less actionable error. A simple upfront check would give immediate, clear feedback and prevent confusing stack traces.

Recommendation

Before calling createAppAuth, explicitly validate that process.env.GITHUB_APP_ID and process.env.GITHUB_APP_PRIVATE_KEY are present (and optionally that appId is a valid number/string). If missing, print a clear error (e.g., which variable is missing and expected location .env.local) and exit(1).
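The up-front check the recommendation describes, as an added example (not code from the reviewed PR or from AntFleet). The env var names GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY come from the finding; the `.env.local` hint, the numeric-id rule, the PEM marker check and the literal `\n` unescaping are assumptions about how the two scripts load their configuration. The validation is kept pure (no exit, no throw) so it can be unit tested, with a throwing wrapper for script use:

```typescript
// Added example (not code from the reviewed PR): fail fast on missing or
// malformed GitHub App credentials before handing them to createAppAuth.
// The env var names come from the finding; the .env.local hint, the PEM
// check and the "\n" unescaping are assumptions about how the scripts load
// their configuration.

export interface GitHubAppCredentials {
  appId: string;
  privateKey: string;
}

export interface CredentialCheck {
  ok: boolean;
  credentials?: GitHubAppCredentials;
  problems: string[];
}

// Assumed location the scripts read their env vars from.
const ENV_FILE_HINT = ".env.local";

// Pure validation: never throws, never exits, so it is easy to unit test.
export function checkGitHubAppCredentials(
  env: Record<string, string | undefined>,
): CredentialCheck {
  const problems: string[] = [];

  const appId = env.GITHUB_APP_ID?.trim();
  if (!appId) {
    problems.push(`GITHUB_APP_ID is not set (expected in ${ENV_FILE_HINT})`);
  } else if (!/^\d+$/.test(appId)) {
    // GitHub App ids are numeric; anything else is a copy/paste mistake.
    problems.push(`GITHUB_APP_ID must be numeric, got "${appId}"`);
  }

  const rawKey = env.GITHUB_APP_PRIVATE_KEY;
  let privateKey = "";
  if (!rawKey) {
    problems.push(`GITHUB_APP_PRIVATE_KEY is not set (expected in ${ENV_FILE_HINT})`);
  } else {
    // Assumption: .env files often store the PEM with literal "\n" sequences;
    // normalise them so the key reaches Octokit with real newlines.
    privateKey = rawKey.replace(/\\n/g, "\n").trim();
    if (!privateKey.startsWith("-----BEGIN") || !privateKey.includes("-----END")) {
      // Deliberately do not echo the value: it is a secret.
      problems.push(
        "GITHUB_APP_PRIVATE_KEY does not look like a PEM-encoded private key " +
          "(missing -----BEGIN/-----END markers)",
      );
    }
  }

  if (problems.length > 0) {
    return { ok: false, problems };
  }
  return { ok: true, credentials: { appId: appId as string, privateKey }, problems };
}

// Throwing wrapper for scripts: one actionable message instead of a stack
// trace from deep inside Octokit.
export function requireGitHubAppCredentials(
  env: Record<string, string | undefined>,
): GitHubAppCredentials {
  const result = checkGitHubAppCredentials(env);
  if (!result.ok || !result.credentials) {
    throw new Error(
      "GitHub App credentials are not usable:\n  - " + result.problems.join("\n  - "),
    );
  }
  return result.credentials;
}

// Script entry point pattern (assumed): run this before createAppAuth.
//   try {
//     const { appId, privateKey } = requireGitHubAppCredentials(process.env);
//     const auth = createAppAuth({ appId, privateKey });
//   } catch (err) {
//     console.error((err as Error).message);
//     process.exit(1);
//   }
```

Keeping the secret out of the error text matters: the private key must never end up in CI logs, so only the app id (not sensitive) is echoed back when it fails validation.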

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
