860

RSS feed crashes when a cross-repo merged row has null mergedAt (type lies)

loadCrossRepoReceipts.limit applied to mergedAt DESC NULLS LAST can include in-progress rows after the lag-aware code path

Cron sweep route returns 200 even when sweep results are degraded (no per-section status surfacing)

ANTFLEET_OPS_GH_TOKEN is shared with manual `gh` work — broad-scope PAT used by automated cron path

seed-outgoing-pr.ts trusts unvalidated CLI args (owner/repo/branch) without sanity-checking format

extractFindingAtIndex returns wrong-finding fallback silently when JSON shape mismatches

RSS pubDate sort uses Date.getTime() — same-repo items with null closedAt are filtered, but if every receipt has null closedAt and crossRepo also empty, lastBuildDate falls back to `new Date()` causing feed mtime churn

Misleading comment and incorrect typing: searchParams is not a Promise in Next.js App Router

Potential runtime incompatibility: use of Array.prototype.toSorted in Node.js route

RSS feed crashes when a same-repo receipt has null closedAt is filtered, but cross-repo receipts with null mergedAt are not filtered before sort

Cron route authorization compares Buffers of unequal length via timingSafeEqual without short-circuit safety, but bypasses constant-time when lengths differ

loadOpenPrs in realPollDeps ignores the POLL_INTERVAL_MS politeness budget — every tick polls every open row

Use of Array.prototype.toSorted requires Node 20+ — may crash on Node 18 runtimes

Onboarder error path stamps onboarderResult with zeros but reported as `onboarder` in success response — masks partial failure to API consumers

`outgoingPrs.mergeSha` lacks a CHECK or NOT NULL constraint despite the receipts loader treating it as required

Receipts page `before` cursor accepts any parseable date string — no upper bound, allowing scan from far future

loadCrossRepoReceipts orders by mergedAt DESC NULLS LAST but the type guarantees mergedAt is non-null for merged rows — NULLS LAST is dead code that hides invariant violations

vitest setup file path './test/setup-env.ts' referenced but not included in the changed files — risk of broken test bootstrap

seed-outgoing-pr.ts claims idempotency but can throw on concurrent runs (no ON CONFLICT)

Comment and typing for searchParams in Receipts page are misleading; searchParams is not a Promise in Next.js App Router

RSS lastBuildDate fallback uses `new Date()` when both feeds are empty — defeats Cache-Control freshness

verifyTokenDetailed leaks expiry status before authenticating the payload bytes — but expiry check happens after HMAC verify so timing/info disclosure is bounded; however expired tokens with mismatched payload still report 'expired' incorrectly only if HMAC matches — which is fine. Real issue: expiry is read from the signed payload, but installationId/owner/repo type checks happen after exp check via parsed JSON — order is OK. (No finding here.)

flipReceipt is invoked before recordEvent persistence error handling — but flipReceipt itself has no try/catch, so a DB error in flipReceipt produces a 500 with no friendly page

Opt-in link is a 30-day bearer credential vulnerable to referer/log leakage and replay-as-disable

Misleading docstring: 'replay inside the validity window is a no-op, not an exploit'

recordEvent failure is logged but never retried/backfilled — audit row silently missing

action parameter silently coerced — typos default to 'enable'

Script entrypoint guard is fragile under bundling/symlinks

Use of Array.prototype.toSorted limits runtime compatibility (Node 18 lacks it)

Policy page links to the wrong GitHub repository path for schema.ts

Unhandled missing OPTIN_HMAC_SECRET causes 500 instead of a friendly error

Benchmark backfill logs can misreport flipped row count

Action parameter silently coerced — typo in `action` query returns success page claiming the wrong operation

Token comparison decodes attacker-controlled base64 length before length check — non-issue but `timingSafeEqual` precondition is checked correctly; however, payload JSON parsing happens after MAC verify which is fine, but the `dot === token.length - 1` guard does not reject tokens whose payload is empty

`backfill-benchmark-flag.ts` script detection of direct execution is fragile under compiled / symlinked runs

`/api/opt-in` swallows `flipReceipt` errors and bubbles them as a 5xx, but no try/catch around the flip means transient DB errors surface as unhandled 500s

Welcome/onboarder prompt tests do not assert that the opt-in token is not leaked into the welcome prompt

Opt-in route never re-validates `payload.owner`/`payload.repo` shape before passing to DB

Broken schema link in Data policy points to wrong GitHub repository

Admin backfill script uses Array.prototype.toSorted — Node compatibility risk

Dry-run summary counter can be misleading: rowsFlipped always 0 while decisions report would-flip counts

Use of Array.prototype.toSorted may break on Node runtimes without ES2023 features

Cross-repo receipts loader can silently underfill the requested limit due to post-query filtering

RSS feed may exceed intended item cap by combining two independently limited streams without a final cap

Misleading comment: Next.js App Router searchParams is not a Promise

RSS feed crashes when a cross-repo merged row has null mergedAt

Cross-repo RSS items use mergedAt while same-repo items use closedAt — ordering and lastBuildDate compute on heterogeneous timestamps

loadCrossRepoReceipts total count includes merged rows missing mergedAt/mergeSha — UI count can drift from displayed rows

seed-outgoing-pr.ts mis-parses negative or non-numeric PR numbers via parseInt's permissive behavior

loadOpenPrs threshold lets first poll happen immediately but cron handler may starve outgoing-PR polls under sweep timeout