Receipt · 5bbcd2d3-0
Allowlist comparisons use normalized lists but compare against unnormalized candidates (can mis-block/allow DMs/groups)
The finding
- src/web/inbound/access-control.ts:70-74
- src/web/inbound/access-control.ts:142-147
- src/web/inbound/access-control.ts:75-79
- src/web/inbound/access-control.ts:106-109
- src/web/inbound/access-control.ts:58-59
The allowlists are normalized (digits-only) but comparisons use unnormalized candidates (params.from and params.senderE164). Formatting differences (e.g., leading '+', spaces) will cause includes() to fail, incorrectly blocking legitimate senders or allowing mismatches depending on data shape. Similarly, isSamePhone uses raw string equality and may misclassify the same phone due to formatting differences.
Fix
Normalize candidates with the same function used for the allowlists before comparing:
- For DMs: const candidate = normalizeE164(params.from);
- For groups: const candidateSender = params.senderE164 ? normalizeE164(params.senderE164) : null;
- For same-phone checks: compare normalizeE164(params.from) with normalizeE164(params.selfE164 ?? "").
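The mismatch and the fix side by side, as an added example that is not the project's code: normalizeE164, params.from, senderE164 and selfE164 are taken from the finding, while the digits-only normalization, the AccessParams shape, the isGroup flag and all phone numbers are constructed assumptions.

```typescript
// Added example, not from access-control.ts. The allowlist entries, numbers
// and the AccessParams shape are constructed for illustration.
type AccessParams = {
  from: string;          // DM sender as delivered by the transport (may carry '+', spaces)
  senderE164?: string;   // group message sender, if known
  selfE164?: string;     // this account's own number
  isGroup: boolean;      // constructed flag selecting the DM or group path
};

// Assumed normalization: keep digits only, matching how the finding describes the lists.
export function normalizeE164(raw: string): string {
  return raw.replace(/\D/g, "");
}

// Allowlists are normalized once when loaded.
const ALLOWED_DMS = ["+1 (555) 010-0001"].map(normalizeE164);          // ["15550100001"]
const ALLOWED_GROUP_SENDERS = ["+44 20 7946 0958"].map(normalizeE164); // ["442079460958"]

// Buggy shape: raw candidate compared against a normalized list.
export function isAllowedBuggy(p: AccessParams): boolean {
  if (p.isGroup) return p.senderE164 ? ALLOWED_GROUP_SENDERS.includes(p.senderE164) : false;
  return ALLOWED_DMS.includes(p.from);
}

// Fixed shape: normalize the candidate with the same function before includes().
export function isAllowedFixed(p: AccessParams): boolean {
  if (p.isGroup) {
    const candidateSender = p.senderE164 ? normalizeE164(p.senderE164) : null;
    return candidateSender !== null && ALLOWED_GROUP_SENDERS.includes(candidateSender);
  }
  return ALLOWED_DMS.includes(normalizeE164(p.from));
}

// Buggy same-phone check: raw string equality.
export function isSamePhoneBuggy(p: AccessParams): boolean {
  return p.from === (p.selfE164 ?? "");
}

// Fixed same-phone check: normalize both sides, and never treat an empty
// (unknown) self number as matching an empty normalized sender.
export function isSamePhoneFixed(p: AccessParams): boolean {
  const self = normalizeE164(p.selfE164 ?? "");
  return self.length > 0 && normalizeE164(p.from) === self;
}
```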
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
56.9s · error
openai
claude-opus-4-7
230.6s · error
Total
wall-clock review time · est. inference cost
230.6s · $0.40
Sweeper
closed at SHA
still open
internal review id · 5bbcd2d3
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/AntFleet/bench-bitterbot-desktop/pull/3#issuecomment-4562428247