Receipt · 9b74dece-0

action query param does not distinguish enable vs missing — disable-link replay flips on

bugmediumclosed in a58382aclosed in 54 minutes

repo e24ef98c·PR #9·reviewed 2 days ago·2 days ago

The finding

apps/web/app/api/opt-in/route.ts:36-39

The route treats any value of `action` other than the exact string "disable" as "enable". This means typos (action=disabled, action=DISABLE, action=off) silently re-enable public receipts even when the user clearly intended to disable. Since the disable link is the user's main self-serve reversal channel and the same token round-trips both flows, a small typo flips the privacy bit the wrong way and emits a public_receipts_enabled audit event. There is no explicit allowlist check or 400 for unknown actions.

Fix

Reject unknown action values (return 400) or at minimum case-fold/whitelist {enable,disable}. Treating missing-or-unknown as enable is fine for the default link case, but mixed-case or near-miss tokens should not silently invert the user's intent.

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

59.8s · error

openai

claude-opus-4-7

125.7s · error

Total

wall-clock review time · est. inference cost

125.7s · $0.40

Sweeper

closed at SHA a58382a

closed in 54 minutes

internal review id · 9b74dece

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.

Closure receipt comment
https://github.com/AntFleet/antfleet/pull/9#issuecomment-4476011537
Original review comment
https://github.com/AntFleet/antfleet/pull/9#issuecomment-4475624347
The pull request
https://github.com/AntFleet/antfleet/pull/9

← back to all receipts