Intent-Code Divergence
Medium
- Confidence
- 95% confidence
- Finding
- The documentation says `GET /api/v1/builds/mine?slug=<slug>` is a public lookup with no authentication required, even though the path name implies a private authenticated resource (`/builds/mine`). Ambiguous or incorrect auth documentation can cause client developers and agents to expose private build data assumptions, misuse credentials, or accidentally rely on an endpoint being public when it should not be, indicating an access-control documentation flaw with real security consequences if implemented as documented.
