Area: Integration / API (audit p13) · Surface: /admin/api/settings (rate-limit precedence card) · Dimension: Law 6 (config paths on UI) · Severity: cosmetic
Law 6 says users should not see internal mechanisms such as config file paths. This admin surface exposes 'app.ini' and the raw key 'api.rate_limit_per_minute'. It is a privileged super-admin surface (app.ini is super-admin-writable in this codebase), so the severity is low, but the phrasing leaks implementation detail where 'the platform default' alone would read more cleanly and stay on-brand.
Evidence
platform/templates/admin/api-keys/settings.php:63 `<span class="ak-stat-strip__sub">from app.ini</span>`, :97 `…the platform default of <strong><code>…</code></strong> req/min from <code>app.ini</code>.`, :125 `<strong>Platform default</strong> from <code>api.rate_limit_per_minute</code> in <code>app.ini</code> is the floor…`. These name the internal config file and config key directly to the tenant super-admin audience.
Suggested fix. Drop the file/key names from customer-facing copy — say 'the platform default' instead of 'from app.ini' / 'api.rate_limit_per_minute in app.ini'. Keep the numeric value; remove the mechanism.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus