Skip to content

Instantly share code, notes, and snippets.

@makash
Created March 31, 2026 11:32
Show Gist options
  • Select an option

  • Save makash/e75594e184a1d543e6ee912972824e97 to your computer and use it in GitHub Desktop.

Select an option

Save makash/e75594e184a1d543e6ee912972824e97 to your computer and use it in GitHub Desktop.
Codex Reviewing the Leaked Claude Code Source Code for Security and other NFRs

Review this source code using subagents and give me an executive brief about the security, performance and other NFRs

• Reviewing the repository with parallel subagents is the right shape for this request. I’ll map the codebase first, then run focused reviews for security, performance, and broader NFR concerns, and finish with an executive brief plus concrete findings.

• I’ve confirmed this is a large TypeScript codebase, with the main CLI logic concentrated in main.tsx, query.ts, QueryEngine.ts, Tool.ts, and the tools/, services/, and commands/ trees. I’m pulling the repo-review and specialist review skills now, then I’ll split security, performance, and maintainability analysis across parallel agents.

• The repo has no README or config manifests at the top level, so I’m treating the source itself as the primary documentation. I’m launching four parallel review agents now: codebase mapping, security, performance, and broader NFR/architecture.

• The early picture is a CLI/agent runtime with substantial local shell, file, MCP, and remote-session surface area. I’m drilling into the trust boundaries now: hooks, MCP config/ auth, remote session transport, and the tool execution path, since those are where security and reliability findings are most likely to be real rather than speculative.

• I’m now verifying whether the expensive-looking paths are actually optimized or just commented as such. The main candidate so far is transcript persistence in the SDK/query loop, because if it serializes the whole conversation on every streamed assistant chunk, that turns long sessions into quadratic I/O.

• The first concrete risks are converging around trust-boundary exceptions rather than classic injection bugs. I’m waiting on the specialist agents now and cross-checking their findings against the source so the final brief stays evidence-based.

• The architecture agent confirmed the broad shape I’d already seen: the code is thoughtfully layered, but the blast radius sits in a small set of huge orchestration files. I’m holding the final brief until the security and performance agents finish so I can separate genuine findings from design tradeoffs.

• I have enough to draft the review, but I’m giving the dedicated security agent one more window to either corroborate or contradict the trust-boundary findings before I close. If it doesn’t return, I’ll synthesize from the source plus the completed specialist reviews.

• The security review is back, and it narrowed the risk profile in a useful way: the code is not generally “wide open,” but there are a few concrete trust-boundary mistakes around auth and session bootstrap. I’m validating those specific paths now and then I’ll give you the executive brief with severity, NFR posture, and what I’d fix first.

• I reviewed the repository statically with four parallel subagents focused on architecture, security, performance, and broader NFRs.

Findings

  • High: Dangerous remote-managed settings are auto-applied in non-interactive sessions, bypassing the approval gate. The check returns no_check_needed when the session is not interactive, and the fetched settings are then applied and persisted anyway. See services/remoteManagedSettings/securityCheck.tsx:33 and services/remoteManagedSettings/ index.ts:458.
  • High: Settings/state persistence is non-atomic in two paths, so crashes or concurrent reads can leave truncated JSON on disk. See services/settingsSync/index.ts:461 and services/ remoteManagedSettings/index.ts:367.
  • High: Transcript persistence rescans the full in-memory conversation on nearly every persisted event, which will trend toward quadratic CPU/GC cost in long or tool-heavy sessions. QueryEngine repeatedly calls recordTranscript(messages) on a growing message array, and recordTranscript walks it again to find deltas. See QueryEngine.ts:430, QueryEngine.ts:716, QueryEngine.ts:779, QueryEngine.ts:833, and utils/sessionStorage.ts:1408.
  • Medium: The manual OAuth flow accepts pasted authorization codes without validating state, so it is exposed to login CSRF/account-confusion in manual auth flows. The localhost callback path does validate state, which makes the manual path a real gap. See services/oauth/index.ts:157 and services/oauth/auth-code-listener.ts:164.
  • Medium: Direct-connect trusts an arbitrary ws_url from the initial session response and then forwards the bearer token to that URL without origin pinning or scheme validation. See server/types.ts:5, server/createDirectConnectSession.ts:71, and server/directConnectManager.ts:50.
  • Medium: Failed first-party telemetry batches are persisted locally in cleartext, without an explicit restrictive file mode, even though the payload includes auth and email metadata. See services/analytics/firstPartyEventLoggingExporter.ts:183, services/analytics/firstPartyEventLoggingExporter.ts:200, and services/analytics/ firstPartyEventLoggingExporter.ts:729.
  • Medium: Remote session WebSocket recovery only retries after a previously successful connection, so transient failures during initial connect can fail permanently instead of self-healing. See remote/SessionsWebSocket.ts:274.
  • Medium: MCP and tool-orchestration state management does repeated whole-collection scans/rebuilds, which will scale poorly with many MCP servers or tool-heavy turns. See services/mcp/useManageMCPConnections.ts:216, main.tsx:2691, and services/tools/StreamingToolExecutor.ts:76.

Executive Brief Security posture is moderate. The codebase already has substantial permission, sandbox, and trust-boundary machinery, so I did not find a broad “arbitrary execution everywhere” problem. The real security issues are narrower and more important: auth/bootstrap validation gaps, unsafe trust in follow-on connection URLs, and a few places where sensitive operational data can leak to disk.

Performance posture is acceptable for normal interactive use, but I would expect degradation in long-lived sessions, tool-heavy turns, and MCP-heavy environments. The main hotspot is transcript persistence; the secondary ones are repeated MCP state rebuilds and queue scans in tool execution.

Other NFRs are mixed. Availability/resilience are generally good and intentionally fail-open, but configuration safety, privacy of persisted telemetry, and diagnosability are weaker than the rest of the system. Maintainability risk is also real: core behavior is concentrated in a few very large files, especially main.tsx, services/mcp/client.ts, and QueryEngine.ts.

Priority Order

  • Fix auth/session bootstrap first: validate manual OAuth state, and pin/validate direct-connect ws_url.
  • Make settings and synced state writes atomic.
  • Rework transcript persistence to append deltas instead of rescanning full history.
  • Tighten privacy/ops behavior: explicit file modes for telemetry persistence, better structured error logging, and retry initial WebSocket connect failures.

Static review only. I did not run tests or build the project, and there is no obvious top-level manifest in the repo root to drive a standard verification pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment