Hi maintainers — this is a friendly architecture-quality audit note, not a security report.
I've been building hermescheck, a small open-source scanner that reviews AI agent runtimes and gateway-style systems for recovery boundaries, schema drift, memory/state ownership, and other long-running maintainability risks. I ran it against ccNexus because this repo has a compact but real gateway/runtime surface across endpoint routing, request transformation, session handling, and persistent config/storage.
Three runtime/architecture notes looked worth sharing:
-
Endpoint and transformer compatibility looks very flexible, but the contract appears mostly config-driven rather than pinned.
internal/proxy/endpoint_resolver.go lets callers steer endpoints through headers, query params, and @endpoint/model syntax, while internal/proxy/request.go dynamically maps that choice into different upstream protocol shapes. That is powerful, but it also means backend API drift can become a runtime surprise unless there is a stronger reviewed compatibility boundary around endpoint + transformer combinations.
-
Session continuity appears to depend on an external file-layout contract.
internal/session/session.go reads session state and aliases from ~/.claude/projects/... and derives summaries directly from those JSONL files. That works today, but architecturally it makes continuity depend on another tool's on-disk structure rather than on an app-owned resumability contract, which may get brittle over time.
-
Portable config and runtime-secret state look only partially separated.
internal/storage/sqlite.go explicitly defines safeConfigKeys for cross-device backup/restore, and internal/service/backup.go persists and restores that configuration. The intent is clear, but it may still help to make the portable-config vs device/session-credential boundary even sharper so backup/restore behavior stays predictable as more auth and provider types are added.
None of the above is meant as "you must change this"; it just looked like a useful maintainer-facing architecture snapshot from an external pass.
Repo for the tool: https://github.com/huangrichao2020/hermescheck
If this isn't useful, feel free to close and I won't take it personally.
Hi maintainers — this is a friendly architecture-quality audit note, not a security report.
I've been building hermescheck, a small open-source scanner that reviews AI agent runtimes and gateway-style systems for recovery boundaries, schema drift, memory/state ownership, and other long-running maintainability risks. I ran it against
ccNexusbecause this repo has a compact but real gateway/runtime surface across endpoint routing, request transformation, session handling, and persistent config/storage.Three runtime/architecture notes looked worth sharing:
Endpoint and transformer compatibility looks very flexible, but the contract appears mostly config-driven rather than pinned.
internal/proxy/endpoint_resolver.golets callers steer endpoints through headers, query params, and@endpoint/modelsyntax, whileinternal/proxy/request.godynamically maps that choice into different upstream protocol shapes. That is powerful, but it also means backend API drift can become a runtime surprise unless there is a stronger reviewed compatibility boundary around endpoint + transformer combinations.Session continuity appears to depend on an external file-layout contract.
internal/session/session.goreads session state and aliases from~/.claude/projects/...and derives summaries directly from those JSONL files. That works today, but architecturally it makes continuity depend on another tool's on-disk structure rather than on an app-owned resumability contract, which may get brittle over time.Portable config and runtime-secret state look only partially separated.
internal/storage/sqlite.goexplicitly definessafeConfigKeysfor cross-device backup/restore, andinternal/service/backup.gopersists and restores that configuration. The intent is clear, but it may still help to make the portable-config vs device/session-credential boundary even sharper so backup/restore behavior stays predictable as more auth and provider types are added.None of the above is meant as "you must change this"; it just looked like a useful maintainer-facing architecture snapshot from an external pass.
Repo for the tool: https://github.com/huangrichao2020/hermescheck
If this isn't useful, feel free to close and I won't take it personally.