claude-code-mcp-bridge

The server spawns subprocesses (`child_process.spawn`, `child_process.exec`) based on user prompts, which can be a risk if not properly sanctioned. The `dangerouslySkipPermissions` flag is used, bypassing critical security checks for subprocesses, which could allow arbitrary file access or tool execution if the prompt is not carefully constrained by the upstream AI or user. The `mcp-session-manager.ts` handles sensitive session files (like `.claude-mcp-sessions.json`) in user profile directories, which are protected by OS permissions, but not encrypted by default on all platforms (e.g., Windows DPAPI not used). Hardcoded paths like `C:\Users\jonat\hubspot-mcp-railway\.mcp-config.json` pose a risk if the orchestrator prompt were to guide the AI to arbitrary paths. However, the system is designed to delegate authentication to the Claude Code CLI and not handle tokens directly, which is a good security practice. The use of `axios` for external API calls is standard but relies on the security of the target MCP servers. Overall, the system's security depends heavily on the robustness of the Claude Code CLI's sandboxing and the trustworthiness of the prompts it's given, especially when `dangerouslySkipPermissions` is enabled. The `spawn_code_subprocess_direct` tool is introduced to specifically avoid stdio deadlock, highlighting the architectural complexity which often comes with security challenges.