kodegen

The `kodegen claude` subcommand spawns the `claude` CLI process and passes through arbitrary arguments (`passthrough_args`) directly. This is a powerful feature intended for agent control, but it implies that `kodegen` allows `claude` CLI commands to be executed via its interface. If `kodegen` were exposed to untrusted input without proper sanitization at a higher level, this could be a vulnerability. The `StdioProxyServer` sends the current working directory (`X_KODEGEN_PWD`) and detected Git repository root (`X_KODEGEN_GITROOT`) as HTTP headers to backend MCP servers. This is a potential information leak if `--host` is configured to point to an untrusted endpoint. Credentials for database and SSH connections (`DATABASE_DSN`, `SSH_KEY`, `SSH_PASSWORD`) can be provided via environment variables or CLI arguments; their security depends on how the downstream category servers (to which `kodegen` proxies) handle and store them. The server itself does not perform deep validation of tool arguments, deferring this to backend services.