
Architectural Health & Triage Analysis (Sentrux + Automated Review) — 2026-04-04 #307

@freyandere

Architectural Health & Triage Analysis

This is an automated, multi-dimension analysis compiled across 4 sub-agents. Based on repo state as of commit aa97b4a (2026-04-04 02:27 UTC). Point-in-time snapshot — individual issue/PR statuses should be checked at read time.


Repository Snapshot

| Metric | Value |
| --- | --- |
| Open Issues | 46 (all within 3 days of 2026-04-01 to 2026-04-04) |
| Open PRs | 24 (23 OPEN, 1 DRAFT) |
| Recent commits | 177 in 90 days |
| Source files | 1,984 |
| Test files | 56 |
| Unique PR authors | 16 |

Issue Triage & Deduplication

TUI / Input Bugs (Highest Impact)

| Issue | Problem | Status |
| --- | --- | --- |
| #205 / #220 | Keyboard input freeze (Mac/Linux/Windows) | Fix merged in PR #285 |
| #194 | Random characters printed in TUI | Untriaged |
| #303 / #263 / #147 | Image copy-paste broken | 3 duplicates — merge into one |

Third-Party Provider Compatibility (~10 issues)

| Issue | Problem |
| --- | --- |
| #267 / #248 | Anthropic-specific params leaking to 3P requests → 400 errors |
| #294 | Gemini thought signature mismatch |
| #202 | Same-role coalesce errors |
| #287 | JSON write/parse on follow-up |
| #214, #299, #291, #190 | GLM, LM Studio, Azure Foundry, Grok-specific issues |

Security

| Issue | Severity | Notes |
| --- | --- | --- |
| #244 | HIGH | 3P providers lack AI safety classifier + sandbox gate (3 findings) |
| #193 / #106 | Medium | Provenance / DMCA legal risk |

PR Analysis

Merge Priority (Fast-Track These First)

| PR | What | Lines | CI | Why Priority |
| --- | --- | --- | --- | --- |
| #246 | Fix acceptEdits rm bypass | 2 | Passing | Security, addresses part of #244 |
| #268 | Anthropic fields leak to 3P | ~10 | Passing | Fixes multiple user-facing errors |
| #243 | Cross-provider env var leaks | ~5 | Passing | Quiet data leak |
| #250 | Context window table | 1 | Passing | Small, clean, no risk |
| #242 | Fix lodash-es transitive vulnerability | 2 | Passing | Security fix, trivial merge |

All five PRs above are still open as of this snapshot.

Stale / Blocked PRs

| PR | Status | Blocker |
| --- | --- | --- |
| #201, #210, #215, #218, #259 | Changes requested | Awaiting author reply |
| #213 | Draft | 68 files, 3,217 lines — too large to review |

Conflict Zone: openaiShim.ts

6+ PRs modify this 1,109-line file simultaneously (#258, #268, #241, #237, #259, #296, #288). Recommend merge order to avoid conflicts:

  1. #258 → Strip thinking blocks (smallest)
  2. #268 → Tool result image fix
  3. #288 → Copilot constants/headers
  4. #241 → Same-role coalescing
  5. #237 → Reasoning + images (needs rebase on above)
  6. #259 → reasoning_content (needs rebase on above)
  7. #296 → Groq refactoring (merge LAST — most invasive)

Sentrux Architectural Health

Overall Quality: 3,385 / 10,000 (Very Low)

| Dimension | Score | Grade | Root Cause |
| --- | --- | --- | --- |
| Depth | 584 | F | Call chains 129 levels deep |
| Equality | 4,056 | D | Imbalanced module sizes |
| Modularity | 4,429 | D | 16% modularity, high coupling |
| Acyclicity | 5,000 | D | 1 circular dependency |
| Redundancy | 8,473 | C | 15% code duplication |

Critical Findings

  • No .sentrux/rules.toml — no structural quality gate exists. No max cycles, no layer boundaries, no complexity limits.
  • 30 hotspot files — high churn x complexity areas most likely to regress
  • 201 solo-author files — 74% single-author ratio, knowledge silo risk
  • 330 untested source files — only 56 test files for 1,984 source files
  • 1 circular dependency in the import graph

Security Risk Summary

| Risk | Severity | Status |
| --- | --- | --- |
| No AI classifier for 3P + bypass mode | HIGH | Active (#244, Finding 1) |
| Sandbox gate employee-only | HIGH | Active (#244, Finding 2) |
| Plaintext credentials on Windows/Linux | HIGH | Active (PR #215, changes requested) |
| acceptEdits bypasses dangerous path checks | MEDIUM | Active (PR #246 not merged) |
| lodash-es transitive vulnerability | HIGH | Active (PR #242 not merged) |
| gRPC unauthenticated endpoint | MEDIUM | Not merged yet |

Suggested Next Steps for Maintainers

  1. Merge the fast-track PRs (#246 "fix: run dangerous path check before auto-allowing rm/rmdir in acceptEdits mode"; #268 "fix: prevent Anthropic-specific fields from leaking into 3P requests"; #243 "fix: prevent cross-provider model env var leaks and sync Codex detection"; #250 "fix: add missing o1-series and Ollama models to context window table"; #242 "security: force lodash-es 4.18.0 for transitive dependencies") — 7 files total, all CI passing
  2. Add .sentrux/rules.toml with max cycles = 0, max coupling, and layer boundaries
  3. Add issue/PR templates with required labels to reduce duplicate issues
  4. Close duplicates — at least 6 issues are duplicates of #205 ("Unable to type") / #220 ("Mac Cannot input when running 'bun run dev'") and #303 ("can't paste image") / #263 ("Problem in linux paste image") / #147 ("Theme selector preview not working and also image copy pasting doesn't work in linux and change name asap")
  5. Add tests for openaiShim.ts before merging the 6+ PRs touching it
  6. Re-open/refresh PR #285 ("fix: resolve keyboard input freeze on Windows and Mac at startup") — keyboard freezing fix is the single most impactful UX patch

Generated via automated multi-agent analysis (issues, PRs, sentrux structural health, security audit). All issue/PR numbers reference Gitlawb/openclaude.
