docs: add June 2026 codebase review with prioritized findings

[panbanda]

Covers security posture, performance hot paths, correctness, cleanup,
test gaps, and an assessment of Apple's Core AI framework relative to
the MLX-based architecture.

https://claude.ai/code/session_01Rko86UGb3GKp84joEs5E5c

Summary by CodeRabbit

Release Notes

• New Features

  • Added configurable CORS origins support, including wildcard option for permissive CORS.

• Security Improvements

  • Server now binds to 127.0.0.1 by default instead of 0.0.0.0 for safer defaults.
  • Config files now have owner-only permissions on Unix systems.
  • Upstream error responses are truncated to prevent credential exposure.
  • Added template execution limits to prevent unbounded rendering.

• Performance

  • Optimized streaming text generation with incremental decoding.

• Enhancements

  • Enhanced diagnostics with config file permission and security validation checks.

[coderabbitai]

Warning

Review limit reached

@panbanda, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 50 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 71808fec-3da5-4c97-b786-46381a4c06c9

📥 Commits

Reviewing files that changed from the base of the PR and between a949e50 and 8d16696.

📒 Files selected for processing (8)

• crates/higgs-engine/src/batch_engine.rs
• crates/higgs-engine/src/simple.rs
• crates/higgs/src/config.rs
• crates/higgs/src/daemon.rs
• crates/higgs/src/doctor.rs
• crates/higgs/src/lib.rs
• crates/higgs/src/proxy.rs
• crates/higgs/tests/integration/router.rs

📝 Walkthrough

Walkthrough

This PR implements security hardening, streaming performance optimization, and configuration management improvements identified in a June 2026 codebase review. Key changes include enabling template execution bounds via Minijinja fuel, replacing O(n²) streaming decode with sliding-window incremental detokenization, introducing secure private-permission file I/O, adding CORS configuration control, and extending doctor validation for network exposure and file permissions.

Changes

Security, Performance, and Configuration Improvements from Codebase Review

Layer / File(s)	Summary
Configuration schema, secure file I/O, and server defaults crates/higgs/src/config.rs, crates/higgs/src/daemon.rs, crates/higgs/src/cli_config.rs	ServerSection gains cors_origins field; default host becomes 127.0.0.1. New write_private_file helper applies 0o600 permissions on Unix. Daemon PID/config file writing and CLI config persistence now use secure private-file mode.
CORS configuration and Axum router integration crates/higgs/src/lib.rs, crates/higgs/src/main.rs	build_router accepts cors_origins parameter. New build_cors_layer helper parses origin allow-list supporting wildcard and explicit origins. CORS middleware conditionally layered into router. Main cmd_serve extracts and passes cors_origins to router.
Doctor validation for configuration, permissions, and network exposure crates/higgs/src/doctor.rs	run_doctor now accepts optional config_path for file permission checks. Network-reachability detection warns when non-loopback host lacks api_key. CORS validation checks origin entries with network-aware rules. New test cases cover exposure/API-key scenarios and origin list variants.
Incremental detokenization for streaming performance crates/higgs-engine/src/batch_engine.rs, crates/higgs-engine/src/simple.rs	Replaces per-step full re-decode with IncrementalDetok sliding-window tracking. New find_stop_in_tail helper performs boundary-aware stop detection on new-text tail only. Eliminates O(n²) decode by appending incremental token windows and flushing incomplete UTF-8. Test scaffolding updated for detok field.
Template execution bounds and proxy error handling Cargo.toml, crates/higgs-engine/src/chat_template.rs, crates/higgs/src/proxy.rs	Minijinja fuel feature enabled. TEMPLATE_FUEL constant caps template-engine instructions. chat_template.rs applies via env.set_fuel(). New truncate_error_body helper in proxy.rs implements UTF-8-safe byte limiting to prevent credential leakage in upstream error responses.
Documentation, test updates, and breaking-change notices README.md, docs/configuration.md, docs/codebase-review-2026-06.md, crates/higgs/tests/integration/*	README documents 127.0.0.1 binding default and CORS-only-when-configured behavior. configuration.md examples updated with new defaults and exposure guidance. Codebase-review document enumerates P0–P3 findings and marks addressed items as [fixed]. Integration tests updated to pass cors_origins parameter.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

• panbanda/higgs#45: Both PRs modify daemon startup file-writing paths in crates/higgs/src/daemon.rs, though for different purposes (secure permissions vs. profile-scoped naming).
• panbanda/higgs#38: Both PRs extend proxy send_to_provider behavior; main PR truncates upstream error bodies to prevent credential leakage.
• panbanda/higgs#103: Both PRs modify Axum router construction via build_router signature and parameter additions (main PR adds cors_origins, referenced PR adds body-size limits).

Suggested labels

risk: high

Poem

A rabbit hops through the codebase green,
Securing files with permissions pristine,
CORS now bounds what the network can see,
Incremental tokens decode with glee,
Templates fueled, errors truncated tight—
The PR is done, the review takes flight! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the primary change: adding a June 2026 codebase review document with prioritized findings. It reflects the main visible addition in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/codebase-review-coreai-6wcz9q

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

crates/higgs-engine/src/simple.rs (1)

2217-2227: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Route the first streamed token through IncrementalDetok too.

Both engines still special-case the first chunk with a raw decode and only start IncrementalDetok afterward. If that first token is just a prefix of a multibyte character, the stream emits � immediately and the detok state can never recover because its baseline text already contains the replacement char. In the batch path, the same special-case also drops any prefix before a stop sequence in the first token by returning "" on a hit. Initialize IncrementalDetok from an empty state and materialize the first chunk with the same append/tail-stop/flush flow used for later chunks; please add a regression test for an initial partial-UTF-8 token and for a first-token prefix + stop case.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/higgs-engine/src/simple.rs` around lines 2217 - 2227, The code
currently decodes the first chunk with self.decode_tokens and seeds
IncrementalDetok via IncrementalDetok::new(first_decoded,...), which causes
irrecoverable replacement chars for partial-UTF8 first tokens and mishandles
prefix+stop hits; instead, construct IncrementalDetok from an empty state (do
not pass first_decoded into IncrementalDetok::new), then feed the first_decoded
through the same flow used for subsequent chunks: call
IncrementalDetok.append(...) (and then run the same tail-stop/flush logic and
check_stop_sequences handling) so the detokenizer can correctly handle partial
multibyte sequences and prefix+stop cases; update the logic around
check_stop_sequences to operate on the detok materialized output (not the raw
first_decoded) and add regression tests covering an initial partial-UTF-8 token
and a first-token "prefix + stop" scenario.

crates/higgs/src/daemon.rs (1)

544-547: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use write_private_file for the detach PID path as well.

detach() still creates the PID file with fs::write, so mode follows umask. The later rewrite path does not tighten existing-file permissions, so loose PID permissions can persist.

Suggested fix

-    if let Err(e) = fs::write(pid_path(profile), child_pid.to_string()) {
+    if let Err(e) = config::write_private_file(&pid_path(profile), &child_pid.to_string()) {
         eprintln!("failed to write pid file: {e}");
         std::process::exit(1);
     }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/higgs/src/daemon.rs` around lines 544 - 547, The detach() function
currently writes the PID file using fs::write which creates the file with
umask-controlled permissions; change that to call
write_private_file(pid_path(profile), child_pid.to_string()) so the PID file is
created with restrictive permissions consistently (replace the fs::write call in
detach() that writes to pid_path(profile) with write_private_file and propagate
any returned error into the existing error handling path).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@crates/higgs-engine/src/simple.rs`:
- Around line 2217-2227: The code currently decodes the first chunk with
self.decode_tokens and seeds IncrementalDetok via
IncrementalDetok::new(first_decoded,...), which causes irrecoverable replacement
chars for partial-UTF8 first tokens and mishandles prefix+stop hits; instead,
construct IncrementalDetok from an empty state (do not pass first_decoded into
IncrementalDetok::new), then feed the first_decoded through the same flow used
for subsequent chunks: call IncrementalDetok.append(...) (and then run the same
tail-stop/flush logic and check_stop_sequences handling) so the detokenizer can
correctly handle partial multibyte sequences and prefix+stop cases; update the
logic around check_stop_sequences to operate on the detok materialized output
(not the raw first_decoded) and add regression tests covering an initial
partial-UTF-8 token and a first-token "prefix + stop" scenario.

In `@crates/higgs/src/daemon.rs`:
- Around line 544-547: The detach() function currently writes the PID file using
fs::write which creates the file with umask-controlled permissions; change that
to call write_private_file(pid_path(profile), child_pid.to_string()) so the PID
file is created with restrictive permissions consistently (replace the fs::write
call in detach() that writes to pid_path(profile) with write_private_file and
propagate any returned error into the existing error handling path).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 97cb2575-d717-409c-839e-a74ea15d12cc

📥 Commits

Reviewing files that changed from the base of the PR and between f6e3c2f and a949e50.

📒 Files selected for processing (16)

• Cargo.toml
• README.md
• crates/higgs-engine/src/batch_engine.rs
• crates/higgs-engine/src/chat_template.rs
• crates/higgs-engine/src/simple.rs
• crates/higgs/src/cli_config.rs
• crates/higgs/src/config.rs
• crates/higgs/src/daemon.rs
• crates/higgs/src/doctor.rs
• crates/higgs/src/lib.rs
• crates/higgs/src/main.rs
• crates/higgs/src/proxy.rs
• crates/higgs/tests/integration/api_contract.rs
• crates/higgs/tests/integration/proxy_e2e.rs
• docs/codebase-review-2026-06.md
• docs/configuration.md

[panbanda]

@coderabbitai review

---

Generated by Claude Code

[coderabbitai]

@panbanda I’ll review the PR changes now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.