Something I'm trying to track down is how this remote claude session thing works. A ...

Why Nostr? What is Njump? Join Nostr

jonny (good kind)

npub1lj…pw8tm

2026-04-05 03:36:25 UTC

in reply to nevent1q…n024

Something I'm trying to track down is how this remote claude session thing works. A general pattern in the claude code source is that more recent features are implemented in a way more chaotic way than more "core" features, which reflects the nature of vibe coding: because you don't have a solid foundation, and there is a progressive layer of crust and special cases, the only real way to add more features is to keep adding more crust and special cases. Like rather than having a set of blocks that are self contained and you add another block, you need to slice across all the prior blocks and add something to each of them.

There are a number of places, both in comments and code, that rely on "this session is running in claude code remote session" in some VM, and so therefore they use the filesystem for state (e.g. [storing the api and oauth keys](https://neuromatch.social/@jonny/116345270216954323 )), but those parts of the code are in no way cleanly isolated from the rest of the code. So I suppose if i were a pentester or security auditor or whatever what i'd be looking for is places where the mashup of "in remote session / not in remote session" assumptions fails, and we do something naughty on the host system rather than a VM. Like I said still reading, just sort of musing about some of the problems with the package that are larger than individual functions and features.

quoting
note14mc…psrh

FOR EXAMPLE:

In the claude code remote feature it is sometimes possible for the means of passing auth credentials to fail. So claude code has a fallback of *writing the API key or OAUTH token to a single well-known file* because *sometimes* one of the several means of inheriting the fucking most important secret information in the entire thing doesn't work.

I'm not a security person but that seems like a pretty bad thing to do that maybe someone should look into.

Author Public Key

npub1ljmfkwmllavdpnf5tgmrfay6mj4t78c0xryugfw4qka0c4exas0q2pw8tm

Seen on

wss://relay.momostr.pink

Show more details

Published at

2026-04-05 03:36:25 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "a04bbf67a2f2dfc2305a3e303aa2cfa9492e1384b515fab489183fe99907aa1d", "pubkey": "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e", "created_at": 1775360185, "kind": 1, "tags": [ [ "proxy", "https://neuromatch.social/@jonny/116350005090507858", "web" ], [ "q", "aef10cf317cf4156d9949139de8e195b6644f2387dcb9d6225be2a557117e917" ], [ "e", "96139fe698135e312c8b1250549ef4fa9b88e793b54b70dd13f5b09ec95b5748", "", "root", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "p", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "content-warning", "trying to figure out claude code remote sessions, musing on how the vibe coding pattern can be observed in the chronology of new v. old features in claude" ], [ "e", "222e74a93f0b6b12f80a0cf5fa050f05df09c02ec2a6972256d7a44ff982da8f", "", "reply", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "proxy", "https://neuromatch.social/users/jonny/statuses/116350005090507858", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://neuromatch.social/users/jonny/statuses/116350005090507858", "pink.momostr" ], [ "-" ] ], "content": "Something I'm trying to track down is how this remote claude session thing works. A general pattern in the claude code source is that more recent features are implemented in a way more chaotic way than more \"core\" features, which reflects the nature of vibe coding: because you don't have a solid foundation, and there is a progressive layer of crust and special cases, the only real way to add more features is to keep adding more crust and special cases. Like rather than having a set of blocks that are self contained and you add another block, you need to slice across all the prior blocks and add something to each of them.\n\nThere are a number of places, both in comments and code, that rely on \"this session is running in claude code remote session\" in some VM, and so therefore they use the filesystem for state (e.g. [storing the api and oauth keys](https://neuromatch.social/@jonny/116345270216954323 )), but those parts of the code are in no way cleanly isolated from the rest of the code. So I suppose if i were a pentester or security auditor or whatever what i'd be looking for is places where the mashup of \"in remote session / not in remote session\" assumptions fails, and we do something naughty on the host system rather than a VM. Like I said still reading, just sort of musing about some of the problems with the package that are larger than individual functions and features.\nnostr:note14mcseucheaq4dkv5jyuaarsetdnyfu3c0h9e6c39hc492ughayts50psrh\n", "sig": "69bcca5ef894dd7f6bd0396efcfb835d52ea012c3c277d1ce41fa45abb548b6a99db980870c0e36e1d2a897e9ebca8c8e5e1575b2c5fdcfc852ada5c812ca0db" }