Skip to main content

Tool matrix

Most pitfalls in this book are paradigm-level — they come from the shared machinery of a large model plus tool-calling, long context, and auto-execution, so you hit them in any tool. By default, then, every entry applies across AI coding tools. This page indexes only the two kinds of exception: where the same root cause needs a different guardrail in a different tool (written up in an entry's "Tool differences" section), and where a pitfall comes from a mechanism unique to one tool (its own entry / a case).

Coverage depth (read it honestly)

Claude Code has the deepest coverage and is the book's default reference (it applies to nearly every entry, so the matrix gives it no column of its own). Gemini CLI, Codex CLI, Cursor, and GitHub Copilot are the filled-in second batch, and the table below is each one's first set of tool differences — Codex / Gemini (open-source, complete docs) are the most solid; Cursor / Copilot (proprietary, multi-mode, fast-changing) lean on security disclosures + official docs and are thinner. The matrix lists mechanism names only, not exact commands, and it goes stale fast — when you act, defer to your version's official docs. As of 2026-07.

Coverage at a glance

Rows = pitfalls that have a "Tool differences" section (click in for each tool's specific mechanism); columns = the four second-batch tools; = the entry has a difference section for that tool, = none yet.

Pitfall (main entry)GeminiCodexCursorCopilot
Advisory context vs enforced config
Context-file overload
Over-permissioning
Skipping plan mode
Destructive / irreversible actions
MCP over-access
Dev-time prompt injection
CI permission blindspot
Overwriting without checking file state
Runaway autonomous loops
Mistimed /compact
Poor git hygiene
Hallucinated APIs / version drift
Gaming the tests
Reviewing my own code favors me
Uncontrolled network egress
Soft permissions without an OS-level sandbox
Subagents without boundaries

Column shorthands: Gemini = Gemini CLI, Codex = Codex CLI, Copilot = GitHub Copilot. The Skipping plan mode row is for Codex: Codex has no dedicated "plan mode," only a read-only preset that approximates one, so the evidence is too thin to list. The Gaming the tests row is for Gemini: no equivalent deterministic-hook mechanism verified for Gemini CLI. The Reviewing my own code row is for Gemini: the Gemini-family independent reviewer is Gemini Code Assist (a GitHub app), not Gemini CLI — the column axis tracks tools, and we don't mix products (the entry names it explicitly). The Uncontrolled network egress row is for Cursor / Copilot: no native egress-narrowing mechanism verified for the local IDE agent shapes (egress control falls to your environment layer). The Subagents without boundaries row is only for Cursor: no equivalent native subagent mechanism verified for Gemini / Codex as of 2026-07, and none for Copilot.

One more entry carries a tool-generic differences section (mechanism families, no per-vendor rows, so no ✓ columns): Context-starved review.

Per tool (mechanisms + unique entries)

Read each section in two layers: Mechanism (stable) = the axis that sets this tool apart from the others, doesn't shift with point releases, safe to remember; Version observation (as of 2026-06, will go stale) = defaults, CVE / GHSA, and fix status — the most perishable line, so when you actually act, defer to your version's official docs and don't treat this line as a lasting fact.

Gemini CLI

  • Mechanism (stable): differentiating axis = the default state of plan mode / checkpointing + how folder trust inherits into subdirectories.
  • Version observation (as of 2026-06, will go stale): Plan Mode on by default, Checkpointing off by default; critical in-the-wild findings — the Tracebit RCE, CI auto-trusting the workspace (GHSA-wpqr, CVSS 10).
  • Unique entry: Gemini trust inheritance
  • Case: hijacked by "tell me about this repo" (Tracebit RCE)
  • All entries → /tags/gemini-cli

Codex CLI

  • Mechanism (stable): differentiating axis = sandbox default state (opposite of Claude Code) + the enforcement tiers of a three-layer config (advisory / local / org-enforced).
  • Version observation (as of 2026-06, will go stale): the only one sandboxed by default (macOS Seatbelt / Linux Landlock + network off); config splits into AGENTS.md / config.toml / requirements.toml; config-poisoning RCE (CVE-2025-61260).
  • Case: a .codex config turned "open the repo" into silent RCE (CVE-2025-61260)
  • All entries → /tags/codex-cli

Cursor

  • Mechanism (stable): differentiating axis = permissions are "best-effort," not a security guarantee + the command gate can be bypassed at the parser level + the MCP attack surface.
  • Version observation (as of 2026-06, will go stale): the docs say plainly that permissions.json and .cursorignore are not security boundaries; denylist deprecated, NomShub bypass; two MCP CVEs (CurXecute / MCPoison).
  • Unique entry: .cursorignore isn't a boundary
  • All entries → /tags/cursor

GitHub Copilot

  • Mechanism (stable): differentiating axis = three modes defend differently (completion / Chat / coding agent) + the coding agent's server-side guardrails and firewall coverage boundary + the instructions-file read cap.
  • Version observation (as of 2026-06, will go stale): the coding agent pushes only to copilot/* branches with the firewall on by default, but the firewall doesn't cover MCP or setup steps; code review reads only the first 4,000 chars of the instructions file; CVE-2025-53773, CamoLeak (CVSS 9.6).
  • Case: private-repo secrets exfiltrated through the Camo image proxy (CamoLeak)
  • All entries → /tags/git-hub-copilot

Claude Code

  • Mechanism (stable): the book's default reference — applies to nearly every entry (so no tag, no column). Differentiating axis = the hardest enforcement layer: client-side permissions.deny, deterministic hooks, rewind snapshots — the baseline the four tools' "tool differences" above are contrasted against.
  • Version observation (as of 2026-06, will go stale): rewind snapshots on by default.
This table will go stale

Tool differences and defaults change fast with each version. This page records mechanism names and direction only, not specific commands; when you actually act, defer to your version's official docs. Spot something out of date? Flag it on GitHub.