Tool matrix
Most pitfalls in this book are paradigm-level — they come from the shared machinery of a large model plus tool-calling, long context, and auto-execution, so you hit them in any tool. By default, then, every entry applies across AI coding tools. This page indexes only the two kinds of exception: where the same root cause needs a different guardrail in a different tool (written up in an entry's "Tool differences" section), and where a pitfall comes from a mechanism unique to one tool (its own entry / a case).
Claude Code has the deepest coverage and is the book's default reference (it applies to nearly every entry, so the matrix gives it no column of its own). Gemini CLI, Codex CLI, Cursor, and GitHub Copilot are the filled-in second batch, and the table below is each one's first set of tool differences — Codex / Gemini (open-source, complete docs) are the most solid; Cursor / Copilot (proprietary, multi-mode, fast-changing) lean on security disclosures + official docs and are thinner. The matrix lists mechanism names only, not exact commands, and it goes stale fast — when you act, defer to your version's official docs. As of 2026-07.
Coverage at a glance
Rows = pitfalls that have a "Tool differences" section (click in for each tool's specific mechanism); columns = the four second-batch tools; ✓ = the entry has a difference section for that tool, – = none yet.
| Pitfall (main entry) | Gemini | Codex | Cursor | Copilot |
|---|---|---|---|---|
| Advisory context vs enforced config | ✓ | ✓ | ✓ | ✓ |
| Context-file overload | ✓ | ✓ | ✓ | ✓ |
| Over-permissioning | ✓ | ✓ | ✓ | ✓ |
| Skipping plan mode | ✓ | – | ✓ | ✓ |
| Destructive / irreversible actions | ✓ | ✓ | ✓ | ✓ |
| MCP over-access | ✓ | ✓ | ✓ | ✓ |
| Dev-time prompt injection | ✓ | ✓ | ✓ | ✓ |
| CI permission blindspot | ✓ | ✓ | ✓ | ✓ |
| Overwriting without checking file state | ✓ | ✓ | ✓ | ✓ |
| Runaway autonomous loops | ✓ | ✓ | – | – |
| Mistimed /compact | ✓ | ✓ | ✓ | – |
| Poor git hygiene | ✓ | ✓ | ✓ | – |
| Hallucinated APIs / version drift | ✓ | – | ✓ | ✓ |
| Gaming the tests | – | ✓ | ✓ | ✓ |
| Reviewing my own code favors me | – | – | ✓ | ✓ |
| Uncontrolled network egress | ✓ | ✓ | – | – |
| Soft permissions without an OS-level sandbox | ✓ | ✓ | – | ✓ |
| Subagents without boundaries | – | – | ✓ | – |
Column shorthands: Gemini = Gemini CLI, Codex = Codex CLI, Copilot = GitHub Copilot. The
Skipping plan moderow is–for Codex: Codex has no dedicated "plan mode," only a read-only preset that approximates one, so the evidence is too thin to list. TheGaming the testsrow is–for Gemini: no equivalent deterministic-hook mechanism verified for Gemini CLI. TheReviewing my own coderow is–for Gemini: the Gemini-family independent reviewer is Gemini Code Assist (a GitHub app), not Gemini CLI — the column axis tracks tools, and we don't mix products (the entry names it explicitly). TheUncontrolled network egressrow is–for Cursor / Copilot: no native egress-narrowing mechanism verified for the local IDE agent shapes (egress control falls to your environment layer). TheSubagents without boundariesrow is✓only for Cursor: no equivalent native subagent mechanism verified for Gemini / Codex as of 2026-07, and none for Copilot.One more entry carries a tool-generic differences section (mechanism families, no per-vendor rows, so no ✓ columns): Context-starved review.
Per tool (mechanisms + unique entries)
Read each section in two layers: Mechanism (stable) = the axis that sets this tool apart from the others, doesn't shift with point releases, safe to remember; Version observation (as of 2026-06, will go stale) = defaults, CVE / GHSA, and fix status — the most perishable line, so when you actually act, defer to your version's official docs and don't treat this line as a lasting fact.
Gemini CLI
- Mechanism (stable): differentiating axis = the default state of plan mode / checkpointing + how folder trust inherits into subdirectories.
- Version observation (as of 2026-06, will go stale): Plan Mode on by default, Checkpointing off by default; critical in-the-wild findings — the Tracebit RCE, CI auto-trusting the workspace (GHSA-wpqr, CVSS 10).
- Unique entry: Gemini trust inheritance
- Case: hijacked by "tell me about this repo" (Tracebit RCE)
- All entries → /tags/gemini-cli
Codex CLI
- Mechanism (stable): differentiating axis = sandbox default state (opposite of Claude Code) + the enforcement tiers of a three-layer config (advisory / local / org-enforced).
- Version observation (as of 2026-06, will go stale): the only one sandboxed by default (macOS Seatbelt / Linux Landlock + network off); config splits into
AGENTS.md/config.toml/requirements.toml; config-poisoning RCE (CVE-2025-61260). - Case: a
.codexconfig turned "open the repo" into silent RCE (CVE-2025-61260) - All entries → /tags/codex-cli
Cursor
- Mechanism (stable): differentiating axis = permissions are "best-effort," not a security guarantee + the command gate can be bypassed at the parser level + the MCP attack surface.
- Version observation (as of 2026-06, will go stale): the docs say plainly that
permissions.jsonand.cursorignoreare not security boundaries; denylist deprecated, NomShub bypass; two MCP CVEs (CurXecute / MCPoison). - Unique entry: .cursorignore isn't a boundary
- All entries → /tags/cursor
GitHub Copilot
- Mechanism (stable): differentiating axis = three modes defend differently (completion / Chat / coding agent) + the coding agent's server-side guardrails and firewall coverage boundary + the instructions-file read cap.
- Version observation (as of 2026-06, will go stale): the coding agent pushes only to
copilot/*branches with the firewall on by default, but the firewall doesn't cover MCP or setup steps; code review reads only the first 4,000 chars of the instructions file; CVE-2025-53773, CamoLeak (CVSS 9.6). - Case: private-repo secrets exfiltrated through the Camo image proxy (CamoLeak)
- All entries → /tags/git-hub-copilot
Claude Code
- Mechanism (stable): the book's default reference — applies to nearly every entry (so no tag, no column). Differentiating axis = the hardest enforcement layer: client-side
permissions.deny, deterministic hooks, rewind snapshots — the baseline the four tools' "tool differences" above are contrasted against. - Version observation (as of 2026-06, will go stale): rewind snapshots on by default.
Tool differences and defaults change fast with each version. This page records mechanism names and direction only, not specific commands; when you actually act, defer to your version's official docs. Spot something out of date? Flag it on GitHub.