anthropics

Claude Code became a more secure repository this week, though not in the way users would notice. The team hardened 8 different pieces of GitHub automation infrastructure after what appears to be operational pain with failing workflows. They added a security policy directing researchers to HackerOne, built wrapper scripts that validate GitHub CLI commands before execution, and created automated checks that flag risky permission changes in pull requests. The most telling change was removing the entire oncall triage workflow (140 lines deleted) after first trying to fix it by increasing timeouts from 15 to 25 minutes. That suggests the automated issue escalation system was causing more problems than it solved. All the security wrapper work, input validation, and error message improvements point to a team that got burned by brittle automation and decided to rebuild it properly. The repository now has stronger guardrails around what GitHub operations the automation can perform, but the core triage functionality took a step backward. Next week will show whether the simplified approach actually improves reliability or if they need to rebuild the automated escalation system from scratch.