Hadrian OpenHack — Open-source AI Code Review for Claude Code / Codex / Cursor
Summary¶
Hadrian open-sourced OpenHack — an MIT-licensed framework that turns commodity LLMs into reliable code-review tooling and runs directly inside Claude Code, Codex, and Cursor. It targets two well-known failure modes of single-agent code review: unscoped prompts ("the agent doesn't know what question it's answering") and self-graded findings ("the same agent proposing bugs decides their validity"). Hadrian used the same methodology to find hundreds of vulnerabilities, including critical-severity flaws, in OSS used by Dutch government agencies.
Key Details¶
- Scenario-based scoping — every unit of work is one routing unit, one expert, and one specific proof question. Mirrors the toolkit's instinct toward narrow, single-purpose skills and agents.
- Independent triage agent — a separate triage agent reviews each candidate before it becomes a recorded finding. Directly addresses the self-grading bias that affects single-agent reviewers like the current
security-sentinel. - Inspectable artifact trail — all output lives as plain files on disk for end-to-end auditability. Same philosophy as
intake/,specs/,.claude-checkpoint.md. - Harness-agnostic, model-agnostic — works under Claude Code, Codex, or Cursor with any supported model. No vendor lock-in.
- MIT-licensed, Python 3.9+ — installable today, low-friction to evaluate against an existing PR.
Direct overlap with our /vt-c-4-review (six parallel reviewers) and /vt-c-security-scan workflows. Two distinct adoption paths: bundle OpenHack as a backend, or borrow the scoping + triage patterns into our own agent definitions.
Why Rolf Thinks This Matters¶
Further Reading¶
- Hadrian — OpenHack release announcement
- github.com/hadriansecurity/openhack
- Related proposal:
intake/pending/from-research/2026-05-24-inbox-hadrian-openhack-ai-code-review.md