My Mac crashed today because a menu bar app ate 36 GB of memory.
The app was CodexBar, Peter Steinberger's usage monitor for AI coding tools. I'd just installed it to replace my janky 700-line SwiftBar plugin. Ran a couple CLI commands, went back to work. An hour later, the machine locked up. Jetsam was killing system services in a loop. Force Quit showed Moonlight and iTerm2 ballooning to 30+ GB each, but the actual culprit was CodexBar's CLI processes running underneath. Both showed the exact same memory figure, which suggests the system was double-counting the same ~36 GB of swap, not actually consuming 72 GB.
What happened
CodexBar ships a CLI (codexbar usage, codexbar cost) alongside the menu bar app. I ran it a few times to check it out. LuLu, my firewall, had never seen the binary before. Its default behavior for unknown apps: silently hold outgoing connections until you click Allow in the popup.
I didn't see a popup. The CLI commands just hung. I moved on.
Here's the problem: ProviderHTTPClient.swift uses URLSession.shared with zero custom timeout configuration. Apple's default timeoutIntervalForResource is 604800 seconds. Seven days. When a firewall silently drops packets (no RST, no ICMP unreachable, just silence), URLSession waits. For a week.
The codexbar command with no arguments defaults to fetching usage for every enabled provider simultaneously. Each provider's HTTP request hangs forever. The Swift concurrency runtime holds all those suspended tasks in memory. The cost scanner tries to load JSONL session files. Memory climbs.
The fix
One meaningful change:
public init(session: URLSession? = nil) {
    if let session {
        self.session = session
    } else {
        let configuration = URLSessionConfiguration.default
        configuration.timeoutIntervalForRequest = 30
        configuration.timeoutIntervalForResource = 90
        #if !canImport(FoundationNetworking)
        configuration.waitsForConnectivity = false
        #endif
        self.session = URLSession(configuration: configuration)
    }
}
Thirty-second request timeout. Ninety-second resource timeout. waitsForConnectivity = false so blocked connections fail immediately instead of waiting for the network to "become available."
I verified it works by running both versions against a non-routable IP (10.255.255.1, which simulates the exact silent-drop behavior of a firewall):
UNFIXED (URLSession.shared): still running after 60s, killed manually
FIXED (30s/90s config): all 5 providers fail at 30.0s, process exits cleanly
I submitted PR #1005. Peter closed it and committed the fix to main himself within hours, crediting me as co-author. Fast turnaround.
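The silent-drop verification described above, written as a repeatable check (an added example, not CodexBar's code or the author's test script): it fans five constructed requests out to the post's non-routable address through a bounded session and exits non-zero if any request outlives its bound. `ProbeResult`, `makeBoundedSession`, `probe` and the 5-second limit are hypothetical names and values; the script assumes macOS 12+ and Swift 5.7+ for `data(from:)` and top-level `await`.

```swift
import Foundation

// Added example, not CodexBar code. All names here are hypothetical.
struct ProbeResult: Sendable { let name: String; let elapsed: TimeInterval; let outcome: String }

// Session with bounded timeouts: same knobs as the fix, shorter values for a quick test.
func makeBoundedSession(request: TimeInterval, resource: TimeInterval) -> URLSession {
    let configuration = URLSessionConfiguration.ephemeral
    configuration.timeoutIntervalForRequest = request
    configuration.timeoutIntervalForResource = resource
    configuration.waitsForConnectivity = false
    return URLSession(configuration: configuration)
}

// Fetch every target concurrently, the way a no-argument run fans out to all
// providers, and record how long each request took to finish or fail.
func probe(_ targets: [(name: String, url: URL)], using session: URLSession) async -> [ProbeResult] {
    await withTaskGroup(of: ProbeResult.self) { group in
        for target in targets {
            group.addTask {
                let start = Date()
                var outcome = "completed"
                do {
                    _ = try await session.data(from: target.url)
                } catch let error as URLError where error.code == .timedOut {
                    outcome = "timed out"
                } catch {
                    outcome = "failed: \(error.localizedDescription)"
                }
                let elapsed = Date().timeIntervalSince(start)
                return ProbeResult(name: target.name, elapsed: elapsed, outcome: outcome)
            }
        }
        var results: [ProbeResult] = []
        for await result in group { results.append(result) }
        return results
    }
}

// Constructed targets: five placeholder "providers", all pointed at the
// non-routable address the post used to simulate a firewall's silent drop.
let blackhole = URL(string: "http://10.255.255.1/")!
let targets = (1...5).map { (name: "provider-\($0)", url: blackhole) }
let limit: TimeInterval = 5
let results = await probe(targets, using: makeBoundedSession(request: limit, resource: limit * 3))
for r in results { print(r.name, r.outcome, String(format: "%.1fs", r.elapsed)) }
// Non-zero exit if any request outlived its bound (2 s of slack for scheduling).
exit(results.allSatisfy { $0.elapsed < limit + 2 } ? 0 : 1)
```

Run it with `swift probe.swift` on a network where 10.255.255.1 is not reachable; wiring the exit code into CI catches a regression to an unbounded session.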
The Windows port
While debugging this, I noticed a tweet thread where someone asked Peter for a Windows version. His reply: "Build it."
So I did.
codexbar-win is a single PowerShell file. Zero dependencies. Runs on any Windows 10/11 machine out of the box. Double-click to start. It shows a colored circle in the system tray (green through red based on usage), polls Claude and Codex APIs every 60 seconds, and handles OAuth token refresh automatically.
The entire thing is 350 lines. It reads your existing CLI credentials (~/.claude/.credentials.json for Claude, ~/.codex/auth.json for Codex) so you don't need to log in separately. When the token expires, it refreshes it. When no provider is authenticated, the icon turns gray with a "!" and gives you a clickable menu item to authenticate.
It's not as polished as Finesssee's Win-CodexBar (which has 41 providers, Tauri/Rust, winget distribution). But it's the kind of thing you can install on a coworker's machine in 5 seconds by pasting one file.
Getting SSH onto the Windows box
Building this made me realize something embarrassing: I couldn't SSH into my own Windows machine. It's on my Tailscale network, pingable, sitting ten feet away. But OpenSSH Server isn't enabled by default on Windows. So I'd been walking over to it every time I needed to do something.
Four lines of admin PowerShell:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
The first line downloads and installs the OpenSSH Server capability from Windows Update. Takes a few minutes, shows a progress bar filled with os. The rest starts the service, makes it survive reboots, and punches a hole in Windows Firewall for port 22.
One gotcha with Windows SSH and admin accounts: keys don't go in ~/.ssh/authorized_keys like everywhere else. Admin users need their keys in C:\ProgramData\ssh\administrators_authorized_keys, with tight ACLs:
icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
Regular user accounts use the normal C:\Users\<username>\.ssh\authorized_keys path. If you have both types of accounts (I do), set up both.
Now I can ssh michael@my-windows-pc from my Mac and land in a PowerShell session. Deploy codexbar-win, run chkdsk on NTFS drives, whatever. No more walking.
The security audit trail
Before installing CodexBar on my own machine, I audited the full source. 563 Swift files. The findings:
- Every outbound URL maps to a legitimate provider API. No data goes to the developer.
- No telemetry. No Sentry, no Mixpanel, no Firebase. Nothing.
- Credentials stored in macOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly.
- Logs run through a LogRedactor that strips bearer tokens, cookies, and API keys.
- Sparkle (auto-updater) has system profiling explicitly disabled.
Clean. No issues. The actual problem was a missing timeout.
Takeaways
Don't use URLSession.shared in CLI tools. Its defaults are designed for long-running apps where a user might walk away from WiFi and come back. A CLI command that hangs for seven days isn't a feature.
If you ship a macOS app that makes network requests, test with a firewall that blocks by default. LuLu and Little Snitch are common. Your app will encounter them.
And if someone tells you to build something, sometimes you should just build it.