docs: plant seed — Go rewrite of claudebox.sh

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.planning/seeds/SEED-003-go-rewrite.md

@@ -0,0 +1,33 @@
+---
+id: SEED-003
+title: Rewrite claudebox in Go
+status: planted
+planted: 2026-04-09
+trigger: bash complexity becomes a maintenance burden, or code review issues accumulate
+---
+
+## Idea
+
+Replace claudebox.sh with a lightweight Go binary. Solves structural issues that are awkward in bash: the dry-run command reconstruction diverging from the real bwrap call, the EXIT trap not firing after exec, proper argument parsing, and the CLAUDEBOX_EXTRA_ENV blocklist (CR-01).
+
+## Why
+
+- Bash associative arrays and string manipulation are fragile for security-critical code
+- Dry-run output is a manual reconstruction of the bwrap command — in Go, you'd build the exec args once and either print or exec them
+- Trap-based cleanup doesn't survive exec — Go defers work naturally
+- Proper flag parsing with cobra/pflag instead of hand-rolled case/esac
+- Static binary via `go build` — no runtime dependencies, trivial Nix packaging via `buildGoModule`
+- Can add structured logging, better error messages, and validation for free
+
+## When This Becomes Relevant
+
+- When the bash script accumulates enough code review findings that patching feels wrong
+- When a new feature (e.g., eBPF integration from SEED-002) would be painful in bash
+- When the project moves beyond single-user local tool toward something distributable
+
+## Rough Shape
+
+- Single `main.go` with subcommands: `claudebox run`, `claudebox check`, `claudebox dry-run`, `claudebox audit-log`
+- Nix: `buildGoModule` replaces `writeShellApplication`
+- Same bwrap invocation, same env model, same mounts — just built programmatically
+- Could embed the env blocklist as a Go map instead of bash pattern matching