| id | title | status | planted | trigger |
|---|---|---|---|---|
| SEED-003 | Rewrite claudebox in Go | planted | 2026-04-09 | bash complexity becomes a maintenance burden, or code review issues accumulate |
Idea
Replace claudebox.sh with a lightweight Go binary. Solves structural issues that are awkward in bash: the dry-run command reconstruction diverging from the real bwrap call, the EXIT trap not firing after exec, proper argument parsing, and the CLAUDEBOX_EXTRA_ENV blocklist (CR-01).
Why
- Bash associative arrays and string manipulation are fragile for security-critical code
- Dry-run output is a manual reconstruction of the bwrap command — in Go, you'd build the exec args once and either print or exec them
- Trap-based cleanup doesn't survive exec — Go defers work naturally
- Proper flag parsing with cobra/pflag instead of hand-rolled case/esac
- Static binary via go build — no runtime dependencies, trivial Nix packaging via buildGoModule
- Can add structured logging, better error messages, and validation for free
When This Becomes Relevant
- When the bash script accumulates enough code review findings that patching feels wrong
- When a new feature (e.g., eBPF integration from SEED-002) would be painful in bash
- When the project moves beyond single-user local tool toward something distributable
Rough Shape
- Single main.go with subcommands: claudebox run, claudebox check, claudebox dry-run, claudebox audit-log
- Nix: buildGoModule replaces writeShellApplication
- Same bwrap invocation, same env model, same mounts — just built programmatically
- Could embed the env blocklist as a Go map instead of bash pattern matching
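
An added sketch (not claudebox's own code) of building the bwrap argv once for both dry-run and run, with the env blocklist as a Go map. The Sandbox fields, the choice of bwrap flags, and the blocklist entries are assumptions, since the page does not list the real mounts, env model, or CR-01 entries.

```go
package main

import (
	"fmt"
	"strings"
)

// blockedEnv is a constructed sample; the real CR-01 blocklist is not on the page.
var blockedEnv = map[string]bool{"LD_PRELOAD": true, "LD_LIBRARY_PATH": true, "LD_AUDIT": true}

// Sandbox holds hypothetical settings standing in for claudebox's mounts and env model.
type Sandbox struct {
	ROBinds  []string // host paths bound read-only at the same path
	ExtraEnv []string // NAME=VALUE pairs, e.g. already split out of CLAUDEBOX_EXTRA_ENV
	Command  []string // program and arguments to run inside the sandbox
}

// BuildArgs returns the single argv that both dry-run and run consume,
// plus the names of extra env entries that were blocked or malformed.
func BuildArgs(s Sandbox) (argv, rejected []string) {
	argv = []string{"bwrap", "--unshare-all", "--die-with-parent", "--clearenv"}
	for _, p := range s.ROBinds {
		argv = append(argv, "--ro-bind", p, p)
	}
	for _, kv := range s.ExtraEnv {
		name, val, ok := strings.Cut(kv, "=")
		if !ok || name == "" || blockedEnv[name] {
			rejected = append(rejected, name) // record the name only, never the value
			continue
		}
		argv = append(argv, "--setenv", name, val)
	}
	return append(argv, s.Command...), rejected
}

// Render shell-quotes argv for dry-run output, so what is printed is what would be executed.
func Render(argv []string) string {
	q := make([]string, len(argv))
	for i, a := range argv {
		q[i] = "'" + strings.ReplaceAll(a, "'", `'\''`) + "'"
	}
	return strings.Join(q, " ")
}

func main() {
	s := Sandbox{ROBinds: []string{"/usr"}, ExtraEnv: []string{"TERM=xterm", "LD_PRELOAD=/tmp/x.so"}, Command: []string{"/usr/bin/env"}}
	argv, rejected := BuildArgs(s)
	fmt.Printf("%s\nrejected: %v\n", Render(argv), rejected)
}
```

A run subcommand would hand the same argv to os/exec. Starting bwrap as a child process keeps deferred cleanup reachable, whereas replacing the process with syscall.Exec skips defers just as exec skips the bash EXIT trap.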