A Bot In a Box

Hi ,

Since the beginning of March, I am testing Claude Code as a coding assistant. My newsletter is driven by a CLI tool that I bolted together some years ago without much planning or designing. Every week, I felt the need to update the tool, make it more comfortable, add functionality, give it a web UI, and whatnot. Thinking about the required time to invest, and noticing that the newsletter writing workflow is bumpy but always gets the newsletter out in the end, I always postponed the work on all those improvements.

Now, with a coding buddy at my side, I wanted to see if the quality jump of the latest frontier models is worth the hype. I notice that the developer community is still deeply divided on the idea of letting matrix calculators (a.k.a LLMs) mess with one's codebase. I have been meandering between the poles, being enthusiastic about impressive accomplishments at some times and deeply skeptical at other times, when AI seemed to take a wrong turn.

I decided that the best way to deal with this is to get my hands dirty and hand over a wishlist for my newsletter tool to Claude. In turn, Claude peppered me with questions before generating a specification in ten parts. I then started to let Claud implement each part, one by one, always inspecting the results.

For some parts of the spec, Claude generated flawless or near-flawless code, while other parts required some bug chasing, with Claude's help, of course. Claude turned out to be quite capable of analyzing business and database logic, but the web UI it generated is kind of... clumsy (but works).

While I'm still pushing Claude through the specs, I want to share some intermediate learnings and results.

YOLO?

Running an LLM agent in "always ask" mode can become tedious after a while, not to mention the slowdown caused by not noticing that the agent waits for input. Now, now one in their sane mind should enable --dangerously-skip-permissions (a.k.a. YOLO mode) on any machine used for serious work. I had researched a few options for enclosing an agent in a sandbox-like environment, such as a microVM. But time solved my problem: Docker Sandboxes became usable (albeit still with an "experimental" status), so running a sandboxed agent became as easy as –

docker sandbox create claude
docker sandbox run claude-ag

...where ag is the name of my CLI tool. The sandbox gets a name made of the model and the repository the sandbox was created in. So I can run an agent on my machine that has only access to the current directory and the network. Interestingly, Docker Sandbox starts the LLM inside the sandbox in yolo mode by default.

Tooling

I heard that MCP servers burn a lot of tokens besides the ones needed for actual work, so I decided to install some tools I deemed necessary inside the sandbox. For that, I wrote a bash script that I can reuse whenever I instantiate a new sandbox. It installs a few Go tools:

echo "export PATH=$PATH:$(go env GOPATH)/bin" >> ~/.bashrc

# Language server
go install golang.org/x/tools/gopls@latest
go install golang.org/x/tools/cmd/goimports@latest

# Vulnerability checker
go install golang.org/x/vuln/cmd/govulncheck@latest

# Linters: golangci-lint, go-critic, staticcheck
curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.10.1
go install github.com/go-critic/go-critic/cmd/go-critic@latest
go install honnef.co/go/tools/cmd/staticcheck@latest

...and a few more, and also some non-Go tools like neovim and sqlite3, in case I open a shell inside the sandbox.

Token usage

Agents can consume quite a few tokens when plowing through code. To limit my expenses, I subscribed to Claude Pro at $20/month, based on experiences made by others (for example, Kyle Redelinghuys). I mostly let Claude run while I'm commuting, which puts a natural limit on the number and length of my Claude sessions. So far, my weekly usage has never exceeded about 20% of the weekly limit, but I'm working on it :)

Bottom line

So far, I am pleased with both how Claude Code works and the results it delivers. For small projects, such as my newsletter tool, it is capable enough to oversee and understand the codebase, make useful suggestions, and change the code without breaking things. To make code changes more robust, I told Claude to use red/green TDD, which seems to make Claude stick more to test-driven development than when telling it to "write and run tests". But Claude also tends to forget things I told it via CLAUDE.md, such as keeping the README in sync with code changes. Risks may lie in the future, however. It remains to be seen how (un-)maintainable my codebase becomes after a couple more iterations. (In the latest go podcast() episode, Dominic St-Pierre talks about his experiences with degraded maintainability.)

Going from "chat-mode" coding to agentic development turned out to be a significant step up in terms of coding pace. The long-term impact on quality remains to be seen.

But now on to this week's news!

–Christoph

Featured articles

Solod: Go can be a better C

So you love to write Go but you work on a C codebase? Solod is here to rescue you: Write (a subset of) Go, get C11. Zero runtime, full Go tooling.

Best Practices for Secure Error Handling in Go | The GoLand Blog

"...the error-handling paradigm in Go makes developers somewhat vulnerable to disclosing sensitive information, such as paths, SQL queries, credentials, identifiers, or stack traces." I utterly fail to see how this is different from any other error-handling paradigm. Whenever internal system information bubbles up from the depths of the code into log files and stdout, care has to be taken about what to include.

Apart from this, this long and detailed article is highly informative for anyone interested in securing their error output.

INTRODUCING LOOM – loom

Think "Svelte without Javascript" or "JSX without the tooling". In the Loom frontend framework, all markup is composed of Go functions, signaling is concurrent, and UI technology is flexible (web, TUI, native).

Podcast corner

go podcast() | 077: LLMs, with great power comes great responsibility

How do LLMs affect code quality? Ramesh and Dominic have a mixed view: LLMs can churn out code faster than any developer, but there output needs tight review. Multi-day refactorings caused by LLM-generated code may become more common in the future, and Dominic observes that when he looks at old code, he understands his own hand-written code better than that of an LLM.

More articles, videos, talks

Developing a 2FA Desktop Client in Go - YouTube

Alex Pliutau revisits Wails to build a 2FA client.

Having fun with the Go Source Code

A discussion about AI usage has emerged on Reddit, hence to clarify: The site was written with AI help, but the author claims that the code examples are entirely theirs and were tested in two live workshops.

Self-Healing VPN Prototype (Runtime + Autopilot + Failover Demo) - YouTube

If you think "Software-Defined WAN", you're quite close, but the author claims that their approach is more session-centric rather than tunnel-centric.

JIT Compiler for Golang - YouTube

The author wrote a JIT compiler for CPU emulation. Emulators constantly run code analysis for detecting common code paths, and if a code block repeats for a hundred or thousand or ten thousand times, it's worth compiling it to machine code once instead of interpreting it again in every single iteration.

If you prefer reading over watching, this video has an accompanying blog article.

Building a Kafka-style commit log from scratch.

The author wanted to understand how Kafka's commit logging works, so they built one from scratch.

Hister

How do search engines like Bleve or Hister (built on top of Bleve) manage indexing large amounts of text? In this article, you'll learn how to build a simple indexer with Bleve, add mappings, query your data, use paging, and deal with multiple indexes.

Projects

Libraries

GitHub - TA-Lib/ta-lib-cgo: TA-Lib for Go - easy to use, cross platform, CGO wraps embedded TA-Lib, zero deps · GitHub

Technical Analysis—now with Go support! TA-Lib is a C/C++ library for technical analysis, with wrappers for Python, Zig, Ruby, and R... and now also Go.

GitHub - anatol/naturaldate.go: Parse dates and durations using natural-like language in Go · GitHub

Let your users type in dates in natural language: today, last month, etc.

GitHub - divs1210/libgoc: A Go-style CSP concurrency runtime for C: threadpools, stackful coroutines, channels, select, async I/O, and garbage collection in one coherent API. · GitHub

So this one's a bit outside the criteria for including into a Go newsletter, but still: This C library took inspiration from Go's concurrency primitives to bring the CSP paradigm (communicating sequential processes) to C.

gRPC-Go has an authorization bypass via missing leading slash in :path · CVE-2026-33186 · GitHub Advisory Database · GitHub

The google.golang.org/grpc package has a critical vulnerability affecting gRPC-Go servers that use path-based authentication interception and have specific "deny" rules for canonical paths in their security policy.

Patched in v1.79.3.

glyph — Go TUI Framework

If you think "TUI", the first thing popping in your mind might be "Bubbletea", but it's good to see other concepts as well. This one, Glyph, is in its early-alpha stages.

GitHub - jpl-au/fluent: Type-safe HTML generation for Go using a fluent API. No templates, native types, automatic escaping. · GitHub

Another html/template replacement? Well, the author did look at other packages but did not find the one that works best for him.

Tools and applications

GitHub - stephnangue/warden: An identity-aware egress gateway that replaces cloud credentials with zero-trust access, governing every cloud API call — from developers and pipelines to AI agents and Kubernetes workloads · GitHub

The reasoning behind this project is that "one hardened, auditable, policy-enforced component is a smaller attack surface than N workloads each managing credentials with inconsistent hygiene." The tradeoff is that you have to put some trust into a component that operates in a quite central, security-critical place.

GitHub - guilherme-grimm/graph-go: simply nodes and graphs · GitHub

Distributed systems can become complex quickly, but if your system is based on Docker containers, this tool sends X-rays through your apps, services, and databases and visualizes the connections between them.

GitHub - carlos7ags folio: HTML to PDF in your browser

Folio is not only a PDF layout engine for Go. It's also an HTML-to-PDF converter, either for your Go code interactively in the browser (compiled to WebAssembly).

GitHub - anzellai/sky: Sky programming language · GitHub

Do you have a soft spot for Elm-style languages but love how Go produces stand-alone binaries? Here's both features combined.

Completely unrelated to Go

I think AI is pushing me toward the AGPL - by Julio Merino

Liberal licenses like BSD or MIT are often chosen in hope that one's libraries gain higher usage. AI is about to kill this liberal model. AI can fork and rewrite your code in no time and claim that it just "took inspiration" from your code, if giving credits at all. You are left behind, empty-handed, knowing all your hard work was done for nothing.

Julio Merino, a long-time user of liberal BSD-style licenses, severely considers switching to copyleft licensing. But the decision is not as easy as it might seem.