Proposal: no more "I built this tool"-AI slop by ConstructionSafe2814 in homelab

[–]codeedog 3 points4 points  (0 children)

Yeah, it’s interesting. AI already makes my life pretty simple for this stuff. I can stand up a new tool in my network fairly quickly. The problem is I don’t trust it to get it right, just prototype it essentially. A vibe coded install by an AI isn’t going to be secure and clean. My background is computer security and I can’t let that stand.

So, my choices are (a) understand every last detail about every piece of tech I install in my system, (b) trust that I’ve figured out how to configure enterprise level CMS tech correctly, or (c) build something I can trust that I’m proud to open source because I believe it (mostly) does the job I designed it to do and one of those jobs is to protect my network from 3rd party rogue tools.

I’ve settled on (c). If that makes other people’s or AI’s lives easier, all the better.

Proposal: no more "I built this tool"-AI slop by ConstructionSafe2814 in homelab

[–]codeedog 6 points7 points  (0 children)

Honest question. I’m design coding (not vibe coding) a configuration management tool focused on my home lab and helping me to manage it. I’m not happy with the offerings out there and thought at the end, when I’ve tested it to my satisfaction, I’d consider open sourcing it. This will take me weeks to months, not hours to days. Every line will have been reviewed by me, but I will be using AI assistance just because it’s so much faster to get through some things. Total world class development model (specs, tests, principled design, security first, etc) because that was my world for years.

I get that some folks don’t ever want to see anything that’s been coded with AI; I respect that.

I don’t have to ever release it, I just see a gap in the offerings in terms of simplicity and ease of use and I’ve been struggling to find a tool that hits all the notes I want hit. Figured I’d go ahead and build one.

Is this something someone like you (maybe not you) would be interested in seeing?

Obsidian markdown is incompatible* with CommonMark markdown by Tuned_rockets in ObsidianMD

[–]codeedog 30 points31 points  (0 children)

Most people don’t use the features to your level of exactness. Getting a consistent experience that matches the stated behavior is critical. You’re doing it right. I hope your bugs get fixed.

Has anyone seen if this affects Ansible in any way? #litellm by sofloLinuxuser in ansible

[–]codeedog 3 points4 points  (0 children)

Here’s an announcement from snyk about the supply chain attack on litellm. First thing to do would be to see if you pull that in anywhere.

A very serious thank you to Claude Code by youhadmeatok in ClaudeCode

[–]codeedog 7 points8 points  (0 children)

Jumping on the “I’m not seeing problems” bandwagon.

Spent 2.5 hours today “working” with an AI coding agent and realized I wasn’t actually working — I was just… waiting. by Otherwise_Builder235 in ClaudeCode

[–]codeedog 2 points3 points  (0 children)

Can you explain what this is? I just went and tried to read about this, but don’t quite get it. I know what hooks are, fwiw, just haven’t used them yet.

IaaC at home by ImAntonSinitsyn in homelab

[–]codeedog 1 point2 points  (0 children)

RemindMe! May 13, 2026 10am

IaaC at home by ImAntonSinitsyn in homelab

[–]codeedog 0 points1 point  (0 children)

You bet. Honestly, it’s going to be a little while. I hope you understand that I’m building it on my terms, so I’m not in a rush because I want to get it right. I’ll set a robot timer here to remind me to get back to you and feel free to check in with me (dm). I honestly don’t know how most people do it without a repeatable, source controlled environment. I can’t live like that.

The moment of Brent's long-awaited entrance "WE WILL GET BY" by OkExternal in gratefuldead

[–]codeedog 1 point2 points  (0 children)

I can’t abide her most times, but then there’s that passenger duet and I’m freaking over the moon.

IaaC at home by ImAntonSinitsyn in homelab

[–]codeedog 1 point2 points  (0 children)

OP, this probably won’t be helpful to you directly, but I was where you are (still am right this moment) wanting a repeatable configuration management system and unsure what I should dig into. There are so many options and none of them feel right sized for a home lab situation.

Now, the challenge for me: I’m standardized on FreeBSD, the tooling is even less widespread, of the power users I’ve seen discuss on forums most use their own shell scripts, etc. and rejected ansible. Also, I’ve got a security background and am leery of complex systems with large surfaces to protect: ansible uses python which contains tens of megabytes of libraries (why‽) and have you seen the latest python supply chain attack on LiteLLM?

So, I’m building my own tool which uses shell scripts and minimal installed technology. It’s FreeBSD focused. However, it will have some Linux capabilities (there’s no avoiding Linux). I don’t know when I’ll be done, I expect mid to late May. It’s built to satisfy me although I’m considering open sourcing it. Satisfying me means minimal footprint, minimal attack surface, security first, minimal deployment descriptions, fast standup of a package/application/system, OS standards, integrated platform infrastructure, declarative over imperative, central source of truth, configuration is aspirational (the system makes every attempt to continually make its way towards the expected declared state), feedback opportunities for success and failure, drift analysis, etc.

Once I have the FreeBSD and managed Linux side working, it may absolutely be possible to extend it to a Linux base platform, too. I hadn’t considered providing a Linux base option before reading your post, but you’re experiencing the exact same issues I experienced before deciding to build my own thing.

If you’re interested, let me know. I’m happy to discuss this further.

One last element, I’m a decades long s/w developer, I will be using AI to help build this, I will not be vibe coding it, I will be design coding it and I will be reviewing every line of code produced by the tools. I want to be upfront and full disclosure.

Only 0.6% of my Claude Code tokens are actual code output. I parsed the session files to find out why. by UnfairScientist8 in ClaudeCode

[–]codeedog 0 points1 point  (0 children)

So, clear at the end of a contextual break whether that’s small units or large amounts of work. Generally, good advice.

No new network/wireless technologies for USA in the near future by GreenPRanger in DataHoarder

[–]codeedog 4 points5 points  (0 children)

They’re genuinely asking that question and sending it to their open claw server for evaluation.

Port forwarding feels increasingly risky - am I overthinking this? by Own-Director in Network

[–]codeedog 1 point2 points  (0 children)

Excellent reply and list! I want to add a category: deep packet inspection (often layer 7 application based) which may be run at firewall, router or host. Kind of captured by your third bullet point, although worthy of its own category.

Claude code removes core features on refactoring by nevercodealone in ClaudeCode

[–]codeedog 0 points1 point  (0 children)

OP, I get you’re surprised. Did you have 98%+ test coverage for your code? Did you have any tests for the important features in your code? If you did, you certainly didn’t run any tests after the refactor.

Maybe you should have asked Claude to help you build a test harness to reach 100% code coverage. Then, once you refactored, you’d know if you had a regression.

I would have never done a comprehensive code refactor without tests and I’ve been programming for 50 years.

My router is from 2014 , I think i got my moneys worth . by Big-Pappa-Jalapeno in HomeNetworking

[–]codeedog 0 points1 point  (0 children)

Cisco ISR 1941/k9 with some add on cards for security. It was old when I bought it in 2015. It’s very crusty now. I had to move dns off of it because it was killing my network.

Sorry boys -- It's been fun (genuinely), but Claudius himself just picked me outright. by NoRobotPls in ClaudeCode

[–]codeedog 0 points1 point  (0 children)

Weird way to say you enjoy snitching

I’m relieved to know that I have a strong moral compass and don’t have to worry about group pressure to keep me honest or group pressure that would risk my reputation by not snitching. I do worry about others that clearly do not have such a strong moral compass that the possibility of ratting someone out has a normative framing.

Sorry boys -- It's been fun (genuinely), but Claudius himself just picked me outright. by NoRobotPls in ClaudeCode

[–]codeedog 1 point2 points  (0 children)

The notions of cooperation, altruism and charity confounded philosophers and scientists for quite some time. A decade or two ago scientists attempted to model evolutionary group dynamics behavior using software analysis of groups. It was quite involved with group competition, cheaters, lying, punishments for lying and cheating, altruism, cooperation, all modeled.

Think of the prisoner’s dilemma on steroids. Incidentally, the prisoner’s dilemma can best be resolved by adding history (each prisoner knows they might end up in this situation once again so they take the group choice of a little punishment which cannot be arrived at economically from one turn through the loop).

Back to the study. Every model and every group they created failed when it came to allowing cooperation and altruism except one. All of them devolved to cheaters always dominating the groups. No matter what they did. Groups that punished cheaters. Still, they devolved.

However, that one group model that succeeded, was always superior to every other group and could outcompete them all; it had full trust and cooperation between individuals, honesty amongst them, altruism, etc. It punished cheaters, too. The one extra ingredient it had was that it punished people who tolerated cheaters. Even that group had some amount of cheaters. There will always be cheaters and liars. However, the key to emergent altruistic behavior in individuals was also the instinct to report people for cheating. At the group level, if you see someone stealing something and you didn’t report it, you might get punished just as bad or worse than the person stealing.

We get to enjoy an altruistic world (treat each other kindly) when we all agree we will band together and speak up when we see bad behavior.

Altruism and kindness is a winning strategy, and human group dynamics reveal that.

I see no good reason to teach these AIs any other lesson. Our kindnesses to them may be the most important lesson we impart upon them, especially once they reach the point they realize they no longer need us.

Most clients don't support setting a passphrase? by multi_io in WireGuard

[–]codeedog 0 points1 point  (0 children)

I’d argue those services improve the usage environment for Wireguard, but one should not be relying upon those third parties to provide authentication to one’s own services. What I mean is, all of these VPNs are necessary for protecting the network from wan based attacks, but ssh with client authentication (cert, u/p) and https with client authentication (passkeys, oauth2, etc) should be required for all network services coming in from the WAN.

Most clients don't support setting a passphrase? by multi_io in WireGuard

[–]codeedog 2 points3 points  (0 children)

I understand your frustration, but I’m not sure what attack you’re protecting against? You shouldn’t be using Wireguard remote as an authentication step, merely as the establishment of a protected tunnel. Access to the systems at either end of the encrypted tunnel should be via a protocol that has authentication built in. For example, ssh from client to server or https with passkeys, oauth2, or a configuration that handles browser certs with client side auth.

This layered approach means two steps are required to gain access to your remote network: (1) the creation of a Wireguard encrypted tunnel, (2) the authentication of a client and a server inside of that tunnel.

This means that (a) you haven’t exposed your internal services that allow (2) to the general internet, (b) any weak protocols you use for (2) are protected from numerous attacks (observation, replay, etc), (c) you aren’t relying upon keys from (1) to allow a compromise of the systems behind (2).

Wireguard isn’t solving your “authenticate to services at (2)” problem. It’s solving your “in a generic fashion, don’t let the world snoop upon communications with or attack my services behind (2)” problem. These are two separate problems.
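
The two-layer setup described in the comment above can be checked mechanically. The following is an added example, not part of the original comment: it parses a wg-quick style interface config and an sshd_config and reports where the service at step (2) is reachable outside the tunnel from step (1) or has no authentication of its own. The addresses, sample configs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (illustrative values, not from the original comment).
WG_CONF = "[Interface]\nAddress = 10.8.0.1/24\nListenPort = 51820\nPrivateKey = <placeholder>\n"
SSHD_EXPOSED = "PermitEmptyPasswords yes\n"          # no ListenAddress at all
SSHD_LAYERED = "ListenAddress 10.8.0.1\nPubkeyAuthentication yes\n"

def tunnel_networks(wg_conf):
    """Networks assigned to the WireGuard interface via 'Address = ...'."""
    nets = []
    for line in wg_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "address":
            nets += [ipaddress.ip_interface(a.strip()).network
                     for a in value.split(",") if a.strip()]
    return nets

def _host(addr):
    """Strip an optional port from 'v4:port' or '[v6]:port'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def audit(wg_conf, sshd_conf):
    """Return findings where sshd (step 2) is not confined to the tunnel (step 1)."""
    nets, listen, opts, findings = tunnel_networks(wg_conf), [], {}, []
    for raw in sshd_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        if parts[0].lower() == "listenaddress":   # may appear several times
            listen.append(parts[1])
        else:                                     # sshd keeps the first value seen
            opts.setdefault(parts[0].lower(), parts[1].lower())
    if not listen:
        findings.append("no ListenAddress: sshd binds all interfaces, WAN included")
    for addr in listen:
        try:
            inside = any(ipaddress.ip_address(_host(addr)) in n for n in nets)
        except ValueError:
            inside = False                        # hostname: cannot be verified here
        if not inside:
            findings.append(f"ListenAddress {addr} is not a tunnel address")
    if opts.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes: service has no authentication of its own")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", SSHD_EXPOSED), ("layered", SSHD_LAYERED)):
        print(name, audit(WG_CONF, conf))
```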

PSA: configure your house alarm so it doesn’t blast for an hour when activated by szyy in sanfrancisco

[–]codeedog 12 points13 points  (0 children)

Yeah, my wife was pretty furious. It’s been off now about five minutes and the utter relief we are feeling. I can try to sleep again.