3 Comments
Renaud Gaudron

Claude Code for web is great news. It’s far more convenient than the CLI version when you’re on the go, and it’s more secure by design.

JP

The sandbox framing is spot on. I've been testing a different angle on this though. Vercel's CTO rebuilt bash from scratch in TypeScript (just-bash). No child processes, no real filesystem, no network unless you explicitly opt in. Lighter than containers but covers the 95% case where agents just need to grep and process text. Wrote it up here: https://reading.sh/vercels-cto-built-a-fake-bash-and-it-s-pure-genius-a79ae1500f34?sk=9207a885db38088fa9147ce9c4082e9d

Pawel Jozefiak

Great writeup Simon. The sandboxing point is crucial and underappreciated - network isolation preventing data exfiltration is what makes the "fire and forget" model actually safe.

I've been using the CLI version extensively for building Wiz (a personal AI agent system), and the web version fills a different niche. CLI for deep project work where I need full filesystem access; web version for quick one-off tasks where convenience beats control.

Your MiniJinja benchmark example highlights what I love about this: the iterative loop where you refine requirements based on results. That's fundamentally different from traditional coding. You're directing, not writing.

One observation from heavy CLI usage: the "trusted network access" mode is where things get interesting for integrations. But as you note, verifying those domain allow-lists is critical. I wrote about my experience balancing trust vs. verification here: https://thoughts.jock.pl/p/claude-code-review-real-testing-vs-zapier-make-2026