tristanpemble

quiz: a vibecoded QUIC library in Zig

I know, I know. I promise I will explain myself, but before I do, I need to set the stage. That said, if that title did not make you spit out your drink, you might want to reflect on that.

Yes, this post was written with my own feeble brain. No, I do not look forward to comments by people who haven’t read it.

On coding agents

I feel like every one of these articles starts with staking some flag in the ground for or against LLM agents, specifically in terms of software development. Usually that comes with some peacock puffing on morals that I don’t find very interesting.

If you must know, I find it all mildly amusing. I enjoy seeing people lose their minds at what they perceive they are now capable of, and the potential of the technology. I equally enjoy other people shouting at those people about actually realized returns, S-curves, hype cycles, and the negative impact the technology will have/is having on society. I think all of these people have a lot of good points.

Consider me an AI nihilist. Equal parts horrified and entertained, but comfortably powerless in steering what seems like an inevitability at this point. Microsoft’s approach to agentic product development disgusts me, so I will choose to stop using GitHub going forward and elect to use Codeberg instead. However, I recognize my complete lack of ability as an individual to change what is happening.

How I use them

Despite my abject horror, I also use the things daily. Oftentimes in ways that I consider perfectly reasonable: summarization, recall, jumping off into concepts I don’t yet know deeply, basic autocomplete, diving into and learning a new codebase. If it has to do with consumption, I have basically no qualms with the tools, and find them quite helpful.

Other times, I use them in ways that I believe are extraordinarily unreasonable... which I can basically reduce to producing things other people might use or consume that I have not personally vetted. In concrete terms, in the last month and a half, I have “vibecoded” these projects with Claude Code (mostly in Zig, sometimes Rust):

Here’s the thing: if you look at my Codeberg/GitHub, you’re not going to find a single one of these projects. Not one. I am not using any of these projects. They have been deployed nowhere. I would never personally sign up for maintaining any of these codebases. I could never in a million years suggest anyone else ever use these codebases for anything even resembling a production workload. As such, I have not unleashed them into the world, because I believe doing so would be reckless and irresponsible.

So why did I “vibe” them? If I am honest with myself, I think it’s a mixture: two parts joy ride to one part learning experience. I think that in some fucked up way, they have served as a dystopian form of occupational therapy after years and years of pouring myself into other people’s projects professionally. There’s also an element of curious compulsion.

Would I stake my personal security, or my own professional integrity on these projects; let alone take on the liability of an end user’s security? Fuck no.

The library

Reflecting on that thought, I had an idea. What is one of the worst possible projects I could vibecode completely blind with coding agents? Something no one in their right mind should ever use. A library that would curl the toenails of any mildly security-conscious programmer in our industry.

There could be worse, but I arrived at a network transport protocol.

Off and on over the last 24 hours, I have used Claude Code to generate a QUIC implementation in the Zig programming language. I have not read a single line of code. As far as I know, it works. I applied my 25 years of experience as a programmer, and my many years as a software architect, lead and manager to herd these agent bastards into writing an implementation that looks like it probably works.

Here’s what I am thinking. Either these LLMs are sufficiently capable that you trust this codebase with the security of all of your network communication... or they aren’t. I think most of us believe they have not earned such trust.

I would highly encourage you not to use this library in your own software, but you can find the codebase here on Codeberg. The codebase is not really the point, though.

On liability

The thing I really want to discuss, and it’s one of the big reasons I think that LLMs are such a shit show right now in the software industry, is liability.

Please excuse the tired analogy; if I design and sign off on a bridge, and that bridge collapses, killing a bunch of people, I am liable. It doesn’t matter if the blueprints are generated with a large language model or a passel of highly skilled possums with sharpies clenched in their teeth. The design is backed by my personal desire not to lose my reputation, my job, or spend many years in jail. If leadership is pushing me to “ship it”, my personal desire for freedom holds me accountable for neglect. It holds weight.

This, evidently, has not been the case with software. I could have created this library at my day job and had it licensed to any number of organizations. Over the course of a year, your PII might leak due to my complete lack of regard for your personal safety and security. That could lead to the persecution of any number of people (perhaps even their deaths), the loss of ungodly amounts of money, or the leaking of national secrets, who knows!

It’s possible that my employer might be sued. In a just world, the executives might even be held liable. Yet I, the person who wrote the software, would walk freely on to my next contract, taking a six-figure salary, telling a machine what product I need to sell to maintain my income.

In our industry’s current framework, there is no personal incentive for me to push back upward against bad leadership (or walk). That creates no incentive for that leadership to stop pushing downward on me to ship the slop. Couple that with an executive-level prisoner’s dilemma, and it basically guarantees a top-down push spiraling us into insanity.

I don’t know what an answer looks like, but this doesn’t feel right to me. I just hope that we course correct soon.