|
Anthropic had a rough week. And the part that stings isnât just that something went wrong - itâs how they handled it. A map file, a DMCA frenzy, and a Python loopholeOn March 31st, Anthropic accidentally shipped Claude Codeâs TypeScript source code via a map file left in their npm package. The leak was spotted almost immediately, and GitHub repositories mirroring the code started receiving DMCA takedowns shortly after. What followed was a fairly aggressive takedown campaign by Anthropic. One of the interesting things that happened as a result of this takedown campaign was that someone used an AI agent to rewrite the leaked TypeScript into Python. Functionally equivalent, but different language means that DMCA doesnât apply. DMCA protects specific expression, not ideas or functionality. A port isnât a copy. Ironically, Anthropic, who themselves have trained models on derived works and leaned on the argument that AI output isnât straightforwardly copyrightable, canât easily pursue this without creating precedents that cut directly against their own interests. Then they made it worseA few days later, on April 4th, Anthropicâs Boris Cherny announced that Claude subscriptions would no longer cover third-party tools like OpenClaw. Effective immediately. Users could still access Claude via their own login with usage bundles, or pay per token via the API - but the free ride for tools built on top of Claudeâs subscription tier was over. The stated reason was capacity. Subscription plans werenât designed for the usage patterns these tools generate. I understand the economics. But the timing, and the bluntness of the move, are hard to separate from the week Anthropic just had. This is a company that built significant goodwill with developers - the kind of goodwill that comes from making genuinely good tools and being transparent about how they work. Cutting off third-party ecosystem tools with little notice, right after a messy source code incident, reads as pulling up the drawbridge. Developer-hostile is a strong phrase. But Iâm not sure what else to call it. Whatâs making things worse is that the rules about this limitation are not clear. Matt Pocock summarized the absolute mess around this in a thread on Twitter. See for yourself. The silver lining: what the leak actually revealedMy colleague Nnenna Ndukwe at Qodo wrote something genuinely worth reading - a deep dive into the governance patterns inside the leaked Claude Code source. If youâre going to accidentally publish your source code, the least you can do is have code worth learning from. And apparently thereâs a lot to learn. The patterns Nnenna describes are the kind of structural quality work that rarely makes it into blog posts: how the pipeline is governed, how trust is maintained across the delivery chain, what the release process reveals about how Anthropic thinks about integrity. Itâs a valuable read regardless of how you feel about the incident that made it possible. The uncomfortable question the post raises implicitly: if these patterns were in place, how did the map file still slip through? Strong architectural governance doesnât automatically catch everything. Release pipelines have gaps that code review doesnât touch. A practical thing while weâre hereIf you use Claude Code, @zodchiiiâs thread on hooks is worth bookmarking. Eight concrete hooks for automating quality enforcement - auto-formatting, blocking dangerous commands, preventing PRs if tests fail. The key insight is that CLAUDE.md instructions are followed about 80% of the time, but hooks execute every time. One is a suggestion; the other is a gate. The comfortable liesI published a post on my blog this week - Maslowâs Hammer and three lies QA tells itself - about where quality engineering is actually headed, and the self-soothing myths that make it hard to see clearly. I wrote it because I keep seeing QA professionals framing the AI moment as something that will pass, or something that doesnât really affect what they do. I think thatâs wrong, and I think itâs comfortable to be wrong about it. Iâd love to hear how youâre thinking about this. Are you seeing quality work change shape in your organization, or does it still look more or less the same as it did three years ago? |
Sign up for weekly tips on testing, development, and everything related. Unsubscribe anytime you feel like you had enough đ
Hey Reader,, Theo asked a question this week thatâs been sitting in the back of every developerâs head: how much better do the models have to get before you stop reading the code? Itâs been going on for days, but I honeslty love it. We are talking about verification and quality! Although the initial question might not be the right one. Reading was never the goal, itâs one tactic for earning the right to ship something. If reading is the sharpest tool youâve got, read. If you have something...
Hey Reader,, A few years ago Cursor was a nicer place to type code. This week it announced Origin, its own Git competitor built for agent workloads, and got acquired by SpaceX for sixty billion dollars. Somewhere in between, it stopped being an editor and started becoming the whole stack â the place you write, review, merge, and increasingly test your software. I come from QA, so my first instinct isnât excitement, itâs a question: when one tool owns every step of the loop, whoâs the...
âToo dangerous to releaseâ has become its own genre of AI announcement. Project Glasswing is the latest entry: not quite a product launch, but a claim about a threshold, dressed up with enough corporate coalition to signal this one is serious. Anthropic says their new security-focused model, Claude Mythos Preview, can find software vulnerabilities better than all but the most skilled human experts. George Hotz challenged the âtoo dangerous to releaseâ narrative by pointing at the obvious:...