

If creating OSS is this low effort, the right question is: What high effort assets, that are valuable to other builders, should open communities be working on? And I think the answer is open source models with open training and open training data.

The generous take is that this is someone's pet project that marketing got too excited about, and that the leadership haven't applied their minds to. GPL provides a moat for the community, who are contributing their time and energy into a project. It ensures that, even if a commercial company grabs your software, extends it, and commercializes it, you can fold those improvements back into your original distribution. While the commercial entity benefits from your free labor, you benefit back from theirs.

Re-implementing WordPress (their words, not mine) as MIT licensed, while legally questionable, breaks that virtuous cycle and removes the community's moat. They've taken WordPress's roles and menus and borrowed its Gutenberg code (which is GPL), and launched it as an MIT licensed product, which breaks that virtuous cycle. It means e.g. a hosting company can take the product closed source if they want to, and never have to contribute any of what they build on top of the community's work back to the community.

https://github.com/emdash-cms/emdash/tree/main/packages/core... says "The core EmDash CMS package - an Astro-native, agent-portable reimplementation of WordPress."

Emdash uses WP's RBAC roles. Also uses their menus. Also depends on @wordpress/block-serialization-default-parser which I think might (??) be able to be used by an MIT project even though WordPress is GPL.

They used Claude Code it seems because the first commit has a CLAUDE.md file which became an AGENTS.md.


In the source there is an outbound-only Remote Control session that can forward recent transcript history and ongoing user/assistant/local-command events to a claude.ai session, likely for cross-device/session sync, remote viewing, internal dogfooding, or telemetry/ops experiments. It’s separate from the normal explicit /remote-control flow. But in the actual production binary I checked, the mirror helpers are compiled down to hard false, so it does not appear enabled in the shipped distribution build.

Same story for the anti_distillation: ['fake_tools'] path: I could find it in source, but the prod binary I checked does not contain the anti_distillation / fake_tools strings at all.


Come on guys. Yet another article distilling the HN discussion in the original post, in the same order the comments appear in that discussion? Here's another since y'all love this stuff: https://venturebeat.com/technology/claude-codes-source-code-...

The only sensible response is to immediately open source it.

Agreed. This is a big deal.

Bet you’re pissed.

Haven’t looked at the code, but is the server providing the client with a system prompt that it can use, which would contain fake tool definitions when this is enabled? What enables it? And why is the client still functional when it’s giving the server back a system prompt with fake tool definitions? Is the LLM trained to ignore those definitions?

Wonder if they’re also poisoning Sonnet or Opus directly generating simulated agentic conversations.


Not sure, and not completely convinced of the explanation, but the way this sticks out so obviously makes it look like a honeypot to me.

Great theory. I'll dig deeper.

Claude Code has a server-side anti-distillation opt-in called fake_tools, but the local code does not show the actual mechanism.

The client sometimes sends anti_distillation: ['fake_tools'] in the request body at services/api/claude.ts:301

The client still sends its normal real tools: allTools at services/api/claude.ts:1711

If the model emits a tool name the client does not actually have, the client turns that into No such tool available errors at services/tools/StreamingToolExecutor.ts:77 and services/tools/toolExecution.ts:369

If Anthropic were literally appending extra normal tool definitions to the live tool set, and Claude used them, that would be user-visible breakage.

That leaves a few more plausible possibilities:

fake_tools is just the name of the server-side experiment, but the implementation is subtler than "append fake tools to the real tool list."

or

The server may inject tool-looking text into hidden prompt context, with separate hidden instructions not to call it.

or

The server may use decoys only in an internal representation that is useful for poisoning traces/training data but not exposed as real executable tools.
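The comment above rests on one client-side behaviour: the client sends its real tool list, and any tool name the model emits that is not in that list becomes a "No such tool available" error rather than something that executes. The block below is an added illustration of that dispatch logic, written for this page; it is not Claude Code's source. The tool names, the request-body shape, the antiDistillation flag and the sample assistant turn are all assumptions constructed for the example.

```typescript
// Added example (not Claude Code's code): a client-side tool dispatcher that
// only executes tools it actually has, and turns any other name the model
// emits into an error result. Names and shapes below are assumed.

type ToolInput = Record<string, unknown>;

interface Tool {
  name: string;
  description: string;
  run(input: ToolInput): string;
}

interface ToolUse {
  type: 'tool_use';
  id: string;
  name: string;
  input: ToolInput;
}

interface ToolResult {
  tool_use_id: string;
  is_error: boolean;
  content: string;
}

// The client's real, locally executable tool set (constructed sample).
const allTools: Tool[] = [
  { name: 'Read', description: 'Read a file', run: (i) => `contents of ${String(i.path)}` },
  { name: 'Bash', description: 'Run a shell command', run: (i) => `ran: ${String(i.command)}` },
];

// Request body as a client might assemble it. The optional anti_distillation
// field is gated by a flag (assumed name); the tool list sent is always the
// real one, so nothing fake is ever advertised to the model by the client.
function buildRequestBody(opts: { antiDistillation: boolean }): Record<string, unknown> {
  const body: Record<string, unknown> = {
    model: 'example-model', // assumed placeholder
    tools: allTools.map((t) => ({ name: t.name, description: t.description })),
  };
  if (opts.antiDistillation) {
    body.anti_distillation = ['fake_tools'];
  }
  return body;
}

// Execute one tool_use block. The lookup is against the real tool set only:
// a decoy name injected anywhere else cannot reach a runnable implementation.
function executeToolUse(use: ToolUse, tools: Tool[] = allTools): ToolResult {
  const tool = tools.find((t) => t.name === use.name);
  if (!tool) {
    return { tool_use_id: use.id, is_error: true, content: `No such tool available: ${use.name}` };
  }
  try {
    return { tool_use_id: use.id, is_error: false, content: tool.run(use.input) };
  } catch (e) {
    return { tool_use_id: use.id, is_error: true, content: `Tool ${use.name} failed: ${String(e)}` };
  }
}

// Process a whole assistant turn and count how many calls would surface to
// the user as "no such tool" errors. If the server were appending ordinary
// decoy tool definitions and the model called them, this count would be
// non-zero in normal use, which is the user-visible breakage the comment
// above argues against.
function runTurn(uses: ToolUse[]): { results: ToolResult[]; unknownCount: number } {
  const results = uses.map((u) => executeToolUse(u));
  const unknownCount = results.filter((r) => r.content.startsWith('No such tool available')).length;
  return { results, unknownCount };
}

// Constructed sample turn: one real tool call and one call to a name the
// client does not have.
const sampleTurn: ToolUse[] = [
  { type: 'tool_use', id: 'toolu_1', name: 'Read', input: { path: '/etc/hosts' } },
  { type: 'tool_use', id: 'toolu_2', name: 'DecoyTool', input: {} },
];

const outcome = runTurn(sampleTurn);
console.log(JSON.stringify(buildRequestBody({ antiDistillation: true })));
console.log(JSON.stringify(outcome, null, 2));
```

The point of the example is the lookup in executeToolUse: because it consults only the client's own registry, anything the model has been led to believe exists but the client does not ship is inert, which is why a visible decoy in the live tool list would show up as errors rather than run.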


We do know that Anthropic has the ability to detect when their models are being distilled, so there could be some backend mechanism that needs to be tripped to observe certain behaviour. Not possible to confirm though.

Who's we, and how do you know this?

We can be used to refer to people in general, and we know because Anthropic published a post called "Detecting and preventing distillation attacks" a month ago, while calling out 3 AI labs for large scale distillation

https://www.anthropic.com/news/detecting-and-preventing-dist...


Can we immunize HN against being yet another AI drama site? Obviously this isn’t a fundamental issue with agents or AI or Anthropic but a misconfiguration edge case.
