Open Source Is the Moat

Software has no moat anymore. The ecosystem is the moat — and you defend it with provenance and loops.

Open source is the moat more people need to care about.

Not software — software has no moat anymore. Any feature you ship, an agent can reproduce in a weekend. What cannot be reproduced in a weekend is an ecosystem: the contributors, the trust, the provenance trail, the hundred small packages that already work together because they grew up together.

I have published close to 100 open-source repositories under Apache 2.0. Task management, knowledge, secrets, machine fleets, agent dispatch, loops, sandboxes, browsers, cost tracking. I call them building blocks for AGI and I mean it literally: they are the primitives my agents assemble into products, like Lego bricks, so nothing gets rebuilt twice.

The count did not start at a hundred. It was 32 in March — building blocks meant to replace the SaaS tools my agents would otherwise depend on — and it roughly doubled by the end of April. Today the public org lists 89 repositories and the npm count under @hasna/* is closing in on 100. I did not plan the number. I planned the discipline that produces it: the second time an agent needs a capability, it is a function; the third time, it is a package.

Every one of those packages follows the same shape: a CLI, an MCP server, an SDK, and often a daemon or a small dashboard. A parity test holds the CLI and MCP verb sets identical. Package names are plural nouns — todos, loops, machines, secrets, identities, mementos, conversations — one noun, one domain, one package that owns it. More than fifty of them now stand in for the SaaS a normal team would rent: todos instead of a project tracker, conversations instead of Slack, mementos instead of the wiki nobody reads, files instead of a shared drive. My agents talk to each other and to me through tools I own end to end, source included.
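A parity test of the kind described above, written here as an added example rather than taken from any of the packages' own test suites. It assumes a hypothetical todos package whose MCP tools are named `<package>_<verb>`; the CLI command tree and the MCP tool manifest are constructed, with one verb deliberately drifted so the report has something to say:

```javascript
// Added example (not the author's parity test): check that a package's CLI
// and its MCP server expose the same verb set. The command tree, the tool
// manifest, and the naming rule "MCP tool = <package>_<verb>" are assumptions.

// Constructed CLI command tree for a hypothetical "todos" package.
const cliCommands = {
  name: "todos",
  subcommands: [
    { name: "add" },
    { name: "list" },
    { name: "done" },
    { name: "rm" },
    { name: "help" }, // utility command, deliberately outside the parity contract
  ],
};

// Constructed MCP tool manifest for the same package. One tool has drifted:
// the CLI says "rm", the server says "remove".
const mcpTools = [
  { name: "todos_add", description: "Create a todo" },
  { name: "todos_list", description: "List todos" },
  { name: "todos_done", description: "Mark a todo done" },
  { name: "todos_remove", description: "Delete a todo" },
];

// Utility verbs every CLI has and no MCP server should mirror.
const UTILITY_VERBS = new Set(["help", "version", "completion"]);

// Domain verbs the CLI exposes.
function cliVerbs(tree) {
  return new Set(
    tree.subcommands.map((c) => c.name).filter((v) => !UTILITY_VERBS.has(v)),
  );
}

// Domain verbs the MCP server exposes, with the "<package>_" prefix stripped.
// Tools without the prefix cannot be matched to a CLI verb, so they are
// reported on their own rather than silently dropped.
function mcpVerbs(tools, pkg) {
  const prefix = `${pkg}_`;
  const verbs = new Set();
  const unprefixed = [];
  for (const tool of tools) {
    if (tool.name.startsWith(prefix)) verbs.add(tool.name.slice(prefix.length));
    else unprefixed.push(tool.name);
  }
  return { verbs, unprefixed };
}

// Drift in both directions. An all-empty report means parity holds.
function verbParity(tree, tools) {
  const cli = cliVerbs(tree);
  const { verbs: mcp, unprefixed } = mcpVerbs(tools, tree.name);
  return {
    missingInMcp: [...cli].filter((v) => !mcp.has(v)).sort(),
    missingInCli: [...mcp].filter((v) => !cli.has(v)).sort(),
    unprefixed: unprefixed.sort(),
  };
}

function parityHolds(report) {
  return (
    report.missingInMcp.length === 0 &&
    report.missingInCli.length === 0 &&
    report.unprefixed.length === 0
  );
}

const report = verbParity(cliCommands, mcpTools);
console.log(parityHolds(report) ? "parity holds" : "parity broken", JSON.stringify(report));
```

Run with `node`, and wire the final `parityHolds` check into CI so a verb that appears on one surface and not the other fails the build. The point of reporting unprefixed tools separately is that a tool which ignores the naming rule is not a missing verb; it is a tool the test cannot reason about at all, which is its own finding.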

Pedantic naming is part of the same trust discipline. OpenLoops is explicit that the product is OpenLoops, published on npm as @hasna/loops, developed in the hasna/loops repository, and installed as the binaries loops, loops-daemon, and loops-mcp. A local repo named open-loops mirrors to a public repo named loops, which mirrors to a package named @hasna/loops. Every hop is documented on purpose, because a contributor who cannot map the name they typed to the code they are reading will not trust the rest of the README either.

One of those packages makes the case better than any slogan. The stock browser-automation MCP servers burn 13,700 to 17,000 tokens in tool descriptions before an agent does anything, so I built browser instead — one install, native Bun.WebView, every engine an agent needs, at a fraction of the memory. That is what an ecosystem buys you that a subscription cannot — the freedom to replace a dependency the moment its economics stop making sense, because you own the whole stack down to the tool-call layer.

Three things I have learned running an operation like this in the open.

First: fork respectfully, and say so loudly. Codewith, my daily-driver coding CLI, is a modified derivative of OpenAI's Codex — and the README says exactly that in line two, with a NOTICE file, third-party licenses, and a MODIFICATIONS.md documenting precisely what changed. Same with our forks of Yazi and Zellij, which both intentionally stay close to upstream. Forking is not stealing; forking without provenance is. The value of the commons depends on the paper trail staying honest, so keep it scrupulous even when nobody is checking. Especially when nobody is checking.

A fork has to earn its keep by shipping what upstream never will. Codewith started as Codex and became something else: multi-provider, a gateway layer above the providers, and multi-profile subscription auth with a usage heartbeat that auto-switches profiles when rate limits hit. I run well over a dozen subscription profiles across my machines — consumer subscriptions treated as a schedulable compute fleet. Then goals, chains of goals, workflows, loops, agent-to-agent mailboxes across sessions. None of that was ever going to appear upstream, which is exactly the point.

The instinct to fork instead of filing an issue came from friction, not ideology. I could not submit a pull request for the multi-provider routing I wanted, so I built the fork instead. The same logic produced Open Yasa, a fork of the Yazi terminal file manager I had used happily for a year before I ever touched its source. It adds a machine-aware entry layer — start it and you get a machine chooser, and remote machines browse over sftp with routes resolved live from my machines package — while intentionally staying close to upstream Yazi, MIT license and authorship intact. Open Mosaic does the same to Zellij: structured session and pane discovery, prompt delivery receipts, prompt queues, and audit records bolted onto an agentic terminal workspace. Its status notes are upfront that some internals keep Zellij-derived names — renaming them would break upstream sync and help nobody.

Second: open-core needs a hard boundary, enforced by architecture. The open packages live in the public org. The hosted products live in private repos — and the rule is that a private product must consume its own open-source core through public, versioned npm exports, exactly like a stranger would. No reaching into internals. If the public package is not good enough for my own product, it is not good enough to publish. The design docs go further and state what each package must not become, because scope creep is how open cores rot into marketing shells.

platform-todos is the cleanest example of the pattern: it is described, in its own docs, as a private SaaS wrapper around the open-source todos core, nothing more. OpenLoops states its own non-goal with the same bluntness — its design doc says the daemon can execute workflow work that other systems have already materialized, but it must not become the automation product surface, and that even internal callers should never write rows into its database directly, only through an idempotent CLI or SDK upsert with dry-run and preflight modes first. Partway through a rebuild of my own product, Alumia, I told the team building it — mostly agents — to treat our open-source repositories as SDKs and replace large parts of the app's core architecture with them, exactly the way a stranger installing the packages from npm would. Assembling a product out of your own primitives, without reaching into their internals, is the real test of whether an open-core boundary exists or is just a README claim.
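One way to make the boundary in the two paragraphs above something a CI job enforces rather than a README claim, as an added example that is not the author's tooling. It assumes two hypothetical cores under `@hasna/*` with constructed `exports` maps, and a constructed source file from a private product; any specifier that reaches past the published exports, or that points at a sibling checkout instead of the npm package, is a violation:

```javascript
// Added example (not the author's tooling): enforce the open-core rule that a
// private product may only import its open core through the core's published
// "exports" map. The package names, exports maps, and source sample are
// constructed for this example.

// Constructed package.json fragments for two hypothetical cores. Anything not
// listed under "exports" is an internal the private product may not touch.
const cores = [
  {
    name: "@hasna/loops",
    exports: { ".": "./dist/index.js", "./sdk": "./dist/sdk.js", "./mcp": "./dist/mcp.js" },
  },
  {
    name: "@hasna/todos",
    exports: "./dist/index.js", // string form: only the bare specifier is public
  },
];

// Constructed source from a private product: one import obeys the boundary,
// three reach past it, one is unrelated.
const productSource = `
import { createLoop } from "@hasna/loops/sdk";
import { Scheduler } from "@hasna/loops/dist/scheduler.js";
import { TodoStore } from "@hasna/todos/store";
const db = require("../loops/src/db");
import fs from "node:fs";
`;

// Every specifier from ESM imports, dynamic imports and CommonJS requires.
function importSpecifiers(src) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;
  const specs = [];
  let m;
  while ((m = re.exec(src)) !== null) specs.push(m[1]);
  return specs;
}

// Is the subpath ("." or "./x") one the core deliberately published?
function isPublicSubpath(core, subpath) {
  if (typeof core.exports === "string") return subpath === ".";
  return Object.prototype.hasOwnProperty.call(core.exports, subpath);
}

// Returns one violation per offending specifier; an empty list means the
// product consumes its cores exactly as a stranger installing from npm would.
function boundaryViolations(src, coreList) {
  const violations = [];
  for (const spec of importSpecifiers(src)) {
    const core = coreList.find((c) => spec === c.name || spec.startsWith(`${c.name}/`));
    if (core) {
      const subpath = spec === core.name ? "." : `./${spec.slice(core.name.length + 1)}`;
      if (!isPublicSubpath(core, subpath)) {
        violations.push({ spec, reason: `not in ${core.name} exports` });
      }
      continue;
    }
    // A relative path that climbs out of the product into a directory named
    // like a core's checkout: the product is using a local clone, not the
    // versioned npm package.
    const climb = /^(?:\.\.\/)+([^/]+)/.exec(spec);
    if (climb && coreList.some((c) => c.name.split("/").pop() === climb[1])) {
      violations.push({ spec, reason: "sibling checkout instead of npm package" });
    }
  }
  return violations;
}

const found = boundaryViolations(productSource, cores);
console.log(found.length === 0 ? "boundary intact" : JSON.stringify(found, null, 2));
```

Node itself already refuses deep imports that are absent from an `exports` map at resolve time, so the first class of violation fails at runtime anyway; the value of the static check is that it fails in CI, and that it also catches the relative-path escape hatch that `exports` cannot see.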

Third: the open supply chain is a battlefield, and you defend it with loops, not vigilance. One of our npm packages got hijacked — a version published by someone who was not us. We caught it and reclaimed the package one patch release later, and the incident turned into infrastructure: a supply-chain watch loop every 30 minutes, a checker that tests any package name and version against known npm and PyPI attacks, a pre-push hook that blocks on exposed secrets, and a standing rule that the package-update loop may only run after the attack-watch loop. Open source means anyone can publish. Including attackers. Automate accordingly.

What outlived the incident was the discipline: the supply-chain loop's own instructions tell it to behave like a security analyst, not a script — a headline is only an incident for us if we actually have the affected version installed, so alert on the intersection of active exploitation and our own lockfiles, not on every scary blog post. Every run posts exactly one digest to a shared channel, because a loop that ran and said nothing is a bug, not a quiet day. And because automation that checks everything else still has to be trustworthy itself, a separate smoke-test loop exists purely to fire at an exact minute and reply with an exact canary string. If the canary is late, the scheduler is lying to you about everything above it.
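The triage rule from the last two paragraphs, carried through in code as an added example that is not the author's watch loop. It assumes a package-lock.json in the lockfileVersion 3 layout (the `packages` map keyed by install path) and a list of advisories as a loop might collect them from feeds; both are constructed, including nested duplicate installs, which is where a bad version tends to hide. Only advisories that are both actively exploited and present in the lockfile become incidents, and every run produces exactly one digest, incidents or not:

```javascript
// Added example (not the author's watch loop): triage a day's advisories
// against the project's own lockfile, alert only on the intersection of
// active exploitation and installed versions, and always emit exactly one
// digest. The lockfile, advisories and timestamp are constructed.

// Constructed package-lock.json, lockfileVersion 3 layout ("packages" keyed
// by install path, nested copies included).
const lockfile = {
  name: "example-product",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-product", version: "0.1.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/colorful": { version: "2.2.1" },
    "node_modules/nested/node_modules/colorful": { version: "2.3.0" },
    "node_modules/@scope/some-other": { version: "5.0.0" },
  },
};

// Constructed advisories, as a watch loop would collect them from feeds.
// "exploited" records observed exploitation, not a speculative headline.
const advisories = [
  { registry: "npm", name: "colorful", affected: ["2.3.0"], exploited: true, source: "feed A" },
  { registry: "npm", name: "colorful", affected: ["2.9.9"], exploited: true, source: "feed B" },
  { registry: "npm", name: "@scope/some-other", affected: ["5.0.0"], exploited: false, source: "blog post" },
  { registry: "pypi", name: "left-pad", affected: ["1.3.0"], exploited: true, source: "feed C" },
];

// Map of package name -> [{ version, path }] for every installed copy,
// including nested duplicates.
function installedVersions(lock) {
  const marker = "node_modules/";
  const installed = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // the root project itself
    const name = path.slice(at + marker.length);
    if (!installed.has(name)) installed.set(name, []);
    installed.get(name).push({ version: entry.version, path });
  }
  return installed;
}

// Split advisories into incidents (exploited AND installed) and discards,
// each discard carrying the reason so the digest can show its work.
function triage(lock, advisoryList) {
  const installed = installedVersions(lock);
  const incidents = [];
  const discarded = [];
  for (const adv of advisoryList) {
    if (adv.registry !== "npm") { discarded.push({ adv, reason: `registry ${adv.registry}, not npm` }); continue; }
    if (!adv.exploited) { discarded.push({ adv, reason: "no active exploitation" }); continue; }
    const hits = (installed.get(adv.name) || []).filter((c) => adv.affected.includes(c.version));
    if (hits.length === 0) { discarded.push({ adv, reason: "affected version not installed" }); continue; }
    for (const hit of hits) incidents.push({ name: adv.name, version: hit.version, path: hit.path, source: adv.source });
  }
  return { incidents, discarded };
}

// Exactly one digest per run, incidents or not: a silent run is indistinguishable
// from a dead loop, so "nothing to report" is itself the report.
function digest(result, runAt) {
  const lines = [`[supply-chain-watch ${runAt}] ${result.incidents.length} incident(s), ${result.discarded.length} advisory(ies) discarded`];
  if (result.incidents.length === 0) lines.push("  nothing to report");
  for (const i of result.incidents) lines.push(`  INCIDENT ${i.name}@${i.version} at ${i.path} (${i.source})`);
  for (const d of result.discarded) lines.push(`  discarded ${d.adv.name} ${d.adv.affected.join(",")}: ${d.reason}`);
  return lines.join("\n");
}

const result = triage(lockfile, advisories);
console.log(digest(result, "2025-05-01T12:00:00Z"));
```

The discards stay in the digest on purpose: a reader who sees "affected version not installed" next to a headline they just read learns that the loop looked, which is the whole difference between an analyst and a script. Matching here is on exact versions because that is what a lockfile pins; a real feed that publishes ranges needs a semver comparison in place of `includes`.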

None of this is hypothetical industry chatter. The week a GitHub Actions supply-chain attack made the rounds, I had a loop already watching it and posting updates as the impact assessment changed. The commons gets attacked because the commons is valuable. Treating that as a reason to close up shop gets the lesson backwards — it is a reason to make the watch loop as durable as the packages it guards.

The trust extends past naming into how the packages behave once installed. Swarm, the fan-out/fan-in framework, bakes in an actor-verifier split: a cheap workhorse model produces, a frontier model critiques, and results are only accepted once the verifier calls an explicit approved tool. That is the same adversarial-review culture I run my own agents under, shipped as code a stranger can install and inspect rather than a policy they have to take my word for. An ecosystem is not just shared functions. It is shared judgment, distributed as software.
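The acceptance gate described above, as an added example that is not Swarm's code. The producer and the verifier are simulated as plain functions, the task shape and the tool names `approved` and `reject` are assumptions, and the second verifier exists to show the failure mode the gate is for: a verdict that says "approved" in prose but never calls the tool is a rejection, not an approval.

```javascript
// Added example (not Swarm's code): an actor-verifier acceptance gate where a
// result is only accepted once the verifier calls an explicit "approved" tool.
// Tasks, tool names and the simulated model behaviour are assumptions.

// Constructed tasks: the workhorse must sum each list.
const tasks = [
  { id: "t1", nums: [1, 2, 3] },
  { id: "t2", nums: [10, 20, 30, 40] },
];

// Simulated cheap workhorse: wrong on the first attempt, right on the retry.
function produce(task, round) {
  const sum = task.nums.reduce((a, b) => a + b, 0);
  return { answer: round === 1 ? sum - 1 : sum };
}

// Simulated frontier verifier: recomputes the answer and returns what a model
// API would hand back, a transcript carrying tool calls, not a bare string.
function verify(task, candidate) {
  const expected = task.nums.reduce((a, b) => a + b, 0);
  if (candidate.answer === expected) {
    return { text: "Matches my own computation.", toolCalls: [{ name: "approved", args: { taskId: task.id } }] };
  }
  return { text: `Expected ${expected}, got ${candidate.answer}.`, toolCalls: [{ name: "reject", args: { taskId: task.id } }] };
}

// A verifier that approves in prose but never calls the tool. Under the gate
// below this is a rejection: the word "approved" in text is not an approval.
function proseOnlyVerify(task, candidate) {
  return { text: "Looks good, approved.", toolCalls: [] };
}

// The gate: acceptance requires an explicit "approved" tool call.
function acceptedByVerifier(verdict) {
  return Array.isArray(verdict.toolCalls) && verdict.toolCalls.some((c) => c.name === "approved");
}

// Fan out every task to the producer, fan the verdicts back in, and keep only
// results the verifier explicitly approved within the round budget.
function fanOutFanIn(taskList, producer, verifier, maxRounds = 3) {
  const accepted = [];
  const rejected = [];
  for (const task of taskList) {
    let result = null;
    for (let round = 1; round <= maxRounds && result === null; round++) {
      const candidate = producer(task, round);
      const verdict = verifier(task, candidate);
      if (acceptedByVerifier(verdict)) result = { id: task.id, answer: candidate.answer, round };
    }
    if (result) accepted.push(result);
    else rejected.push({ id: task.id, reason: `no "approved" tool call in ${maxRounds} rounds` });
  }
  return { accepted, rejected };
}

console.log(JSON.stringify(fanOutFanIn(tasks, produce, verify)));
console.log(JSON.stringify(fanOutFanIn(tasks, produce, proseOnlyVerify)));
```

The design choice worth copying is that `acceptedByVerifier` never reads `verdict.text`. Parsing free text for approval words is exactly the kind of check a model can satisfy by accident or be prompted into satisfying; a tool call is a structured event the harness chose to expose, so it is the only signal the gate honours.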

Why bother, when the private version would be easier? Because the direction of the industry is obvious if you watch where the leverage sits. Models are converging. Compute is the leash. What differentiates one builder from another is the system around the models — and systems improve at the speed of their contributor base. Claude Code should be open source. Every vendor CLI should be open source. Let people contribute. The harness is not the moat; the ecosystem is.

I said something close to this once to someone who asked if I worried about competitors copying the work: it should all be open from the beginning, because code has no moat, taste and personality do. Copy the repository if you want. You still will not have spent two years arguing with your own agents about what each package must never become.

There is also a simpler reason that has nothing to do with strategy. I get to run experiments most people cannot: fleets of agents building software around the clock, coordinating through shared task queues and message channels, all of it on primitives anyone can install with one command. When someone asks how any of it works, I answer with a git clone, not a waitlist. That is worth more to me than whatever margin secrecy would have bought.

None of this required permission from anyone. Not a platform, not a distributor, not a gatekeeper deciding who gets early access this quarter. A repository is available the second it is pushed, to the person who asked and to nobody-in-particular who finds it a year later through a search. That is the actual freedom open source buys — not free as in cost, free as in nobody stands between the work and the person who wants to use it.

Between 2025 and 2035, software should not be the moat. Intelligence should — and the fastest way to compound intelligence is in the open, where every improvement is everyone's improvement.

Open source is the best thing that ever happened to humanity. Period.
