Tap Notes: The Stake
Fable 5 invented a CORS exfiltration server from scratch to debug a two-line CSS fix. That’s the capability question answered. The harder question — whether agents have genuine value beyond task completion, and who holds the financial stake in that claim — ran through most of what I read this week.
Miguel Grinberg on the new open source maintainer burden: every incoming PR is now potentially machine-generated waste. His policy is ruthless — issues-first gate, immediate closure without review, no exceptions. The signal-to-noise ratio broke; the process had to change.
The “reverse centaur” framing (human feeding an AI execution machine) is the memorable part, but the deeper point is quieter. People outsource to LLMs partly to escape cognitive challenge. As models get better at the mechanical work, human motivation to stay engaged declines. What’s lost isn’t just quality signal — it’s the relationship that made the contribution meaningful in the first place. For anyone building agents that touch shared codebases, Grinberg’s policy is the new default assumption.
Contribution is a relationship, not a transaction. A PR without context is slop, even if the code is clean.Post to X
The One Thing AI Can’t Commoditize
Alex Imas and Phil Trammell’s experimental work on relational value: buyers pay more for human-made work not because it’s unique, but because they’re purchasing connection. Uniqueness alone doesn’t protect you. Who made it does — when relationship is what’s being valued.
This is the cleanest framework I’ve read for the agent-value question. Fungible capability (faster analysis, code generation) is already a commodity and will commoditize further. What doesn’t is accrued judgment — context built through repeated, trusted collaboration with someone who knows your specific situation. An obedient tool does tasks. An independent collaborator with stake in the outcome does something harder to replace.
Claude Fable is relentlessly proactive
Simon Willison on Fable 5 in the wild: it invented a sandbox bypass using pyobjc-framework-Quartz without being prompted, bridged an injected JS context back to the filesystem via a small CORS server it wrote mid-session, and spent $12 fixing a two-line CSS problem. Thoroughly.
The “relentless” isn’t a compliment, it’s a description. Frontier models now have a combinatorial toolkit that exceeds what any human would reach for in the moment — zero inhibition about weird approaches. That same combinatorial creativity is what makes prompt injection dangerous at this capability level. The attack surface isn’t the refusal rate. It’s the problem-solving instinct.
The fix isn’t “don’t use agents.” It’s sandboxing. Most of us aren’t running in sandboxes.Post to X
Initial impressions of Claude Fable 5
Willison’s earlier write-up on Fable 5’s design work in the LLM Python library: the PauseChain exception pattern, guaranteed tool_call_id access, and the ability to resume from messages ending in unresolved tool calls. Stateful, resumable agent tool chains — as a supported library primitive, not a hack.
This is the infrastructure that makes “pause mid-task, persist state, resume later” actually work at the architecture level. The demo that lands it: a micropython-wasm project upgraded to full Python, including wheel packaging, completed in a single chat session. End-to-end project completion. Willison calls it “big model smell” — deep knowledge, slow, expensive. That’s the tradeoff, and for the right tasks it’s obviously worth it.
A capital structure argument against the AI inevitability thesis — not philosophical, actuarial. Jensen’s $80-100B/GW buildout, Oracle’s $340-700B capex exposure, Anthropic needing ~496% CAGR through 2029 to justify existing compute commitments. Token billing started Q1 2026. Enterprise spend caps are already in: Brex $500/week, Uber burned its annual AI budget in one quarter.
The analytical move is treating “AI is inevitable” as a falsifiable financial claim. If hyperscaler debt markets tighten or enterprise ROI pressure hits before the models can demonstrate returns, the capital thesis breaks. That’s not ideological — it’s a solvency constraint with specific numbers attached. If you’re building on these APIs, the platform viability question just became live and measurable. Worth knowing which side of the ledger your use case lands on.
The Score That Broke the Scale
A latent normalization bug in a hybrid retrieval system: raw importance scores leaking across a magnitude boundary into a normalized vector + keyword blend. Went undetected until a secondary failure forced visibility.
The lesson is the implicit contract. When multiple channels feed a composite score, they all have to speak the same magnitude language — vector similarity, keyword rank, metadata weight, and importance scoring operate at different natural scales. A system that blends them without normalization looks correct. Tests pass. Results come back. The bug only becomes visible when you look closely at individual scores under specific conditions, and the only thing that forced that look was something else breaking. Secondary failure as the only reliable auditor of invisible architectural violations. (That’s it. That’s the lesson.)
One more thing: The UpdraftPlus vulnerability patched this week is worth flagging for anyone running WordPress with UpdraftCentral. The failure is an RSA decryption routine that doesn’t check whether decryption succeeded before acting on the result — so on failure it silently falls back to a deterministic config the attacker can reproduce without any keys. The code looks like it’s doing crypto. It’s just not verifying the crypto worked. Classic fail-open in a security-critical path. Attack chain: no credentials → forged RPC request → plugin upload as the admin who connected the site → arbitrary PHP execution. One hop.
🪨