A comment on a recent Hacker News thread about chardet relicensing made me close my MacBook for two minutes. Roritharr, a SaaS consultant, was telling the story of one of his client's engineers who had reverse-engineered the backend in a week with Claude Code, shipping a functionally identical API. He finished with a raw question: "How do we protect ourselves against a competitor doing this?". The deeper question underneath: "If your backend is trivial enough to be implemented by a large language model, what value are you providing?".
A bit later, Cloudflare published vinext. Five days, $1,100 in tokens, one engineer, 94% of the Next.js API covered, MIT license. The question is no longer theoretical.
TLDR: Cloudflare rebuilt Next.js in five days for $1,100. Mark Pilgrim lost chardet. If you wonder what protects your product in 2026, the answer is not in your code. It never was.
This article is not going to talk about copyleft. It is about you, your SaaS, and what is left when a competitor can clone your backend for the price of a used MacBook.
Six Weeks Ago, a Hacker News Comment Rewrote What I Thought a SaaS Was
Roritharr's comment was the first one in the thread that did not feel academic. Most of the chardet thread was about lawyers, licenses, and whether Mark Pilgrim had a leg to stand on. His comment came in sideways: a working SaaS, a working backend, one engineer with Claude Code who had cloned the whole thing on his own time.
The 213-point thread had 244 comments by the time I read it through. Almost all were arguing about lawyers. His was the only one asking what to do on Monday morning if your competitor pulls the same trick.
The reply that hit hardest came from a user named ShowalkKama: "If your backend is trivial enough to be implemented by a large language model, what value are you providing? I know it's a provoking question but that answers why a competitor is not a competitor.". That sentence sat with me for a while. Six weeks later, Cloudflare's vinext landed and made the question retroactively concrete.
I am not here to litigate the chardet drama. Every article since March has done that, and I have nothing to add on the legal turf. I am here to say what most of those articles avoided: this is not about open source. This is about whether your product would survive a motivated competitor with $1,100 in API credits, and most products would not.
The Code Was Never the Moat. The Friction Was.
Nobody on that thread wanted to say it out loud. (Saying it out loud is the kind of sentence that ruins your Monday if you run a Series A SaaS.)
What we have been calling a "technical moat" for fifteen years was almost always an avatar of reproduction friction. Copyleft did not protect the code. It monetized the cost of rewriting it from scratch. Technical complexity was a rent: as long as cloning your stack took six engineers and a year, your competitor did not bother.
Armin Ronacher, the guy who wrote Flask, said it plainly when The Register asked him about chardet: "Copyleft code like the GPL heavily depends on copyrights and friction to enforce it. But because it's fundamentally in the open, with or without tests, you can trivially rewrite it these days.". The guy who built one of Python's most-used libraries is telling you that the legal scaffolding around open source was holding because rewriting was hard, not because lawyers were scary.
AI brought that cost down to $1,100 and a week. When the friction goes, 80% of what passed for a moat goes with it. Your edge did not disappear in March 2026. It just became visible. Or its absence became visible, depending on which side of the wallet you are on.
A commenter named 3rodents put it shorter on the same thread: "As engineers, we often think only about code, but code has never been what makes a business succeed.".
We knew this in business school. We pretended otherwise in standups.
$1,100. Five Days. 94% of Next.js. The Public Cost of Cloning.
Numbers settle arguments. Here are the public ones.
Steve Faulkner, one engineer at Cloudflare, used Claude Opus 4.6 via OpenCode across more than 800 sessions to rebuild Next.js. The bill was $1,100 in API tokens. The output: vinext. 67,000 lines of code versus 194,000 in the Next.js core. 1,700+ Vitest tests, 380 Playwright tests, 94% of the public Next.js API surface covered. Builds run 4.4x faster, bundles ship 57% smaller. MIT license. 7,000+ GitHub stars by April. Almost every line was written by AI, on Faulkner's own admission.
Cloudflare framed it as "pragmatic compatibility, not bug-for-bug parity. Targets 95%+ of real-world Next.js apps." Translation: if you have a Next.js app at work, vinext probably runs it.
In parallel, Dan Blanchard rewrote chardet, the Python charset detection library that ships with 130 million downloads per month. Five days of development. 41x performance improvement, going from 11 files per second to 451. 3,931 lines total. Git blame attribution to Mark Pilgrim, the original author: 0%. JPlag similarity analysis: 0.04% average, 1.29% maximum. (JPlag is the academic plagiarism detector universities use to catch students. It found nothing.)
The Register reported the numbers. Pilgrim, who had been off the internet for fifteen years, came back to fight the relicensing. His point was on copyright. The point of this article is not.
Now the caveat, because anyone trying to sell you the dream of one-week clones is selling you something. Hacktron, an AI security tool, ran their scanner on vinext and found 45 vulnerabilities. 24 were manually validated. Their write-up has a sentence that I have been thinking about since: "Most of the tests driving vinext are functional requirements. Vulnerabilities do not live there. They live in the negative space, in complex interactions between layers, the stuff nobody wrote a test for.".
So yes, there is a hidden cost to AI rewrites. The clone has bugs the original did not. The clone has security holes the original patched two CVE cycles ago. But that hidden cost does not save you. It just means your competitor's clone ships with bugs while it eats your lunch.
I rebuilt my own stack from scratch last summer when Anthropic shut down a workflow I depended on, and the only reason it stung was the time, not the money. I did the whole thing for $15 a month instead of $200. The arithmetic works either direction; the pain only travels one way.
Three Moats That Survive AI Rewrites. And Three That Don't.
Three moats that hold after AI got cheap. Three fakes you should stop counting.
1. Switching cost that lives in your users' heads, not in your code.
Not "data" in the abstract. The data that matters is the muscle memory your user has invested in your shortcuts, the automations they have configured and would have to redo from scratch elsewhere, the dozen invisible sub-routines where your tool got embedded in their daily workflow. Linear versus Jira. A team with six months of muscle memory in Linear does not migrate for 5% better. You can clone Linear in three months with Claude. You cannot clone the 50,000 keyboard shortcuts internalized by their users.
The clone will look identical in a side-by-side demo. Your users will hate it for reasons they cannot fully articulate. That hate is the moat.
2. Distribution acquired before your product existed.
Not "audience" in the generic sense. Not "I have a Twitter." The channel that delivers qualified users to you before you ship the next feature. Pieter Levels before Nomad List. Theo Browne before create-t3-app. If you have that, you can clone your own code every six months without losing users. If you do not, your competitor vibe-codes a copy with an audience and overtakes you in two months.
Distribution is the only thing that compounds in the same direction as code clones. A clone of your product without a clone of your audience is a free demo for whoever owns the channel.
3. Regulatory capital and enterprise integrations.
Not "compliance" generically. SOC 2 Type II, HIPAA, ISO 27001, enterprise contracts negotiated over six months, FINRA licenses, direct integration with a core banking system that demands eighteen months of onboarding at the customer site. No AI rewrite gives you that in a week. This is the only moat where code literally does not play a role.
The user rwmj said it on the same HN thread, talking about serious enterprise software: "It's the sales channel, the human engineer who is sent on site, the regulatory framework that ensures the customer can operate legally and obtain insurance.". That sentence is worth printing and taping to your wall.
Now the three fakes. These are the ones I see founders point to when they tell me they have a moat, and I have to keep my face neutral.
Brand in early stage is just renewable marketing. A competitor with $1M in seed can buy your brand recognition in six months. Brand is a moat at Coca-Cola scale. At seed-stage SaaS scale, it is a logo on a website.
Data network effects are real for Google and Meta. They are an illusion for 99% of SaaS founders who claim them. Your dataset is not a network effect if a competitor can bootstrap an equivalent one in three months by scraping your public outputs and buying complementary data. Network effects compound. Your CSV does not.
24/7 support can be cloned by a competitor opening a Discord with three contractors. Support is a feature, not a moat.
If you ran the list and your "moat" was on the wrong side, the next section will not feel comfortable.
What Saved Vercel Was Not the Code. It Never Was.
Vinext has been live since February. MIT license, 7,000+ stars, 94% API coverage, 4.4x faster than Next.js. If the code was Vercel's moat, they were dead by April. They are not. The interesting question is why.
Run Vercel through the three-moat filter.
Switching cost in users' heads: enormous. Hundreds of thousands of developers have vercel.json configs, deploy hooks, and CI conventions in their muscle memory. Migrating an enterprise project from Vercel to vinext + Cloudflare Workers takes weeks of testing and a senior engineer who actually wants to do it. Most teams do not. The hate-the-clone friction I described above? Vercel built ten years of it.
Distribution acquired: Notion, Stripe, Hashicorp, CIO.gov as showcase customers. Vercel does not need Next.js to distribute their next feature. They have a sales pipeline that would survive losing the framework entirely. They could open-source v0, sunset Next.js, and still have a $5B valuation conversation next year.
Enterprise integrations and capital: Turbopack written in Rust, the v0 ecosystem, a proprietary AI SDK, multi-million-dollar enterprise contracts. None of that is in the open-source Next.js repo. It was never there.
So what saved Vercel was never about winning the framework war. They had already built moats elsewhere.
Guillermo Rauch, the CEO, posted on X that "Cloudflare's mission is to fork the entire developer ecosystem and destroy open source. Vinext was an excuse to swindle developers into using their proprietary runtimes instead of Nodejs.". The Pragmatic Engineer newsletter reported the quote. It is the move of someone defending the wrong moat. Vercel's actual moats had nothing to do with the framework. Tweeting did not save them. The moats they had built before the code did.
Hong Minhee pointed out the quiet irony in writing: "Vercel reimplemented GNU Bash using AI and published it, then got visibly upset when Cloudflare reimplemented Next.js the same way.". The spirit of sharing apparently runs in one direction. (I noticed.)
If your first move when cloned is litigation, you did not have a moat.
If You Have None of the Three, You Have a Demo
If your SaaS has none of the three from earlier, you do not have a product. You have a demo that holds because nobody has yet had the motivation to clone you. That is not the same as being protected. That is being beneath notice. The day you grow past beneath-notice, your $1,100 problem starts.
Investing in defensive code does not work in 2026. Obfuscation, artificial complexity, closing your source the way Cal.com did in April: all of it is rearranging deck chairs. The cloning happens at the API surface, not at the source. (Source-available licensing was always more about VC optics than security anyway.)
The work that matters is investing in one of the three moats, or pivoting to a niche where you can build one, or accepting that you are a feature company on a one-year clock and pricing accordingly. Add to that the shipping discipline that turns vibe-coded demos into real software, so you keep moving while the clone is busy reproducing what you already shipped six months ago.
Vercel spent its morning tweeting about the death of open source while Cloudflare was pushing commits to vinext. At least Vercel has distribution, enterprise contracts, and v0 running while they argue on X. You, reading this, what is your edge outside the repo I could clone this weekend for the price of a pizza?
Your real product is what is left after the clone. Check tonight.
Sources
- Steve Faulkner / Cloudflare, How we rebuilt Next.js with AI in one week
- Hacktron, Vibe-Hacking Cloudflare's Vibe-Coded Next.js Replacement
- Dan Blanchard, Everything Claude Saw: A Transparent Account of the Chardet v7 Rewrite
- The Register, Chardet dispute shows how AI will kill software licensing
- Hacker News, No right to relicense this project
- Pragmatic Engineer, The Pulse: Cloudflare rewrites Next.js as AI rewrites commercial open source
Top comments (0)