Tests Are The New Moat
commercialized open-source
published February 2026
Open source projects grow over time. They are a product of incremental development. A project starts lean, gains adoption, pivots to accommodate that adoption, and maintains backwards compatibility throughout this process.
These lean projects become large ships. Historically, this has been the great power of open source. But what inevitably happens is the infrastructure that you build on becomes outdated. You try to Theseus your way out of it, rebuilding layers of your project on more modern foundations, but it can be hard to reorient your ship in the wake of its own velocity.
This has resulted in two forms of change: forks and total rewrites. You take the foundation that someone else built and you diverge paths. Or you take their contracts (like an API surface), and rewrite it on more modern, stable ground. Examples of this are S3-compatible APIs which are now commonplace, or something like redpanda–a kafka-compatible total-rewrite.
Incentives
When it's truly free-and-open-source software, meaning there is no commercial intent behind the project, this all is largely okay. You're focused on what you're building and someone else can go down their path. But, commercial open source work has a unique set of incentives. While the project's incentives may be publicly stated as purely altruistic, anyone who's operated a business can tell you, there are a number of incentives that one may have to balance at any given time. If their intent was absolutely altruistic (meaning 100%), they would inevitably make many decisions that would cut against the direct incentives of their business.
I believe some of these commercial OSS companies have actually made decisions that hurt themselves in the short-term, ceding control or profit in the interest of the longer view. And generally, I find that the longer view, the better-for-everyone-view, is more often correct for the business. But still, that tension remains ever-present.
Tests
Now, as AI grows more and more capable, we're figuring out what can be generated with AI and what can't. The coalescing point of open source software sticks out to me as becoming more valuable than any other: tests.
It used to be that good documentation, strong contracts, well designed interfaces, and a comprehensive test suite meant users could trust your platform. Help you develop it further. That it was rigid and well designed. And yet, all of these things actually just make it easier for competing companies to re-build your work on their own foundations. No backwards compatibility, no stale ship of velocity. Prompt an AI to read all of their docs, import their tests, and change the foundation.
Cloudflare and Vercel
This is how Cloudflare was able to build[1] a somewhat-comprehensive Next.js alternative in a week. Because Next.js is incredibly well documented. Innumerable hours invested by Vercel to carefully write documentation, define software contracts, and of course: write a comprehensive and powerful test suite. Vercel has attempted to re-build their foundational architecture: re-creating webpack in their new Turbopack. Building their own mdx parser. Innovating on a complex layouting paradigm. Inventing partial pre-rendering, allowing users to blend cached and dynamic content in a compositional manner.
But Cloudflare can prompt an AI to rebuild Next.js without all of that baggage. They can contain their API surface to just the latest version–no need for backwards compatibility because they have no prior users. They can tell the AI to build on top of vite foundationally instead of turbopack, a more performant and mature bundler. All of a sudden, you find yourself with a sleeker, slimmer ship to start from. Though this project is hardly "complete"–it's already been deployed on a US government website: https://www.cio.gov. So it's not just a toy either.
Cloudflare claims to have 94% of the Next.js surface API coverage passing. 1,700 vitest tests. 380 playwright tests. Those tests are far more valuable than loose words on a docs page.
So, once again, that divergence of incentives rears its head. If next.js is valuable to Vercel-the-company, they may have to choose between pure altruism and their business' incentives. In my view, they've largely erred towards the former in the past–but I don't think it's been absolute–nor could it be.
Δ Change
As always, when the world shifts and changes, we can look back and see the one group that saw just a little bit further than everyone else. In this case: it's SQLite. Though the entire core is open-source, they keep much of their rigorous test-suite closed-source, claiming it contains as many as 92 million lines of tests[2] (592x the amount of core source code). In some ways, this cutting of incentives can be considered hostile towards the way many view open source work. In others, it's viewed as the moat that keeps the project sustainable. Either way, I expect we'll see more commercial-backed projects bend towards this path, as they figure out how to protect against the laissez-faire cloning of their work. In this new AI-world, the better you document your work, the stronger contracts you define, the easier it becomes for someone to clone your work.
Of course it would be better for end-users if the SQLite test-suite were open source as well. But, those users are not owed it. If they have figured that is the best way for them to build their moat, then that is their prerogative. Just as users have the autonomy to elect which database to use. For a long time, open source has pretended to be purely altruistic, but we've seen the many ways in which that breaks down at scale. Though corporations have contributed immensely to open source work, we've also seen the other side: extracting its value with no impulse to return.
As AI becomes better at cloning people's work, what ends up becoming most valuable are software contracts, tests, and API surface area. Previously, it was the overhead of writing, understanding, and maintaining the code itself. This creates a clash between two incentives of commercialized open source work: clearly defining and communicating your open source software's APIs, and the desire to protect your investment.