The Theodosian Walls protected Constantinople for over a thousand years. Built in the fifth century, they were a triple line of fortification — an outer wall, an inner wall rising forty feet, and a moat — stretching four miles across the only land approach to the city. Armies came and broke against them for a millennium: Arab sieges, Bulgar assaults, Rus invasions, even the Fourth Crusade. The walls held. Siege after siege, century after century, the engineering held.

In April 1453, the Ottoman sultan Mehmed II positioned a new kind of weapon outside those walls — a massive bronze cannon called the Basilica, large enough that its stone projectiles could shatter sections of wall with a single shot. The bombardment went on for weeks, blasting the fortifications chunk by chunk into rubble. Defenders scrambled to patch the breaches each night with earth and timber, but by late May the city had fallen. Walls that had endured a thousand years of siege were undone in less than two months.

The walls hadn’t gotten weaker. The nature of the attack had changed. A technology had arrived that made the sheer effort of building thick, tall stone fortifications irrelevant — not because the walls were poorly constructed, but because they were brittle against a force they were never designed to absorb.

Something similar is playing out in software right now.

The Wall Was Effort

Some of the most durable business models in software aren’t built on patents or trade secrets. They’re built on effort — engineering complexity so deep that replicating it is, for all practical purposes, not worth attempting.

Consider Vercel and Next.js. Vercel gives away the framework for free. It’s open source — anyone can read the code, fork it, build with it. The business isn’t the framework. The business is the deployment platform, and the moat is how tightly the two are coupled. Routing, middleware, server-side rendering, image optimization — all of it works best, and in some cases only, on Vercel’s infrastructure. The framework and the platform are stitched together through years of engineering, and that stitching is what makes it hard to leave.

The same pattern shows up across the industry. Microsoft’s Office formats are technically public — the .docx specification runs thousands of pages — but Google Docs and LibreOffice have spent years trying to render them faithfully, with interoperability that’s still imperfect. Adobe’s PDF spec is an open ISO standard, and yet most third-party viewers choke on edge cases that Adobe handles effortlessly. QuickBooks has decades of tax rules and jurisdiction-specific payroll logic baked into its codebase. In each case, the moat isn’t secrecy — the specifications are available, the code is sometimes even open source. The moat is the accumulated engineering effort required to match it.

The effort to replicate the coupling was the wall. Everyone could see it. Nobody could afford to climb it.

The Clean Room

Climbing an effort-wall through reimplementation is an old playbook. In 1982, Compaq wanted to build a computer compatible with the IBM PC, but IBM’s moat was its BIOS — the firmware that made a PC an IBM PC. Compaq couldn’t copy it. So they reverse-engineered it in a clean room: one team disassembled IBM’s BIOS and documented every function call, every interrupt, every timing behavior, stripping it down to pure specification. A second team, completely isolated from the first, rebuilt the BIOS from scratch using only those specs. Nine months. $1 million. And it worked — Compaq sold $150 million worth of PCs in their first year and broke IBM’s lock on the personal computer industry.

The clean room works. It’s just always been expensive enough that only the most determined competitors attempt it.

$1,100

Cloudflare had been one of those determined competitors. A project called OpenNext reverse-engineered Next.js’s build output to make it deployable on other platforms, but the approach was fragile — a game of catch-up that broke whenever Vercel changed something upstream. Cloudflare tried a ground-up reimplementation of the Next.js API themselves and failed. As they later put it, “a project like this would normally take a team of engineers months, if not years.”

Then, on the evening of February 13th, 2026, an engineering manager at Cloudflare opened Claude Code and started again — rebuilding Next.js from scratch as a reimplementation of its API, built on Vite.

By the end of that first night, both the Pages Router and App Router had basic server-side rendering, middleware, server actions, and streaming working. Within three days the project could deploy to Cloudflare Workers with full client hydration, and by the end of the week it covered 94% of the Next.js 16 API surface, backed by 1,700 unit tests and 380 end-to-end tests.

One person. One week. $1,100 in API tokens.

The project is called vinext, and it reimplements the full surface — routing, server rendering, React Server Components, middleware, caching, static export.

Cloudflare was careful to note the conditions that made this possible: “All of those things had to be true at the same time — well-documented target API, comprehensive test suite, solid build tool underneath, and a model that could actually handle the complexity.” This wasn’t just “point an AI at code and press go.” It required a clear target, a way to verify correctness, and a human providing architecture and direction across more than 800 sessions.

The reaction was swift. Vercel’s CEO disclosed seven security vulnerabilities in the project. Critics coined a term for it — “slop fork” — a replication built by AI that’s rough, incomplete, not ready for production. And that’s probably fair today. vinext is experimental, and 94% coverage still leaves real gaps. But even an imperfect replication changes things, because the threat doesn’t have to succeed to make people rethink their defenses. Compaq’s clean room cost $1 million (in 1980s dollars) and nine months. Cloudflare’s cost $1,100 and a week. Even if vinext never ships to production, that price difference is hard to unsee.

After the Walls

After Constantinople fell, word spread across Europe. Commanders in fortified cities everywhere understood what had happened — a weapon had arrived that rendered their defenses, built over generations, suddenly uncertain. Some began redesigning, lowering their walls, thickening them, angling the stone to deflect rather than absorb. Others reinforced what they had and hoped. Nobody knew yet what the right answer looked like.

There are a lot of companies sitting inside software fortifications right now, watching what happened to Vercel’s wall and wondering about their own. When tldraw’s founder joked about moving test files to a private repository to prevent AI replication, the post went viral — not because of the proposal, but because of how plausible the threat felt.

The old walls are still standing. But everyone can hear the cannon.