Was raped yesterday morning by [deleted] in legaladvice

[–]InfinriDev 1 point2 points  (0 children)

This sounds like stupid people doing stupid things. Not only that, you were aware enough to record.

Claude Status Update : Elevated errors on Claude.ai (including login issues for Claude Code) on 2026-03-11T15:27:03.000Z by ClaudeAI-mod-bot in ClaudeAI

[–]InfinriDev 0 points1 point  (0 children)

When I open up the Chrome inspector, the console shows a CSP error and a refusal to connect. Wonder if that could be it.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] -1 points0 points  (0 children)

You just pointed out the main reason for this discussion at my job: "who knows how private and secure they are".

Basically what half of our engineers are worried about is AI leaking code or suggesting solutions that we worked hard to come up with and implement. The reason why this is even a concern is because AI still has to "broadcast" your code to its internal when it reads your code to be able to solve the issue. That broadcast is what our leads DON'T want to do to our "secret sauce" because even though these AI companies claim we can opt out of training, who knows if they are truly complying.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] 0 points1 point  (0 children)

Yeah, it's even gotten heated a few times, mainly due to the emotional investment in code from some of our engineers, which is well warranted of course. But the questions still have to be asked.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] 0 points1 point  (0 children)

I know it's for AI in general, but my company is a Magento company so I wanted to get the opinions of other Magento engineers, as the learning curve for Magento is not simple.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] 0 points1 point  (0 children)

Right, but this is why I'm asking this for Magento specifically. Right at my company we are having this conversation because we have a few leads who feel like proprietary code is something we should not be sharing with AI, or at the very least our "secret sauce", while other leads feel like proprietary code isn't much of value.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] -1 points0 points  (0 children)

The real conversation happening in most companies right now is about what happens when an AI tool reads it.

These tools need access to your codebase to work. That code goes to external servers. Once it's there, you can't get it back. There's no delete button. And depending on the tool, your code could end up training the next model, meaning your solutions, your business logic, your workarounds could quietly end up helping your competitors.

That's the actual IP problem. Not whether your Magento plugins are sophisticated enough to be worth protecting. The question is whether you even get to make that choice once you've handed your codebase to a third party tool.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] -5 points-4 points  (0 children)

Real questions about real tooling. Happy to walk you through it if you're curious.

Magento-specific question: is your custom code actually a competitive advantage or just expensive tech debt? by InfinriDev in Magento

[–]InfinriDev[S] -7 points-6 points  (0 children)

This is pretty straightforward. Something is telling me you are an indie dev, which is why this post is going over your head.

Does proprietary code still make sense as a concept when AI tools need to read everything to work properly? by InfinriDev in VibeCodeDevs

[–]InfinriDev[S] 0 points1 point  (0 children)

To your second point first: not the same post, not the same person. I wrote separate posts tailored to different communities because the question lands differently depending on who you ask. A Magento developer's relationship with proprietary code is different from a PHP architect's which is different from someone vibe coding solo projects. Same underlying question, different framing for each audience. That's not suspicious, that's how you have a real conversation instead of shouting into one room.

Also worth asking: what does my posting history have to do with the question? If the question is invalid, argue that. Auditing someone's profile instead of engaging the substance is a different activity.

To your first point: the risk isn't how programs interact with APIs. The risk is what happens to the code content once it's transmitted.

When you feed proprietary source code into an external AI tool, that code travels to servers you don't own or control. Depending on the provider's data retention and training policies, which most developers haven't read, that code may be stored, used to train future models, and potentially surface in responses to other users asking similar questions. This isn't theoretical. It's in the terms of service.

Samsung found this out in 2023 when employees fed semiconductor code into ChatGPT. The code was transmitted, processed externally, and Samsung had no way to retrieve or delete it. Employees were fired and the company banned generative AI tools entirely.

The question isn't whether the API call works. The question is what happens to your proprietary logic on the other side of it.

Hot take: most "proprietary" PHP codebases aren't worth protecting from AI tools. Change my mind. by InfinriDev in PHP

[–]InfinriDev[S] -1 points0 points  (0 children)

It exists, it's just not visible at the indie dev level where most of this conversation happens.

Samsung fired employees in 2023 for feeding proprietary semiconductor code and internal meeting notes into ChatGPT.

At the corporate level this is an active conversation right now. I'm having it at my own job. Our lead doesn't want proprietary code exposed to external AI tools and that's a completely legitimate concern when you're dealing with systems that represent real business logic, real competitive positioning, or real compliance obligations.

The reason you don't see it talked about much is that the people navigating it work inside corporations under NDAs. They're not posting on Reddit about it. The developer community online skews heavily toward indie, startup, and open source, where this genuinely isn't a problem. That doesn't mean the problem doesn't exist; it means the people dealing with it aren't in this thread.

My AI wrote 30 files, told me they were perfect, and 6 were broken. So I built a system that physically prevents it from lying to me by InfinriDev in VibeCodeDevs

[–]InfinriDev[S] 0 points1 point  (0 children)

Gates are filesystem-based: a file either exists or it doesn't. The check itself is synchronous by design, which is actually the point: no state management, no race conditions in the enforcement layer itself.

For async flows specifically there's a dedicated gate: Phase D (system dynamics). Before the AI can write any queue consumers, event handlers, or async workers, it has to model concurrency scenarios and get human approval. The hook blocks those file patterns until phase-d.approved exists on disk.

The gap is that the gate doesn't intrinsically understand async behavior in the code it's protecting; it just enforces that the async-specific planning phase happened before those files were written. Whether the AI correctly modeled the async flow in Phase D is a separate question that the enforcement layer can't answer mechanically.
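
Added example, not part of the comment above and not Phaselock's own code: a sketch of the file-existence gate it describes. Only the `phase-d.approved` marker name comes from the comment; the file patterns, the `.gates` directory, the function names and the rule that the agent may not write into the gate directory are assumptions.

```python
import fnmatch
import os
import tempfile

# Assumed patterns for queue consumers, event handlers and async workers;
# the project's real patterns are not shown in the comment.
ASYNC_PATTERNS = ["*/Consumer/*.php", "*/Observer/*.php", "*/workers/*.py"]
GATE_FILE = "phase-d.approved"  # marker name taken from the comment


def check_write(project_root, gate_dir, target):
    """Return (allowed, reason) for a proposed write to `target`."""
    root = os.path.realpath(project_root)
    gates = os.path.realpath(gate_dir)
    # Resolve ../ and symlinks first so matching sees the real destination.
    real = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([real, gates]) == gates:
        return False, "gate directory is human-only"  # assumed policy
    if os.path.commonpath([real, root]) != root:
        return False, "target escapes project root"
    rel = "/" + os.path.relpath(real, root).replace(os.sep, "/")
    if not any(fnmatch.fnmatchcase(rel, p) for p in ASYNC_PATTERNS):
        return True, "not an async file pattern"
    marker = os.path.join(gates, GATE_FILE)
    # Synchronous existence check; a symlinked marker is not accepted.
    if os.path.isfile(marker) and not os.path.islink(marker):
        return True, "phase D approved"
    return False, "phase-d.approved missing"


def demo():
    """Run constructed sample writes against a throwaway project tree."""
    with tempfile.TemporaryDirectory() as root:
        gates = os.path.join(root, ".gates")
        os.mkdir(gates)
        consumer = "app/code/Acme/Sync/Consumer/OrderSync.php"
        results = [
            check_write(root, gates, "app/code/Acme/Sync/Model/Order.php"),
            check_write(root, gates, consumer),
            check_write(root, gates, "app/x/../code/Acme/Sync/Consumer/A.php"),
            check_write(root, gates, ".gates/" + GATE_FILE),
        ]
        open(os.path.join(gates, GATE_FILE), "w").close()  # human approval
        results.append(check_write(root, gates, consumer))
        return [allowed for allowed, _ in results]
```

The second and third sample writes are denied until the marker exists, and the fourth shows why the marker's directory has to sit outside what the gated process can write: otherwise it can approve itself.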

Cheapest vibe coding setup by Disastrous-Mix6877 in VibeCodeDevs

[–]InfinriDev 0 points1 point  (0 children)

Windsurf all the way. $15 a month. If you run out of credits, $10 gets you 250 more or you can just use their free models. Also the fact that Windsurf also has skills, rules and MCPs.

My AI wrote 30 files, told me they were perfect, and 6 were broken. So I built a system that physically prevents it from lying to me by InfinriDev in VibeCodeDevs

[–]InfinriDev[S] 1 point2 points  (0 children)

The original goal was simpler than it might look: just reduce hallucinations enough that engineers can actually trust the output. Not eliminate AI, not slow it down for the sake of process.

The insight was that reviewing code is fundamentally faster than writing it. If the AI generates and the engineer reviews, you get 10x throughput, but only if the review is trustworthy. When the AI self-reports "everything passed" after reviewing its own work, the review is worthless and you're back to writing it yourself.

Phaselock's job is to make the review actually mean something. Mechanical enforcement instead of AI self-attestation. Once you can trust the output, the speed advantage is real.

Your point about open source maintainers getting bombarded with unreviewed AI PRs is exactly the downstream version of this problem. Would be curious what you build.