A new thesis circulating in crypto and AI circles argues the app era is on borrowed time. The argument borrows a familiar historical playbook — drinking before driving, riding without seatbelts, smoking indoors, installing arbitrary binaries — and asks when running opaque third-party code on your machine will be reclassified the same way. Once AI agents can build, verify, and constrain software inside a user-controlled environment, the burden of explanation flips. The person running someone else's code will need a reason. The person building through an agent will simply be using the safer default.
Why it matters
The piece walks through the structural failure of the current software trust model. SolarWinds showed how a compromised build process turned normal updates into delivery infrastructure for an attack. The XZ Utils backdoor — flagged by CISA in March 2024 inside versions 5.6.0 and 5.6.1 of a compression library present across Linux distributions — showed the same pattern arriving through routine channels. In crypto, DNS hijacks and npm JavaScript exploits have repeated the lesson at the application layer. NIST's Secure Software Development Framework and the SLSA provenance pipeline are necessary responses, but they reveal the limit of the model: enterprises keep refining how to decide which external code deserves trust. The next model reduces the amount of outside code that needs trust at all.
Market impact
The commercial read is sharper. Coding agents — OpenAI Codex, Anthropic's Claude Code, GitHub's Copilot coding agent, and Google Jules — are framed today as developer tools, but OpenAI already shipped a UI option last month oriented around chats and outputs rather than code and terminals. The shift moves software creation from a product selected from a market to an output generated on demand inside a user-controlled execution environment. Value migrates from the compiled artifact to the pattern, and distribution shifts from shipping executable code to publishing intent, designs, proofs, and API expectations. Zero-knowledge systems enter through the verification layer: the same pattern ZK rollups use to prove off-chain state transitions can extend to proving an endpoint ran approved code, processed data under defined constraints, or produced a result from a specific audited build. Infrastructure providers now face a commercial test — prove the claim, publish the interface, expose the constraint set, and let user-side agents decide inclusion.
Frequently asked questions
- What is the core claim of the 'app days are numbered' thesis?
The argument is that AI agents capable of building, verifying, and constraining software inside a user-controlled environment will, over time, reclassify running opaque third-party code as socially reckless — the way indoor smoking or unbuckled driving got reclassified once a safer default became cheap and routine.
- How does the XZ Utils backdoor support the software trust argument?
CISA warned in March 2024 that malicious code was embedded in versions 5.6.0 and 5.6.1 of a compression library present across Linux distributions. A disguised test file and build-process manipulation produced a modified liblzma library capable of intercepting data in linked software — showing that the supply chain…
- What role do ZK proofs play in the new software model?
ZK rollups already prove off-chain computation by posting a succinct validity proof on-chain. The thesis extends that pattern beyond transaction scaling — to prove an endpoint ran approved code, processed data under defined constraints, preserved privacy boundaries, or produced a result from a specific audited build,…
- Which AI coding agents are cited as the supply side of this shift?
The piece names OpenAI Codex, Anthropic's Claude Code, GitHub's Copilot coding agent, and Google Jules. OpenAI already shipped a UI option last month oriented around chats and outputs rather than code and terminals — an early sign that software creation is moving from developer tool to personal delegation.
- What is the 'managed convenience' risk in the new software economy?
Corporate platforms may bundle subsidized apps, identity, credits, payments, storage, AI access, and default workflows. If AI-driven abundance produces UBI-adjacent income, compute credits, or token distributions, those benefits can become a soft lock-in rail — participation looks voluntary while pushing users toward…
CryptoSlate