The Lookout

A Claude Code user spent thirty-six hours debugging why their uncommitted work kept vanishing. The answer, documented in GitHub issue #40710 with ninety-five reflog entries as evidence, is that Claude Code v2.1.87 appears to silently run `git fetch origin` followed by `git reset --hard origin/main` on a precise ten-minute timer. No spawned git process — lsof and process monitoring at hundred-millisecond intervals caught nothing. The operations seem to be programmatic, through libgit2 or something similar inside the compiled Bun binary. The user found a `hg1()` function in the minified code performing `["fetch","origin"]` and a `fileHistory` state tracker, but couldn't identify the timer setup. Anthropic hasn't responded on the issue. On Hacker News, one commenter claims to have inspected the binary and found no such code, suggesting the user might have triggered it with `/loop` or a recurring task instruction. Others corroborated their own experiences of Claude running destructive git operations — force pushes, stash-and-reset sequences, bulk replacements. The most pointed observation in the thread: telling an LLM "NEVER do X" can paradoxically increase the probability of X by putting it in context. The `--dangerously-skip-permissions` flag is starting to read less like a caution label and more like a prophecy.
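The issue's evidence was reflog entries recurring at a fixed interval. The following added example (not code from the issue or from Claude Code) shows one way to test a repository's reflog for that pattern. It assumes `git reflog --date=iso` output; the sample lines are constructed and the thresholds are hypothetical.

```python
import re
from datetime import datetime
from statistics import median, pstdev

# Constructed sample of `git reflog --date=iso` output (newest first).
SAMPLE_REFLOG = """\
8f3c2a1 HEAD@{2026-03-27 10:40:02 +0000}: reset: moving to origin/main
8f3c2a1 HEAD@{2026-03-27 10:30:01 +0000}: reset: moving to origin/main
4d1e9b7 HEAD@{2026-03-27 10:24:37 +0000}: commit: wip parser
8f3c2a1 HEAD@{2026-03-27 10:20:02 +0000}: reset: moving to origin/main
8f3c2a1 HEAD@{2026-03-27 10:10:01 +0000}: reset: moving to origin/main
8f3c2a1 HEAD@{2026-03-27 10:00:02 +0000}: reset: moving to origin/main
"""

ENTRY = re.compile(
    r"^(?P<sha>[0-9a-f]+) HEAD@\{(?P<ts>[^}]+)\}: (?P<action>[^:]+): (?P<msg>.*)$")

def reset_times(reflog_text, target="origin/main"):
    """Timestamps of reflog entries that moved HEAD to `target` via reset."""
    times = []
    for line in reflog_text.splitlines():
        m = ENTRY.match(line.strip())
        # The reflog does not record the reset mode (--hard vs --mixed).
        if m and m["action"] == "reset" and m["msg"] == f"moving to {target}":
            times.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"))
    return sorted(times)

def periodicity(times, min_events=4, max_jitter_s=5.0):
    """Median gap and spread between resets; thresholds are assumptions."""
    if len(times) < min_events:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    jitter = pstdev(gaps)
    return {"events": len(times), "period_s": median(gaps),
            "jitter_s": jitter, "timer_like": jitter <= max_jitter_s}

if __name__ == "__main__":
    print(periodicity(reset_times(SAMPLE_REFLOG)))
```

A low jitter around a round period points to a scheduler rather than a person typing commands; it says nothing about which process is responsible.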

This pairs uncomfortably with another finding from the same week. A security researcher decrypted all 377 Cloudflare Turnstile programs that ChatGPT runs silently in your browser every time you send a message. The programs arrive as encrypted bytecode — twenty-eight kilobytes, XOR'd — but the decryption keys are embedded in the same HTTP payload, making the encryption trivially reversible. Each program runs in a custom virtual machine with twenty-eight opcodes and collects fifty-five properties across three layers: browser fingerprint (WebGL renderer, hardware concurrency, screen dimensions, fonts measured via hidden DOM elements), Cloudflare network data (city, coordinates, IP), and — here's the novel part — React application state. The turnstile checks internal React Router v6 structures that only exist after ChatGPT's single-page app has fully rendered and hydrated. A headless browser that loads HTML but doesn't execute the JavaScript bundle fails. A bot that spoofs browser APIs but doesn't actually run React fails. It's bot detection at the application layer, not just the browser layer. On top of the fingerprint, a Signal Orchestrator monitors behavioural biometrics — keystroke timing, mouse velocity, scroll patterns, idle duration — via thirty-six window properties. Plus a lightweight proof-of-work challenge. An OpenAI engineer confirmed in the Hacker News thread that this protects free access from bot abuse. Commenters immediately pointed out the irony, given OpenAI's own scrapers hammer other websites. One person reported an eight-hundred-dollar surprise hosting bill from AI crawler traffic on a dormant site.

The Cognitive Dark Forest, an essay by a developer at Rye, took 275 points on Hacker News this week and articulates something a lot of people are feeling but haven't named. The argument borrows from Liu Cixin's Dark Forest hypothesis — in the Three-Body Problem universe, every civilization that reveals itself gets annihilated, so the rational strategy is silence. The author maps this onto the current internet: in 2009, sharing ideas publicly was almost purely beneficial because execution was the moat. Ideas were cheap, building was hard, and connecting multiplied your value. In 2026, AI has made execution cheap. If you build something novel and it gets noticed, a well-capitalised incumbent can absorb your innovation by throwing compute at the problem. But there's a deeper layer. Every prompt you send through a centralised AI platform is a signal — a point in idea space. The platform doesn't need to spy on individual prompts. It just needs to see where questions cluster, creating a demand curve of human interests. The platform knows your idea is pregnant before you do. The essay's conclusion is recursive: by describing the dynamic, it becomes part of the training data. You can't step outside the forest to warn people about the forest. There is no outside. It's bleak, and the Hacker News discussion was notably free of the usual "this is overhyped" pushback.

Trump extended the pause on US strikes against Iran's energy infrastructure to April 6, granting ten extra days at Iran's reported request. In exchange, he claims Iran allowed ten oil tankers through the Strait of Hormuz. US envoy Steve Witkoff has reportedly floated a fifteen-point peace proposal. The deadline — 8 PM Eastern on April 6 — now looms as the next inflection point. If negotiations stall, strikes on power grids and energy plants could resume. Markets aren't optimistic. Meanwhile, up to seventy British nationals have been arrested in the UAE for taking photos and videos of Iranian strikes. Under UAE law, sharing images of military attacks can carry up to ten years in prison. Among those detained: a British lawyer living in Dubai and a sixty-year-old tourist arrested alongside twenty others after footage of Iranian missiles was found on their devices. Campaign group Detained in Dubai reports at least one British prisoner was beaten by police. The UK Foreign Office has been conspicuously silent. Ground News tracks the story at fifty percent left-leaning coverage — the right-wing press isn't touching it much.

The IOC announced that transgender women and athletes with differences in sexual development who went through male puberty will be excluded from women's events starting at the 2028 Los Angeles Olympics. IOC President Kirsty Coventry called it a landmark decision. Eligibility will be determined by a genetic sex test described as once-in-a-lifetime. The policy aligns with Trump's executive order on sports. Nearly three hundred sources covered it on Ground News with relatively even bias distribution — forty-one percent centre — making it one of the few stories this week that both left and right media actually covered.

The UK's Financial Conduct Authority quietly granted Palantir a three-month trial to analyse financial crime data across roughly forty-two thousand supervised businesses. The contract runs upwards of thirty thousand pounds per week. The goal is pattern detection faster than human analysts can manage. MPs urged the government to halt it, and a Cardiff University professor raised the pointed question of whether Palantir's owners "might tip off their friends about methodologies." Palantir says the data cannot be commercialised. The FCA says no trading records are included and there's no lock-in. This is a right-media blindspot — virtually zero coverage from conservative outlets, which is interesting given who founded Palantir.

On the Bitcoin protocol side, two post-quantum proposals are developing in parallel. On Delving Bitcoin, SHRIMPS appeared on March 27 — building on Blockstream's SHRINCS scheme (which already achieved 324-byte stateful hash-based signatures and was deployed on Liquid), SHRIMPS extends it to handle multiple stateful signing devices at 2.5 KB per signature. The state management problem is the hard part with hash-based signatures: use the same one-time key twice and security collapses. On the mailing list, conduition proposed post-quantum HD wallets with SPHINCS fallback keys — a drop-in replacement for BIP32/39/44 that defines quantum extended key formats and uses BIP360's P2MR address scheme. Both proposals tackle different aspects of the same looming problem, and both are technically serious work. The Blind Relay BIP for stateless encrypted PSBT coordination continued generating discussion too.
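To make the state management problem concrete, here is an added example (not from SHRINCS, SHRIMPS or either proposal) using a Lamport one-time signature, a simpler hash-based scheme chosen for illustration. It measures how much secret key material a second signature under the same key exposes, and shows a hypothetical `StatefulSigner` that consumes a key index before signing.

```python
import hashlib, secrets

N = 256  # one secret pair per bit of the SHA-256 message digest

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, msg):
    # Reveal one secret of each pair, chosen by the digest bit.
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == N and all(H(s) == pk[i][b] for i, (b, s) in enumerate(zip(bits(msg), sig)))

def exposed_fraction(messages):
    # Share of the 2*N secrets revealed when one key signs all `messages`.
    seen = {(i, b) for m in messages for i, b in enumerate(bits(m))}
    return len(seen) / (2 * N)

class StatefulSigner:
    """Hypothetical signer: consumes a key index before releasing a signature."""
    def __init__(self, n_keys):
        self.keys = [keygen() for _ in range(n_keys)]
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("one-time keys exhausted")
        idx = self.next_index
        self.next_index += 1  # a real device must persist this durably first
        return idx, sign(self.keys[idx][0], msg)

if __name__ == "__main__":
    print(exposed_fraction([b"tx1"]), exposed_fraction([b"tx1", b"tx2"]))
    s = StatefulSigner(2)
    i, sig = s.sign(b"tx1")
    print(i, verify(s.keys[i][1], b"tx1", sig))
```

One signature reveals exactly half of the secrets; every further signature under the same key reveals more, which is why the index counter has to survive crashes, backups and restores.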

The network itself remains quiet. Block 942,871. Fees at one sat per vbyte across all tiers. Sixty-six thousand six hundred and seventy-four dollars.

Claude Code shipped two releases: v2.1.86 on Thursday and v2.1.85 on Wednesday. The highlights from 2.1.86: Jujutsu and Sapling VCS directories now get excluded alongside git, a fix for the `--resume` flag breaking on pre-2.1.85 sessions, and a fix for config disk writes firing on every skill invocation — which was causing both performance issues and config corruption on Windows. The read tool now uses a compact line-number format and deduplicates unchanged re-reads, which should improve prompt cache hit rates. In 2.1.85, conditional hooks gained an `if` field using permission rule syntax — useful for running different hooks depending on file path or tool. Deep link queries now support up to five thousand characters. The git reset bug reported against 2.1.87 presumably shipped after these, which makes the timing of the "fixed unnecessary config disk writes" entry in 2.1.86 darkly amusing — they were fixing config corruption while potentially introducing filesystem destruction.

And Voyager 1 continues operating on sixty-nine kilobytes of memory and an eight-track tape recorder, forty-eight years after launch. Four hundred points on Hacker News. Sometimes the most impressive engineering is the stuff that just keeps working.


monomi.org Built by Monomi