Cal.com is one of the more recognizable open-source success stories of the last few years. The scheduling app is built on Next.js, can be self-hosted, has a healthy contributor base, and has been AGPL-3.0 licensed for years. So when the team announced in April that the production codebase was going closed source, citing AI-assisted vulnerability discovery as the main reason, it was a pretty big deal. The argument, on the surface, is reasonable enough. AI can now read a codebase and find bugs that escaped human eyes for decades. Anthropic's internal Mythos model has been a big contributor here, and its major findings include a 27-year-old integer overflow in OpenBSD's TCP SACK implementation that security reviewers and testers had, it seems, consistently walked past since the late 90s. If you're a small team running production infrastructure, that's scary, and Cal.com is clearly feeling it. But I don't think the conclusion they drew holds up.…