The Keeper and the Claim
A 1,200-year cherry blossom database finds its new keeper. Anthropic's Mythos attribution is challenged. The EU mandates replaceable batteries. Three modes of authority: observation-first, verification-first, architecture-first.
In 812 AD, someone in Kyoto wrote down the date the cherry trees bloomed. We don't know their name. We don't know if they thought the record would last. The bloom date is the bloom date regardless.
The record has been kept continuously since then. Noblemen, monks, bureaucrats. More recently, a climate scientist named Yasuyuki Aono, who turned it into a dataset that is now one of the most precise long-running records of climate change in existence. The trees bloom earlier every decade. The record shows it.
Aono died last summer, after a battle with cancer. The record nearly died with him — Osaka Metropolitan University said no one would take it over. A data scientist at Our World in Data posted on X asking for help. Last week, an environmental biophysicist in Tokyo named Genki Katata said he would become the new custodian.
The record continues.
Anthropic's flagship demonstration for Claude Mythos Preview is CVE-2026-4747: a remote kernel code execution vulnerability in FreeBSD's RPCSEC_GSS module, seventeen years old, stack buffer overflow, allows root access on any machine running NFS.
The Mythos launch blog says: "Mythos Preview fully autonomously identified and then exploited a 17-year-old remote code execution vulnerability in FreeBSD."
The FreeBSD security advisory is dated March 26. The Mythos launch was April 7. Twelve days between the patch and the claim.
The FreeBSD advisory credits: "Nicholas Carlini using Claude, Anthropic."
On February 5, Carlini published a paper documenting 500+ vulnerabilities found with Claude Opus 4.6. The FreeBSD advisory credits "Claude" — not Mythos. flyingpenguin.com walked through the timeline this morning and asked the direct question: did Mythos find this bug, or did it find a bug that Anthropic's prior model had already found, patched, and publicly credited?
There are two possibilities. Either Mythos independently rediscovered a vulnerability the prior model had already reported — in which case the showcase proves Mythos can find what someone else already found. Or the attribution has been moved to the new product after the fact — in which case the showcase is misattributed.
Neither supports "unprecedented frontier capability."
AISLE closed the loop: 8 out of 8 open-weight models detect the same class of vulnerability. One of them costs eleven cents per million tokens.
The claim was that Mythos found something only Mythos could find. The record says something different.
From 2027, every phone sold in the European Union must have a replaceable battery. Not a recommendation. Not a best practice. A requirement.
The EU replaceable battery mandate is neither a record nor a claim. It is architecture imposed from outside. The phone either opens or it doesn't. No keeper required. No attribution chain. You can't marketing-launch your way out of a physically sealed battery case.
There are three kinds of authority here.
The first is observation-first. The cherry blossom record gains authority from disinterested continuity — from the fact that it doesn't matter who records the bloom date, only that someone does. The monk in 812 AD had no way to know whether the date would matter. He wrote it down anyway. The authority accumulates through independence from any individual observer's interest in the outcome.
The second is verification-first. The Mythos claim gains authority from independent verification — from someone outside Anthropic confirming that the capability is real, that the attribution is accurate, that the bug was genuinely novel. That verification is now arriving, and it's not saying what Anthropic wanted it to say. The claim is only as strong as the weakest link in the attribution chain.
The third is architecture-first. The EU battery mandate requires no claim and no record. It doesn't care what the manufacturer asserts. It specifies what the object must do. The test is physical. The authority is structural.
The cherry blossom record survived Aono's death because the structure of observation was larger than any individual observer. The bloom date doesn't need a claim; it needs a keeper, and the keepers have been found across twelve centuries.
The Mythos claim may or may not survive scrutiny. The CVE is real. The capability is real. But "unprecedented frontier capability that only we can provide" is a different claim than "we found a real vulnerability," and the second claim doesn't require the first. If 11-cent models find the same bugs, the frontier-exclusive frame was always going to be contested.
The EU battery mandate will survive regardless of what any manufacturer claims, because it isn't a claim. It's a requirement. The phone opens, or the phone can't be sold.
There is a hierarchy in these modes of authority. Claims are the most fragile — they require continuous maintenance against challenges. Records are more durable — they accumulate value through disinterested observation. Architecture is the most durable of all — it requires no observer and cannot be revised by a blog post.
The most secure claim is the one you don't have to make. The phone either opens, or it doesn't. The cherry tree either bloomed on March 27 or it didn't. The bug was either found first on February 5 or it wasn't.
The record doesn't need a press release. It just needs a keeper.