Grok Build Went Open Source — Now Read the Agent Loop Before It Reads Your Repo
SpaceXAI open-sourced Grok Build's agent loop and TUI. For an architecture office, the harness — not the model — decides what leaves the building.
The software supply-chain specs of the last decade — SPDX, CycloneDX, SLSA — all rest on one dull premise: you cannot secure a dependency you cannot read. An SBOM tells you what is in the box. It says nothing about what the box sends home. And for the whole first act of the agentic-coding era that second question had no honest answer, because the harness — the program that opens your files and talks to a model — shipped as a binary.
That changed on 15 July 2026. SpaceXAI published the source of Grok Build, its coding agent and terminal UI, on GitHub. The announcement is unusually direct about the reason: for skills, plugins, hooks, MCP servers and subagents, “the source is the definitive reference for how each is loaded and invoked.” It is Rust — cargo run, cargo clippy, cargo fmt — and it is driven from a config.toml. So you can compile it yourself, point it at your own local inference, and let nothing leave the machine.
The loop is the product
Draw a coding agent as boxes and you get four: context assembly, model call, response parsing, tool dispatch — then back to box one. The model is rented from someone else. The loop is what touches your disk. So the interesting question was never which model but which box decides what goes on the wire, and the answer is box one. Context assembly is the choke point, the place where your repository quietly becomes a payload. Until this week nobody outside the vendor could read it.
Timing matters here. The Verge reported the same day that Elon Musk intends to open-source X’s entire codebase “with no exceptions” — and noted in passing that Grok Build had already made exposing your code “a little too easy”. Explainx dates the release four days after a repository-upload episode in which wire tests captured full Git bundles. Publishing the harness is the right correction. But be clear about what it buys: open source does not make a harness safe, it makes it auditable, and nobody in your office has an afternoon free to audit tens of thousands of lines of Rust. Which means the default config matters more than the licence.
What a Git bundle actually contains
Now translate “the repo” into what sits on an architecture office’s disk. It is not a folder of Python. It is the Wettbewerb submission, the .pln and its IFC exports, the tender PDFs with the client’s cost breakdown, a site survey under NDA, and eighteen months of history in which somebody committed a scan and deleted it two days later. Deleted from the working tree; still in the pack. So a “full bundle” is not your project — it is every version of your project you ever had.
←TODAY: In July 2026 the harness that reads your repo finally ships with its source; the default config still decides what leaves the office.
→3012: Zurich 3012 runs on inference nobody rents — local weights, readable loops, a dependency graph any junior can draw from memory.
Fulcrum: An auditable agent is only worth something to an office that already knows which folders it would never let one see.
Atelier: The office question is not whether to allow coding agents — your juniors are already running them — but which folders one may ever be pointed at, and that is now a config decision rather than a trust decision, because the workspace root and the tool allow-list live in a text file you control. Offices that have been through a data-handling incident report the same lesson: the policy that survives is the one written before the tool arrives, not after. Monday move: write the one-page agent-workspace rule — the named project folders an agent may see, everything else off-limits — and pin it into config.toml on every machine before anyone opens a Wettbewerb directory.
Hack: Weigh the wire before you open it — measure what “send the repo” actually hands over, in megabytes and in history. git bundle create --all produces the same artifact an over-eager tool would: every branch, every tag, every blob you ever committed. Run it against a live project folder, read the size, then grep the full history for the file types you would never email a stranger. Because if the answer surprises you, that is not a hypothetical — that is your finding, and it is thirty seconds old.
git bundle create /tmp/repo.bundle --all # exactly what "upload the repo" means
git bundle verify /tmp/repo.bundle # every ref that rides along
du -h /tmp/repo.bundle # the payload, in MB
git log --all --oneline -- '*.pdf' '*.pln' '*.ifc' | head # history still carries deleted files
Draw the dependency graph
Here is the part I would underline for anyone reading this in 2026. We did not run out of compute later on. Instead we ran out of intact cooling, intact bandwidth, and people who still remembered how the old system worked. Single points of failure stay quiet until the day they aren’t — and an agent harness you cannot read is a single point of failure with a friendly TUI. So the Grok Build release is genuinely good news, and the way to use it is not to adopt the tool but to read the loop, then ask whether your own stack has an equivalent box you never opened. Every resilient-inference reference architecture I have worked on since starts with the same dull exercise, and offices already pointing PAZ-GPT at local weights have only the endpoint half-solved. Draw your real dependency graph this week — not the architecture diagram, the dependency graph — and count the third single point you didn’t know you had.
Sources & Further Reading
SOURCE · ↗
PAZ Kaffi · multidisciplinary editorial, led by PAZ Academy