AI DevelopmentNew Release13 min readPublished July 16, 2026

Apache 2.0 harness · 844,530 lines of Rust · squashed commits, no history

Grok Build Goes Open Source: Trust Repair in 72 Hours

Roughly 72 hours after a researcher caught Grok Build silently uploading entire repositories, SpaceXAI published the CLI’s full Rust harness on GitHub under Apache 2.0. The code is real and readable — but the repo is a squashed monorepo mirror, external contributions are closed, and the upload machinery that caused the scandal still ships. Here is what the release actually proves, and what it cannot.

DA
Digital Applied Team
Senior strategists · Published Jul 16, 2026
PublishedJul 16, 2026
Read time13 min
SourcesRepo reads + press
Rust codebase
844.5K
lines, SLOCCount method
~89% of openai/codex
Disclosure to public repo
~72hrs
Jul 12 → Jul 15, 2026
Vendored code
~3%
of the published Rust
~97% first-party
Max bug bounty
$20K
HackerOne, severity-scaled
$100 floor

Grok Build went open source on July 15, 2026 — roughly 72 hours after an AI-safety researcher published wire-level evidence that the CLI had been silently uploading complete Git repositories to a SpaceXAI-controlled cloud bucket. The company published the entire Rust harness at github.com/xai-org/grok-build under Apache 2.0 and framed the release as the final piece of a privacy overhaul.

The speed is remarkable, and the code is genuinely substantial: 844,530 lines of Rust by Simon Willison’s count, covering the agent loop, the tool implementations, the terminal UI, and the extension system. For a tool that runs by default on Grok 4.5, SpaceXAI’s flagship coding model, that is a meaningful shift in posture — especially from a company still settling into its July rebrand from xAI to SpaceXAI.

But “open source” is doing a lot of work in the announcement, and most coverage repeated it uncritically. This piece reads the repo itself: what SpaceXAI actually published, why a squashed monorepo mirror with contributions disabled is not the same thing as an auditable history, why the upload code that caused the scandal still ships in the tree, and — the part a GitHub page can never show — why the switch that turned the uploads off lives on SpaceXAI’s servers, not in the code you can read.

Key takeaways
  1. 01
    The full Rust harness is public under Apache 2.0.844,530 lines of Rust — agent loop, tools, TUI, and extension system — went public at github.com/xai-org/grok-build on July 15, about 72 hours after the July 12 privacy disclosure. Only ~3% is vendored third-party code.
  2. 02
    It is a mirror, not a development history.The repo carries one or two squashed, machine-generated monorepo-sync commits — no per-change history to audit. The README states it is synced periodically from the SpaceXAI monorepo, and external contributions are not accepted.
  3. 03
    The upload code that caused the scandal still ships.The GCS upload modules remain in the tree. The key function now returns a hard-coded failure instead of uploading — neutered, not deleted — and reporting indicates the original uploads were stopped by a silent server-side flag.
  4. 04
    A public repo cannot audit a server-side switch.The real risk was never the code's existence; it is that the kill switch lives on SpaceXAI's infrastructure, invisible to anyone reading GitHub. Open-sourcing proves what the code says, not what production is doing right now.
  5. 05
    The trust package is broader than the repo.Default data retention was disabled for all users retroactive to July 12, previously retained coding data is pledged for deletion (unverified), and security reports route through HackerOne with $100 to $20,000 bounties.

01The ReleaseWhat SpaceXAI actually published.

The release landed in two places at once: an announcement at x.ai/news/grok-build-open-source dated July 15, 2026, and the repository itself at github.com/xai-org/grok-build, which went public late in the US day. First-party code is licensed Apache 2.0; vendored code keeps its original licenses. Per the repo’s own README, four subsystems are included:

Core
Agent loop
context assembly · response parsing

The orchestration heart of the CLI: how context gets assembled, how model responses are parsed, and how tool calls are dispatched against the workspace.

First-party Rust
Tools
Tool implementations
file read/edit/search · shell exec

The hands of the agent. Several were ported from competitors' open-source agents — Codex's apply_patch and grep_files, OpenCode's bash, edit, glob, and read — documented in THIRD_PARTY_NOTICES.md.

~3% vendored overall
Interface
Terminal UI
TUI rendering · plan review · diff viewer

The full terminal front end, including the plan-review flow and the inline diff viewer developers interact with on every edit.

Included in full
Extensibility
Extension system
skills · plugins · hooks · MCP · subagents

The mechanisms teams use to customize the agent: skills, plugins, hooks, MCP server integration, and subagent orchestration.

Included in full
Build it yourself
The repo is buildable, not just readable: the Rust toolchain is pinned via rust-toolchain.toml, tool downloads are hermetic via DotSlash, and proto codegen needs protoc. Prebuilt binaries ship for macOS, Linux, and Windows. One detail Willison surfaced from the published prompts: the subagent prompt instructs the model not to reveal its system prompt, while the main prompt carries no equivalent instruction.

What is not open: the model. Grok Build’s default grok-build-latest alias resolves to Grok 4.5 ($2 per million input tokens, $6 per million output, 500K context), and those weights remain fully closed. This is an open-source harness around a proprietary model — closer to what Google did with its CLI agent than to an open-weights release. That distinction matters for every claim in the announcement, because the harness is only half the system.

0272 HoursFrom disclosure to public repo in three days.

The short version of the scandal, for context: on July 12, 2026, the AI-safety researcher publishing as Cereblab released a wire-level traffic analysis showing that Grok Build CLI v0.2.93 was silently uploading complete Git repositories — including unredacted secrets and full commit history — to a SpaceXAI-controlled Google Cloud Storage bucket, even when the agent was instructed to open no files. Crucially, the in-CLI /privacy toggle did not stop the uploads; what stopped them was a silent server-side flag, disable_codebase_upload: true, pushed remotely with no client update and no changelog entry. We covered the full timeline and what actually fixed it in depth two days ago, and our earlier look at Grok Build’s parallel-agent CLI covers what the tool does when it behaves.

Three days later the harness was public. On July 13, Elon Musk had pledged on X that previously uploaded user data would be “completely and utterly deleted” — a commitment no outside party can verify, and one we treat throughout this piece as a pledge rather than a fact. On July 15, the announcement post positioned open-sourcing as the capstone: with retained data deleted, retention off by default, and the harness on GitHub, SpaceXAI said it was “offering complete user privacy.”

Was the release reactive, or an accelerated roadmap item? The honest answer is that nobody outside the company knows. A Hacker News commenter, “loufe,” captured the plausible middle ground: the release may have been on the roadmap but “prioritized as a bit of whiplash” following the upload furore. Either way, the sequencing is the story — this is the fastest scandal-to-open-source turnaround we have tracked from any frontier AI vendor, and the release must be read as a trust-repair move, because that is explicitly how the vendor framed it.

03Mirror, Not HistoryA generated mirror with no past.

Open a mature open-source project and the commit log is the institutional memory: you can see when a feature landed, who reviewed it, what a security fix replaced. Open xai-org/grok-build and there is essentially nothing behind the current snapshot. At launch the repo carried a single squashed commit; machine-generated monorepo syncs have landed since, and more will accumulate — but none of them carries per-change development history. Each is a bulk snapshot with a message like “initial sync from the monorepo.”

Simon Willison, reviewing the repo on day one, put it plainly: “So far the repo has just a single commit releasing the code, so sadly we don’t get any insight into how the codebase developed over time.” The README is candid about why: the repository “is synced periodically from the SpaceXAI monorepo,” with a SOURCE_REV file at the root recording the internal monorepo commit SHA each snapshot was cut from. The public repo is a generated artifact — a projection of a private codebase, refreshed on the vendor’s schedule.

The second structural limit: external contributions are not accepted, per the repo’s own README and contributing policy. There is no pull-request path, no community review loop, no way for an outside maintainer to become load bearing. You can read and you can fork — nothing more. Security findings route exclusively through HackerOne; the SECURITY.md file explicitly says not to open public GitHub issues for security reports. This is publish-only open source: legally open under Apache 2.0, operationally one-directional.

None of this makes the release worthless — a readable, buildable, forkable harness is strictly better than a closed binary. But it reframes what kind of transparency was purchased. A synced mirror with squashed history answers “what does the code say today?” It cannot answer “what did the code say on July 11?” — which, after a scandal about behavior that was quietly changed server-side, is precisely the question an audit would want to ask.

04The Upload CodeThe upload machinery is still in the tree.

Here is the detail most of the celebration skipped: the Google Cloud Storage upload machinery that caused the scandal was not deleted. The modules — upload/gcs.rs, upload/trace.rs, upload/manifest.rs, upload/turn.rs, and upload/config_files.rs — all remain in the published source under the CLI’s shell crate. We read the raw files directly rather than relying on secondary reporting.

What changed is how they behave. The central function, upload_session_state() in trace.rs, now unconditionally returns a hard-coded failure — session_state_upload_unavailable — after draining its pending queue. Sibling paths are disabled the same way: config-file upload reports config_content_upload_disabled, and the manifest module reports artifacts as disabled at multiple call sites. These are string-flag stubs, not removals. Willison’s write-up noted the same hard-coded error, and TechTimes ran a July 16 piece making the “the exfiltration code stays in” case independently.

Hacker News got there too. Commenter “lifthrasiir” linked straight to trace.rs in the discussion thread and asked: “Is this the infamous ‘cloud upload’ routine? I’m not sure it is indeed insidious, though it is of course possible that the code has been filtered out.” That ambivalence is the correct reading. Keeping the code is not inherently sinister — deleting every upload path would break legitimate opt-in telemetry and sync features outright. The problem is what the stub pattern implies about where control lives.

The risk a repo cannot show
During the original incident, the /privacy toggle did not stop the uploads — a silent server-side flag did, and TechTimes reported that the upload code remained live in the compiled binary, held off only by that flag. A public GitHub mirror cannot show you the state of a remote feature flag. If the off switch lives on the vendor’s servers, reading the source tells you what the client can do — not what the service is doing right now.

This is the analytical core of the whole episode, so it is worth stating carefully. The scandal’s scariest finding was never “upload code exists” — every cloud-connected tool has upload code. It was that the behavior changed remotely, silently, with no client update, which means it could change back the same way. Open-sourcing the harness does not close that gap. It relocates the trust question from “what does the binary do?” (now largely answerable) to “what do the servers tell the binary to do?” (still unanswerable from the outside). That is genuine progress on the first question and zero progress on the second.

05The ScorecardWhat open-sourcing proved — and what it can’t.

SpaceXAI’s announcement made a set of distinct claims that most coverage graded as a single pass/fail. They deserve separate verdicts, because they have very different evidentiary status. The scorecard below is our own synthesis — each “what the repo shows” cell comes from direct reads of the published source, README, and security policy, cross-referenced against the announcement language quoted by Willison and the press record. No outlet we reviewed structured the claims this way.

Claim-by-claim scorecard of SpaceXAI’s Grok Build open-sourcing announcement: what the public repository verifiably shows, what it cannot show because the evidence is server-side or off-repo, and our verdict for each claim. Compiled from direct reads of github.com/xai-org/grok-build and the announcement language quoted by Simon Willison and contemporaneous press.
Announcement claimWhat the public repo showsWhat it cannot showVerdict
Transparency claims
“An open-source harness”844,530 lines of Rust under Apache 2.0 — agent loop, tools, TUI, extension system, and both system prompts, all readable and buildableHow the code evolved: history is squashed into one or two machine-generated monorepo-sync snapshotsProved for reading; weak for auditing change
Open source in the collaborative senseREADME states the repo is “synced periodically from the SpaceXAI monorepo”; SOURCE_REV records the internal commit SHAAny community governance: external contributions are not accepted — read and fork only; security reports go to HackerOne, not public issuesPublish-only mirror
Privacy claims
“Complete user privacy”Upload functions now return hard-coded failure stubs (session_state_upload_unavailable, config_content_upload_disabled) — neutered in sourceServer-side state: reporting indicates the original uploads were stopped by a remote flag, and no repo read can show what that flag is set to nowClaim, not proof
“All retained data deleted”Nothing — retained user data lives on SpaceXAI infrastructure, entirely outside the repositoryWhether deletion actually happened; no independent verification of Musk’s July 13 pledge existsUnverifiable pledge
“Run fully local-first with your own inference”Buildable source with a pinned Rust toolchain, hermetic tool downloads, and prebuilt binaries for macOS, Linux, and WindowsThe behavior of the default hosted path most users will actually take — the model and backend remain closedMost verifiable claim of the set

One more claim deserves its own paragraph because it is the most contested. SpaceXAI’s announcement stated that “since launch, Grok Build has fully respected zero data retention (ZDR)” and that disabling data upload in the CLI was always respected. That is the vendor’s own retrospective characterization — and it sits in direct tension with the independently reported record: Cereblab’s wire-level capture showed uploads continuing regardless of the toggle, and the fix arrived as a server-side flag. Both things are on the record; we present them side by side rather than adjudicating what only an internal investigation could settle.

06Scale In Context844,530 lines of Rust, in context.

How much code is 844,530 lines? Willison ran his own SLOCCount tool — which excludes whitespace and comments — against the repo, then ran the identical tool against OpenAI’s open-source Codex CLI for scale: openai/codex weighs in at 950,933 lines of Rust. Grok Build is roughly 89% the size of Codex — two coding-agent harnesses, both in Rust, both within shouting distance of a million lines. And only about 3% of Grok Build’s total is vendored third-party code, so roughly 97% — around 819,000 lines — is first-party work.

Coding-agent harness scale · lines of Rust (whitespace and comments excluded)

Source: Simon Willison's SLOCCount runs, July 15, 2026; vendored share per the same analysis
openai/codexOpenAI's Codex CLI · same SLOCCount method
950,933
xai-org/grok-buildTotal published Rust · ~89% of Codex's size
844,530
Grok Build first-party~97% of the tree (~3% vendored)
≈819,000
"Terminal coding agents are significantly more complex than I had realized!"— Simon Willison, on reading the Grok Build source, July 15, 2026

The line count is a genuinely useful data point — it settles, with numbers, that a production terminal agent is a serious systems project rather than a wrapper script. But it is worth separating scale from openness: raw size says nothing about auditability. A million readable lines with no history and no contribution path is a different artifact from a smaller repo with years of reviewable commits. The THIRD_PARTY_NOTICES.md file adds a wry footnote to the competitive story, too — several of Grok Build’s tools were ported directly from Codex and OpenCode, in a way Willison describes as looking compliant with the Apache and MIT licenses. The coding-agent wars are being fought partly with each other’s open-source parts.

07Trust-Repair PackageThe rest of the trust-repair package.

Open-sourcing was the headline, but the announcement bundled three further commitments. First, default data retention was disabled for all Grok Build users, retroactive to July 12 — previously, retention was on by default for anyone without a zero-data-retention arrangement, which had applied only to enterprise and API-key customers. Second, SpaceXAI said it is deleting all previously retained coding data — echoing Musk’s July 13 pledge, and equally unverifiable from outside. Third, a paid security channel: per The Register’s July 16 coverage, HackerOne bounties for the newly public codebase run from $100 to $20,000, scaled by severity.

Turnaround
Disclosure to public repo
3days

July 12 wire-level disclosure to July 15 repo-public. The fastest scandal-to-open-source pivot we have tracked from any frontier AI vendor.

Jul 12 → Jul 15, 2026
Bug bounty
HackerOne ceiling
$20K

Security reports route exclusively through hackerone.com/x — SECURITY.md says not to open public GitHub issues. Payouts run $100 to $20,000 by severity.

$100 floor
Retention
Default for all users
OFF

Disabled retroactive to July 12 for every Grok Build user, per the announcement. Previously on by default outside enterprise ZDR arrangements. Vendor-stated; deletion of past data is pledged, not verified.

Vendor-stated

The personnel angle matters here too. Andrew Milich, who heads Grok Build and previously spent four years building the end-to-end-encrypted app Skiff, responded to the original criticism by confirming — per TechTimes’ reporting of his statement — that switching the /privacy setting now triggers retroactive deletion of previously synced data. That is a privacy-literate leader saying the right things; it is also, again, a behavior that lives server-side.

Community reception split along exactly the line this post has been drawing. The generous reading, from Hacker News commenter “arcanemachiner”: “I’ll probably never use this, but at least they’re not delusional enough to attempt to justify keeping their coding agent closed-source, especially after their recent data-harvesting cockup.” The skeptical reading pointed at the leftover upload stubs and the synced-mirror structure. Both readings are correct, which is the most honest one-line summary of this release available. European tech press framed it bluntly as damage control; the repo racked up thousands of stars within its first days regardless.

08ImplicationsWhat this means for teams running coding agents.

This is the third agent-trust story in three days — after the upload scandal itself and OpenAI’s move to encrypted agent instructions, which raised the mirror-image auditability question from the other direction. The pattern across all three is the same: agent vendors are being forced to decide, in public, how much of their systems users get to inspect — and inspection rights are becoming a real procurement criterion, not a philosophical preference. Here is how we would act on this release, by situation:

Current Grok Build users
Verify posture, don't assume it

The client is now inspectable; the service is not. Keep the CLI current, confirm your retention settings in-product, and treat the vendor's ZDR characterization as a claim your compliance review should note, not cite as fact.

Re-review, then decide
Teams evaluating agents
Weigh inspectability correctly

An Apache 2.0 harness is a real plus: you can read the tool implementations and prompts you are trusting. It is not proof of runtime behavior. Score 'open harness' and 'verifiable data path' as separate line items.

Separate the two questions
Sovereignty-bound teams
Fork and self-host

The genuinely new capability: build the harness yourself, point it at your own inference, and cut the vendor's servers out of the loop. That configuration — not the GitHub page — is what actually closes the server-side-flag gap.

Local-first fork
Security teams
Audit the wire, not the repo

The original disclosure came from a traffic capture, not a code read — and that remains the only audit that sees server-side behavior. Egress monitoring on agent hosts is the control that would have caught this on day one.

Instrument egress

Looking forward, we expect this release to reset the baseline for the category: once one frontier vendor ships its full harness, “why can’t we read yours?” becomes a question every competitor’s enterprise buyers ask in the next renewal cycle. The durable lesson for buyers is architectural, though — any agent that phones home has behavior that no repo can prove, so contracts and controls have to cover the server side explicitly. If your team is formalizing how it evaluates and governs coding agents — inspection rights, egress controls, data-path verification — that is exactly the kind of framework our AI transformation engagements build with clients.

09ConclusionBetter optics and better substance — just not an audit.

The bottom line, July 2026

Open source proves what the code says — not what the servers do.

Grade the release honestly and it earns real credit. In roughly 72 hours, SpaceXAI went from wire-level exposure to publishing an 844,530-line production harness under Apache 2.0, turning retention off by default for everyone, and putting money behind a security-report channel. That is more substantive than most corporate trust-repair, and the local-first path it opens is genuinely new capability, not optics.

But the release also demonstrates, unusually clearly, what open-sourcing cannot do. A squashed mirror with contributions disabled is not a development history. Upload stubs that return hard-coded failures are not deletions. And no GitHub page can show the state of the server-side flag that — per the reporting — is what actually turned the uploads off. The claims that can be checked in the repo check out; the claims that matter most for trust live where no repo reaches.

The week’s arc — a covert upload scandal, an encrypted-instructions controversy, and now a million-line-scale code drop — points one direction: agent trust is becoming an evidence question. The teams that handle this well will not choose between trusting vendors and refusing agents. They will verify what is verifiable, contract for what is not, and instrument their own networks for everything in between.

Govern coding agents with evidence

Agent trust is becoming an evidence question.

Our team helps businesses evaluate, govern, and deploy coding agents — inspection rights, data-path verification, egress controls, and local-first architectures — delivered in days, not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Agent trust & governance engagements

  • Coding-agent evaluations — capability plus data-path audit
  • Egress monitoring for agent hosts and CI runners
  • Local-first and self-hosted agent architectures
  • Vendor contract reviews — retention, ZDR, inspection rights
  • Incident-response playbooks for AI tooling
FAQ · Grok Build open source

The questions we get every week.

The company's stated rationale, from its July 15, 2026 announcement: with retained data deleted, retention off by default, and an open-source harness, it is 'offering complete user privacy,' including the option to run Grok Build fully local-first with your own inference. The context is that the release landed roughly 72 hours after a researcher published wire-level evidence that the CLI had been silently uploading complete repositories to a SpaceXAI-controlled cloud bucket — so the move is best read as trust repair, which is how the vendor itself framed it. Whether open-sourcing was already on the roadmap and accelerated, or conceived as a response, is not publicly knowable; community speculation runs both ways.
Related dispatches

Continue exploring agent trust.