AI coding agents move beyond chat, treating codebases as living systems

AI coding agents are evolving from single-file chat helpers into fleet-scale systems that treat entire codebases as living directories. On Wednesday, Vercel launched eve, an open-source framework that models each agent as a directory of files, tools, and prompts. Block, the payments company formerly known as Square, now runs hundreds of AI coding agents managed entirely from Slack. Chainguard has matured its agent security capabilities to scan and sign agent-generated code.

Vercel introduced eve to handle what its engineers call "agent sprawl." The framework represents each agent as a folder containing a prompt.md, a tools subdirectory, and optionally an examples folder. This directory-level approach makes agents version-controllable, portable across teams, and inspectable by code review. Vercel demonstrated an agent that could refactor a React component across 12 files in under 90 seconds.

Slack as the agent command center

Block disclosed that it operates a fleet of AI coding agents that span more than 200 microservices. Rather than embedding chat interfaces into IDEs, Block routes agent requests through Slack channels. Each agent receives a dedicated Slack channel where developers can issue commands, review pull requests, and roll back changes. Block reports that this model reduced the time to triage cross-service bugs by 40 percent. The company uses a custom orchestrator that limits each agent to a maximum of five minutes of execution before requiring human approval.

• Vercel's eve is available on GitHub under an Apache 2.0 license.
• Block runs agents on ephemeral Kubernetes pods that are destroyed after each task.
• Chainguard's agent skills module signs all code output with cryptographic attestation.
• An open-source project called Polypore routes code agents through a pipeline of planned vs. actual behavior.
• Greptile's TREX tool executes injected code in a sandbox to verify reviewer suggestions before commit.

Security and observability become agent prerequisites

Chainguard expanded its agent security toolkit to include runtime scanning of agent-generated code. The company reported that nearly 15 percent of agent-suggested patches it scanned contained at least one dependency with a known CVE. Chainguard's toolchain now automatically rebuilds agent outputs inside hardened containers before allowing merges. Block enforces a similar policy: no agent-generated code can reach production without passing a separate human review step and a signed attestation from Chainguard's in-toto integration.

Several open-source projects are challenging the assumption that agent tools should live inside VS Code or a chat panel. The Polypore project, for example, introduces a planned-behavior file that an agent writes before executing any change. The file describes what the agent intends to do, and a reviewer can compare the plan against the actual diff. Greptile's TREX takes this further by executing any code suggested by a reviewer inside a sandboxed runtime, showing the actual output before the developer accepts the change.

What comes next: expect more companies to adopt directory-as-agent models and Slack-native orchestration. The directory approach makes agents auditable by existing code review workflows. Security vendors will continue racing to sign and scan agent outputs before merge. The chat-only era of AI coding tools appears to be closing.