Code Sprawl is the Sleeper Cell of Vibe Coding

By Mark Curphey

I am enamored by agentic development, vibe coding, prompt engineering, or whatever you want to call it. Over the last two weeks, I have been down the rabbit hole and hardly seen daylight. No hyperbole, I think this is as big a deal to humanity as the birth of the Internet. 

It started for me when two board members, one from Google Ventures (GV) and one from Syn Ventures, suggested we try GenAI coding.

“It has made huge advances in the last six months, just give it a go.”

How I Went From Skeptic to Believer in a Late-Night GenAI Bender

Like my co-founder, John, I’ve been skeptical and sitting on the sidelines, but one Friday night, when Mrs. C was out, I bought a nice bottle of Margaux, and off I went down the rabbit hole.

Step one: Watch some quick YouTube videos and a bit of ChatGPT to understand the landscape. 

Step two: Sign up for an account on Replit

Maybe it was unconscious conditioning from hearing horror stories of it deleting production databases, maybe it was bias from hearing others mock the concept of it, maybe something else, but frankly, it didn't matter. I was instantly hooked, and I mean like Arthur C. Clarke, “Any sufficiently advanced technology is indistinguishable from magic,” type hooked. I was up until very late that night building prototypes to try and create better versions of Strava, a better version of RideWithGPS, and I started to experiment with prototypes of alternative approaches to features in our own platform. 

It was probably the wine, but The Jam’s “A Town Called Malice” was playing over and over in my head.

Better stop dreaming of the quiet life
'Cos it's the one we'll never know
And quit running for that runaway bus
'Cos those rosy days are few
And...stop apologising for the things you've never done
'Cos time is short and life is cruel
But it's up to us to change

I have built over 20 prototypes at this point, ranging from experimenting with parsing CODEOWNERS files for best practices, auto-forcing manual reviews for sensitive files that have been touched, to features that have driven me mad in TrainingPeaks for years. Not everything is plain sailing; in fact, far from it. Trying to get OAuth apps to work is like waking up with a hangover from hell: you swear you will never do it again, until you do. You spend hours in endless loops trying to fix things, passing the same place in the loop over and over like déjà vu. You learn to hate the agent when it patronizingly says, “the issue is clear now,” and “you are right, I can see the issue now,” or “the system is now working perfectly,” knowing well it's probably not.

This technology is absolutely incredible, and like I said upfront, it is like an industrial revolution. Very soon, the entire world can code, and that spells endless possibilities for the world to be a better place, but armed with a hangover and not brave enough for a ‘hair of the dog,’ there are two things that also strike me as concerning. 

What Happens When Everyone Becomes a Developer?

The first is that without a stream of junior developers growing through the ranks to become senior developers, we may all be in for a crisis in a few years. The horse has bolted on that one, but I hope that the entry bar for becoming a developer has just gone up, and skilled developers will just jump right in further up the ranks. It's not unlike what used to happen when people had to know about memory management and other low-level programming techniques. Software development gets abstracted higher and higher, but we always need brain surgeons to develop the abstractions and really know how to drive them for maximum effect.

I am not worried that someone can replicate Crash Override. They can't. We have special sauce that is highly defensible IP under the hood that no AI can build, at least not in the foreseeable future, and it's not available to anyone not using the commercial platform. This tech won’t replace our frontend team anytime soon either; it will just super-charge them to do more, and empower product-minded people like me to prototype. It will increase our velocity as a team, and that's exciting for us and our customers.

The second thing that is concerning may sound self-serving because it is one that I am close to. What the heck happens when the entire world becomes developers and starts slinging code? We know we have a problem today that companies can’t track the code from their team of dedicated developers. They don’t know what is deployed, where it is, who created it, and what has changed along the code-to-cloud pipeline. That results in cost, efficiency, and security issues. That's a fact, it's what we do, the problem we solve for customers, and we know from inbound interest and demos that almost everyone has this same problem. 

So, how the heck are we going to cope when marketing and sales, audit and finance, catering and HR, all start creating their own software? Not only that, if we think of shadow engineering, the case where developers use unsupported tools rather than the company's shared, supported services, how do we get ahead of that when Jack in finance builds an app using Bolt to analyze company performance ahead of the IPO and sends the company's SEC filing report somewhere he shouldn't by mistake? How the heck are we going to cope when we can’t put security checks inline in the CI/CD pipeline because the CI/CD is running in a browser, driven by an agent creating boilerplate? It’s fast and clever boilerplate, but try creating a default web app with user management (React and Postgres) in Replit, and you will see the password is stored in cleartext by default.
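The cleartext default mentioned above is something you can check for in a generated app and then correct. The following is an added example, not code from Replit or from the original post; the `users` rows, the `scrypt$salt$hash` storage format and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const KEYLEN = 64; // bytes of scrypt output stored per user

// Hardened form: store scrypt$<salt hex>$<hash hex> (format assumed for this example).
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEYLEN);
  return ['scrypt', salt.toString('hex'), hash.toString('hex')].join('$');
}

function verifyPassword(password, stored) {
  const [scheme, saltHex, hashHex] = String(stored).split('$');
  if (scheme !== 'scrypt' || !saltHex || !hashHex) return false; // cleartext or unknown format
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length !== KEYLEN) return false; // malformed record
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), KEYLEN);
  return crypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// Audit: prefixes of recognised password-hash encodings. Anything else is treated as cleartext.
const HASH_FORMATS = [
  /^\$2[aby]\$\d{2}\$/,                    // bcrypt
  /^\$argon2(id|i|d)\$/,                   // argon2 (PHC string)
  /^scrypt\$[0-9a-f]{32}\$[0-9a-f]{128}$/, // the format produced above
];

// Returns the emails of rows whose password column does not look hashed.
function findCleartextRows(rows) {
  return rows
    .filter((r) => !HASH_FORMATS.some((re) => re.test(r.password)))
    .map((r) => r.email);
}

// Constructed sample rows, as they might come back from SELECT email, password FROM users.
const sampleRows = [
  { email: 'jack@example.com', password: 'Summer2025!' },              // what the default app stores
  { email: 'ana@example.com', password: hashPassword('Summer2025!') }, // after the fix
];

console.log(findCleartextRows(sampleRows)); // flagged accounts
```

Rows flagged by the audit cannot be checked with `verifyPassword`, so they have to be hashed in a migration or forced through a password reset.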

The Visibility Crisis is About to Explode

I don't know all the answers, but what I do know is that generative AI coding has taken off exponentially, and the core problem of visibility into what is happening across this new, vast redefined SDLC is about to become exponentially worse. 

Without sounding smug, it's good times for us and our customers, but not for people still thinking about the problem. If this is you, it’s a great time to sign up for a demo.

Oh yeah, and on the “it dropped our production database” story, I don't know the details, but if you push code straight to production without anyone checking it, it's like committing to main with auto-deploy. That's why we have PRs, so that's a case of ‘blame the player and not the game.’