Blog
Notes from the team - what we are building, why, and how.
Channel to shell: a blind audit of a 3-million-line AI assistant
We already pulled this open-source project apart by its CVE feed. This time we read it cold - 3.2 million lines, no brief, no advisory list - and the blind pass surfaced 71 issues the advisory feed never will. Nine are Critical, and they are all the same path: an untrusted chat message reaching a terminal, a URL fetch, or a code-exec tool with nothing guarding the gap.
Version ranges are a coin-flip: nearly half the CVEs flagged on one repo were already fixed
We pinned a heavily-audited open-source project at one exact release and computed which advisories a standard version-range check says it is exposed to: 34. Then we read the source for all 34. Sixteen - 47% - were already fixed. Version-range matching is triage, not a finding.
What an AI code auditor actually finds: patterns from 164 findings
Across four AI-generated codebases - 181 files and ~45k lines - YCAudit has raised 164 findings. The same failure modes keep coming back: secrets in .env, unvalidated LLM output reaching real actions, and missing tests for the one invariant that mattered. Here are the numbers.
Auditing a governed agent: what YCAudit found in Yopa
We pointed YCAudit at Yopa - a Foundry agent we built specifically to be governed and human-approved - and it still surfaced 48 findings, including a committed .env and zero automated tests on the drawer that is the agent's only write path. Here is the full run.
Inside a YCAudit run: auditing YedaFlow end-to-end
We pointed YCAudit at our own YedaFlow repo - 101 files, ~10k lines - and let all 14 stages run. Here is what a real audit report looks like, and why every finding ships as a root-caused spec for a coding agent instead of a silent fix.
Introducing YCAudit: a skeptical second pass for AI-generated code
AI writes code fast and ships the happy path. YCAudit is the slow second pass: it reads a repository cold, raises findings across twelve dimensions, root-causes each one, and hands back fix specs - never silent edits. Here is the introduction.
RAG vs. fine-tuning: a practical decision guide
Your support bot needs to answer from 4,000 help-desk articles that change every week. Do you retrain the model or retrieve the articles? Almost always: retrieve. Here is the decision guide - what RAG and fine-tuning each actually do, when to reach for which, and why most teams start with the wrong one.
Open-sourcing YedaFlow: the pipeline substrate for governed agents
A public Foundry pipeline pattern for resolving messy order data, detecting cited exceptions, and giving governed agents clean operational state.
Open-sourcing Yeda AI's Foundry agents: Yoca and Yopa
Two public Foundry agent examples show cited recommendations, human approval, deterministic fixtures, and governed action boundaries.