From the Yeda AI Engineering Blog

Blog

Notes from the team - what we are building, why, and how.

YCAudit
Security
Prompt Injection
AI Agents

Channel to shell: a blind audit of a 3-million-line AI assistant

June 15, 2026 · 8 min read · Yeda AI Team

We already pulled this open-source project apart by its CVE feed. This time we read it cold - 3.2 million lines, no brief, no advisory list - and the blind pass surfaced 71 issues the advisory feed never will. Nine are Critical, and they are all the same path: an untrusted chat message reaching a terminal, a URL fetch, or a code-exec tool with nothing guarding the gap.

Security
CVE
Code Audit
YCAudit

Version ranges are a coin-flip: nearly half the CVEs flagged on one repo were already fixed

June 12, 2026 · 7 min read · Yeda AI Team

We pinned a heavily-audited open-source project at one exact release and computed which advisories a standard version-range check says it is exposed to: 34. Then we read the source for all 34. Sixteen - 47% - were already fixed. Version-range matching is triage, not a finding.

YCAudit
AI Codegen
Security
Code Quality

What an AI code auditor actually finds: patterns from 164 findings

June 11, 2026 · 6 min read · Yeda AI Team

Across four AI-generated codebases - 181 files and ~45k lines - YCAudit has raised 164 findings. The same failure modes keep coming back: secrets in .env, unvalidated LLM output reaching real actions, and missing tests for the one invariant that mattered. Here are the numbers.

YCAudit
Code Audit
AI Agents
Security

Auditing a governed agent: what YCAudit found in Yopa

June 10, 2026 · 8 min read · Yeda AI Team

We pointed YCAudit at Yopa - a Foundry agent we built specifically to be governed and human-approved - and it still surfaced 48 findings, including a committed .env and zero automated tests on the drawer that is the agent's only write path. Here is the full run.

YCAudit
Code Audit
AI Codegen
Developer Tools

Inside a YCAudit run: auditing YedaFlow end-to-end

June 8, 2026 · 7 min read · Yeda AI Team

We pointed YCAudit at our own YedaFlow repo - 101 files, ~10k lines - and let all 14 stages run. Here is what a real audit report looks like, and why every finding ships as a root-caused spec for a coding agent instead of a silent fix.

YCAudit
AI Codegen
Developer Tools
Code Quality

Introducing YCAudit: a skeptical second pass for AI-generated code

June 5, 2026 · 4 min read · Yeda AI Team

AI writes code fast and ships the happy path. YCAudit is the slow second pass: it reads a repository cold, raises findings across twelve dimensions, root-causes each one, and hands back fix specs - never silent edits. Here is the introduction.

RAG
Fine-tuning
LLM
AI Engineering

RAG vs. fine-tuning: a practical decision guide

June 4, 2026 · 6 min read · Yeda AI Team

Your support bot needs to answer from 4,000 help-desk articles that change every week. Do you retrain the model or retrieve the articles? Almost always: retrieve. Here is the decision guide - what RAG and fine-tuning each actually do, when to reach for which, and why most teams start with the wrong one.

Open Source
Palantir Foundry
Data Pipelines
Agent Substrate

Open-sourcing YedaFlow: the pipeline substrate for governed agents

May 31, 2026 · 6 min read · Yeda AI Team

A public Foundry pipeline pattern for resolving messy order data, detecting cited exceptions, and giving governed agents clean operational state.

Open Source
Palantir Foundry
Agentic AI

Open-sourcing Yeda AI's Foundry agents: Yoca and Yopa

May 19, 2026 · 5 min read · Yeda AI Team

Two public Foundry agent examples show cited recommendations, human approval, deterministic fixtures, and governed action boundaries.
