Resources

Everything we have written down in one place - engineering articles, a plain-language glossary, and the open-source code behind our products. Start anywhere; they all link back to each other.

From the blog

Notes from the team on how we build governed AI, audit AI-generated code, and run data pipelines.

YCAudit
Security
Prompt Injection

Channel to shell: a blind audit of a 3-million-line AI assistant

We already pulled this open-source project apart by its CVE feed. This time we read it cold - 3.2 million lines, no brief, no advisory list - and the blind pass surfaced 71 issues the advisory feed never will. Nine are Critical, and they are all the same path: an untrusted chat message reaching a terminal, a URL fetch, or a code-exec tool with nothing guarding the gap.

Security
CVE
Code Audit

Version ranges are a coin-flip: nearly half the CVEs flagged on one repo were already fixed

We pinned a heavily-audited open-source project at one exact release and computed which advisories a standard version-range check says it is exposed to: 34. Then we read the source for all 34. Sixteen - 47% - were already fixed. Version-range matching is triage, not a finding.

YCAudit
AI Codegen
Security

What an AI code auditor actually finds: patterns from 164 findings

Across four AI-generated codebases - 181 files and ~45k lines - YCAudit has raised 164 findings. The same failure modes keep coming back: secrets in .env, unvalidated LLM output reaching real actions, and missing tests for the one invariant that mattered. Here are the numbers.

YCAudit
Code Audit
AI Agents

Auditing a governed agent: what YCAudit found in Yopa

We pointed YCAudit at Yopa - a Foundry agent we built specifically to be governed and human-approved - and it still surfaced 48 findings, including a committed .env and zero automated tests on the drawer that is the agent's only write path. Here is the full run.

YCAudit
Code Audit
AI Codegen

Inside a YCAudit run: auditing YedaFlow end-to-end

We pointed YCAudit at our own YedaFlow repo - 101 files, ~10k lines - and let all 14 stages run. Here is what a real audit report looks like, and why every finding ships as a root-caused spec for a coding agent instead of a silent fix.

YCAudit
AI Codegen
Developer Tools

Introducing YCAudit: a skeptical second pass for AI-generated code

AI writes code fast and ships the happy path. YCAudit is the slow second pass: it reads a repository cold, raises findings across twelve dimensions, root-causes each one, and hands back fix specs - never silent edits. Here is the introduction.

RAG
Fine-tuning
LLM

RAG vs. fine-tuning: a practical decision guide

Your support bot needs to answer from 4,000 help-desk articles that change every week. Do you retrain the model or retrieve the articles? Almost always: retrieve. Here is the decision guide - what RAG and fine-tuning each actually do, when to reach for which, and why most teams start with the wrong one.

Open Source
Palantir Foundry
Data Pipelines

Open-sourcing YedaFlow: the pipeline substrate for governed agents

A public Foundry pipeline pattern for resolving messy order data, detecting cited exceptions, and giving governed agents clean operational state.

Open Source
Palantir Foundry
Agentic AI

Open-sourcing Yeda AI's Foundry agents: Yoca and Yopa

Two public Foundry agent examples show cited recommendations, human approval, deterministic fixtures, and governed action boundaries.

AI & data glossary

Plain-language definitions of the terms that come up across our articles - from RAG and embeddings to prompt injection and governance.

Open source

The public slices of our agent and pipeline work, Apache-2.0 licensed, each runnable locally with a deterministic fixture - clone and read the pattern end to end.
