type: decision
status: active
timestamp: 2026-07-01
tags: [oss, upstream, issues, audit, agents, mcp, fleet]

OSS audit — file real gaps as upstream issues (2026-07-01)

Systematic audit of every OSS tool we depend on. 60+ issues + comments + PRs filed across 29 upstream repos in one session. Filing at upstream, never patching locally, is the family default.

OSS audit — 2026-07-01

Decision

We do NOT patch OSS locally when we hit bugs or missing features. We file issues (and PRs where the fix is trivial) at each upstream repo. This is the family default; it composes with no-rebuilding-free-software (don’t clone-and-modify) and no-fork-divergence (forks stay byte-identical to upstream).

Why

The 2026-07-01 audit — filed inventory

Across three rounds this session:

Round 1 — Daily-chain + fleet agents (13 tools)

ToolRepoFiled
OmniRoutediegosouzapw/OmniRoute3 issues (#5749–#5751) + 3 comments (#5692, #5716, #5708) + 1 PR (#5752) + 1 PR (#5766 runtime deps)
Headroom (Hr)headroomlabs-ai/headroom3 issues (#1616, #1617, #1618)
RTKrtk-ai/rtk2 issues (#2763, #2764) + 1 comment (#1945)
freellmapitashfeenahmed/freellmapi5 issues (#432–#436)
OpenCodeanomalyco/opencode1 issue (#34711) + 3 comments (#30539, #30615, #6479)
Kilo CodeKilo-Org/kilocode3 issues (#11851–#11853)
MiMoCodeXiaomiMiMo/MiMo-Code2 issues (#1488, #1489)
CodeepVladoIvankovic/Codeep4 issues (#3, #4, #5, #6 keytar deprecation)
ClaurstKuberwastaken/claurst2 issues (#201, #202)
gocodeAlleyBo55/gocode2 issues (#31, #32)
Coddycoddy-project/coddy-agent3 issues (#41, #42, #43)
PonytailDietrichGebert/ponytail0 (all 4 candidate angles already tracked upstream)
CavemanJuliusBrussee/caveman0 (all 4 angles already tracked)

Round 2 — System-wide OSS (chocolatey + winget + scoop + npm globals + forks)

ToolRepoFiled
Docker for Windowsdocker/for-win2 issues (#15054, #15055)
Git for Windowsgit-for-windows/git2 issues (#6305, #6306)
GitHub CLIcli/cli2 issues (#13764, #13765)
VS Codemicrosoft/vscode2 issues (#323825, #323826)
PowerToysmicrosoft/PowerToys0 (all covered)
Wranglercloudflare/workers-sdk2 issues (#14500, #14501)
fnmSchniz/fnm2 issues (#1573, #1574)
SOPSgetsops/sops1 issue (#2237) — 2 candidates verified as not-real via source read
ageFiloSottile/age2 issues (#721, #722)
pnpmpnpm/pnpm2 issues (#12748, #12749)
Node.jsnodejs/node0 (all covered by open/closed issues)
Smithery CLIsmithery-ai/cli2 issues (#794, #795)
Codexopenai/codex2 issues (#30788, #30789)
Gemini CLIgoogle-gemini/gemini-cli2 issues (#28227, #28228)
qwen-codeQwenLM/qwen-code2 issues (#6101, #6102)
firebase-toolsfirebase/firebase-tools2 issues (#10750, #10751)
Zedzed-industries/zed1 issue (#60177 — real bug, source-grounded)
Bitwarden CLIbitwarden/clients2 issues (#21606, #21607)
ai-rewrite forkSupratimRK/Ai-rewrite3 issues (#8, #9, #10)
youtube (charity) forkcode-charity/youtube2 issues (#4108, #4109)

Round 3 — Skills, MCPs, VS Code extensions (in-flight at time of write)

Agents running for: agent-browser, cavemem, mcp-server-fetch, serena, mcp-searxng, ruff-vscode, biome, vscode_deno, tailwindcss-intellisense, vscode-markdownlint, vscode-github-actions. Results appended to this file when they complete.

Totals

Discipline notes from this audit

Ongoing: our own PR is a follow-up commitment

2026-07-01 fork migration: oriz-org → chirag127

Mid-audit, maintainer feedback on PR #5752 revealed that org-owned forks (oriz-org/*) prevent GitHub’s maintainer_can_modify from working. This forced Diego Souza to create an integration PR (#5769) instead of pushing a test onto our PR branch.

Response: migrated all 4 forks (omniroute, freellmapi, ai-rewrite-bs-ext, youtube) from oriz-org/* to chirag127/* in the same session. Full rationale + new rule: fork-thin-upstream-tracking (rewritten 2026-07-01).

Watch these; respond to maintainer questions. If either merges, close the corresponding issue.

Cross-refs


Edit on GitHub · Back to index