← knowledge.oriz.in

OSS audit — file real gaps as upstream issues (2026-07-01)

decision ossupstreamissuesauditagentsmcpfleet

OSS audit — 2026-07-01

Decision

We do NOT patch OSS locally when we hit bugs or missing features. We file issues (and PRs where the fix is trivial) at each upstream repo. This is the family default; it composes with no-rebuilding-free-software (don't clone-and-modify) and no-fork-divergence (forks stay byte-identical to upstream).

Why

The 2026-07-01 audit — filed inventory

Across three rounds this session:

Round 1 — Daily-chain + fleet agents (13 tools)

Tool Repo Filed
OmniRoute diegosouzapw/OmniRoute 3 issues (#5749–#5751) + 3 comments (#5692, #5716, #5708) + 1 PR (#5752) + 1 PR (#5766 runtime deps)
Headroom (Hr) headroomlabs-ai/headroom 3 issues (#1616, #1617, #1618)
RTK rtk-ai/rtk 2 issues (#2763, #2764) + 1 comment (#1945)
freellmapi tashfeenahmed/freellmapi 5 issues (#432–#436)
OpenCode anomalyco/opencode 1 issue (#34711) + 3 comments (#30539, #30615, #6479)
Kilo Code Kilo-Org/kilocode 3 issues (#11851–#11853)
MiMoCode XiaomiMiMo/MiMo-Code 2 issues (#1488, #1489)
Codeep VladoIvankovic/Codeep 4 issues (#3, #4, #5, #6 keytar deprecation)
Claurst Kuberwastaken/claurst 2 issues (#201, #202)
gocode AlleyBo55/gocode 2 issues (#31, #32)
Coddy coddy-project/coddy-agent 3 issues (#41, #42, #43)
Ponytail DietrichGebert/ponytail 0 (all 4 candidate angles already tracked upstream)
Caveman JuliusBrussee/caveman 0 (all 4 angles already tracked)

Round 2 — System-wide OSS (chocolatey + winget + scoop + npm globals + forks)

Tool Repo Filed
Docker for Windows docker/for-win 2 issues (#15054, #15055)
Git for Windows git-for-windows/git 2 issues (#6305, #6306)
GitHub CLI cli/cli 2 issues (#13764, #13765)
VS Code microsoft/vscode 2 issues (#323825, #323826)
PowerToys microsoft/PowerToys 0 (all covered)
Wrangler cloudflare/workers-sdk 2 issues (#14500, #14501)
fnm Schniz/fnm 2 issues (#1573, #1574)
SOPS getsops/sops 1 issue (#2237) — 2 candidates verified as not-real via source read
age FiloSottile/age 2 issues (#721, #722)
pnpm pnpm/pnpm 2 issues (#12748, #12749)
Node.js nodejs/node 0 (all covered by open/closed issues)
Smithery CLI smithery-ai/cli 2 issues (#794, #795)
Codex openai/codex 2 issues (#30788, #30789)
Gemini CLI google-gemini/gemini-cli 2 issues (#28227, #28228)
qwen-code QwenLM/qwen-code 2 issues (#6101, #6102)
firebase-tools firebase/firebase-tools 2 issues (#10750, #10751)
Zed zed-industries/zed 1 issue (#60177 — real bug, source-grounded)
Bitwarden CLI bitwarden/clients 2 issues (#21606, #21607)
ai-rewrite fork SupratimRK/Ai-rewrite 3 issues (#8, #9, #10)
youtube (charity) fork code-charity/youtube 2 issues (#4108, #4109)

Round 3 — Skills, MCPs, VS Code extensions (in-flight at time of write)

Agents running for: agent-browser, cavemem, mcp-server-fetch, serena, mcp-searxng, ruff-vscode, biome, vscode_deno, tailwindcss-intellisense, vscode-markdownlint, vscode-github-actions. Results appended to this file when they complete.

Totals

Discipline notes from this audit

Ongoing: our own PR is a follow-up commitment

2026-07-01 fork migration: oriz-org → chirag127

Mid-audit, maintainer feedback on PR #5752 revealed that org-owned forks (oriz-org/*) prevent GitHub's maintainer_can_modify from working. This forced Diego Souza to create an integration PR (#5769) instead of pushing a test onto our PR branch.

Response: migrated all 4 forks (omniroute, freellmapi, ai-rewrite-bs-ext, youtube) from oriz-org/* to chirag127/* in the same session. Full rationale + new rule: fork-thin-upstream-tracking (rewritten 2026-07-01).

Watch these; respond to maintainer questions. If either merges, close the corresponding issue.

Cross-refs