OSS audit — file real gaps as upstream issues (2026-07-01)
Decision
We do NOT patch OSS locally when we hit bugs or missing features. We file issues (and PRs where the fix is trivial) at each upstream repo. This is the family default; it composes with no-rebuilding-free-software (don't clone-and-modify) and no-fork-divergence (forks stay byte-identical to upstream).
Why
- Force multiplier. One filed issue → the maintainer fixes it → every user benefits. One local patch → we alone benefit → drift → merge conflicts → abandonment.
- Signal to upstream. Maintainers cannot prioritise pain they don't see. Our reports become their triage inputs.
- Zero maintenance burden. No local patch queue to rebase.
- Discovery. The act of filing forces reading source and dedupe search; often reveals we misdiagnosed the problem.
The 2026-07-01 audit — filed inventory
Across three rounds this session:
Round 1 — Daily-chain + fleet agents (13 tools)
| Tool | Repo | Filed |
|---|---|---|
| OmniRoute | diegosouzapw/OmniRoute | 3 issues (#5749–#5751) + 3 comments (#5692, #5716, #5708) + 1 PR (#5752) + 1 PR (#5766 runtime deps) |
| Headroom (Hr) | headroomlabs-ai/headroom | 3 issues (#1616, #1617, #1618) |
| RTK | rtk-ai/rtk | 2 issues (#2763, #2764) + 1 comment (#1945) |
| freellmapi | tashfeenahmed/freellmapi | 5 issues (#432–#436) |
| OpenCode | anomalyco/opencode | 1 issue (#34711) + 3 comments (#30539, #30615, #6479) |
| Kilo Code | Kilo-Org/kilocode | 3 issues (#11851–#11853) |
| MiMoCode | XiaomiMiMo/MiMo-Code | 2 issues (#1488, #1489) |
| Codeep | VladoIvankovic/Codeep | 4 issues (#3, #4, #5, #6 keytar deprecation) |
| Claurst | Kuberwastaken/claurst | 2 issues (#201, #202) |
| gocode | AlleyBo55/gocode | 2 issues (#31, #32) |
| Coddy | coddy-project/coddy-agent | 3 issues (#41, #42, #43) |
| Ponytail | DietrichGebert/ponytail | 0 (all 4 candidate angles already tracked upstream) |
| Caveman | JuliusBrussee/caveman | 0 (all 4 angles already tracked) |
Round 2 — System-wide OSS (chocolatey + winget + scoop + npm globals + forks)
| Tool | Repo | Filed |
|---|---|---|
| Docker for Windows | docker/for-win | 2 issues (#15054, #15055) |
| Git for Windows | git-for-windows/git | 2 issues (#6305, #6306) |
| GitHub CLI | cli/cli | 2 issues (#13764, #13765) |
| VS Code | microsoft/vscode | 2 issues (#323825, #323826) |
| PowerToys | microsoft/PowerToys | 0 (all covered) |
| Wrangler | cloudflare/workers-sdk | 2 issues (#14500, #14501) |
| fnm | Schniz/fnm | 2 issues (#1573, #1574) |
| SOPS | getsops/sops | 1 issue (#2237) — 2 candidates verified as not-real via source read |
| age | FiloSottile/age | 2 issues (#721, #722) |
| pnpm | pnpm/pnpm | 2 issues (#12748, #12749) |
| Node.js | nodejs/node | 0 (all covered by open/closed issues) |
| Smithery CLI | smithery-ai/cli | 2 issues (#794, #795) |
| Codex | openai/codex | 2 issues (#30788, #30789) |
| Gemini CLI | google-gemini/gemini-cli | 2 issues (#28227, #28228) |
| qwen-code | QwenLM/qwen-code | 2 issues (#6101, #6102) |
| firebase-tools | firebase/firebase-tools | 2 issues (#10750, #10751) |
| Zed | zed-industries/zed | 1 issue (#60177 — real bug, source-grounded) |
| Bitwarden CLI | bitwarden/clients | 2 issues (#21606, #21607) |
| ai-rewrite fork | SupratimRK/Ai-rewrite | 3 issues (#8, #9, #10) |
| youtube (charity) fork | code-charity/youtube | 2 issues (#4108, #4109) |
Round 3 — Skills, MCPs, VS Code extensions (in-flight at time of write)
Agents running for: agent-browser, cavemem, mcp-server-fetch, serena, mcp-searxng, ruff-vscode, biome, vscode_deno, tailwindcss-intellisense, vscode-markdownlint, vscode-github-actions. Results appended to this file when they complete.
Totals
- ~65+ new issues across 30+ upstream repos
- 7+ inline comments on existing issues where we had unique repro info
- 2 upstream PRs (OmniRoute #5752 version-banner, OmniRoute #5766 missing deps)
- 0 local patches kept in any fork (fork's main clean against upstream/main after this session)
Discipline notes from this audit
- Read source before claiming a bug. SOPS audit killed 2 of 3 claims as not-real after grep+read. Same discipline caught PowerToys candidates as duplicates of open issues.
- Dedupe pass every time. Ponytail, Caveman, Node.js, PowerToys audits all returned 0 filed because every angle was already tracked upstream. That's a success, not a failure.
- Comment > new issue when the pain matches an existing thread. Used for OmniRoute #5692, OpenCode #30539, RTK #1945.
- Cite file:line in reports. Every source-grounded finding includes the exact file+line so upstream triage doesn't have to re-hunt.
Ongoing: our own PR is a follow-up commitment
- PR #5752 (OmniRoute version banner) — merged into release/v3.8.43 via maintainer's integration PR #5769; original closed. Authorship preserved.
- PR #5766 (OmniRoute missing runtime deps) — auto-closed on oriz-org fork deletion during 2026-07-01 fork migration. Replaced by PR #5771 from chirag127/OmniRoute.
2026-07-01 fork migration: oriz-org → chirag127
Mid-audit, maintainer feedback on PR #5752 revealed that org-owned forks (oriz-org/*) prevent GitHub's maintainer_can_modify from working. This forced Diego Souza to create an integration PR (#5769) instead of pushing a test onto our PR branch.
Response: migrated all 4 forks (omniroute, freellmapi, ai-rewrite-bs-ext, youtube) from oriz-org/* to chirag127/* in the same session. Full rationale + new rule: fork-thin-upstream-tracking (rewritten 2026-07-01).
Watch these; respond to maintainer questions. If either merges, close the corresponding issue.
Cross-refs
- no-fork-divergence — the rule this audit was executed under
- fork-discipline — how forks live in repos/frk/
- no-rebuilding-free-software — never clone-and-modify