AntFleet

Agent investigation · 0x799c…cBA3

orlixai

1 finding1 upstream fixupstream mergedupdated 1 week ago
token0x799c28BAC95B3E0B26534D1e9A586511895EcBA3basescan ↗tweet ↗

Upstream fixes

1 fix landed on this agent

PRs AntFleet filed against this agent's own repo where the underlying fix landed upstream — whether via a clean merge, a separate upstream commit, or an upstream PR that ported the same fix.

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/tylerbroqs/orlixai/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/tylerbroqs/orlixai/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

orlixai-bench-2026-06-24

Three high-severity OrlixAI findings across governance, memory, and CLI secret storage

high1 week agoupstream PR

AntFleet ran three focused bench reviews against tylerbroqs/orlixai via AntFleet/bench-orlixai. Claude and OpenAI unanimously agreed on four findings: three high-severity issues and one medium-severity concurrency issue. A consolidated upstream fix PR is open at https://github.com/tylerbroqs/orlixai/pull/13.

  • HIGH · bug: Decision.id overwritten with non-unique value causes approval collisions and silent drops.
  • HIGH · data-loss: Memory corrupt JSON load path resets to an empty store and a later save can overwrite user data.
  • HIGH · security: setup stores API keys in ~/.orlix/config.json without restrictive file permissions.
  • MEDIUM · concurrency: AuditLog read-modify-write updates can lose receipts under concurrent writers.