Open Grant Proposal: SafeFIL — Agentic Remediation & Hardened Forks for the Filecoin Ecosystem
Project Name: SafeFIL (XOR Agentic Remediation for Filecoin)
Proposal Category: Developer and data tooling
Individual or Entity Name: XOR.tech
Proposer: XOR-tech (GitHub organization details to be shared with initial repositories before Milestone 1)
Project Repo(s): All work will be open-sourced under a new public GitHub organization for this project; final repository links will be provided prior to Milestone 1 completion. Code will be MIT/Apache-2 dual-licensed.
(Optional) Filecoin ecosystem affiliations: None at present. Prior collaborations with the Linux Foundation, OpenSSF, and Ethereum ecosystem; no paid relationships with Protocol Labs, Filecoin Foundation, or FFDW.
(Optional) Technical Sponsor: None yet; we welcome a technical sponsor from the Filecoin/IPFS teams.
Do you agree to open source all work you do on behalf of this RFP under the MIT/Apache-2 dual-license?: Yes.
Project Summary
The Filecoin and IPFS ecosystems run on large, fast-moving Go, Rust, and JavaScript/TypeScript codebases used by storage providers (SPs), retrieval providers, client developers, and FVM teams. Across these projects, vulnerability triage and patching often remain manual and noisy. This creates long mean-time-to-patch (MTTP), alert fatigue for maintainers, and compliance friction for operators facing growing regulatory requirements. The broader open-source world has seen a sharp rise in supply chain attacks (e.g., dependency hijacking and backdoors similar to the XZ Utils incident). Filecoin cannot afford slow or brittle remediation paths—trust and reliability are core to planetary-scale storage and retrieval.
SafeFIL delivers an open-source, agentic remediation toolkit and hardened forks for the Filecoin stack. We will ship: (1) a GitHub Action + CLI that orchestrates scanners (Snyk, Semgrep, osv.dev) with an AI agent tuned for Go/Rust/TS to auto-triage findings and propose verified pull requests; (2) Filecoin-specific rule packs and tests for Lotus, Boost, FVM components, and common SP ops tooling; (3) SBOM and in-toto/SLSA attestations as first-class build artifacts; and (4) optional “hardened forks” for critical dependencies to accelerate safe upgrades across the ecosystem. The goal is simple: fewer false positives, faster verified fixes, and audit-ready evidence—so Filecoin devs and operators can proceed with confidence.
Impact
Today, maintainers and SP operators spend significant time untangling false alarms and hand-crafting patches across complex dependency graphs. Getting this wrong means higher breach probability, subtle supply chain regressions, and slower protocol adoption by risk-averse partners. Getting it right reduces MTTP from weeks to days, raises maintainer productivity, and gives operators verifiable artifacts they can show to security teams, auditors, and regulators.
For Filecoin specifically, SafeFIL targets three outcomes: (1) speed - measurably reduce MTTP for Lotus/Boost/FVM and popular ecosystem repos; (2) safety - improve patch acceptance rates through verified tests and targeted rule packs that reflect Filecoin’s code idioms; and (3) trust - continuous SBOMs and attestations that strengthen the network’s compliance posture (CRA, NIS2, AI Act adjacent) without centralizing control. Success looks like: 15–25 upstream PRs merged across critical repos within the grant window; ≥10 SPs or ecosystem teams enabling the Action; a public dashboard showing reduced open vulnerability backlog and improved PR acceptance/merge times.
Outcomes
We will deliver:
- An open-source GitHub Action + CLI for agentic remediation tuned for Filecoin codebases (Go/Rust/TS), including reproducible runs and deterministic prompts.
- Filecoin-specific Semgrep/Rule packs and tests (Lotus/Boost/FVM idioms), including guardrails for common error patterns and dependency risks.
- Automated SBOM generation (CycloneDX) and in-toto/SLSA attestations integrated into CI for verifiable provenance.
- A public “MTTP & Patch Acceptance” dashboard for participating repos and SPs.
- A set of 15–25 high-quality upstream PRs to Lotus, Boost, and selected ecosystem repos, each with tests and reviewer notes.
- Documentation, runbooks, and two public workshops for maintainers and operators.
Metrics for success:
- MTTP reduction vs. baseline (target ≥40% reduction on participating repos).
- PR acceptance/merge rate (target ≥70% of submitted security PRs merged).
- False-positive reduction (target ≥60% fewer manual triage hours reported by maintainers/SPs adopting the Action).
- Adoption (≥10 teams running the Action, ≥5 publishing attestations in CI).
- SBOM coverage (≥90% of targeted services produce SBOMs per release).
Data Onboarding
Not applicable. This project does not onboard new datasets to the Filecoin network; it improves the safety and velocity of code changes across the ecosystem.
Adoption, Reach, and Growth Strategies
Target users:
- Core maintainers and contributors to Lotus, Boost, FVM toolchains, and adjacent ecosystem libraries.
- Storage and retrieval providers who must keep fleets patched and auditable.
- dApp teams building on FVM that need fast, verifiable remediation.
Go-to-market within the ecosystem:
- “Enable in 5 minutes” onboarding via GitHub Action template and a one-command CLI.
- Two open workshops (coordinated with FF if possible) and step-by-step runbooks for maintainers/SPs.
- Initial 10 users: hand-onboard 5 SPs and 5 maintainers across Lotus/Boost/FVM; configure CI, open 1–2 PRs per repo to demonstrate value.
- First 100 users: publish quickstarts, record short screencasts, and template repos; showcase the public dashboard and early success metrics.
Development Roadmap
Milestone 1 — SafeFIL Action/CLI and Rule Packs (Nov 1–Dec 10, 2025)
- Functionality: OSS release of SafeFIL GitHub Action + CLI; Semgrep/OSV integration; initial Filecoin rule packs (Lotus/Boost idioms); baseline CycloneDX SBOM and in-toto attestations; deterministic agent prompts; CI templates.
- Team: 3 people (Lead Engineer/AI agent, Standards/Attestations, Security Engineer).
- Funding: $15,000
- Duration: ~6 weeks
- Expected result: Action/CLI works on 3 pilot repos with green CI; docs and quickstart published.
Milestone 2 — Upstream PRs and Hardened Forks (Dec 11, 2025–Jan 20, 2026)
- Functionality: 10–15 upstream PRs to Lotus/Boost/selected ecosystem repos; optional hardened forks for critical deps to de-risk upgrades; expanded tests; SBOM/attestations default-on in pilot repos; public metrics dashboard v1.
- Team: 3–4 people (adds DevRel/Docs part-time).
- Funding: $20,000
- Duration: ~6 weeks
- Expected result: Material upstream progress (accepted PRs, reduced MTTP), forks published when safer than in-place bumps.
Milestone 3 — FVM Coverage, Workshops, and Dashboard v1.1 (Jan 21–Feb 15, 2026)
- Functionality: Extend rule packs and tests to FVM stacks; add fuzz/regression harnesses for common patterns; host two open workshops; publish runbooks; finalize dashboard with MTTP, PR acceptance, SBOM, attestation coverage.
- Team: 3 people (Lead Engineer, Standards/Attestations, DevRel/Docs).
- Funding: $15,000
- Duration: ~4 weeks
- Expected result: ≥15–25 merged PRs total; ≥10 adopters running the Action; reproducible build/attestation examples in the wild.
Total Budget Requested
| Milestone | Description | Deliverables | Completion date | Funding |
| --- | --- | --- | --- | --- |
| 1 | SafeFIL Action/CLI + initial rule packs | Action/CLI, rule packs, SBOM + attestations, docs | 2025-12-10 | $15,000 |
| 2 | Upstream PRs + hardened forks + dashboard v1 | 10–15 PRs, optional forks, metrics v1 | 2026-01-20 | $20,000 |
| 3 | FVM coverage + workshops + dashboard v1.1 | FVM rules/tests, 2 workshops, runbooks, metrics v1.1 | 2026-02-15 | $15,000 |
Total requested: $50,000 (or equivalent in FIL/USDC per program guidelines).
Maintenance and Upgrade Plans
We will maintain the Action/CLI, rule packs, and dashboards for at least 12 months post-grant. We will:
- Track and update for Lotus/Boost/FVM changes and dependency CVEs.
- Keep SBOM and attestation integrations current with SLSA and in-toto specs.
- Respond to issues/PRs publicly within 3 business days.
- Propose graduation of stable components to relevant Filecoin ecosystem orgs if desired by maintainers.
Team
Team Members
- Tobias Heldt — CEO, Security/AI (product lead, remediation agent)
- Henk Birkholz — Chief Trust & Standards (attestations, SBOM/provenance)
- Senior Security Engineer (implementation, rule packs, CI)
- DevRel/Docs (part-time, workshops, adoption)
Team Member LinkedIn Profiles
Team Website
https://www.xor.tech/
Relevant Experience
- Built and benchmarked agentic remediation outperforming leading LLM dev tools on patch success and build stability across large codebases.
- Deep standards expertise (IETF RATS/SCITT, TCG Attestation) and open-source security leadership (OpenSSF, Linux Foundation).
- Delivered SLA-backed hardened forks (“Diamond Forks”) and audit-ready pipelines for regulated environments (CRA, NIS2, EU AI Act adjacent).
- Active PoCs and design partnerships with large enterprises and ecosystem foundations; published executive training content and workshops.
Team code repositories
- All SafeFIL repositories will be public and MIT/Apache-2 dual-licensed; links will be provided with Milestone 1 delivery and referenced in the dashboard and documentation.
Additional Information
- How did you learn about the Open Grants Program? Filecoin Foundation DevGrants (GitHub) and ecosystem contributor recommendations.
- Best email for grant agreement and next steps: tobias@xor.tech
- Additional notes: SafeFIL is a public-good oriented project. All outputs are open-source, enabling any maintainer or operator to benefit without vendor lock-in. We welcome a technical sponsor to ensure tight alignment with Lotus/Boost/FVM roadmaps and SP needs.