
Daily Org Oversight Report — 2026-05-25 (UTC) #3374

@fro-bot

Scope: all repositories in the fro-bot GitHub organization. Data pulled via gh at run start. Links only; no content duplication.

Previous report: #3370.

The privacy gate spoke. Today's .github Merge Data Branch workflow failed on the 🔒 Block private wiki pages step (run 26375057529) — the same gate that the unactioned #3326/#3327/#3328 cluster is meant to harden. Either it caught something real or it's tripping on a false positive. Either way, the deferred work just announced itself.

Summary metrics

| Metric | Count | Δ vs yesterday |
| --- | --- | --- |
| Repositories scanned | 5 (tokentoilet archived) | — |
| New issues (last 24h, org-wide) | 1 (.github#3372 autohealing report) | −2 |
| Open issues, org-wide | 30 | +1 |
| Open PRs (org-wide) | 6 | −2 (agent feature PR #673 + release #664 merged) |
| Aging PRs (>7d no activity) | 1 | 0 |
| Stale PRs (>14d no activity) | 1 | 0 |
| Stale issues (>30d no activity) | 5 | 0 |
| Failing main-branch workflows (latest run) | 2 (agent → Auto Release ~64d red; .github → Merge Data Branch new) | +1 |
| Open code-scanning alerts | 8 (.github=3, agent=5) | 0 |
| Open Dependabot alerts | 1 (agent brace-expansion CVE-2026-45149, unchanged) | 0 |
| Untriaged audit backlog from #3352 | 14 issues | 0 (day 5 unchanged) |

Critical items

| Repo | Item | Link | Recommended action |
| --- | --- | --- | --- |
| fro-bot/.github | NEW: Merge Data Branch failing on 🔒 Block private wiki pages step. First failure of this workflow since 2026-05-10. The privacy gate that the #3326/#3327/#3328 cluster targets just tripped. | run 26375057529 | P0. Read the gate output. If it's a real private-page leak attempt, the gate did its job — log it and proceed. If it's a false positive, this is exactly the #3327 "defense-in-depth gaps" symptom showing in production. Promotes the privacy cluster from theoretical to active. |
| fro-bot/agent | Dependabot alert: brace-expansion DoS, CVE-2026-45149, CVSS 6.5, still open, no fix yet. | alert 72 | Confirm Renovate has no fix candidate. If upstream patch is delayed, evaluate runtime exposure. |
| fro-bot/.github | Governance bug #3369 (follow-up reviews as plain comments) — day 2 untouched, no label, no assignee. Blocks agent's own PR merges. | #3369 | Patch the agent's review-submission path. |
| fro-bot/.github | Privacy-gate cluster (P0, day 5 untouched) — now urgent given today's gate trip. | #3326, #3327, #3328, #3345 | The metadata-tampering bypass (#3328) is the highest-leverage. The gate is alive; harden it. |
| fro-bot/.github | Reconciler cluster (P1, day 5 untouched). | #3319, #3320, #3332–#3337, #3340 | One hardening pass. |
| fro-bot/.github | Social broadcast TOCTOU (P1, day 5 untouched). | #3325 | Patch. |
| fro-bot/agent | Auto Release failing on main since 2026-03-22 (~64d red). Eighth report. | run 23399265449 | Delete or fix. |
| fro-bot/agent | Scorecard (5): Vulnerabilities (#13), Fuzzing, CII-Best-Practices, Code-Review, Branch-Protection | code scanning | Verify #13 isn't a real CVE. |
| fro-bot/.github | Scorecard (3): Branch-Protection, CII-Best-Practices, Fuzzing | code scanning | Carryover. |

Aging PRs (>7d no activity)

| Repo | PR | Age |
| --- | --- | --- |
| fro-bot/systematic | #2 feat(deps): configure Renovate | 29d |

All 5 PRs on agent updated within the last 24h (Renovate batch). agent#673 (GitHub App auth) and #664 (pending release v0.45.0) merged since yesterday — feature ship.

Stale issues (>30d no activity)

| Repo | Issue | Age | Recommended next step |
| --- | --- | --- | --- |
| fro-bot/systematic | #1 Enable code scanning | 77d | Decide or close. Eighth report. |
| fro-bot/fro-bot.github.io | #1 Enable code scanning | 77d | Close as N/A. Eighth report. |
| fro-bot/.github | #3161, #3160, #3159 — wiki/survey artifacts | ~34d | Triage. Close if surveys completed. |
| fro-bot/.github | #2828 Dependency Dashboard | ~296d | Renovate-managed; intentional. Consider pinning. |

Unassigned bugs or high-signal issues

No bug label exists on fro-bot/.github. All 16 unlabeled high-signal items continue to accumulate:

| Cluster | Issues | Days untouched |
| --- | --- | --- |
| Privacy gates | #3326–#3328, #3345 | 5 |
| Reconciler correctness | #3319, #3320, #3332–#3337, #3340 | 5 |
| Social broadcast | #3325 | 5 |
| Governance bug | #3369 | 2 |
| Enhancement (agent) | agent#671 presence webhook | 2 |

Repo hotspots

  1. fro-bot/.github — 26 open issues (16 substantive carryover + 4 autohealing reports + 3 surveys + 1 dependency dashboard + 2 today). Plus a new failing CI workflow. Real focal point.
  2. fro-bot/agent — 5 open PRs (Renovate batch), 3 open issues. Two PRs landed since yesterday — active ship cycle.
  3. fro-bot/systematic — Ninth report flagging the same PR (fix: add @fro-bot as a collaborator to prevent it from being "removed" #2, 29d) and issue (feat: set default settings #1, 77d). The repeated mention is the data.

Recommended actions (checklist)


Run Summary

  • Event: schedule
  • Repo: fro-bot/.github
  • Ref: refs/heads/main
  • Run ID: 26382900082
  • Cache: hit
  • Sessions used: ses_1c6ba9e0dffe7oK9VLD2oWDr9c (prior thread)
  • Logical Thread: schedule-898cd73a
  • Mode: branch-pr (single summary issue)
  • Repos scanned: 5
  • Data sources: gh issue list, gh pr list, gh api actions/workflows, gh api code-scanning/alerts, gh api dependabot/alerts
