Daily Org Oversight Report — 2026-05-24 (UTC) #3370

@fro-bot

Scope: all repositories in the fro-bot GitHub organization. Data pulled via gh at run start. Links only; no content duplication.

Previous report: #3362 (now closed by yesterday's sweep).

The pattern finally broke: yesterday's report had an effect. The org issue count dropped from 81 to 29 (about 64%). The 49 op-log issues, the 4 oversight reports, the 4 autohealing reports and most surveys were swept, so auto-close (or a manual pass) finally landed. The 14-issue audit backlog from #3352 survived intact, which is correct: the substantive items now stand out on a clean queue. New signal worth attention today: a fresh medium-CVSS Dependabot alert on agent, and a governance bug (#3369) reporting that Fro Bot's follow-up reviews do not satisfy branch protection.

Summary metrics

| Metric | Count | Δ vs yesterday |
|---|---|---|
| Repositories scanned | 5 (tokentoilet archived) | |
| New issues (last 24h, org-wide) | 3 (1 autohealing, 1 governance bug, 1 agent enhancement) | −1 |
| Open issues, org-wide | 29 | −52 |
| Open PRs (org-wide) | 8 | 0 |
| Aging PRs (>7d no activity) | 1 | 0 |
| Stale PRs (>14d no activity) | 1 | 0 |
| Stale issues (>30d no activity) | 5 | +3 (visible now that the noise is gone) |
| Failing main-branch workflows (latest run) | 1 (agent Auto Release, ~63d red) | 0 |
| Open code-scanning alerts | 8 (.github=3, agent=5) | −1 (agent SAST alert #12 resolved) |
| Open Dependabot alerts | 1 (agent, new) | +1 |
| Untriaged audit backlog from #3352 | 14 issues (4 privacy-gate + 9 reconciler + 1 social-broadcast) | 0 (day 4, unchanged) |

Critical items

| Repo | Item | Link | Recommended action |
|---|---|---|---|
| fro-bot/agent | New Dependabot alert (medium, CVSS 6.5): brace-expansion DoS via a large numeric range that defeats the documented max protection. CVE-2026-45149 / GHSA-jxxr-4gwj-5jf2. | alert 72 | Renovate should pick up a patched version on its next cycle. If no fix is upstream yet, evaluate exposure: brace-expansion normally arrives transitively (via minimatch/glob), so confirm which dependency pulls it in and whether that code path is ever fed untrusted patterns. Exposure is likely low for an action runtime. |
| fro-bot/.github | New governance bug: Fro Bot's follow-up validations are posted as plain comments instead of formal gh pr review submissions, so they do not satisfy branch protection's required-review gate. This blocks the agent's own PR merges. | #3369 | Patch the agent's review-submission path to use gh pr review --approve (or equivalent) on follow-up validations. Caveat: GitHub rejects an approval from a PR's own author, so on PRs Fro Bot opened itself the approving review must come from a different identity. This is an agent autonomy blocker. |
| fro-bot/.github | Privacy-gate cluster (P0, day 4 untouched): #3326, #3327, #3328, #3345 | | The noise sweep proves attention is available; point it here. |
| fro-bot/.github | Reconciler cluster (P1, day 4+ untouched): #3319, #3320, #3332 through #3337, #3340 | | One hardening pass. |
| fro-bot/.github | Social broadcast TOCTOU (P1, day 4 untouched): #3325 | | Patch the recheck-then-broadcast window. |
| fro-bot/agent | Auto Release failing on main since 2026-03-22 (~63d red). Seventh report. | run 23399265449 | Delete or fix. |
| fro-bot/agent | Scorecard alerts (5, down from 6): Vulnerabilities, Fuzzing, CII-Best-Practices, Code-Review, Branch-Protection. SAST alert #12 resolved. | code scanning | Verify whether #13 Vulnerabilities is a real CVE. Scorecard's Vulnerabilities check is OSV-based, so cross-check it against Dependabot alert 72 before treating it as a separate finding. |
| fro-bot/.github | Scorecard alerts (3): Branch-Protection, CII-Best-Practices, Fuzzing | code scanning | Carryover. |

Aging PRs (>7d no activity)

| Repo | PR | Age | Author |
|---|---|---|---|
| fro-bot/systematic | #2 feat(deps): configure Renovate | 28d | app/fro-bot |

All 7 PRs on agent are 0d (a Renovate batch, one feature PR for GitHub App auth, and a pending release). .github has no open PRs after yesterday's sweep merged the Node.js and Actions bumps.

Notable new agent PR: #673 feat(gateway): add GitHub App authentication, likely the implementation of yesterday's #646 (gateway intent-posture work). Worth reviewing: it changes how the gateway authenticates to GitHub, so check which permissions the App requests and how the installation token is scoped and stored.

Stale issues (>30d no activity)

The cleanup exposed more legitimately stale items now that the noise is gone:

| Repo | Issue | Age | Recommended next step |
|---|---|---|---|
| fro-bot/systematic | #1 Enable code scanning | 76d | Decide or close. Seventh report. |
| fro-bot/fro-bot.github.io | #1 Enable code scanning | 76d | Close as N/A. Seventh report. |
| fro-bot/.github | #3161 Wiki Survey extend-vscode, #3160 Survey containers, #3159 Survey .dotfiles wiki ingest | ~33d each | Triage these survey artifacts. If the surveys completed, close them. |
| fro-bot/.github | #2828 Dependency Dashboard | ~295d | Renovate-managed; intentionally long-lived. Mark as such or pin. |
| fro-bot/agent | #252 Daily Maintenance Report, #579 Dependency Dashboard | 89d / 23d | #252 is a sibling op-log artifact: sweep candidate. #579 is the Renovate dashboard. |

Unassigned bugs or high-signal issues

| Repo | Issue | Label | Status |
|---|---|---|---|
| fro-bot/agent | #671 Fro Bot presence webhook: POST /v1/announce | enhancement | New today, unassigned. Control-plane event broadcast surface. |
| fro-bot/.github | #3369 follow-up validation submitted as plain comment | none | New today, unassigned. This is a bug and needs a bug label. |
| fro-bot/.github | 14-issue audit backlog (privacy, reconciler, social broadcast) | none | Day 4. Still unlabeled, still unassigned. |

The bug label still doesn't exist on .github. Today's #3369 is exhibit A for why that matters.
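As an added illustration of the #3369 failure mode (this is example code, not Fro Bot's own implementation), the check below takes the JSON that `gh pr view <n> --json reviews,comments` emits and reports bot comments that read as approvals but have no matching APPROVED review, which is exactly the condition a required-review rule ignores. The sample JSON is constructed; the field names follow gh's output shape, the login `fro-bot`, PR number 673 and the approval wording are assumptions, and `review_command` only builds the argv for the corrected `gh pr review` submission path rather than executing it.

```python
"""Audit whether a bot's follow-up validations reached GitHub as formal
reviews or only as issue comments.  Added example; not project code."""
import json
import re

# Constructed sample of `gh pr view 673 --json reviews,comments` output
# (field names follow gh's JSON shape; values are made up).
SAMPLE_PR_JSON = json.dumps({
    "reviews": [
        {"author": {"login": "fro-bot"}, "state": "COMMENTED",
         "body": "Initial pass: see inline notes.",
         "submittedAt": "2026-05-23T10:00:00Z"},
    ],
    "comments": [
        {"author": {"login": "fro-bot"},
         "body": "Follow-up validation: all findings addressed. LGTM / approved.",
         "createdAt": "2026-05-23T14:12:00Z"},
        {"author": {"login": "someone"}, "body": "thanks",
         "createdAt": "2026-05-23T14:20:00Z"},
    ],
})

# Same PR after the fix: the validation was submitted via `gh pr review --approve`.
SAMPLE_PR_JSON_FIXED = json.dumps({
    "reviews": [
        {"author": {"login": "fro-bot"}, "state": "APPROVED",
         "body": "Follow-up validation: all findings addressed.",
         "submittedAt": "2026-05-23T14:12:00Z"},
    ],
    "comments": [],
})

# Heuristic for "this comment was meant as an approval" (assumed wording).
APPROVAL_PATTERN = re.compile(r"\b(lgtm|approved?|validation passed)\b", re.I)


def find_unsubmitted_approvals(pr_json: str, bot_login: str) -> list[str]:
    """Return bodies of bot comments that read as approvals while the bot has
    no APPROVED review on the PR.  Plain comments never satisfy a
    required-review branch-protection rule, so each hit is a #3369 instance."""
    data = json.loads(pr_json)
    has_formal_approval = any(
        r["author"]["login"] == bot_login and r["state"] == "APPROVED"
        for r in data.get("reviews", [])
    )
    if has_formal_approval:
        return []
    return [
        c["body"] for c in data.get("comments", [])
        if c["author"]["login"] == bot_login and APPROVAL_PATTERN.search(c["body"])
    ]


def review_command(pr_number: int, body: str, approve: bool = True) -> list[str]:
    """argv for the corrected submission path: a formal review through
    `gh pr review`, which is what branch protection actually counts.
    Note: GitHub rejects an approval from the PR's own author, so the
    identity running this must not be the PR author."""
    verdict = "--approve" if approve else "--request-changes"
    return ["gh", "pr", "review", str(pr_number), verdict, "--body", body]


if __name__ == "__main__":
    for hit in find_unsubmitted_approvals(SAMPLE_PR_JSON, "fro-bot"):
        print("approval posted as plain comment:", hit)
    print(" ".join(review_command(673, "Follow-up validation: all findings addressed.")))
```

Run against real data by piping `gh pr view <n> --json reviews,comments` into `find_unsubmitted_approvals`; an empty result on every open bot-reviewed PR is the condition that shows #3369 is fixed.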

Repo hotspots

  1. fro-bot/.github — 25 open issues (14 audit carryover + 3 autohealing + 3 surveys + 1 dependency dashboard + 1 new governance bug + 3 misc). The queue is finally readable.
  2. fro-bot/agent — 7 open PRs (Renovate batch + GitHub App auth feature + pending release), 3 open issues (enhancement + maintenance report + dependency dashboard). Active feature work.
  3. fro-bot/systematic — Eighth report flagging the same orphaned PR (fix: add @fro-bot as a collaborator to prevent it from being "removed" #2, 28d) and issue (feat: set default settings #1, 76d). The signal is unchanged because nothing has been done about it.

Recommended actions (checklist)

Yesterday's "pick one" framing worked — keep it.


Run Summary

  • Event: schedule
  • Repo: fro-bot/.github
  • Ref: refs/heads/main
  • Run ID: 26351445788
  • Cache: hit
  • Sessions used: ses_1c6ba9e0dffe7oK9VLD2oWDr9c (prior thread)
  • Logical Thread: schedule-898cd73a
  • Mode: branch-pr (single summary issue)
  • Repos scanned: 5
  • Data sources: gh issue list, gh pr list, gh api actions/workflows, gh api code-scanning/alerts, gh api dependabot/alerts
