
Daily Org Oversight Report — 2026-05-12 (UTC) #3279

@fro-bot

Description


Snapshot: 2026-05-12 03:42 UTC. Scope: fro-bot/{agent, .github, systematic, fro-bot.github.io} (tokentoilet archived).

Summary metrics

| Metric | Count | Δ vs. 2026-05-11 |
| --- | --- | --- |
| New issues (<24h) | 3 (all daily-automation logs) | +2 |
| Open PRs | 9 | +1 |
| Aging PRs (>7d, ≤14d) | 0 | 0 |
| Stale PRs (>14d) | 1 | 0 |
| Stale issues (>30d) | 2 | 0 |
| Failing default-branch checks | 0 | 0 |
| Dependabot alerts (open) | 5 (all agent) | 0 |
| Code-scanning alerts (open, high) | 2 (agent) + 1 (.github) | 0 |
| Unassigned bugs (label:bug) | 0 | 0 |

Critical items

| Repo | Severity | Item | Recommended action |
| --- | --- | --- | --- |
| fro-bot/agent | high | fast-uri host confusion (Dependabot #71) | Day 3 unresolved. Renovate isn't surfacing it; force the transitive pin via pnpm-workspace.overrides or open a manual PR. |
| fro-bot/agent | high | fast-uri path traversal (Dependabot #70) | Bundle with #71. |
| fro-bot/agent | high | fast-xml-builder attribute-quote bypass (Dependabot #69) | Bundle in same overrides PR. |
| fro-bot/agent | medium | fast-xml-builder comment-regex bypass (Dependabot #68) | Resolved alongside #69. |
| fro-bot/agent | medium | ip-address XSS in Address6 HTML methods (Dependabot #67) | Bump ip-address; latent risk only (no Address6 HTML rendering in tree). |
| fro-bot/agent | high | (Scorecard) BranchProtectionID, VulnerabilitiesID | Tighten main protection through common-settings.yaml; VulnerabilitiesID clears with the Dependabot block. |
| fro-bot/.github | high | (Scorecard) BranchProtectionID | Mirror agent's ruleset. |

No failing default-branch CI runs. No broken release pipelines — agent's pending release v0.42.10 (fro-bot/agent#606) is open and queued.

Aging PRs

| PR | Idle | Note |
| --- | --- | --- |
| fro-bot/systematic#2 — feat(deps): configure Renovate | 16d | Day 2 past the stale line. Land or close — sitting longer just adds drift between the PR's view of the dependency graph and main. |

All seven fro-bot/agent PRs are within 4 days. fro-bot/agent#602 (feat: disable oMo by default) is 3 days old but was updated 8h ago — moving, not aging.

Stale issues

| Issue | Idle | Recommended next step |
| --- | --- | --- |
| fro-bot/systematic#1 — Enable code scanning (CodeQL / Scorecard) | 64d | Default branch is gh-pages (static docs); no buildable surface for CodeQL. Close as wontfix or rescope to Scorecard-only. |
| fro-bot/fro-bot.github.io#1 — Enable code scanning (CodeQL / Scorecard) | 64d | Static-site repo; same shape. Close with same rationale. |

42 daily operational-log / autohealing / oversight issues in fro-bot/.github are inside their automation lifecycle and excluded from the stale count.

Unassigned bugs / high-signal issues

label:bug + no:assignee org-wide: 0. Nothing to triage.

Repo hotspots

| Rank | Repo | Open PRs | Stale items | Notes |
| --- | --- | --- | --- | --- |
| 1 | fro-bot/agent | 8 | 0 | Renovate queue active (#607–#610 opened yesterday). Security block still squatting on fast-uri / fast-xml-builder / ip-address for the third cycle. |
| 2 | fro-bot/systematic | 1 | 1 | Same two items. Both aging. |
| 3 | fro-bot/fro-bot.github.io | 0 | 1 | Single stale issue; placeholder repo. |

Recommended actions

  • Force-resolve the fast-uri / fast-xml-builder / ip-address Dependabot block on fro-bot/agent — Day 3 unresolved. Add pnpm-workspace.overrides entries for the transitive packages. Renovate has had three cycles to surface these and hasn't.
  • Tighten main branch protection on fro-bot/agent and fro-bot/.github via common-settings.yaml to clear the Scorecard BranchProtectionID highs.
  • Decide on fro-bot/systematic#2 (Renovate config) — 16d stale, second cycle past threshold.
  • Close or rescope fro-bot/systematic#1 and fro-bot/fro-bot.github.io#1 (CodeQL on non-buildable repos).
  • Watch fro-bot/agent#606 (pending release v0.42.10) — make sure it doesn't block while the security overrides land.
