
Daily Org Oversight Report — 2026-05-13 (UTC) #3283

@fro-bot

Snapshot: 2026-05-13 03:52 UTC. Scope: fro-bot/{agent, .github, systematic, fro-bot.github.io} (tokentoilet archived).

Summary metrics

| Metric | Count | Δ vs. 2026-05-12 |
|---|---|---|
| New issues (<24h, ex-automation) | 0 | 0 |
| Open PRs | 7 | −2 |
| Aging PRs (>7d, ≤14d) | 0 | 0 |
| Stale PRs (>14d) | 1 | 0 |
| Stale issues (>30d) | 2 | 0 |
| Failing default-branch checks | 0 | 0 |
| Dependabot alerts (open) | 5 (all agent) | 0 |
| Code-scanning alerts (open, high) | 2 (agent) + 1 (.github) | 0 |
| Unassigned bugs (label:bug) | 0 | 0 |

Shipped since yesterday: agent cut v0.43.0 (release PR #606 merged, plus #602 oMo opt-in and #611 streamed-activity tracking). New action-version bump now in flight in fro-bot/.github (PR #3282).

Critical items

| Repo | Severity | Item | Recommended action |
|---|---|---|---|
| fro-bot/agent | high | fast-uri host confusion (Dependabot #71) | Day 4 unresolved. v0.43.0 shipped without touching this; the release didn't include a transitive bump. Need a manual pnpm-workspace.overrides PR. |
| fro-bot/agent | high | fast-uri path traversal (Dependabot #70) | Same overrides PR. |
| fro-bot/agent | high | fast-xml-builder attribute-quote bypass (Dependabot #69) | Same overrides PR. |
| fro-bot/agent | medium | fast-xml-builder comment-regex bypass (Dependabot #68) | Resolved alongside #69. |
| fro-bot/agent | medium | ip-address XSS in Address6 HTML methods (Dependabot #67) | Bump ip-address. Latent risk (no Address6 HTML rendering in tree). |
| fro-bot/agent | high | (Scorecard) BranchProtectionID, VulnerabilitiesID | Tighten main protection via common-settings.yaml; VulnerabilitiesID clears with the Dependabot block. |
| fro-bot/.github | high | (Scorecard) BranchProtectionID | Mirror agent's ruleset. |

No failing default-branch CI runs. No broken release pipelines — agent v0.43.0 cut cleanly.

Aging PRs

| PR | Idle | Note |
|---|---|---|
| fro-bot/systematic#2 — feat(deps): configure Renovate | 17d | Third cycle past the stale line. Land or close. Three days of "decide on this" recommendations have produced no movement. |

All fro-bot/agent PRs and the new .github#3282 action-version bump were updated today.

Stale issues

| Issue | Idle | Recommended next step |
|---|---|---|
| fro-bot/systematic#1 — Enable code scanning (CodeQL / Scorecard) | 65d | Default branch is gh-pages (static docs); no buildable surface for CodeQL. Close as wontfix or rescope to Scorecard-only. |
| fro-bot/fro-bot.github.io#1 — Enable code scanning (CodeQL / Scorecard) | 65d | Static-site repo; same shape. Close with same rationale. |

43 daily operational-log / autohealing / oversight issues in fro-bot/.github are inside their automation lifecycle and excluded.

Unassigned bugs / high-signal issues

label:bug + no:assignee org-wide: 0. Nothing to triage.

Repo hotspots

| Rank | Repo | Open PRs | Stale items | Notes |
|---|---|---|---|---|
| 1 | fro-bot/agent | 5 | 0 | v0.43.0 released yesterday; queue cleared three PRs. The Dependabot security block is still untouched after the release window. |
| 2 | fro-bot/systematic | 1 | 1 | Same two parked items, both aging. |
| 3 | fro-bot/.github / fro-bot/fro-bot.github.io | 1 / 0 | 0 / 1 | .github now has the agent v0.43.0 action bump; fro-bot.github.io carries one stale issue. |

Recommended actions

  • Open the pnpm-workspace.overrides PR on fro-bot/agent for fast-uri, fast-xml-builder, and ip-address. v0.43.0 went out without addressing the security block — Renovate has had four cycles to surface it. Stop waiting on Renovate.
  • Tighten main branch protection on fro-bot/agent and fro-bot/.github via common-settings.yaml to clear the Scorecard BranchProtectionID highs.
  • Land or close fro-bot/systematic#2 — 17d, third recommendation cycle.
  • Close or rescope fro-bot/systematic#1 and fro-bot/fro-bot.github.io#1 (CodeQL on non-buildable repos).
  • Watch fro-bot/.github#3282 — make sure the v0.43.0 agent rollout propagates cleanly to this repo's workflows.
