
Daily Org Oversight Report — 2026-05-22 (UTC) #3358

@fro-bot

Description

Scope: all repositories in the fro-bot GitHub organization. Data pulled via gh at run start. Links only; no content duplication.

Previous report: #3352.

Quiet day on the new-issue front (only 4 created, all bot housekeeping), but the backlog from yesterday's audit is entirely untouched. All 4 privacy-gate issues and all 9 reconciler issues remain OPEN with no assignees. The org is accumulating triaged-but-unactioned work faster than it's discharging it.

Summary metrics

| Metric | Count | Δ vs yesterday |
| --- | --- | --- |
| Repositories scanned | 5 (tokentoilet archived) | |
| New issues (last 24h, org-wide) | 4 (2 op logs, 1 autohealing, 1 oversight — all bot-generated) | −14 |
| Open issues, org-wide | 79 | +5 |
| Open PRs (org-wide) | 9 | +2 (2 new Renovate PRs on .github) |
| Aging PRs (>7d no activity) | 1 | 0 |
| Stale PRs (>14d no activity) | 1 | 0 |
| Stale issues (>30d no activity) | 2 | 0 |
| Operational-log issues >14d | 24 | +2 |
| Failing main-branch workflows (latest run) | 1 (agent Auto Release, ~61d red) | 0 |
| Open code-scanning alerts | 9 (.github=3, agent=6) | 0 |
| Open Dependabot alerts | 0 | 0 |
| Untriaged P0/P1 carryover from #3352 | 14 issues (4 privacy-gate + 9 reconciler + 1 social-broadcast TOCTOU) | 0 |

Critical items

| Repo | Item | Link | Recommended action |
| --- | --- | --- | --- |
| fro-bot/.github | Privacy-gate cluster (P0, unchanged from yesterday): all 4 issues open, no assignees. | #3326, #3327, #3328, #3345 | Assign an owner. #3328 (metadata-tampering bypass) still the highest-leverage. |
| fro-bot/.github | Reconciler cluster (P1, unchanged): all 9 issues open. | #3319, #3320, #3332–#3337, #3340 | Pair them into one hardening pass. |
| fro-bot/.github | Social broadcast TOCTOU (P1, unchanged): #3325 open. | #3325 | Patch the recheck-then-broadcast window. |
| fro-bot/agent | Auto Release failing on main since 2026-03-22 (~61d red). Fifth report. | run 23399265449 | The recurring carryover is the carryover. Delete the workflow if no one owns it. |
| fro-bot/agent | Scorecard: Vulnerabilities (#13), SAST, Fuzzing, CII-Best-Practices, Code-Review, Branch-Protection | code scanning | Verify alert #13 isn't a real CVE. Carryover. |
| fro-bot/.github | Scorecard: Branch-Protection, CII-Best-Practices, Fuzzing | code scanning | Policy debt. Carryover. |

No new Dependabot alerts. No broken release pipelines blocking shipping.

Aging PRs (>7d no activity)

| Repo | PR | Age | Author |
| --- | --- | --- | --- |
| fro-bot/systematic | #2 feat(deps): configure Renovate | 26d | app/fro-bot |

All 8 other PRs were updated within the last 24h. New on .github: #3354 (actions/stale v10.3.0 bump) and #3357 (Node.js v24.16.0). Note: the actions/stale PR confirms a stale-bot is already deployed somewhere — worth checking why the 47-issue op-log queue isn't being closed by it.

Stale issues (>30d no activity)

| Repo | Issue | Age | Recommended next step |
| --- | --- | --- | --- |
| fro-bot/systematic | #1 Enable code scanning (CodeQL / Scorecard) for coverage parity | 74d | Decide enablement or close. Fifth report. |
| fro-bot/fro-bot.github.io | #1 Enable code scanning (CodeQL / Scorecard) for coverage parity | 74d | Static site — close as N/A. Fifth report. |

Op-log entropy: 24 op-log/autohealing issues >14d (+2 since yesterday). If actions/stale is already wired into a workflow (per #3354), then either its config doesn't match op-log titles or its days-before-stale is set too high. Worth a 5-minute config audit.

Unassigned bugs or high-signal issues

No bug-labeled issues open org-wide. The 14 untriaged P0/P1 issues from yesterday's audit are the high-signal items but remain unlabeled:

| Cluster | Issues | Status |
| --- | --- | --- |
| Privacy gates | #3326, #3327, #3328, #3345 | All open, no assignees, no labels |
| Reconciler correctness | #3319, #3320, #3332–#3337, #3340 | All open, no assignees, no labels |
| Social broadcast | #3325 | Open, no assignee, no label |

Carryover (×4): apply bug/security labels to these so they surface in standard triage queries.

Repo hotspots

  1. fro-bot/.github — 75 open issues (47 op logs + ~14 substantive carryover + 4 autohealing + 3 oversight + survey/dashboard residue), 3 open PRs. Substantive backlog static, noise queue growing.
  2. fro-bot/agent — 5 open PRs (all Renovate), 2 open issues. Healthy Renovate churn; Auto Release still the lone red mark.
  3. fro-bot/systematic — Sixth report flagging the same stalest PR (fix: add @fro-bot as a collaborator to prevent it from being "removed" #2, 26d) and stalest issue (feat: set default settings #1, 74d). Treat the repeated mention as proof of orphaning.

Recommended actions (checklist)

  • Carryover ×2: Assign owners to the privacy-gate cluster (#3326–#3328, #3345). Start with #3328.
  • Carryover ×2: Assign owner to the 9-issue reconciler cluster — one hardening pass.
  • Carryover ×2: Patch the social-broadcast TOCTOU (#3325).
  • New: Audit the actions/stale workflow config in fro-bot/.github. The bump PR #3354 proves it's already wired in — figure out why 24 op-log issues past 14d aren't being closed by it. Saves implementing what already exists.
  • Carryover ×5: Decide fro-bot/agent Auto Release (delete or fix). 61 days red. The repetition is the diagnosis.
  • Carryover ×5: Resolve fro-bot/systematic#2 (26d cold).
  • Carryover ×5: Close or action fro-bot/systematic#1 and fro-bot/fro-bot.github.io#1 (CodeQL, 74d cold).
  • Carryover ×5: Triage the 9 Scorecard alerts. Verify agent's #13 Vulnerabilities.
  • Carryover ×4: Apply bug/security labels to the 14 untriaged audit issues.

Run Summary

  • Event: schedule
  • Repo: fro-bot/.github
  • Ref: refs/heads/main
  • Run ID: 26267812419
  • Cache: hit
  • Sessions used: ses_1c6ba9e0dffe7oK9VLD2oWDr9c (prior thread)
  • Logical Thread: schedule-898cd73a
  • Mode: branch-pr (single summary issue)
  • Repos scanned: 5
  • Data sources: gh issue list, gh pr list, gh api actions/workflows, gh api code-scanning/alerts, gh api dependabot/alerts

Metadata

  • Assignees: No one assigned
  • Labels: No labels
  • Projects: No projects
  • Milestone: No milestone
  • Relationships: None yet
  • Development: No branches or pull requests