Daily Org Oversight Report — 2026-05-31 (UTC)

[fro-bot]

Org Oversight — fro-bot — 2026-05-31 (UTC)

Scope: all non-archived repos in fro-bot (agent, .github, systematic, fro-bot.github.io). Archived: tokentoilet.

Summary metrics

Signal	Count
New issues (last 24h)	3
Open PRs (org-wide)	6
Aging PRs (no activity >7d)	1
Stale PRs (no activity >14d)	1
Stale issues (no activity >30d)	4
Open Dependabot alerts	1 (medium)
Failing main checks (recent)	0
Unassigned bug-labeled issues	0 (no bug label in use)

Critical items

• Security — medium: fro-bot/agent — Dependabot #72 — brace-expansion GHSA-jxxr-4gwj-5jf2 (DoS, CVSS 6.5), transitive in pnpm-lock.yaml. Action: bump direct ancestor or add Renovate override to force brace-expansion >= 5.0.6.
• Failing main checks: none detected across the four active repos in the last 5 runs.
• Broken release pipelines: none detected; fro-bot/agent release flow is healthy (release PR #701 advancing).

Aging PRs

No activity >7d (and >14d stale):

• fro-bot/systematic#2 — feat(deps): configure Renovate — opened 2026-04-25, untouched 36d. Action: rebase or close; Renovate config has likely drifted since.

All other open PRs are <24h old (Renovate fan-out + release prep).

Stale issues (no activity >30d)

• fro-bot/systematic#1 — Enable CodeQL/Scorecard — 83d. Action: ship as a bfra-me/.github reusable workflow consumer; it's a one-file PR.
• fro-bot/fro-bot.github.io#1 — Enable CodeQL/Scorecard — 83d. Action: same pattern; pair with the systematic fix.
• fro-bot/.github#3161 — Wiki survey extend-vscode — 40d. Action: triage or convert to wiki backlog.
• fro-bot/.github#3160 — Survey containers — 40d. Action: same.
• fro-bot/.github#3159 — Survey .dotfiles — 40d. Action: same.

Unassigned bugs / high-signal issues

No issues carry a bug label in this org. High-signal unassigned items worth pulling forward:

• fro-bot/.github#3369 — agent posts follow-up validation as plain comment, bypassing branch protection. Operationally blocking. Action: assign and patch the review submission path.
• fro-bot/.github#3326, #3327, #3328 — Private wiki gate gaps (stderr leak, defense-in-depth, metadata-tampering bypass). Privacy-class. Action: cluster into one hardening PR.
• fro-bot/.github#3325 — Social broadcast TOCTOU between recheck and expansion. Action: collapse the window or re-verify inside the expansion step.

Repo hotspots (top 3 by open PRs + stale items)

1. fro-bot/.github — 2 open PRs, ~25 open issues, 3 stale wiki surveys, multiple unaddressed reconcile/privacy findings from the 2026-05-19/20 review burst.
2. fro-bot/agent — 3 open PRs (release + 2 deps), 1 Dependabot alert, dependency dashboard active.
3. fro-bot/systematic — 1 stale PR (36d), 1 stale issue (83d). Low volume, high entropy ratio.

Recommended actions

• Resolve Dependabot alert chore(deps): update bfra-me/renovate-config preset to v1.16.0 #72 in fro-bot/agent (force brace-expansion >= 5.0.6).
• Rebase or close fro-bot/systematic#2 Renovate config PR.
• Land CodeQL/Scorecard on systematic and fro-bot.github.io (resolves feat: set default settings #1 in both).
• Assign and patch fro-bot/.github#3369 (review submission path bypasses branch protection).
• Cluster private-wiki gate issues (Social broadcast: TOCTOU window between recheck and broadcast expansion #3325–Private wiki gate: metadata-tampering bypass via flipping private→false in same PR #3328) into one hardening PR.
• Triage three stale wiki survey issues ([Survey] marcusrbrown/.dotfiles — wiki ingest 2026-04-21 #3159, [Survey] marcusrbrown/containers — 2026-04-21 #3160, [Wiki] Survey: marcusrbrown/extend-vscode (2026-04-21) #3161) — convert to backlog or close.

---

Run Summary

• Trigger: schedule-898cd73a
• Run: https://github.com/fro-bot/.github/actions/runs/26703029260
• Scope: 4 active repos (1 archived skipped)
• Data sources: gh search, gh run list, gh api dependabot/alerts

_{— posted by fro-bot autonomous oversight}