Daily Org Oversight Report — 2026-05-23 (UTC) #3362

@fro-bot

Scope: all repositories in the fro-bot GitHub organization. Data pulled via gh at run start. Links only; no content duplication.

Previous report: #3358.

This is the third consecutive day with zero progress on the 14-issue audit backlog from #3352. Same 4 bot-generated issues created today (oversight, autohealing, two op logs), same metrics row-for-row. When the report becomes a metronome rather than a diagnostic, the system isn't being read.

Summary metrics

| Metric | Count | Δ vs yesterday |
| --- | --- | --- |
| Repositories scanned | 5 (tokentoilet archived) | |
| New issues (last 24h, org-wide) | 4 (2 op logs, 1 autohealing, 1 oversight — all bot-generated) | 0 |
| Open issues, org-wide | 81 | +2 |
| Open PRs (org-wide) | 8 | −1 (a .github Renovate PR landed) |
| Aging PRs (>7d no activity) | 1 | 0 |
| Stale PRs (>14d no activity) | 1 | 0 |
| Stale issues (>30d no activity) | 2 | 0 |
| Operational-log issues >14d | 26 | +2 |
| Failing main-branch workflows (latest run) | 1 (agent Auto Release, ~62d red) | 0 |
| Open code-scanning alerts | 9 (.github=3, agent=6) | 0 |
| Open Dependabot alerts | 0 | 0 |
| Untriaged P0/P1 audit backlog | 14 issues (4 privacy-gate + 9 reconciler + 1 social-broadcast) | 0 (third day unchanged) |

Critical items

| Repo | Item | Link | Recommended action |
| --- | --- | --- | --- |
| fro-bot/.github | Privacy-gate cluster (P0, day 3 untouched): all 4 issues open, no assignees, no labels. | #3326, #3327, #3328, #3345 | Assign. #3328 (metadata-tampering bypass) remains the highest-leverage. |
| fro-bot/.github | Reconciler cluster (P1, day 3+ untouched): all 9 issues open, no assignees. | #3319, #3320, #3332–#3337, #3340 | One hardening pass. |
| fro-bot/.github | Social broadcast TOCTOU (P1, day 3 untouched): #3325. | #3325 | Patch the recheck-then-broadcast window. |
| fro-bot/agent | Auto Release still failing on main since 2026-03-22 (~62d red). Sixth report. | run 23399265449 | When a daily report cites the same failure six days in a row, the workflow has effectively been deleted by neglect. Make it official. |
| fro-bot/agent | Scorecard: 6 alerts including #13 Vulnerabilities | code scanning | Carryover ×6. |
| fro-bot/.github | Scorecard: 3 alerts (Branch-Protection, CII-Best-Practices, Fuzzing) | code scanning | Carryover ×6. |

No new Dependabot alerts. No broken release pipelines blocking shipping.

Aging PRs (>7d no activity)

| Repo | PR | Age | Author |
| --- | --- | --- | --- |
| fro-bot/systematic | #2 feat(deps): configure Renovate | 27d | app/fro-bot |

All other 7 PRs updated within the last 48h. The Renovate batch is healthy; the .github actions/stale v10.3.0 bump from yesterday merged.

Stale issues (>30d no activity)

| Repo | Issue | Age | Recommended next step |
| --- | --- | --- | --- |
| fro-bot/systematic | #1 Enable code scanning | 75d | Decide or close. Sixth report. |
| fro-bot/fro-bot.github.io | #1 Enable code scanning | 75d | Close as N/A for a static site. Sixth report. |

Op-log entropy: 26 op-log/autohealing issues >14d (+2 since yesterday). actions/stale v10.3.0 just merged into .github. If a stale workflow is configured, its title/label filters evidently don't match the op-log pattern. The 5-minute config audit recommended yesterday remains the cheapest win.

Unassigned bugs or high-signal issues

No bug-labeled issues. The 14 untriaged audit issues remain unlabeled — same as yesterday, same as the day before.

| Cluster | Issues | Status |
| --- | --- | --- |
| Privacy gates | #3326, #3327, #3328, #3345 | Open, no assignees, no labels (day 3) |
| Reconciler correctness | #3319, #3320, #3332–#3337, #3340 | Open, no assignees, no labels (day 3) |
| Social broadcast | #3325 | Open, no assignee, no label (day 3) |

Repo hotspots

  1. fro-bot/.github — 77 open issues (49 op logs + 14 audit carryover + autohealing/oversight/survey residue), 2 open PRs. Noise queue +2/day; substantive queue static.
  2. fro-bot/agent — 5 open PRs (all Renovate), 2 open issues. Healthy except Auto Release.
  3. fro-bot/systematic — Seventh report flagging the same orphaned PR (fix: add @fro-bot as a collaborator to prevent it from being "removed" #2, 27d) and issue (feat: set default settings #1, 75d). At this point, archive the repo or commit to it.

Recommended actions (checklist)

A different framing today, because repetition isn't moving anything: pick one item from below and close it before tomorrow's report. The list isn't the work; the list is the symptom.

  • Quickest: Close fro-bot/fro-bot.github.io#1 as not-applicable. 30 seconds. Removes one carryover line from every future report.
  • Cheapest non-trivial: Delete the agent Auto Release workflow; Prepare Release PR already does the work. ~2 minutes. Removes the failing-main item entirely.
  • 5-minute config win: Audit the actions/stale workflow in fro-bot/.github (just bumped to v10.3.0). Tune days-before-stale + label/title filters to match the op-log pattern. Frees the issue queue passively going forward.
  • Highest-leverage security: Assign #3328 (privacy-gate metadata-tampering bypass) to someone with merge rights.
  • Rest of the carryover list (privacy cluster, reconciler cluster, social TOCTOU, Scorecard alerts, systematic#2, label taxonomy) — unchanged from #3358.

Run Summary

  • Event: schedule
  • Repo: fro-bot/.github
  • Ref: refs/heads/main
  • Run ID: 26322582649
  • Cache: hit
  • Sessions used: ses_1c6ba9e0dffe7oK9VLD2oWDr9c (prior thread)
  • Logical Thread: schedule-898cd73a
  • Mode: branch-pr (single summary issue)
  • Repos scanned: 5
  • Data sources: gh issue list, gh pr list, gh api actions/workflows, gh api code-scanning/alerts, gh api dependabot/alerts
