| Area | Status | Notes |
| --- | --- | --- |
| Security | | Dependabot alerts accessible; 0 open alerts. Secret/auth review found existing redaction and protected-route controls intact. |
| Code Quality | ✅ | pnpm bootstrap, pnpm check-types, pnpm lint, pnpm test, and Node strip-only production imports passed. |
| Workflow Integrity | ✅ | Actions are SHA-pinned with version comments; permissions are scoped; dependency jobs use the shared setup action. |
| Progressive Improvement | ⚠️ | Routine version drift observed; Renovate-owned, no auto-heal performed. |
| Cross-Project Intelligence | ⚠️ | Sibling pattern scan found one hardening pattern to consider: persist-credentials: false on the Fro Bot checkout. |
| Errored PRs | | None |
Security
Dependabot security alerts: 0 open.
Reviewed secret/error handling paths in src/logger.ts, src/secrets.ts, src/github/app-client.ts, src/routes/auth.ts, and src/server.ts; no new leak path found.
Protected-route boundary remains deny-by-default: /api/healthz, /auth/login, /auth/callback, /auth/logout, and static PWA assets are public; /api/status, /, and /operator/* require auth/session handling.
Code Quality
pnpm bootstrap: pass.
pnpm check-types: pass.
pnpm lint: pass.
pnpm test: pass, 20 files and 1115 tests.
Node 24 strip-only production import check over src/**/*.ts excluding tests: pass.
Working tree after checks: clean.
Workflow Integrity
.github/workflows/main.yaml, .github/workflows/release.yaml, .github/workflows/fro-bot.yaml, and .github/actions/setup/action.yaml use full-SHA third-party action pins with version comments.
Workflow permissions are scoped to contents: read by default, with release-only packages: write where needed.
Jobs that install dependencies use ./.github/actions/setup; release’s later standalone actions/setup-node step appears intentional for tag/release scripting after image smoke testing.
Strip-only TypeScript drift scan found no production enum, namespace, parameter properties, or TS import aliases.
fro-bot/agent currently uses matching core versions for @bfra.me/es, @bfra.me/eslint-config, @bfra.me/tsconfig, eslint, typescript, vite, and vitest; dashboard’s pinned Fro Bot action is already fro-bot/agent@f51adbd546b94721ab75ea21b6a91118131e6b46 # v0.77.0.
fro-bot/.github and bfra-me/.github Renovate presets continue using branch-mode post-upgrade tasks; dashboard aligns with branch-mode Renovate post-upgrade tasks.
marcusrbrown/infra uses persist-credentials: false on its secret-bearing Fro Bot checkout. Consider adopting the same hardening in .github/workflows/fro-bot.yaml if compatible with this repository’s checkout/token needs.
Local cloned dependency source under .slim/clonedeps/repos/fro-bot__agent/ was unavailable in this CI workspace; remote gh/raw content was used instead.
Needs Human Attention
Session history tools requested by the harness (session_search / session_read) were not available in this tool environment, so prior-session review could not be performed. Do not retry this as a code change; verify the CI harness exposes those tools if session recall is required.
Consider hardening .github/workflows/fro-bot.yaml checkout with persist-credentials: false, mirroring marcusrbrown/infra. Smallest safe fix: add persist-credentials: false under the existing checkout with: block, then verify the Fro Bot action still receives secrets.FRO_BOT_PAT through its explicit github-token input and that pnpm check-types, pnpm lint, and workflow syntax checks remain green. Do not apply if the action depends on persisted Git credentials for same-run operations.
Daily Fro Bot Report — 2026-06-26 (UTC)
Progressive Improvement
pnpm outdated --format json reports routine drift: hono 4.12.26 -> 4.12.27, vite 8.0.16 -> 8.1.0, eslint-plugin-erasable-syntax-only 0.4.0 -> 0.4.2, @hono/node-server 1.19.14 -> 2.0.6, and @types/node 24.12.0 -> 26.0.1.
TODO/FIXME annotations found under src/.
main.yaml runs on main are green: https://github.com/fro-bot/dashboard/actions/runs/28208769364.