Daily Fro Bot Report — 2026-06-27 (UTC)
Run Summary
pnpm bootstrap, pnpm check-types, pnpm lint, pnpm test, and Node strip-only production imports passed.
Errored PRs
Both are dependency PRs and have successful checks; skipped under the dependency/security ownership rule.
Security
Dependabot security alerts: data unavailable (gh api repos/fro-bot/dashboard/dependabot/alerts returned 404).
Reviewed secret/error handling and auth boundaries in src/logger.ts, src/secrets.ts, src/server.ts, src/github/metadata.ts, and src/github/aggregator.ts; no new leak path found.
Protected routes remain deny-by-default with only health, auth endpoints, and static PWA assets public.
Code Quality
pnpm bootstrap: pass.
pnpm check-types: pass.
pnpm lint: pass.
pnpm test: pass, 20 files and 1115 tests.
Node 24 strip-only production import check over src/**/*.ts excluding tests: pass.
Working tree after checks: clean.
Workflow Integrity
.github/workflows/main.yaml, .github/workflows/release.yaml, .github/workflows/fro-bot.yaml, and .github/actions/setup/action.yaml use full-SHA third-party action pins with version comments.
Workflow permissions are scoped to contents: read by default, with release-only packages: write where needed.
Jobs that install dependencies use ./.github/actions/setup; release-specific standalone setup steps are tied to release guard/tagging and image workflow needs.
Strip-only TypeScript drift scan found no production enum, namespace, parameter properties, or TS import aliases.
Progressive Improvement
pnpm outdated --format json reports routine drift: vite 8.0.16 -> 8.1.0, @hono/node-server 1.19.14 -> 2.0.6, @types/node 24.12.0 -> 26.0.1, and eslint-plugin-erasable-syntax-only 0.4.0 -> 0.4.2.
actions/cache: chore(dev): update Vite packages #118 and chore(deps): update GitHub Actions #120.
TODO/FIXME annotations found under src/.
Cross-Project Intelligence
fro-bot/.github, fro-bot/agent, marcusrbrown/infra, and bfra-me/.github package metadata were readable via gh.
@bfra.me/eslint-config 0.51.1, @bfra.me/tsconfig 0.13.1, ESLint 10.5.0, TypeScript 6.0.3, and Vitest 4.1.9.
.github/workflows/fro-bot.yaml pins fro-bot/agent@e376c3687630e2d467ed97e7ae877687f086b5ab # v0.78.0.
fro-bot/agent still uses the same O_NOFOLLOW secret-file pattern and sensitive-field logger redaction shape mirrored by this dashboard.
marcusrbrown/infra deploy-dashboard workflow validates CalVer/digest before secret-bearing deployment, matching this repo's release dispatch validation direction.
Needs Human Attention
Security alerts unavailable: the token received 404 from gh api repos/fro-bot/dashboard/dependabot/alerts --paginate -F state=open. Smallest safe fix is not in this repo's code; verify repository security settings/token scopes expose Dependabot alerts to the scheduled Fro Bot run. Do not guess advisory state from dependency versions alone.
Session history tools requested by the harness (session_search / session_read) were not available in this tool environment, so prior-session review could not be performed. Do not retry this as a code change; verify the CI harness exposes those tools if session recall is required.