Monitoring window: 2026-03-09 18:46–2026-03-10 00:46 UTC | Repos scanned: 22 | Run: 22881719848

⚠️ Prior alert #189 is still open (opened 2026-03-09T18:30Z) — no fixes observed in this monitoring window.

🔴 Critical — Escalated

daedalus — Security Audit Failing for 24+ Hours (Escalated from Warning)

• Workflow: Security Audit #23
• Latest failure: 2026-03-10T00:24:43Z (run ci: bump github/codeql-action from 3.28.0 to 4.32.4 #23) — no fix attempted since prior alert
• Failing since: ~2026-03-09T00:27Z — over 24 hours of unresolved Security Audit failure
• Failure pattern: cargo deny / cargo audit dependency tree scan exits with code 1; vulnerable dependencies flagged in daedalus 0.1.0's transitive dependency chain (includes getrandom 0.4.1, proptest 1.10.0)
• Impact: Security audit is non-functional; all commits to main during this window are unscanned for known CVEs
• Action:
  1. Run cargo audit locally on daedalus to identify the specific advisory(ies) triggering the failure
  2. Check deny.toml — add an [advisories] ignore entry for any accepted/low-risk advisories as a short-term workaround
  3. Update or patch affected crates if a fix is available upstream

🔴 Critical — New This Window

atlatl — Security Audit Now Also Failing (in addition to CodeQL)

• Workflow: Security Audit #54
• Failed at: 2026-03-10T00:42:11Z (scheduled run, run [org-monitor] Daily Report — 2026-03-02 #54)
• Head commit: dad1f306 — refactor(iteration 5/5): replace confirm/prompt with modals (pushed 2026-03-09T13:58Z)
• Failure pattern: cargo deny or cargo audit dependency scan exits with code 1; vulnerable dependencies in the deep dependency chain including: rsa 0.9.10, jsonwebtoken 10.3.0, ed25519-dalek 2.2.0, aes-gcm 0.10.3, argon2 0.5.3
• Context: atlatl already had CodeQL failing (reported in #189). Now both CodeQL and Security Audit are broken. The repository's primary security pipeline is entirely non-functional.
• Impact: All code merged to atlatl/main since ~2026-03-09T06:00Z has bypassed both CodeQL analysis and dependency vulnerability scanning.
• Action:
  1. Run cargo audit locally to identify specific advisories
  2. Run cargo deny check advisories to see the full deny report
  3. Check if rsa, jsonwebtoken, or ed25519-dalek have patched versions available; update Cargo.lock accordingly
  4. Fix CodeQL (from prior alert) concurrently — both failures need to be resolved before merging new PRs

🟡 Warning — Ongoing (no fix observed)

atlatl — CodeQL Security Scan Still Failing (14+ hours)

• Last known failure: CodeQL #125 — failing since 2026-03-09T14:10Z
• No new run or fix attempt observed in this window
• See prior alert #189 for details; situation has only worsened with Security Audit now also failing
• Action: Review CodeQL job logs; check language matrix and build-mode config in .github/workflows/codeql-analysis.yml

atlatl-spec — Validate Specification Failing (3+ days)

• Last successful Validate Specification run: unknown (last run seen was dependabot update 2026-03-09T03:13Z, not the failing workflow)
• No fix or new push observed since prior alert
• Action: Check the validate-specification workflow logs; this has been failing for ≥3 days with no remediation attempt

.github — Dependabot Rollout & Sweep Still Failing

• Rollout: Has never succeeded since 2026-03-02
• Sweep: Failing since 2026-03-08
• Impact: Dependabot PRs across all managed repos are accumulating and not being auto-merged
• Action: Verify GITHUB_TOKEN has pull-requests: write and contents: write permissions in both workflow files; check workflow run logs for the specific permission error

ℹ️ Info

CI Health Summary — This Window (18:46–00:46 UTC)

Issue Activity — No Spike Detected

No repos exceeded the 5-new-issues-in-6-hours threshold. Zero new issues opened across all managed repos in this monitoring window.

Review Backlog

No review backlog threshold exceeded. No pending review requests observed.

Recommended Actions (Priority Order)

1. [Critical] Fix atlatl Security Audit — both CodeQL and Security Audit are broken simultaneously; no security scanning on primary project
2. [Critical] Fix daedalus Security Audit — 24+ hours unresolved; run cargo audit locally to identify advisory, then patch or suppress
3. [High] Fix atlatl CodeQL — has been broken since ~2026-03-09T06:00Z; investigate CodeQL workflow config
4. [Medium] Fix atlatl-spec Validate Specification — 3+ days failing, no investigation started
5. [Medium] Restore .github Dependabot Rollout/Sweep — automated merges blocked across all managed repos

Generated by smart-alerts workflow — https://github.com/zircote/.github/actions/runs/22881719848

gh-aw-workflow-id: smart-alerts

Generated by Smart Alerts · ◷

Generated by Smart Alerts · ◷