
[Alert] Smart Alerts — 2026-03-10 (00:46 UTC) #193

@github-actions

Description


Monitoring window: 2026-03-09 18:46–2026-03-10 00:46 UTC | Repos scanned: 22 | Run: 22881719848

⚠️ Prior alert #189 is still open (opened 2026-03-09T18:30Z) — no fixes observed in this monitoring window.


🔴 Critical — Escalated

daedalus — Security Audit Failing for 24+ Hours (Escalated from Warning)

  • Workflow: Security Audit #23
  • Latest failure: 2026-03-10T00:24:43Z (run ci: bump github/codeql-action from 3.28.0 to 4.32.4 #23) — no fix attempted since prior alert
  • Failing since: ~2026-03-09T00:27Z — over 24 hours of unresolved Security Audit failure
  • Failure pattern: cargo deny / cargo audit dependency tree scan exits with code 1; vulnerable dependencies flagged in daedalus 0.1.0's transitive dependency chain (includes getrandom 0.4.1, proptest 1.10.0)
  • Impact: Security audit is non-functional; all commits to main during this window are unscanned for known CVEs
  • Action:
    1. Run cargo audit locally on daedalus to identify the specific advisory(ies) triggering the failure
    2. Check deny.toml — add an [advisories] ignore entry for any accepted/low-risk advisories as a short-term workaround, recording the reason and a review date so the suppression does not silently become permanent (if the workflow invokes cargo audit rather than cargo deny, its ignore list lives in .cargo/audit.toml, not deny.toml)
    3. Update or patch affected crates if a fix is available upstream

🔴 Critical — New This Window

atlatl — Security Audit Now Also Failing (in addition to CodeQL)

  • Workflow: Security Audit #54
  • Failed at: 2026-03-10T00:42:11Z (scheduled run, run [org-monitor] Daily Report — 2026-03-02 #54)
  • Head commit: dad1f306 refactor(iteration 5/5): replace confirm/prompt with modals (pushed 2026-03-09T13:58Z)
  • Failure pattern: cargo deny or cargo audit dependency scan exits with code 1; vulnerable dependencies in the deep dependency chain including: rsa 0.9.10, jsonwebtoken 10.3.0, ed25519-dalek 2.2.0, aes-gcm 0.10.3, argon2 0.5.3
  • Context: atlatl already had CodeQL failing (reported in #189). Now both CodeQL and Security Audit are broken. The repository's primary security pipeline is entirely non-functional.
  • Impact: All code merged to atlatl/main since ~2026-03-09T06:00Z has bypassed both CodeQL analysis and dependency vulnerability scanning.
  • Action:
    1. Run cargo audit locally to identify specific advisories
    2. Run cargo deny check advisories to see the full deny report
    3. Check if rsa, jsonwebtoken, or ed25519-dalek have patched versions available; update Cargo.lock accordingly
    4. Fix CodeQL (from prior alert) concurrently — both failures need to be resolved before merging new PRs
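Steps 1–3 for daedalus and steps 1–3 for atlatl are the same triage loop. The script below is an added example, not code from either project or from cargo-audit/cargo-deny; it shows one way to run that loop mechanically over `cargo audit --json` output. Advisories with a patched version go to an update list (bump Cargo.lock, do not suppress), advisories with no patch are allowed only by a deny.toml ignore entry that carries a reason and an unexpired review date, and ignore entries for advisories no longer reported are flagged as stale. The JSON field layout follows cargo-audit's report format, but the advisory IDs, crate names and versions are constructed, and the "review by <date>" phrase inside `reason` is a team convention assumed here, not a cargo-deny feature.

```python
"""Triage `cargo audit --json` findings against the ignore list in deny.toml.

Added example, not code from daedalus, atlatl or cargo-deny. The JSON layout
(vulnerabilities.list[].advisory / .package / .versions) follows cargo-audit's
report; the advisory IDs, crates and versions below are invented.
"""
import datetime as dt
import json
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed sample of `cargo audit --json` output (not a real scan result).
SAMPLE_AUDIT_JSON = """{"vulnerabilities": {"found": true, "count": 3, "list": [
  {"advisory": {"id": "RUSTSEC-0000-0001", "package": "example-crypto", "title": "Timing side channel"},
   "package": {"name": "example-crypto", "version": "0.9.10"},
   "versions": {"patched": [">=0.9.11"], "unaffected": []}},
  {"advisory": {"id": "RUSTSEC-0000-0002", "package": "example-rng", "title": "Weak fallback entropy"},
   "package": {"name": "example-rng", "version": "0.4.1"},
   "versions": {"patched": [], "unaffected": []}},
  {"advisory": {"id": "RUSTSEC-0000-0003", "package": "example-jwt", "title": "Algorithm confusion"},
   "package": {"name": "example-jwt", "version": "10.3.0"},
   "versions": {"patched": [], "unaffected": []}}
]}}"""

# Constructed deny.toml fragment. cargo-deny accepts ignore entries either as
# bare advisory-ID strings or as { id, reason } tables; the "review by <date>"
# phrase inside reason is a team convention assumed here, not a cargo-deny feature.
SAMPLE_DENY_TOML = """
[advisories]
ignore = [
    { id = "RUSTSEC-0000-0002", reason = "only reachable from the test harness; review by 2026-04-01" },
    { id = "RUSTSEC-0000-0003", reason = "accepted, tokens are never verified here; review by 2026-03-01" },
    "RUSTSEC-0000-0099",
]
"""

REVIEW_BY = re.compile(r"review by (\d{4}-\d{2}-\d{2})")


def parse_ignores(deny_toml: str) -> dict:
    """Map advisory ID -> {"reason", "review_by"} from [advisories].ignore."""
    ignores = {}
    for entry in tomllib.loads(deny_toml).get("advisories", {}).get("ignore", []):
        if isinstance(entry, str):  # bare ID: no reason recorded
            ignores[entry] = {"reason": None, "review_by": None}
            continue
        reason = entry.get("reason") or None
        match = REVIEW_BY.search(reason or "")
        review_by = dt.date.fromisoformat(match.group(1)) if match else None
        ignores[entry["id"]] = {"reason": reason, "review_by": review_by}
    return ignores


def triage(audit_json: str, deny_toml: str, today: dt.date) -> dict:
    """Sort each finding into update / accepted / blocking; list stale ignores."""
    ignores = parse_ignores(deny_toml)
    result = {"update": [], "accepted": [], "blocking": [], "stale_ignores": []}
    seen = set()
    for finding in json.loads(audit_json)["vulnerabilities"]["list"]:
        adv_id = finding["advisory"]["id"]
        seen.add(adv_id)
        pkg = f"{finding['package']['name']} {finding['package']['version']}"
        patched = finding["versions"].get("patched") or []
        if patched:
            # A fix exists upstream: bump Cargo.lock; an ignore is not honoured here.
            result["update"].append(f"{adv_id} {pkg} -> {', '.join(patched)}")
            continue
        ign = ignores.get(adv_id)
        if ign is None:
            result["blocking"].append(f"{adv_id} {pkg}: no patch and no accepted ignore")
        elif ign["reason"] is None:
            result["blocking"].append(f"{adv_id} {pkg}: ignored without a recorded reason")
        elif ign["review_by"] is None or ign["review_by"] < today:
            result["blocking"].append(f"{adv_id} {pkg}: ignore has no future review date")
        else:
            result["accepted"].append(f"{adv_id} {pkg}: {ign['reason']}")
    # Ignores for advisories cargo-audit no longer reports should be deleted.
    result["stale_ignores"] = sorted(set(ignores) - seen)
    return result


def exit_code(result: dict) -> int:
    """Non-zero whenever something still needs a Cargo.lock bump or a human."""
    return 1 if result["update"] or result["blocking"] else 0


def run_sample() -> dict:
    """Triage the constructed samples as of the alert date (2026-03-10)."""
    return triage(SAMPLE_AUDIT_JSON, SAMPLE_DENY_TOML, dt.date(2026, 3, 10))


if __name__ == "__main__":
    report = run_sample()
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
    raise SystemExit(exit_code(report))
```

On the constructed input the script puts RUSTSEC-0000-0001 in the update list, accepts RUSTSEC-0000-0002, blocks RUSTSEC-0000-0003 because its review date has passed, reports RUSTSEC-0000-0099 as a stale ignore, and exits 1. To use it for real, feed it `cargo audit --json` output and the project's deny.toml; the non-zero exit keeps the Security Audit job red until the lockfile is bumped or the ignore is justified, which is the check the "short-term workaround" in step 2 otherwise lacks. One caveat for both repos: cargo audit does not read deny.toml at all (its own ignore list is .cargo/audit.toml), so first confirm which of the two tools the failing workflow actually invokes before editing either file.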

🟡 Warning — Ongoing (no fix observed)

atlatl — CodeQL Security Scan Still Failing (14+ hours)

  • Last known failure: CodeQL #125 — failing since 2026-03-09T14:10Z
  • No new run or fix attempt observed in this window
  • See prior alert #189 for details; situation has only worsened with Security Audit now also failing
  • Action: Review CodeQL job logs; check language matrix and build-mode config in .github/workflows/codeql-analysis.yml

atlatl-spec — Validate Specification Failing (3+ days)

  • Last successful Validate Specification run: unknown (last run seen was dependabot update 2026-03-09T03:13Z, not the failing workflow)
  • No fix or new push observed since prior alert
  • Action: Check the validate-specification workflow logs; this has been failing for ≥3 days with no remediation attempt

.github — Dependabot Rollout & Sweep Still Failing

  • Rollout: Has never succeeded since 2026-03-02
  • Sweep: Failing since 2026-03-08
  • Impact: Dependabot PRs across all managed repos are accumulating and not being auto-merged
  • Action: Verify GITHUB_TOKEN has pull-requests: write and contents: write permissions in both workflow files; check workflow run logs for the specific permission error
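What that permissions check looks like in a workflow file, as an added example rather than the actual zircote/.github Rollout or Sweep workflow (whose contents are not shown in this alert); the workflow name, job name, schedule and the `gh` commands are assumed for illustration:

```yaml
# Added example, not the repository's own workflow; names and schedule are assumed.
name: Dependabot Sweep
on:
  schedule:
    - cron: "0 6 * * *"
  workflow_dispatch:

# Weak setting: with no permissions block, or a read-only one like the commented
# block below, GITHUB_TOKEN cannot approve PRs or enable auto-merge and the job
# fails on the first `gh pr merge`.
# permissions:
#   contents: read

# Corrected: the two write scopes the alert asks for, and nothing broader.
permissions:
  contents: write        # enabling auto-merge / merging the branch
  pull-requests: write   # approving and commenting on the PR

jobs:
  sweep:
    runs-on: ubuntu-latest
    steps:
      - name: Enable auto-merge on open Dependabot PRs in this repository
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          for pr in $(gh pr list --author "app/dependabot" --state open \
                        --json number --jq '.[].number'); do
            gh pr review "$pr" --approve
            gh pr merge "$pr" --auto --squash
          done
```

Two things to confirm in the run logs beyond the permissions block. First, GITHUB_TOKEN is scoped to the repository the workflow runs in; a Rollout or Sweep job in .github that touches other managed repos needs a GitHub App installation token or a PAT with the same scopes on those repos, and no `permissions:` block will fix that. Second, `gh pr merge --auto` only succeeds when "Allow auto-merge" is enabled in the target repository's settings and the branch protection's required checks can actually pass, so a 4xx from that command may be a settings error rather than a token error.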

ℹ️ Info

CI Health Summary — This Window (18:46–00:46 UTC)

Repo                    Latest run                           Status
zircote/.github         Agent Health Monitor (23:53Z)        ✅ Success
rlm-rs                  Daily QA (11:24Z, prior window)      ✅ Success
subcog                  Push on main / CodeQL (19:51Z)       ✅ Success
MIF                     Daily Documentation Review (20:57Z)  ✅ Success
ccpkg                   Daily Documentation Review (20:57Z)  ✅ Success
sdlc-quality            Dependabot update (22:48Z)           ✅ Success
github-project-manager  Dependabot update (13:57Z)           ✅ Success
atlatl                  Security Audit (00:42Z)              Failure
daedalus                Security Audit (00:24Z)              Failure

Issue Activity — No Spike Detected

No repos exceeded the 5-new-issues-in-6-hours threshold. Zero new issues opened across all managed repos in this monitoring window.

Review Backlog

No review backlog threshold exceeded. No pending review requests observed.


Recommended Actions (Priority Order)

  1. [Critical] Fix atlatl Security Audit — both CodeQL and Security Audit are broken simultaneously; no security scanning on primary project
  2. [Critical] Fix daedalus Security Audit — 24+ hours unresolved; run cargo audit locally to identify advisory, then patch or suppress
  3. [High] Fix atlatl CodeQL — has been broken since ~2026-03-09T06:00Z; investigate CodeQL workflow config
  4. [Medium] Fix atlatl-spec Validate Specification — 3+ days failing, no investigation started
  5. [Medium] Restore .github Dependabot Rollout/Sweep — automated merges blocked across all managed repos

Generated by smart-alerts workflow — https://github.com/zircote/.github/actions/runs/22881719848

gh-aw-workflow-id: smart-alerts


Labels: gpm/alert (GPM automated alert)