[Standup] Daily Standup — 2026-03-17

**Repos scanned**: 22 | **Mode**: hybrid | **Run**: [23189048813](https://github.com/zircote/.github/actions/runs/23189048813)

### Summary

| Metric | Count |
|--------|-------|
| Issues closed (24h) | 25 |
| PRs merged (24h) | 10+ in managed repos |
| In-progress issues | 0 |
| PRs awaiting review | 4 |
| Blockers | 8 |
| Upcoming milestones (7d) | 0 |

> ⚠️ **URGENT**: `subcog` AWS Access Key has been publicly exposed for **~70+ hours** with zero remediation. Immediate action required — see Blockers section.

---

### Yesterday's Completions

#### Issues Closed
_25 issues closed in org (most are automated bot reports — Smart Alerts, Housekeeping, Standup, Triage cycles closing previous runs)._

Notable automated closures:
- `zircote/.github` #320: [Alert] Smart Alerts — 2026-03-17 00:49 UTC (superseded by new run)
- `zircote/.github` #180: [Housekeeping] Dependency Updates report (closed after 7d)

#### PRs Merged
All Dependabot dependency updates — no human-authored merges in last 24h.

- `atlatl` #97: deps: bump clap 4.5.60 → 4.6.0 (by `@dependabot`[bot])
- `atlatl` #98: deps: bump tempfile 3.26.0 → 3.27.0 (by `@dependabot`[bot])
- `atlatl` #99: ci: bump taiki-e/install-action 2.68.25 → 2.68.33 (by `@dependabot`[bot])
- `atlatl` #100: deps: bump fastembed 5.12.0 → 5.12.1 (by `@dependabot`[bot])
- `atlatl` #101: ci: bump sigstore/cosign-installer 4.0.0 → 4.1.0 (by `@dependabot`[bot])
- `subcog` #162: deps: bump clap 4.5.60 → 4.6.0 (by `@dependabot`[bot])
- `subcog` #163: deps: bump uuid 1.21.0 → 1.22.0 (by `@dependabot`[bot])
- `subcog` #164: deps: bump rusqlite 0.38.0 → 0.39.0 (by `@dependabot`[bot])
- `subcog` #165: deps: bump once_cell 1.21.3 → 1.21.4 (by `@dependabot`[bot])
- `subcog` #166: deps: bump tracing-subscriber 0.3.22 → 0.3.23 (by `@dependabot`[bot])

#### Releases
- None in last 24h across managed repos.

---

### Today's Plan

#### In-Progress Work
_No issues are explicitly labeled `status/in-progress`. No open assigned issues found._

#### Awaiting Review
- `github-project-manager` [#4](https://github.com/zircote/github-project-manager/pull/4): ci: bump github/gh-aw from 0.56.2 to 0.58.3 — **quick win: merging fixes CI failure**
- `atlatl-spec` [#189](https://github.com/zircote/atlatl-spec/pull/189): deps: bump astro 5.18.0 → 6.0.4 (MAJOR version bump, needs review)
- `adrscope` [#47](https://github.com/zircote/adrscope/pull/47): ci: bump github/gh-aw 0.51.4 → 0.56.2
- `adrscope` [#48](https://github.com/zircote/adrscope/pull/48): ci: bump taiki-e/install-action (patch)

#### Upcoming Milestones
_No milestones with due dates within 7 days found across managed repos._

---

### Blockers

#### 🔴 CRITICAL — Security

- `subcog` [#153](https://github.com/zircote/subcog/issues/153): AWS Access Key exposed in `src/security/mod.rs` (commit `ad6f61a6`) — **~70+ hours, ZERO response**
  - **Immediate action**: Revoke key → remove from source → purge git history → rotate dependent services

#### 🔴 CI Failures (7 workflows)

| Repo | Issue | Age | Root Cause |
|------|-------|-----|------------|
| `sdlc-quality` | CI failing | ~20d ⚠️ OLDEST | Broken since `chore: update dependabot configuration` (2026-03-01) |
| `vscode-git-adr` | CI failing | ~18d | `actions/upload-artifact` v6→v7 breaking change |
| `atlatl-spec` | Validate Specification | ~14d | Invalid `<br/>` in Mermaid sequence diagram |
| `atlatl` | CI Checks | ~10d | Clippy 1.94 strict lints + broken doc links |
| `atlatl` | Pipeline | ~9d | ONNX Runtime prebuilt targets dropped |
| `daedalus` | Security Audit | ~3d | `sigstore/cosign-installer` 4.1.0 failure |
| `github-project-manager` | Agentic Maintenance | ~3d | gh-aw bump needed → **merge PR #4** (fix ready) |

**Quick win**: Merge `github-project-manager` [PR #4](https://github.com/zircote/github-project-manager/pull/4) (gh-aw bump to 0.58.3) immediately resolves that CI failure.

---

<details>
<summary>Per-Repo Details (22 repos scanned)</summary>

#### atlatl
- Merged: #97 (clap), #98 (tempfile), #99 (taiki-e/install-action), #100 (fastembed), #101 (sigstore/cosign-installer) — all Dependabot
- Pending PRs with failing CI: #91 (docker/build-push-action v7), #92 (docker/metadata-action v6), #73 (aging 7d+)
- CI: ❌ CI Checks (~10d), ❌ Pipeline (~9d)

#### subcog
- Merged: #162 (clap), #163 (uuid), #164 (rusqlite), #165 (once_cell), #166 (tracing-subscriber) — all Dependabot
- 🔴 SECURITY: [#153](https://github.com/zircote/subcog/issues/153) — AWS key exposed ~70h, unresolved

#### github-project-manager
- PR awaiting merge: [#4](https://github.com/zircote/github-project-manager/pull/4) — gh-aw 0.56.2 → 0.58.3
- CI: ❌ Agentic Maintenance (~3d) — fixed by merging PR #4

#### atlatl-spec
- Open Dependabot PRs: #187 (`@redocly/cli` patch), #188 (`@astrojs/starlight` patch), #189 (astro MAJOR v6)
- CI: ❌ Validate Specification (~14d) — invalid Mermaid `<br/>` syntax

#### adrscope
- Open Dependabot PRs: #47 (gh-aw minor), #48 (taiki-e/install-action patch)

#### daedalus
- Open Dependabot PR: #15 (zircote/adrscope pin update, CI ✅)
- CI: ❌ Security Audit (~3d) — sigstore/cosign-installer 4.1.0

#### sdlc-quality
- CI: ❌ CI failing ~20d — investigate `chore: update dependabot configuration` commit

#### vscode-git-adr
- CI: ❌ CI failing ~18d — update workflow to `actions/upload-artifact` v7 API

#### lro-bench
- Open PR: #23 (docker/build-push-action v7, CI unstable)

#### .github, rlm-rs, MIF, homebrew-tap, ccpkg, refactor, human-voice, rlm-rs-plugin, memory-capture-plugin, documentation-review, adr, git-adr, structured-madr
- No activity in last 24h.

</details>

---

*Generated by [daily-standup workflow](https://github.com/zircote/.github/actions/runs/23189048813)*







> Generated by [Daily Standup](https://github.com/zircote/.github/actions/runs/23189048813) · [◷](https://github.com/search?q=repo%3Azircote%2F.github+is%3Aissue+%22gh-aw-workflow-id%3A+daily-standup%22&type=issues)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Standup] Daily Standup — 2026-03-17 #326

Summary

Yesterday's Completions

Issues Closed

PRs Merged

Releases

Today's Plan

In-Progress Work

Awaiting Review

Upcoming Milestones

Blockers

🔴 CRITICAL — Security

🔴 CI Failures (7 workflows)

atlatl

subcog

github-project-manager

atlatl-spec

adrscope

daedalus

sdlc-quality

vscode-git-adr

lro-bench

.github, rlm-rs, MIF, homebrew-tap, ccpkg, refactor, human-voice, rlm-rs-plugin, memory-capture-plugin, documentation-review, adr, git-adr, structured-madr

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Metric	Count
Issues closed (24h)	25
PRs merged (24h)	10+ in managed repos
In-progress issues	0
PRs awaiting review	4
Blockers	8
Upcoming milestones (7d)	0

Repo	Issue	Age	Root Cause
`sdlc-quality`	CI failing	~20d ⚠️ OLDEST	Broken since `chore: update dependabot configuration` (2026-03-01)
`vscode-git-adr`	CI failing	~18d	`actions/upload-artifact` v6→v7 breaking change
`atlatl-spec`	Validate Specification	~14d	Invalid `<br/>` in Mermaid sequence diagram
`atlatl`	CI Checks	~10d	Clippy 1.94 strict lints + broken doc links
`atlatl`	Pipeline	~9d	ONNX Runtime prebuilt targets dropped
`daedalus`	Security Audit	~3d	`sigstore/cosign-installer` 4.1.0 failure
`github-project-manager`	Agentic Maintenance	~3d	gh-aw bump needed → merge PR #4 (fix ready)

[Standup] Daily Standup — 2026-03-17 #326

Description

Summary

Yesterday's Completions

Issues Closed

PRs Merged

Releases

Today's Plan

In-Progress Work

Awaiting Review

Upcoming Milestones

Blockers

🔴 CRITICAL — Security

🔴 CI Failures (7 workflows)

atlatl

subcog

github-project-manager

atlatl-spec

adrscope

daedalus

sdlc-quality

vscode-git-adr

lro-bench

.github, rlm-rs, MIF, homebrew-tap, ccpkg, refactor, human-voice, rlm-rs-plugin, memory-capture-plugin, documentation-review, adr, git-adr, structured-madr

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions