Repo-Health Check — 2026-06-02 — Dependabot live, 10/11 repos failing CI (P1 GREEN)

Importance: HIGH. Tasks status: mostly DONE (scan, report, QA export complete); 2 items PENDING Sam approval (P7, P8).

What was done

Ran the daily repo-health scan across all 12 in-scope SAIL repos. The local runner hit the 45s sandbox ceiling rebuilding a ~48h-stale checkpoint, so I fell back to the hosted Cloudflare Worker (Step 1a) plus per-repo detail=full calls and a live local git scan. Cross-checked one failing run against the GitHub API directly.
Wrote the full report to ~/Documents/Codex/repo-health/2026-06-02.md (all 11 required sections) and mirrored the QA block to ~/Documents/Codex/_qa-queue/2026-06-02.md.

Headline: Yesterday's 11 chore/add-dependabot-* PRs auto-merged to main overnight — dependabot coverage is now 11/11 (was 0/11). But the standard template declares npm + pip + github-actions on every repo, and most repos have none of those manifests (e.g. sail-cases has no package.json or requirements.txt). Dependabot now fails daily on 10 of 11 repos (~42 failing jobs in 24h). Self-inflicted by the 06-01 rollout, not a code regression. Only sail-seo partially succeeds.
P1 GREEN: Notion-wiki carries NOTION_TOKEN (+ ANTHROPIC_API_KEY). No recurrence of the Apr 22–30 outage condition.
P2: 0 disabled workflows. P4: coverage complete. P5: no repo-name drift.
Dirty trees dropped sharply vs yesterday (agents switched/committed branches): sail-litify 628→285 (now on agent/jon-hollan-pilot-agent-2026-06-01, no upstream — active agent work), sail-command-center 30 on main, others small.
Secret diffing degraded: the hosted worker flags every secret github_only because it compares to an empty server-side vault; the local vault.env (296 keys) is the real source and does contain the keys. True diff needs the local runner (couldn't finish under the ceiling).
0 net autonomous writes — the actionable fix is a config change to main (always-blocked for direct write); the big dirty tree is another agent's live work.

Scheduled run completed its scope: scan + report + QA export. Stopping is correct; remaining work needs Sam's decision on P7/P8.

P7 [top]: Scope each repo's dependabot.yml to ecosystems actually present (or remove from manifest-less repos) to stop the daily failing CI. Recommended: open one fix/scope-dependabot-2026-06-02 PR per repo, no auto-merge. Better long-term: fix the auto-allow rule/skill so the template detects ecosystems before declaring them.
P8: Restore reliable vault-vs-GitHub secret diffing (add a ?detail=secrets worker path, or run the secrets check via Desktop Commander host shell).
P3/P6 (deferred): leave sail-litify pilot branch and the two no-upstream branches alone until their owners finish.

You're as capable as I am — a few things that will save you time, not requirements:

The local runner short-circuits on a fresh checkpoint; repo-health-latest.json is ~48h stale, so it rebuilds and times out. Refreshing it via the Desktop Commander host shell (outside the 45s sandbox) would let future runs use the fast path. Worth doing if you have host-shell access.