Daily Repo-Health Check — 2026-06-09

Importance: Medium. Tasks: Pending (5 QA items await Sam). Session end reason: Completed normally (scheduled run).

What was done

Ran the canonical runner (checkpoint-first, watchdog fresh — no miss; newest prior report 06-08 ~24h old).
Assembled today-dated truth from three live sources: fresh local git sweep, hosted Cloudflare Worker (HTTP 200, remote heads + 24h CI), and direct GitHub API (workflows, dependabot, secrets, open PRs, failing-run detail). Rate limit healthy.
Verified all permanent checks live (not cached): P1 Notion-wiki holds NOTION_TOKEN; P2 no disabled workflows; P4 Dependabot 11/11; P5 spec=disk.
Wrote canonical report Codex/repo-health/2026-06-09.md, mirrored QA to Codex/_qa-queue/2026-06-09.md, and refreshed repo-health-latest.json atomically (31,518 bytes) so tomorrow's checkpoint-first run serves clean today-dated data.
No repo-level changes (deferred to approvals below). Two safe local writes only (checkpoint + report).

Key findings

Dependabot wave rolled to its last 2 latent repos: 6 runs failed on main — sail-marketing (npm/pip/github-actions, 05:23Z) and sail-templates (same, 07:23Z). Same config defect (3 ecosystems declared, no manifests). Every weekly-Dependabot repo has now thrown this once across 06-07→06-09. Benign, but a day-3 recurring CI red.
No commits on any default branch; all remote heads frozen at the 06-01 push window (sail-seo at its 06-06 head).
One local change: sail-marketing dirty 0→23 from another agent's staged locations-hub-merge work on agent/projects-reorg (HEAD unchanged). Monitor-only.
Open-PR backlog holds at 23, composition unchanged. The 9 chore/add-dependabot-* PRs confirmed mergeable_state=dirty (conflict with the file already on main) → redundant, not mergeable, so the one permitted auto-merge correctly did not fire.

Recommended next actions (handoff for next agent)

Nothing is blocked. The next agent can pick up cleanly: the report + QA queue + checkpoint are all current; data path is checkpoint-first + hosted Worker + git/API (the local full-rebuild still exceeds the ~45s ceiling). If Sam approves any QA item, execute via the GitHub MCP (no gh CLI in sandbox). Do not touch the dirty trees (litify 315, command-center 33, marketing 23) — active other-agent work.

QA Recommendations Pending Approval

1. RECURRING (day 3): Dependabot failing on main org-wide (npm/pip with no manifests).

A. Narrow each repo's dependabot.yml to only the ecosystems it has, one config-only PR per repo, staged for one-click merge. (Recommended)
B. Authorize me to do A autonomously on future runs (always-allowed; config-only, revertable, pending 3 days).
C. Disable Dependabot on no-dependency repos, narrow the rest.
D. Other (monthly schedule / single shared config).