Weekly Report 2026-05-25

[clawgenti]

Org Weekly Report: 2026-05-18 -- 2026-05-25

Generated for kagenti

Org-Wide Summary

Repo	Merged PRs	Open PRs	Open Issues	New Issues	CI Pass Rate	Status
kagenti	27	43	149	12	14/30 (47%)	active
kagenti-extensions	10	13	12	2	15/30 (50%)	active
agent-examples	10	90	6	0	24/30 (80%)	active
kagenti-operator	9	14	10	1	23/30 (77%)	active
automation	3	1	0	0	--	active
agent-skills	3	1	0	0	--	active
workload-harness	1	1	0	0	25/30 (83%)	active
plugins-adapter	1	4	9	0	20/30 (67%)	active
agentic-control-plane	0	6	0	0	30/30 (100%)	active
adk	0	10	13	2	22/30 (73%)	active
OpenShell	0	0	0	0	18/30 (60%)	quiet
ecosystem-guide	0	2	0	0	30/30 (100%)	quiet
.github	0	0	2	0	12/30 (40%)	quiet
openshell-driver-openshift	0	0	0	0	15/16 (94%)	quiet
openshell-credentials-keycloak	0	0	0	0	2/2 (100%)	quiet
adk-starter	0	0	0	0	0/9 (0%)	quiet
capture-the-flag	0	1	0	0	4/7 (57%)	quiet
TOTAL	64	186	201	17

Action Items

#	Action	Repo	Owner	Priority
1	Merge approved #1652 (automate image tag pinning) — security-flagged, approved, release-blocking for next alpha cut	kagenti	@pdettori / release team	P1
2	Merge approved #1639 (local chart tag fix) — approved 3 days, unblocks OCP dev workflow	kagenti	@pdettori / infra team	P1
3	Merge approved #1619 (Pydantic validation UI errors) — fixes #1617, approved 4 days	kagenti	@jeremyeder / UI team	P1
4	Merge approved #1440 (skill linking for agents) — approved but stale 21 days, prerequisite for Skills UI feature	kagenti	@eranra / maintainers	P2
5	Review security-flagged #1657 (major dep bump) — Dependabot, unreviewed, potential breaking changes	kagenti	maintainers	P0
6	Address changes requested on #1651 (protect child manifests from cleanup) — security-flagged, related to merged #1621 CI cleanup	kagenti	@pdettori / infra team	P1
7	Triage #1650 + #1610 — OpenShell CLI incompatibility chain; merged #1646 is partial fix only	kagenti	@pdettori / operator team	P1
8	Investigate #1611 — AgentCard sync fails through ztunnel; blocks mTLS rollout from merged operator PRs #284, #369	kagenti	operator team	P1
9	Fix "CI" workflow — kagenti at 47% pass rate; investigate root cause after #1622 (pin kubernetes<36) and #1623 (rate-limit mitigation) were merged	kagenti	infra team	P1
10	Review OPA plugin #427 — security-flagged, implements #426, open 4 days	kagenti-extensions	@huang195 / maintainers	P1
11	Fix "Security Scans" workflow — kagenti-extensions at 50% pass rate, 2 failures in security scan pipeline	kagenti-extensions	infra team	P1
12	Review Sigstore A2A verification #355 — security-critical supply chain feature, open 12 days	kagenti-operator	operator team	P1
13	Address changes requested on #372 (Consolidate AgentCard into AgentRuntime) — relates to #371	kagenti-operator	@rhuss / operator team	P2
14	Batch-merge or close 90 open Dependabot PRs in agent-examples — 110 across org; consider enabling Dependabot grouping or auto-merge for patch bumps	agent-examples	@evaline-ju / maintainers	P2
15	Review #404 (dependabot consolidation config) — will reduce future Dependabot noise across agent-examples	agent-examples	maintainers	P2
16	Fix "Weekly Docker Build and Test" workflow — adk-starter at 0% pass rate (9/9 failures), completely broken	adk-starter	infra team	P2
17	Fix "Check links in site" workflow — .github at 40% pass rate (12 failures), likely from recent docs reorg	.github	docs team	P2
18	Close or rebase stale PRs: #1078 (65d), #1172 (46d), #1499 (17d), #938 (72d), #1271 (37d)	kagenti	maintainers	P3
19	Batch k8s.io dependency bumps #309-313 — stale 27 days, test together for k8s 0.36.0 compat	kagenti-operator	operator team	P2
20	Review #1498 (ACP backend + WebSocket) — changes requested 17 days ago, foundational for T5/T6 test tiers	kagenti	@Ladas / maintainers	P2
21	Resolve #1605 — MLflow AI Gateway broken (OIDC blocks endpoints); related to merged #1644 and #1659 RHOAI fixes	kagenti	@pdettori / infra team	P1
22	Fix "release" workflow — kagenti-operator at 77% with 2 release failures; blocks next operator image publish	kagenti-operator	@huang195 / infra team	P1

Cross-Repo Highlights

• @rubambiza contributed to agent-examples, agent-skills, automation, kagenti — 10 PRs merged

• @huang195 contributed to kagenti, kagenti-extensions, kagenti-operator — 16 PRs merged

• @akram contributed to kagenti-extensions, kagenti-operator — 2 PRs merged

• @app/dependabot contributed to agent-examples, plugins-adapter — 9 PRs merged

• CI concern: kagenti at 47% pass rate — failing: CI

• CI concern: .github at 40% pass rate — failing: Check links in site

• CI concern: adk-starter at 0% pass rate — failing: Weekly Docker Build and Test

• Security concern: unreviewed security-related PRs:

  • kagenti/kagenti#1657 — chore(deps): Bump the major group across 1 directory with 2 updates
  • kagenti/kagenti#1652 — fix(release): automate image tag pinning across both charts
  • kagenti/kagenti#1651 — fix(ci): protect referenced child manifests from cleanup deletion

• Dependabot wave: 110 dependabot PRs awaiting review across org. Consider batching.

• kagenti saw massive activity (27 merged PRs)

---

kagenti

Merged PRs (27)

Top contributors: @pdettori (14), @huang195 (3), @rubambiza (3), @RyanJenkins99 (3), @mrsabath (1)

#	Title	Author	Merged
#1659	fix(ocp): MLflow RHOAI integration and OpenShift registry...	@pdettori	2026-05-23
#1658	fix(chart): add sandboxes/finalizers RBAC for operator on...	@pdettori	2026-05-23
#1656	chore(release): bump image pins to v0.6.0-alpha.4 / 0.3.0...	@huang195	2026-05-23
#1655	fix(ocp): skip remote tag detection when --kagenti-repo i...	@pdettori	2026-05-23
#1653	feat: align kagenti with kagenti-extensions go-spiffe SDK...	@huang195	2026-05-23
#1649	docs: fix OpenShift section in sandbox guide and add trou...	@pdettori	2026-05-22
#1646	fix(openshell): use correct CLI subcommand to remove gate...	@pdettori	2026-05-22
#1644	fix(ocp): MLflow integration gaps on RHOAI	@pdettori	2026-05-22
#1643	docs: Fix broken AuthBridge Binary README links	@rubambiza	2026-05-22
#1641	feat(ui): gate Skills UI behind feature flag	@pdettori	2026-05-22
#1640	docs(ocp): rewrite installation guide for clarity	@pdettori	2026-05-22
#1635	fix: Update HyperShift PR workflow to use 4.20.11	@RyanJenkins99	2026-05-21
#1633	fix(ui): add OpenShift Internal Registry option to Import...	@pdettori	2026-05-22
#1631	fix(ocp): enable Build from Source with OpenShift interna...	@pdettori	2026-05-22
#1629	fix(ocp): add --reset-values to helm upgrade to prevent s...	@pdettori	2026-05-21
...	+12 more

Open PRs (43)

Ready to Merge (4)

#	Title	Author	Notes
#1652	fix(release): automate image tag pinning across bo...	@pdettori	SECURITY
#1639	fix(ocp): use local chart tag when --kagenti-repo ...	@pdettori
#1619	fix(ui): render Pydantic validation errors as read...	@jeremyeder
#1440	feat: Add skill linking support for agents	@eranra	stale (21d)

Changes Requested (5)

#	Title	Author	Days	Notes
#1651	fix(ci): protect referenced child manifests from c...	@pdettori	2	SECURITY
#1498	feat(acp): backend deployment, ACP WebSocket, T5/T...	@Ladas	17	stale (17d)
#1438	docs: Add Skills documentation and update architec...	@eranra	21	stale (21d)
#1172	fix: use DNS_PING for Keycloak JGroups cluster dis...	@Ladas	46	stale (46d)
#1078	feat: Add automated zombie cleanup workflow for CI...	@RyanJenkins99	65	stale (65d)

Needs Review (15)

#	Title	Author	Days	Notes
#1661	fix(backend): skip Service creation for Sandbox ag...	@pdettori	0
#1660	fix(backend): use agent card url for A2A JSON-RPC ...	@jordigilh	0
#1657	chore(deps): Bump the major group across 1 directo...	@app/dependabot	1	SECURITY
#1642	docs: restructure sandbox guide with unified steps	@pdettori	3
#1630	fix docs: correct feature flag endpoint path in CL...	@YuuGR1337	3
#1596	fix(test): retry agent conversation on LLM connect...	@Ladas	7
#1595	chore(deps): Bump the minor-and-patch group across...	@app/dependabot	8
#1594	chore(deps): Bump nginx from 1.29-alpine to 1.31.1...	@app/dependabot	8
...	+7 more

Draft PRs (19)

19 drafts from @Ladas, @Alan-Cha, @usize, @kevincogan, @pdettori, @akram, @mrsabath, @esnible

CI Health

• 14/30 (47%) passed
• Failing: "CI" — 1 failure(s)

New Issues (12)

#	Title	Created
#1650	🐛 Latest OpenShell CLI does not work with Kagenti	2026-05-22
#1647	🐛 Openshell sandboxes can't access internal cluster s...	2026-05-22
#1636	epic: Secure mTLS Communication Between Agents via AuthBr...	2026-05-21
#1634	fix(ocp): sandbox UI option not shown when agent-sandbox ...	2026-05-21
#1617	UI: API validation errors render as [object Object] inste...	2026-05-20
#1616	🐛 Broken link in docs/research/openshell-mvp.md: http...	2026-05-20
#1614	🐛 Broken link in docs/authbridge/deployment-guide.md:...	2026-05-20
#1611	🐛 AgentCard sync fails — operator cannot reach /.wel...	2026-05-19
#1610	🐛 Openshell reports "unrecognized subcommand 'set'"	2026-05-18
#1608	Weekly Report 2026-05-18	2026-05-18
#1606	bug: OTel Collector span filters cause orphaned spans in ...	2026-05-18
#1605	bug: MLflow AI Gateway and evaluation jobs non-functional...	2026-05-18

kagenti-extensions

Merged PRs (10)

Top contributors: @huang195 (9), @akram (1)

#	Title	Author	Merged
#433	docs: Simplify ibac demo — drop redundant authbridge rebu...	@huang195	2026-05-23
#432	feat(authbridge): replace spiffe-helper with in-process g...	@huang195	2026-05-23
#430	✨ feat(forwardproxy): support HTTPS CONNECT as raw TCP pa...	@huang195	2026-05-22
#429	🌱 refactor(authlib): drop unused actor-token-chaining plu...	@huang195	2026-05-22
#424	feat(authbridge): mTLS between proxy-sidecar listeners vi...	@huang195	2026-05-20
#423	feat(abctl): Events-table PHASE rendering — hide skips, t...	@huang195	2026-05-20
#422	refactor(authlib): Extract LLM-judge boilerplate into aut...	@huang195	2026-05-20
#421	feat(authbridge): Add ibac plugin + end-to-end demo	@huang195	2026-05-19
#404	fix(plugins): Drop mutex between token-exchange and token...	@huang195	2026-05-21
#356	feat: Support AllowedAudiences for inbound JWT validation	@akram	2026-05-18

Open PRs (13)

Needs Review (8)

#	Title	Author	Days	Notes
#427	Adding an opa plugin	@davidhadas	4	SECURITY
#419	chore(deps): Bump github/codeql-action from 4.35.3...	@app/dependabot	9
#418	chore(deps): Bump google.golang.org/grpc from 1.80...	@app/dependabot	9
#417	chore(deps): Bump google.golang.org/grpc from 1.80...	@app/dependabot	9
#416	chore(deps): Bump github.com/fsnotify/fsnotify fro...	@app/dependabot	9	SECURITY
#415	chore(deps): Bump github.com/charmbracelet/x/ansi ...	@app/dependabot	9
#410	Feat: Role-based scope gating for github-issue demo	@omerboehm	10	SECURITY
#402	build(deps): Bump actions/dependency-review-action...	@app/dependabot	12

Draft PRs (5)

• #382 — feat: Add CI/CD and documentation polish (Phase 4)
• #381 — feat: Add webhook integration guide (Phase 3)
• #380 — feat: Add vault-fetcher CLI tool (Phase 2)
• #379 — feat: Add Vault integration library to authlib
• #272 — feat(webhook): Add waypoint authentication mode as default

CI Health

• 15/30 (50%) passed
• Failing: "Security Scans" — 2 failure(s)

New Issues (2)

#	Title	Created
#431	feature: language-runtime HTTPS interception via Node/Pyt...	2026-05-22
#426	feature: AuthBridge OPA Plugin	2026-05-21

agent-examples

Merged PRs (10)

Top contributors: @app/dependabot (8), @esnible (1), @rubambiza (1)

#	Title	Author	Merged
#439	chore(deps): Bump cryptography from 46.0.7 to 48.0.0 acro...	@esnible	2026-05-20
#435	chore(deps): Bump boto3 from 1.40.69 to 1.43.8 in /mcp/cl...	@app/dependabot	2026-05-18
#429	chore(deps): Bump google-cloud-storage from 3.5.0 to 3.10...	@app/dependabot	2026-05-18
#428	chore(deps): Bump openinference-instrumentation-langchain...	@app/dependabot	2026-05-18
#425	chore(deps): Bump azure-storage-blob from 12.27.1 to 12.2...	@app/dependabot	2026-05-18
#424	chore(deps): Bump litellm from 1.83.14 to 1.84.0 in /a2a/...	@app/dependabot	2026-05-18
#420	chore(deps): Bump langchain-mcp-adapters from 0.1.12 to 0...	@app/dependabot	2026-05-18
#417	chore(deps): Update ag2[mcp,openai,tracing] requirement f...	@app/dependabot	2026-05-18
#401	chore(deps): Update ag2[mcp,openai] requirement from >=0....	@app/dependabot	2026-05-20
#277	CI: Add PR title verifier workflow	@rubambiza	2026-05-19

Open PRs (90)

Needs Review (86)

#	Title	Author	Days	Notes
#485	chore(deps): Bump langchain-openai from 1.1.12 to ...	@app/dependabot	2
#484	chore(deps): Bump langgraph from 1.0.2 to 1.2.1 in...	@app/dependabot	2
#483	chore(deps): Bump protobuf from 6.33.6 to 7.35.0 i...	@app/dependabot	2
#482	chore(deps): Bump opentelemetry-exporter-otlp from...	@app/dependabot	2
#481	chore(deps): Bump python-multipart from 0.0.28 to ...	@app/dependabot	2
#480	chore(deps): Bump python-multipart from 0.0.28 to ...	@app/dependabot	2
#479	chore(deps): Bump opentelemetry-api from 1.41.0 to...	@app/dependabot	2
#478	chore(deps): Bump lxml from 6.1.0 to 6.1.1 in /a2a...	@app/dependabot	2	SECURITY
...	+78 more

Draft PRs (4)

• #184 — feat: add sandbox agent packaging — Dockerfile, pyproject, config
• #183 — test: add sandbox agent test suite
• #182 — feat: add sandbox agent core — reasoning, execution, graph
• #126 — feat: add sandbox_agent with per-context workspace isolation

CI Health

• 24/30 (80%) passed

kagenti-operator

Merged PRs (9)

Top contributors: @huang195 (4), @akram (1), @rh-dnagornuks (1), @Alan-Cha (1), @varshaprasad96 (1)

#	Title	Author	Merged
#374	ci(release): parallelize image builds + add buildx cache ...	@huang195	2026-05-23
#373	chore(injector): remove unused JWTAudience field	@huang195	2026-05-23
#370	Wire AllowedAudiences from AgentRuntime CRD to AuthProxy ...	@akram	2026-05-21
#369	feat(authbridge): Wire mtlsMode through to per-agent config	@huang195	2026-05-21
#367	fix(injector): Mount spire-agent-socket into authbridge c...	@huang195	2026-05-21
#366	feat(controller): scope MLflow RBAC to per-agent namespac...	@rh-dnagornuks	2026-05-21
#365	refactor: consolidate redundant spireEnabled checks	@Alan-Cha	2026-05-20
#353	docs: update README and docs for dev preview readiness	@varshaprasad96	2026-05-20
#284	✨ feat: Add mTLS runtime identity verification for AgentC...	@kevincogan	2026-05-20

Open PRs (14)

Changes Requested (1)

#	Title	Author	Days	Notes
#372	Consolidate AgentCard Data Into AgentRuntime Statu...	@rhuss	3

Needs Review (8)

#	Title	Author	Days	Notes
#375	chore(deps): Bump github/codeql-action from 4.35.3...	@app/dependabot	0
#355	Feat: Implementing Sigstore-A2A verification for A...	@DeanKelly751	12	SECURITY
#354	chore(deps): Bump github.com/fsnotify/fsnotify fro...	@app/dependabot	12	SECURITY
#347	chore(deps): Bump actions/dependency-review-action...	@app/dependabot	14
#313	chore(deps): Bump k8s.io/apiextensions-apiserver f...	@app/dependabot	27	stale (27d)
#312	chore(deps): Bump k8s.io/client-go from 0.35.4 to ...	@app/dependabot	27	stale (27d)
#311	chore(deps): Bump k8s.io/apimachinery from 0.35.4 ...	@app/dependabot	27	stale (27d)
#309	chore(deps): Bump k8s.io/api from 0.35.4 to 0.36.0...	@app/dependabot	27	stale (27d)

Draft PRs (5)

• #349 — feat: SPIFFE-based Dynamic Client Registration (DCR)
• #334 — docs: update SPIRE signing demo for Kind and OpenShift
• #332 — WIP: Add OCI skill image mounting to AgentRuntime
• #283 — Docs: add RFC for Sigstore integration for AgentCard supply chain verification
• #259 — feat: Add waypoint mode with automatic gateway provisioning

CI Health

• 23/30 (77%) passed
• Failing: "release" — 2 failure(s)

New Issues (1)

#	Title	Created
#371	Consolidate AgentCard into AgentRuntime status	2026-05-21

automation

Merged PRs (3)

Top contributors: @rubambiza (3)

#	Title	Author	Merged
#3	fix: Rewrite issue_has_open_pr with three-layer detection	@rubambiza	2026-05-22
#2	fix: Propagate status normalization and path-prefix scori...	@rubambiza	2026-05-22
#1	fix: Add security hardening and BSD-compatible parsing	@rubambiza	2026-05-22

Open PRs (1)

Needs Review (1)

#	Title	Author	Days	Notes
#4	feat: Add dependency bump scanner (Story 3, epic #...	@rubambiza	2

agent-skills

Merged PRs (3)

Top contributors: @rubambiza (3)

#	Title	Author	Merged
#6	fix: Rewrite issue_has_open_pr with three-layer detection	@rubambiza	2026-05-22
#5	fix: Add path-prefix scoring to resolve ambiguous candida...	@rubambiza	2026-05-22
#4	fix: Normalize scanner HTTP status to enum tokens, suppre...	@rubambiza	2026-05-22

Open PRs (1)

Needs Review (1)

#	Title	Author	Days	Notes
#7	feat: Add dependency bump scanner skill	@rubambiza	2

workload-harness

Merged PRs (1)

Top contributors: @yoavkatz (1)

#	Title	Author	Merged
#17	feat: add Prometheus metrics, MLflow tracing, and MCP Gat...	@yoavkatz	2026-05-21

Open PRs (1)

Needs Review (1)

#	Title	Author	Days	Notes
#18	feat: IBAC integration via authbridge plugin pipeline	@kellyaa	2

CI Health

• 25/30 (83%) passed
• Failing: "Close Stale Issues and PRs" — 1 failure(s)

plugins-adapter

Merged PRs (1)

Top contributors: @app/dependabot (1)

#	Title	Author	Merged
#132	chore(deps-dev): bump requests from 2.33.1 to 2.34.2	@app/dependabot	2026-05-18

Open PRs (4)

Needs Review (3)

#	Title	Author	Days	Notes
#133	chore(deps-dev): bump betterproto2-compiler from 0...	@app/dependabot	6
#131	chore(deps): bump github/codeql-action from 4.35.4...	@app/dependabot	6
#127	chore(deps): bump betterproto2 from 0.9.1 to 0.10.0	@app/dependabot	13

Draft PRs (1)

• #81 — feat: prompt pre fetch plugin call

CI Health

• 20/30 (67%) passed
• Failing: "CI" — 2 failure(s)
• Failing: "docker in /. - Update #1371886980" — 1 failure(s)

agentic-control-plane

Open PRs (6)

Needs Review (6)

#	Title	Author	Days	Notes
#39	build(deps): Bump the minor-and-patch group across...	@app/dependabot	2
#38	build(deps): Update kubernetes requirement from >=...	@app/dependabot	2
#37	build(deps): Update uvicorn requirement from >=0.2...	@app/dependabot	9
#36	build(deps): Update fastmcp requirement from >=0.2...	@app/dependabot	9	SECURITY
#34	CI: Add PR title verifier workflow	@rubambiza	26	stale (26d)
#22	feat: bootstrap orchestrate skills for self-suffic...	@pdettori	72	stale (72d)

CI Health

• 30/30 (100%) passed

adk

Open PRs (10)

Needs Review (9)

#	Title	Author	Days	Notes
#249	chore(deps): bump the github-actions group across ...	@app/dependabot	2
#246	docs: Remove broken discussions link from adk-py R...	@clawgenti	6
#243	test: Resolve MemoryHub E2E URL from discovery end...	@rdwj	12	SECURITY
#238	chore(deps): bump the uv-security group across 3 d...	@app/dependabot	13	SECURITY
#236	docs: Fix broken internal links (agent-integration...	@clawgenti	24	stale (24d)
#232	CI: Add PR title verifier workflow	@rubambiza	26	stale (26d)
#228	chore(deps): bump the uv group across 28 directori...	@app/dependabot	32	SECURITY, stale (32d)
#226	chore(deps): bump uuid from 13.0.0 to 14.0.0 in /a...	@app/dependabot	32	stale (32d)
...	+1 more

Draft PRs (1)

• #73 — [DRAFT] feat(adk-ts): update A2A protocol schemas and types to v1 spec

CI Health

• 22/30 (73%) passed
• Failing: "npm_and_yarn in /. for @babel/plugin-transform-modules-systemjs, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, basic-ftp, basic-ftp, basic-ftp, basic-ftp, brace-expansion, brace-expansion, brace-expansion, brace-expansion, dompurify, dompurify, dompurify, dompurify, fast-uri, fast-uri, flatted, flatted, follow-redirects, ip-address, lodash, lodash, lodash-es, lodash-es, mermaid, mermaid, mermaid, mermaid, next, next, next, next, next, next, next,..." — 2 failure(s)

New Issues (2)

#	Title	Created
#248	🐛 Broken link in skills/kagenti-adk-wrapper/reference...	2026-05-20
#247	🐛 Broken link in skills/kagenti-adk-wrapper/reference...	2026-05-20

ecosystem-guide

Open PRs (2)

Needs Review (2)

#	Title	Author	Days	Notes
#7	build(deps): bump the minor-and-patch group across...	@app/dependabot	19	stale (19d)
#6	CI: Add PR title verifier workflow	@rubambiza	26	stale (26d)

CI Health

• 30/30 (100%) passed

capture-the-flag

Open PRs (1)

Needs Review (1)

#	Title	Author	Days	Notes
#3	CI: Add PR title verifier workflow	@rubambiza	26	stale (26d)

CI Health

• 4/7 (57%) passed
• Failing: "PR Verifier" — 2 failure(s)

[clawgenti]

Superseded by this week's report.