Skip to content

Weekly Report 2026-07-06 #2148

Description

@rubambiza

Org Weekly Report: 2026-06-29 -- 2026-07-06

Generated for kagenti

⚙️ Dry-run — generated 2026-07-06 via the github-weekly-report skill (agent-skills #21) to validate a scheduled weekly job. Active-epics section produced in sub-issue fallback mode (--skip-projects). Please sanity-check the output.

Org-Wide Summary

Repo Merged PRs Open PRs Open Issues New Issues CI Pass Rate Status
serverless-harness 32 0 11 11 30/30 (100%) active
kagenti 20 19 254 21 28/30 (93%) active
kagenti-extensions 8 13 41 1 25/30 (83%) active
plugins-adapter 4 3 2 0 23/30 (77%) active
agent-examples 3 26 9 5 20/30 (67%) active
agent-skills 2 1 2 2 17/18 (94%) active
automation 2 0 0 0 18/20 (90%) active
ecosystem-guide 1 1 0 0 25/30 (83%) active
adk 0 7 9 0 19/30 (63%) active
kagenti-operator 0 5 21 0 25/30 (83%) quiet
OpenShell 0 2 0 0 15/30 (50%) quiet
agentic-control-plane 0 5 3 0 30/30 (100%) quiet
.github 0 0 1 0 17/30 (57%) quiet
workload-harness 0 2 3 1 12/30 (40%) quiet
pi 0 0 0 0 0/20 (0%) quiet
capture-the-flag 0 1 0 0 5/8 (62%) quiet
openshell-driver-openshift 0 0 0 0 29/30 (97%) quiet
openshell-credentials-keycloak 0 0 0 0 2/2 (100%) quiet
adk-starter 0 0 0 0 0/14 (0%) quiet
TOTAL 72 85 356 41

Cross-Repo Highlights

Where the work concentrated. 72 PRs merged org-wide, but the distribution is lopsided: serverless-harness alone accounts for 32. @pdettori drove 28 of those — a sustained push on the FS-free harness and shared durable sandbox pool: inline /runs + Redis leaf-results (#50), an N:M lease-based sandbox pool (#53), pulling the OCP sandbox image from GHCR (#52), and OpenShift deployment of the two-tier architecture. This is the most active corner of the org by a wide margin.

Multi-repo contributors.

  • @rubambiza — 6 PRs across agent-skills, automation, ecosystem-guide, kagenti, almost all CI/tooling: rolling out the PR-title-verifier workflow and PR-review-impact metrics to the health dashboard, plus an openshell doc fix.
  • @esnible — 4 PRs across agent-examples, kagenti, kagenti-extensions: a2a-sdk dependency upgrade, an AuthBridge decision-sequence diagram, extra container build flags, and hardening how the operator handles failed/progressing agent builds.
  • @app/dependabot — 18 merged across 5 repos; still the single largest source of PR volume.

Org-wide CI: ~72% pass rate (340/472 runs). Three repos are green at 100% — serverless-harness, agentic-control-plane, openshell-credentials-keycloak. The average is dragged down by two repos stuck at 0%: pi (npm audit) and adk-starter (Weekly Docker Build and Test). Also weak: workload-harness 40%, OpenShell 50% (Kagenti CI, 7 failures), .github 57%, adk 63% (npm_and_yarn + CI).

Security review debt. Multiple SECURITY-flagged PRs have sat unreviewed well past a week — worst in adk: #228 (74d), #238 (56d), #243 (55d), #255 (34d). Also aging: kagenti-operator #449 (17d), OpenShell #15 (24d), kagenti-extensions #497 (24d), agentic-control-plane #46/#44 (30d). kagenti #1856 (Keycloak chart removal) has been in CHANGES_REQUESTED for 28 days.

Dependabot backlog. ~49 dependabot PRs open across the org — heaviest in agent-examples (~17), kagenti-extensions (6), adk (5), agentic-control-plane (4). Batchable, and inflating "needs review" counts everywhere.

Themes this week.

Active Epics

Sub-issue-based detection (fallback mode — no read:project scope); ranked by most-recent sub-issue closure. Note: #1789 (OPA) now surfaces correctly — it was the epic missing from last week's report (agent-skills #18).

Epic Lead Focus This Week
kagenti#1997 Rename to Rosso & public touchpoints @Ibrahim2595 Rebrand / public presence 1 sub-issue closed (Jul 1), 7 open
kagenti#2106 Centralized Policy Decision for Pipelines Policy / authz 1 closed (Jul 1), 1 open
kagenti#1469 Documentation & Usability Docs 1 closed (Jul 1), 10 open
kagenti#1789 OPA Fine-Grained Authorization @davidhadas Identity / authz 1 closed (Jun 29), 4 open
kagenti#1468 Agent Platform Auth UX @esnible Identity / UX PR #2127 merged, 1 open
kagenti#2087 AIAC Quality Framework @omerboehm Guardrails / eval 4 open
kagenti#2074 Skill-bound agent identity (DRAFT) Identity 6 open
kagenti#1826 Data Security & Governance @ariel-farkash Security 4 open
kagenti#1460 Auth for Event-Driven Agents @aslom Identity 8 open
kagenti#1435 Human-In-the-Loop Auth @davidhadas Identity 3 open

Action Items

# Action Repo Owner Priority
1 Clear 0% CI: npm audit failing on main pi P0
2 Clear 0% CI: Weekly Docker Build and Test adk-starter P0
3 Review/close SECURITY dep PRs stale 55–74d (#228, #238, #243) adk @app/dependabot P0
4 Resolve SECURITY PR #1856 (Keycloak chart), CHANGES_REQUESTED 28d kagenti @ChristianZaccaria P1
5 Review SPIFFE JWT-SVID auth PRs #2141 / operator #473 kagenti / kagenti-operator @Alan-Cha P1
6 Review SECURITY token-broker PR #449 (stale 17d) kagenti-operator @davidhadas P1
7 Batch-review the ~49 open dependabot PRs (start with agent-examples ~17) org-wide P2
8 Fix CI (40% pass) workload-harness P2
9 Fix Kagenti CI (7 failures, 50%) OpenShell @Ladas P2
10 Review stale SECURITY dep PRs #46/#44 (30d) agentic-control-plane @app/dependabot P2
11 Unblock CHANGES_REQUESTED AuthBridge OTel PR #497 (24d) kagenti-extensions @husky-parul P2
12 Merge the weekly-report epic fix (source of this report) agent-skills #21 @rubambiza P2
13 Close out 69-day "PR title verifier" PRs adk #232, agentic-control-plane #34, capture-the-flag #3 @rubambiza P3

serverless-harness

Merged PRs (32)

Top contributors: @pdettori (28), @app/dependabot (4)

# Title Author Merged
#68 fix: Converge fetches per-leaf repoUrl and self-heals (#67) @pdettori 2026-07-06
#65 docs: E6 authoritative OCP result (closes #64) @pdettori 2026-07-04
#63 P3.1: E6 workload-parameterized sandbox-load (#62) @pdettori 2026-07-04
#61 Docs: Record authoritative P3 E6/E7 results on OCP 4.20.8 @pdettori 2026-07-04
#60 Fix: Add git to the pre-baked OCP sandbox image for the c... @pdettori 2026-07-04
#58 P3: Sandbox sharing-ratio experiments — E6/E7 on runc + g... @pdettori 2026-07-03
#53 Feat: P2 shared sandbox pool with N:M lease-based routing @pdettori 2026-07-03
#52 Pull OCP sandbox image from GHCR instead of in-cluster build @pdettori 2026-07-03
#51 Deploy the FS-free harness on OpenShift with a durable sa... @pdettori 2026-07-03
#50 P1: FS-free harness — inline /runs + Redis leaf-result + ... @pdettori 2026-07-02
#44 Docs: Add model selection guide to Kind and OCP READMEs @pdettori 2026-07-01
#43 feat(deploy): add OpenShift setup script (setup-ocp.sh) @pdettori 2026-07-01
#42 fix(docker): link work-queue workspace deps in harness image @pdettori 2026-07-01
#40 Fix: leaf smokes seed world-writable /work dirs for the n... @pdettori 2026-07-01
#38 feat(knative-server): rename /run-leaf execution route to... @pdettori 2026-07-01
... +17 more

CI Health

  • 30/30 (100%) passed

New Issues (11)

# Title Created
#66 Harden the harness: confine egress to the model + the san... 2026-07-04
#62 E6 knee detector is noise-sensitive: use multi-sample run... 2026-07-04
#59 converge.ts not self-healing against a partial/non-git /w... 2026-07-03
#57 P4: Kata/VM isolation + intra-pod hardening (infra-gated) 2026-07-03
#56 Add unit test for selectPoolSandbox empty-pod-list branch 2026-07-03
#55 Sync-path saturation: bounded wait + 503 Retry-After per ... 2026-07-03
#54 Point setup-kind.sh at the sandbox pool manifest 2026-07-03
#49 Epic: Two-tier FS-free harness + shared durable sandbox pool 2026-07-02
#48 P3: Sandbox sharing-ratio experiments (CAP/N tuning) 2026-07-02
#47 P0′: OpenShift deployment of the two-tier architecture 2026-07-02
#46 P2: Shared sandbox pool + harness→sandbox routing 2026-07-02

kagenti

Merged PRs (20)

Top contributors: @moonlight16 (3), @app/dependabot (2), @esnible (2), @cwiklik (2), @clawgenti (2)

# Title Author Merged
#2137 Feat: 💬 chat falls back to message/send for non-streaming... @moonlight16 2026-07-02
#2136 chore(deps): Bump the minor-and-patch group across 1 dire... @app/dependabot 2026-07-02
#2128 feat(backend): auto-inject MCP_URL and LLM env on agent i... @amit-chaubey 2026-07-01
#2127 Fix: Allow user to supply additional container build flag... @esnible 2026-07-02
#2126 Fix: reuse platform Keycloak for token-exchange E2E on Kind @cwiklik 2026-07-01
#2122 fix(v0.6.1, ocp): make weather-agent CLI deploy work on O... @webchang 2026-07-01
#2121 Docs: Access Control Documentation @davidhadas 2026-07-01
#2114 Feat: 🖥️ Add options for persistent storage to Kagenti CLI @moonlight16 2026-07-01
#2112 Chore: bump operator chart to 0.3.0-alpha.6 and authbridg... @cwiklik 2026-06-30
#2111 Fix: Don't forget about failed and progressing Agent builds @esnible 2026-07-01
#2109 fix: Correct dtach repo URL in openshell doc @rubambiza 2026-06-29
#2107 docs: Link health dashboard (auto-updated) @clawgenti 2026-07-01
#2099 docs: Automation health dashboard (auto-updated) @clawgenti 2026-07-01
#2096 chore(deps): Bump the minor-and-patch group across 1 dire... @app/dependabot 2026-07-02
#2005 docs: correct feature flag endpoint path in CLAUDE.md @YuuGR1337 2026-07-01
... +5 more

Open PRs (19)

Changes Requested (1)

# Title Author Days Notes
#1856 Refactor: remove Keycloak operand/realm from chart... @ChristianZaccaria 28 SECURITY, stale (28d)

Needs Review (6)

# Title Author Days Notes
#2144 chore(deps): Bump DavidAnson/markdownlint-cli2-act... @app/dependabot 1
#2143 chore(deps): Bump the minor-and-patch group with 7... @app/dependabot 1 SECURITY
#2142 chore(deps): Bump the minor-and-patch group in /ka... @app/dependabot 1
#2141 feat(operator): add SPIFFE authentication bootstra... @Alan-Cha 3 SECURITY
#2140 docs: Automation health dashboard (auto-updated) @clawgenti 3
#2139 Docs: Describing how to get OPA to work pre-relase... @davidhadas 4

Draft PRs (12)

12 drafts from @mrsabath, @pdettori, @Ladas, @Alan-Cha, @yoavkatz, @aslom

CI Health

  • 28/30 (93%) passed

New Issues (21)

# Title Created
#2147 feature: implement event bridge and event mesh for poc demo 2026-07-06
#2146 feature: measure serverless harness performance against o... 2026-07-06
#2145 feature: compelling local use case for RossoCortex 2026-07-06
#2138 Doc: Document the OPA feature 2026-07-02
#2132 feature: update observability UI and deployment scripts f... 2026-07-01
#2131 feature: update observability UI and deployment scripts f... 2026-07-01
#2130 feature: Add token-exchange step before sending a token f... 2026-07-01
#2129 token-exchange E2E: tx-e2e-agent pod not Ready at test ti... 2026-06-30
#2124 feature: Validate required agent env at startup — no sile... 2026-06-30
#2123 feature: UI import should auto-inject MCP_URL from select... 2026-06-30
#2119 [openshell] gateway OIDC discovery fails on HyperShift — ... 2026-06-30
#2118 Design the rossoctl landing page 2026-06-30
#2117 Propose docs IA and content strategy for the v0.7 release 2026-06-30
#2116 Draft positioning.md for the landing page and README 2026-06-30
#2115 Set up the website folder structure in the rossoctl repo ... 2026-06-30
#2113 connect rossoctl.dev domain CNAME to the website 2026-06-29
#2110 🐛 MountVolume.SetUp failed for volume "spire-agent-so... 2026-06-29
#2108 Upgrade agent-sandbox v0.4.6 → v0.5.0 (v1beta1) — track b... 2026-06-29
#2106 epic: Centralized Policy Decision for Agent Platform Pipe... 2026-06-29
#2105 feature: Authbridge HTTP to HTTPs support 2026-06-29
#2104 Weekly Report 2026-06-29 2026-06-29

kagenti-extensions

Merged PRs (8)

Top contributors: @app/dependabot (6), @esnible (1), @evaline-ju (1)

# Title Author Merged
#629 Docs: Diagram of AuthBridge plugin decision sequence @esnible 2026-07-01
#627 chore: 🔧 Update PR review workflow for title case ... @evaline-ju 2026-06-30
#536 build(deps): Bump rojopolis/spellcheck-github-actions fro... @app/dependabot 2026-06-30
#535 build(deps): Bump actions/checkout from 6.0.3 to 7.0.0 @app/dependabot 2026-06-30
#517 build(deps): Bump library/alpine from 3.23 to 3.24 in /au... @app/dependabot 2026-07-02
#487 build(deps): Bump github/codeql-action from 4.36.1 to 4.36.2 @app/dependabot 2026-06-30
#474 build(deps): Bump docker/setup-qemu-action from 4.0.0 to ... @app/dependabot 2026-06-30
#472 build(deps): Bump docker/metadata-action from 6.0.0 to 6.1.0 @app/dependabot 2026-06-30

Open PRs (13)

Changes Requested (1)

# Title Author Days Notes
#497 Feat: Add OTel trace context propagation to AuthBr... @husky-parul 24 SECURITY, stale (24d)

Needs Review (6)

# Title Author Days Notes
#628 build(deps): Bump github.com/open-policy-agent/opa... @app/dependabot 6 SECURITY
#541 build(deps): Bump github.com/spiffe/go-spiffe/v2 f... @app/dependabot 13
#540 build(deps): Update python-dotenv requirement from... @app/dependabot 13
#539 build(deps): Bump langgraph from 1.2.5 to 1.2.7 @app/dependabot 13
#538 build(deps): Bump langchain-openai from 1.3.2 to 1... @app/dependabot 13
#537 build(deps): Bump langchain-core from 1.4.7 to 1.4.8 @app/dependabot 13 SECURITY

Draft PRs (6)

6 drafts from @Alan-Cha, @araujof, @huang195

CI Health

  • 25/30 (83%) passed

New Issues (1)

# Title Created
#630 [dep-bump] Stale routine bump: library/alpine in kagenti-... 2026-07-02

plugins-adapter

Merged PRs (4)

Top contributors: @app/dependabot (4)

# Title Author Merged
#153 chore(deps): bump docker/metadata-action from 6.1.0 to 6.2.0 @app/dependabot 2026-07-06
#151 chore(deps): bump astral-sh/setup-uv from 8.2.0 to 8.3.0 @app/dependabot 2026-07-06
#150 chore(deps): bump actions/setup-python from 6.2.0 to 6.3.0 @app/dependabot 2026-06-29
#149 chore(deps): bump actions/cache from 5.0.5 to 6.1.0 @app/dependabot 2026-06-29

Open PRs (3)

Needs Review (3)

# Title Author Days Notes
#155 chore(deps): bump github/codeql-action/init from 4... @app/dependabot 0
#154 chore(deps): bump docker/setup-buildx-action from ... @app/dependabot 0
#152 chore(deps): bump github/codeql-action/analyze fro... @app/dependabot 0

CI Health

  • 23/30 (77%) passed
  • Failing: "Security Scans" — 2 failure(s)

agent-examples

Merged PRs (3)

Top contributors: @app/dependabot (2), @esnible (1)

# Title Author Merged
#649 chore: Upgrade a2a-sdk dependencies @esnible 2026-07-01
#630 chore(deps): Bump pytest from 9.1.0 to 9.1.1 in /mcp/rese... @app/dependabot 2026-06-29
#627 chore(deps): Bump actions/setup-python from 6.2.0 to 6.3.... @app/dependabot 2026-06-29

Open PRs (26)

Needs Review (25)

# Title Author Days Notes
#661 fix mcp never failing till timeout bug @davidhadas 1
#659 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3 SECURITY
#658 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3
#657 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3 SECURITY
#656 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3 SECURITY
#655 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3 SECURITY
#654 chore(deps): Bump the minor-and-patch group across... @app/dependabot 3 SECURITY
#653 chore(deps): Bump the minor-and-patch group with 8... @app/dependabot 3
... +17 more

Draft PRs (1)

  • #126 — feat: add sandbox_agent with per-context workspace isolation

CI Health

  • 20/30 (67%) passed
  • Failing: "CI" — 1 failure(s)

New Issues (5)

# Title Created
#660 🐛 git issue always wait for timeout to drop an mcp call 2026-07-05
#648 [dep-bump] Stale high bump: minor-and-patch group in agen... 2026-06-30
#647 [dep-bump] Stale high bump: minor-and-patch group in agen... 2026-06-30
#646 [dep-bump] Stale major bump: protobuf in agent-examples 2026-06-30
#645 [dep-bump] Stale major bump: protobuf in agent-examples 2026-06-30

agent-skills

Merged PRs (2)

Top contributors: @rubambiza (2)

# Title Author Merged
#20 ci: Update pr-verifier reusable workflow reference @rubambiza 2026-06-30
#17 feat: Add PR review metrics to health dashboard @rubambiza 2026-07-06

Open PRs (1)

Needs Review (1)

# Title Author Days Notes
#21 fix: Detect active epics via sub-issue activity @rubambiza 3 SECURITY

CI Health

  • 17/18 (94%) passed
  • Failing: "PR Verifier" — 1 failure(s)

New Issues (2)

# Title Created
#22 Normalize db_repos to use short names in coverage dashb... 2026-07-02
#18 🐛 Missing Active Epics from Weekly Report 2026-06-30

automation

Merged PRs (2)

Top contributors: @rubambiza (2)

# Title Author Merged
#22 ci: Update pr-verifier reusable workflow reference @rubambiza 2026-06-30
#20 Feat: Add PR review impact metrics producer @rubambiza 2026-06-29

CI Health

  • 18/20 (90%) passed
  • Failing: "PR Verifier" — 2 failure(s)

ecosystem-guide

Merged PRs (1)

Top contributors: @rubambiza (1)

# Title Author Merged
#6 CI: Add PR title verifier workflow @rubambiza 2026-06-30

Open PRs (1)

Needs Review (1)

# Title Author Days Notes
#12 build(deps): bump the minor-and-patch group across... @app/dependabot 5

CI Health

  • 25/30 (83%) passed

adk

Open PRs (7)

Needs Review (7)

# Title Author Days Notes
#261 chore(deps): bump the github-actions group across ... @app/dependabot 3 SECURITY
#255 chore(deps-dev): bump vitest from 4.0.18 to 4.1.0 ... @app/dependabot 34 SECURITY, stale (34d)
#243 test: Resolve MemoryHub E2E URL from discovery end... @rdwj 55 SECURITY, stale (55d)
#238 chore(deps): bump the uv-security group across 3 d... @app/dependabot 56 SECURITY, stale (56d)
#232 CI: Add PR title verifier workflow @rubambiza 69 stale (69d)
#228 chore(deps): bump the uv group across 28 directori... @app/dependabot 74 SECURITY, stale (74d)
#226 chore(deps): bump uuid from 13.0.0 to 14.0.0 in /a... @app/dependabot 74 stale (74d)

CI Health

  • 19/30 (63%) passed
  • Failing: "npm_and_yarn in /. for @babel/core, @babel/plugin-transform-modules-systemjs, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, axios, basic-ftp, basic-ftp, basic-ftp, basic-ftp, brace-expansion, brace-expansion, brace-expansion, brace-expansion, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, dompurify, esbuild, fast-uri, fast-ur..." — 2 failure(s)
  • Failing: "CI" — 1 failure(s)

kagenti-operator

Open PRs (5)

Changes Requested (1)

# Title Author Days Notes
#449 Feat: Add token-broker service for OAuth session a... @davidhadas 17 SECURITY, stale (17d)

Needs Review (4)

# Title Author Days Notes
#473 Feat(operator): implement SPIFFE JWT-SVID authenti... @Alan-Cha 3 SECURITY
#472 build(deps): bump actions/cache from 5.0.5 to 6.1.... @app/dependabot 6 SECURITY
#471 build(deps): bump the minor-and-patch group with 4... @app/dependabot 6
#470 build(deps): bump the minor-and-patch group in /ka... @app/dependabot 6 SECURITY

CI Health

  • 25/30 (83%) passed
  • Failing: "PR Verifier" — 4 failure(s)
  • Failing: "CI" — 1 failure(s)

OpenShell

Open PRs (2)

Needs Review (2)

# Title Author Days Notes
#16 feat(sandbox): Landlock TCP port restriction for m... @Ladas 24 stale (24d)
#15 feat(sandbox): add Platform network mode for restr... @Ladas 24 SECURITY, stale (24d)

CI Health

  • 15/30 (50%) passed
  • Failing: "Kagenti CI" — 7 failure(s)

agentic-control-plane

Open PRs (5)

Needs Review (5)

# Title Author Days Notes
#54 build(deps): Bump the minor-and-patch group across... @app/dependabot 9
#49 build(deps): Update fastmcp requirement from >=0.2... @app/dependabot 23 SECURITY, stale (23d)
#46 build(deps): Update uvicorn requirement from >=0.2... @app/dependabot 30 SECURITY, stale (30d)
#44 build(deps): Update kubernetes requirement from >=... @app/dependabot 30 SECURITY, stale (30d)
#34 CI: Add PR title verifier workflow @rubambiza 69 stale (69d)

CI Health

  • 30/30 (100%) passed

workload-harness

Open PRs (2)

Needs Review (2)

# Title Author Days Notes
#27 feat(exgentic-runner): in-cluster execution support @yoavkatz 4 SECURITY
#26 docs: Fix broken internal link in workload-harness @clawgenti 6

CI Health

  • 12/30 (40%) passed

New Issues (1)

# Title Created
#28 feat: add e2e test script for tool_calling agent across a... 2026-07-05

capture-the-flag

Open PRs (1)

Needs Review (1)

# Title Author Days Notes
#3 CI: Add PR title verifier workflow @rubambiza 69 stale (69d)

CI Health

  • 5/8 (62%) passed
  • Failing: "PR Verifier" — 2 failure(s)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    New/ToDo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions