Repository: stevenschling13/Trading-App
Author: stevenschling13
## Sentinel Ops Report — 2026-04-26
| Check | Rating | Notes |
|----------------------|--------|-------|
| CI Health | PASS | `main` HEAD is `c2dd3d4e` ("fix(agents): move @opentelemetry/* to dependencies…", PR #364, 2026-04-18 03:19 UTC) — no new commits to `main` in 8 days. `list_workflow_runs` is still not exposed by the loaded GitHub MCP tools, so last-N-runs state on `main` was not inspected directly (same structural visibility gap as 2026-04-17 / 2026-04-19 / 2026-04-25). Indirect positive signal: PR #366's `trading-app - sentinel-engine` Railway preview status was updated yesterday (2026-04-25T18:29:04Z) with `state=success`, confirming the Railway preview pipeline is functional. No failure-context commits, no `security`/`ci`-labeled issues opened. |
| Open PRs | WARN | 17 open dependabot PRs (#366–#382), all created 2026-04-20T20:19–20:27 UTC. At today's UTC date, every one of them is **6 days old** — squarely inside the 5–10 day WARN window. None have been reviewed or merged. PRs #366, #382 received minor automated activity yesterday (CI status updates) but no human review. **They will all trip the FAIL threshold (>10 days) on 2026-04-30 — 4 days from now.** Mixture of npm/pip patch+minor bumps across `apps/web`, `apps/agents`, `apps/engine`, plus a github-actions group bump (#381) and a root-dev group bump (#382, 16 packages). |
| Issues Triage | PASS | 4 open issues, all labeled and owned by @stevenschling13: #203 (deferred majors — protobuf 7 / wrapt 2 / importlib-metadata 9 still pending; 19 days old, last updated 2026-04-17), #343 (ops report 2026-04-17), #365 (ops report 2026-04-19), #383 (ops report 2026-04-25). All within the 14-day update window per rubric. #203 will trip the 30-day staleness threshold on 2026-05-07 (11 days). |
| Security Advisories | WARN | Dependabot alerts API still not exposed by the loaded GitHub MCP tools — direct enumeration not possible this run (same structural gap flagged 2026-04-17 / 2026-04-19 / 2026-04-25). No `security`-labeled issues in the open queue. Security workflows on `main` are intact: `codeql.yml`, `dependabot-alerts-monitor.yml`, `gitleaks.yml`, `scorecards.yml`, `dependency-review.yml` all present on `c2dd3d4e`. Indirect signal: 17 fresh dependabot dependency-update PRs imply the alerts pipeline is producing output; none flagged as security-priority in their titles. |
| Deployment Health | WARN | **Production target is healthy**: latest production Vercel deploy `dpl_GyiXu6...` for `c2dd3d4e` (PR #364) is `READY`; prior production deploy `dpl_Ann2Jg...` for `c1c28902` (PR #363) is also `READY`. No new production deploys since 2026-04-18 (consistent with no `main` activity). **Preview health is degraded**: among the 17 dependabot PRs, **5 web-targeted previews are in `ERROR`** — PR #369 (next 16.2.4), #376 (eslint-config-next), #378 (web sdk-trace-node), #379 (web supabase-js), #380 (vite 8.0.9). Engine/pip and agents-targeted PRs are mostly `CANCELED` via "Ignored Build Step" (expected — those paths do not trigger web builds). Most recent preview is PR #382 root-dev group = `READY`. |
| Branch Hygiene | PASS | 19 branches total: `main` (protected), 17 dependabot branches each backed by an open PR, 1 orphaned: `claude/create-trading-app-routines-hhHyT` (head of the closed-unmerged PR #338, sha `f665f1fd`, ~9 days since PR closure on 2026-04-17). Orphan is below the 14-day threshold; `stale-branch-cleanup.yml` workflow is present on `main` and will pick it up on schedule. No branch over 30 days. |
| Dependency Freshness | WARN | 17 open dependabot PRs sitting **6 days unreviewed** — pipeline producing output but consumption stalled. Backlog spans engine pip (fastapi, ruff, setuptools, gunicorn, hypothesis, testing group), web/agents npm (next, supabase-js, vite, eslint-config-next, @opentelemetry/* minor bumps, @anthropic-ai/sdk), github-actions grou…