- Run by: raxx-ops-bot
- Scope: All 150 open issues
- Issues scanned: 150
- Marked groomed (this run): 17
- Already groomed (prior runs): 118
- Marked needs-grooming (prior runs, still failing): 15
- Total groomed at end of run: 135 / 150

These are high-leverage cards that are ready for dispatch but need operator context or decision before routing autonomously.
priority:high size:m area:security sprint:current
Phase 0 of the RBAC reconciliation is additive-only and has no external dependencies (no Workspace OIDC required). It unblocks the entire auth chain (#970–#974), so dispatch it first; everything else in the auth chain gates on it. Kristerpher needs to confirm the migration numbering slot and verify the RBAC seed data against the production admin list before the migration runs in prod.
priority:high size:m area:security sprint:current blocked
Blocked on operator action: create four Google Workspace groups (raxx-platform-admins@raxx.app, raxx-support@raxx.app, raxx-devops@raxx.app, raxx-break-glass@raxx.app) and bind them to CF Access Groups in Zero Trust UI. This is a 20-minute Cloudflare Zero Trust + Google Admin console task only Kristerpher can do. Once done, the feature-dev can dispatch this card and it unblocks #971–#974.
severity:high size:m area:devops
The CF Access service token for vault.raxx.app bootstrap needs to be created in Cloudflare Zero Trust (Access -> Service Tokens) and stored in macOS Keychain. This is a 10-minute operator task documented in the issue body. Once done, the card can be dispatched autonomously. Until then, every new Claude session that touches vault is brittle.
size:m area:security needs-grooming
Needs Kristerpher to confirm: (a) priority label — this should be priority:high but was not labeled; (b) whether #908 (Heroku scaffold) is complete enough for the UI auth card to start. Once those two questions are answered, this is a clean dispatch. Body has full schema, AC, and design doc reference.
severity:medium-low size:s area:devops type:tech-debt
Two overlapping Heroku deploy workflows create a maintenance hazard. Option A (deprecate deploy.yml Heroku jobs) is called out as recommended in the body. Needs Kristerpher to pick the option — that decision takes 2 minutes. After that, it's a clean autonomous dispatch.
These are groomed, unblocked, and have no ambiguity about option selection.
priority:high size:s area:console
Smallest unblocked sub-card in the epic #798 flag promotion chain. Purely additive: add risk: + soak_period_hours: fields to YAML + update flags.py parser. No design decisions left open. Dep #552 is closed.
priority:high size:s area:console
Clean dispatch. Deps #799, #800 are closed. Logic is fully specified in the design doc. Single PR: one listener function + one state transition + one test.
priority:high size:s area:console
Hourly background job with clear spec. Deps #799, #803, #804 all either closed or can be parallelized. Routes autonomously after #803 lands.
size:s area:console
Just groomed this run. Concrete scope: add probe_sentry_24h() reading SENTRY_API_TOKEN. No design ambiguity. Missing priority label — suggest priority:medium. Self-contained, no deps.
area:console (already groomed)
Explicitly marked groomed. No dependencies flagged as open. Part of epic #871 critical path for the env-switcher removal sprint. Autonomous dispatch.
These cannot be dispatched until Kristerpher takes a specific action. Surfaced here so they can be prioritized during his next session.

| # | Title | Blocking action needed |
|---|---|---|
| #970 | CF Access Workspace OIDC IDP swap | Create 4 Google Workspace groups + CF Access Group bindings (~20 min in Zero Trust UI) |
| #971–#974 | Auth RBAC Phases 2–5 | Cascade-blocked on #970 completing first |
| #908 | Velvet: scaffold Heroku app pair | Heroku app creation (raxx-velvet-prod + raxx-velvet-staging) — needs billing confirmation |
| #680 | Claude session bootstrap | Create CF Access service token in Zero Trust; store in Keychain (10-min task, documented in issue body) |
| #595 | vault_env_gap_fill.py | Blocked on #596 (Phase 1 audit) landing — check #596 status and confirm output exists at docs/ops/vault-env-coverage.md |
| #811 | Per-PR test env for console | Decision needed: Option A (Heroku Review Apps) vs Option B (single staging). Option A requires Heroku Pipeline setup. |
| #726 | GH Actions billing posture | Phase 2 (Ubicloud) is threshold-gated — no action now. Phase 1 sub-card (#727) is already groomed and dispatched. Recommend closing #726 or adding a "monitoring" label to reduce noise. |

| # | Title | Decision needed |
|---|---|---|
| #871 | epic(console): env-switcher drop + version manager | Epic needs a "done when all sub-cards closed" checklist added to body; also needs priority:high label. Suggest Kristerpher add a 3-line footer to the epic body. |
| #789 | Persistent alerts bell | Missing explicit AC checkboxes. Scope section acts as implicit AC — suggest Kristerpher add - [ ] checklist to formally pass the rubric, then this is autonomous-dispatchable. |
| #791 | /secrets page renders dynamically from vault | Missing parent epic link. Should reference #146 (console epic). One-line body edit unblocks this for autonomous dispatch. |
| #849 | sprint: 2026-05-01 → 2026-05-08 | Overlaps with #884 (2026-05-02 → 2026-05-09). Recommend closing #849 if all its cards are complete or captured in #884. |

Per scope instructions: these need Kristerpher visibility, not autonomous routing.

| Action | Issues |
|---|---|
| groomed added | #836, #807, #806, #804, #803, #801, #713, #579, #578, #577, #576, #575, #884, #849, #832, #883 |
| needs-grooming added | #964, #871 |
| needs-grooming removed | #836, #807, #806, #804, #803, #801, #713, #579, #578, #577, #576, #575 |
| blocked added | #970, #971, #972, #973, #974 |