Grooming pass — 2026-05-20 UTC
T-3 days to v1 launch (2026-05-23 UTC).
Summary table
| Metric | Count |
|---|---|
| Open issues scanned | 200 |
| Moved to groomed this pass | 6 |
| New blocked + needs:operator-decision applied | 8 |
| Auto-closed (bandit-in-tests false positives) | 16 |
| Auto-closed (gitleaks test-fixture false positive) | 1 |
| Auto-closed (jinja2 cluster dupe in tests) | 2 |
| Total closed this pass | 19 |
| Remaining needs-grooming after pass | 64 |
| Total groomed after pass | 117 |
| Total blocked after pass | 84 |
Issues moved to groomed
All five rubric axes pass. Ready for pickup.
| # | Title | Size | Area |
|---|---|---|---|
| #2538 | SC-2: implement scan_normalize.py + scan_severity_map.yaml | m | area:ci |
| #2539 | SC-3: implement scan_deduplicate.py | s | area:ci |
| #2540 | SC-4: implement scan_autoclose.yaml + auto-close logic | l | area:ci |
| #2541 | SC-5: implement scan_detect_gap.py + detect-gap workflow | m | area:ci |
| #2543 | SC-6: wire nightly-security-scan.yml to new pipeline | m | area:ci |
| #2547 | P1: design-index 8 topics with non-standard mockup paths | s | area:docs |
Top 5 ready-for-dev by age
| # | Created | Title | Area | Size |
|---|---|---|---|---|
| #1647 | 2026-05-11 | ops(legal): execute DPAs with vendors | area:legal | s |
| #1736 | 2026-05-12 | SC-WAF-00: Phase 0 CF account WAF settings + Logpush | area:devops | xs |
| #2143 | 2026-05-15 | ops(cloudflare): CF Access skip rule for vault.raxx.app | area:devops, area:security | s |
| #2538 | 2026-05-19 | SC-2: scan_normalize.py + scan_severity_map.yaml | area:ci | m |
| #2539 | 2026-05-19 | SC-3: scan_deduplicate.py — one issue per (file, rule_id) | area:ci | s |
Top 5 operator-decision blocked by age
| # | Created | Title | Area | Unanswered question |
|---|---|---|---|---|
| #1473 | 2026-05-09 | refactor(console): cut over all 17 blueprints from SQLite | area:console, area:queue | Queue cutover go/no-go? |
| #1538 | 2026-05-10 | ci: billing-collector-cron all billing secrets unset | area:devops, area:ci | Which billing secret paths are confirmed in vault? |
| #1580 | 2026-05-10 | design(rbac-v2): add flag_promotion_queue read/write | area:security, area:queue | RBAC V2 role schema sign-off? |
| #1595 | 2026-05-10 | feat(ci): migrate GH Actions to AWS CodeBuild | area:devops, area:ci | Is CodeBuild migration in scope for v1? |
| #1645 | 2026-05-11 | reliability: remove CF Access gate from getraxx.com before launch | area:devops | Confirmed pre-launch or post-launch? |
New blocked + needs:operator-decision applied this pass
| # | Title | Unanswered question |
|---|---|---|
| #2470 | Console V2 staging QA punch list | Which P0/P1 items still need atomic sub-cards? |
| #2477 | bandit: blacklist at console/app/services/sentry_preflight.py | SRE triage: is this injectable in production call context? |
| #2476 | bandit: hardcoded_sql_expressions at console/app/services/rbac_grants.py | SRE triage: parameterized or injectable? |
| #2475 | bandit: hardcoded_sql_expressions at console/app/blueprints/api_rbac_grants.py | SRE triage: parameterized or injectable? |
| #1903 | reliability: audit workflows using static CF repo secrets | Which workflows can be migrated to vault before launch? |
| #1873 | Upgrade cloudflare Terraform provider v4.52.7 → v5.x | Is this in scope for v1 or deferred? |
| #1725 | feat(auth): sync Google Workspace groups to Console RBAC | Phase 1 design decision confirmed? |
| #1735 | No CF WAF rules configured — pre-launch blocker | AC checkboxes not added after 5 groomer passes; body update required |
Auto-closed: bandit-in-tests false positives (16)
Rule: hardcoded_sql_expressions in */tests/* paths. Per feedback_bandit_in_tests_policy: test-fixture artifacts, not exploitable. Engineering follow-up in #2427.
Closed: #2559, #2560, #2561, #2562, #2563, #2564, #2565, #2566, #2567, #2568, #2569, #2570, #2571, #2572, #2573, #2574
Auto-closed: cluster dupes in tests (2)
Rule: jinja2_autoescape_false in console/tests/test_promote_deeplink_2504.py — same rule, same file, two line-level duplicates. Per feedback_security_scan_per_file_grouping. Closed as non-exploitable test-fixture: #2557, #2558.
Auto-closed: gitleaks false positive in tests (1)
generic-api-key match on _TOTP_KEY hex constant at console/tests/test_rbac_drift_1967.py:30 — synthetic test fixture, not a live credential. Closed: #2556.
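The three auto-close sections above come down to two mechanical steps: collapse line-level duplicates into one issue per (file, rule_id), then close the survivors that match a tool/rule/path rule. The block below is an added example written for this report, not the project's scan_deduplicate.py, scan_autoclose.yaml or auto-close logic (SC-3/SC-4), whose real schema is not shown here; the rule shape, finding dict shape, function names, and the sample findings (file names and line numbers) are constructed. It encodes the bandit-in-tests rule from this pass and routes everything else, including gitleaks secret matches under tests/, to human triage, because the #2556 closure rested on someone confirming the constant is a synthetic fixture rather than on a path rule.

```python
from fnmatch import fnmatchcase

# Constructed auto-close rules mirroring this pass's decisions. The real
# scan_autoclose.yaml schema is not on this page; this shape is an assumption.
AUTOCLOSE_RULES = [
    {"tool": "bandit", "rule_id": "hardcoded_sql_expressions", "path_glob": "*/tests/*",
     "reason": "feedback_bandit_in_tests_policy: test-fixture artifact, not exploitable"},
    {"tool": "bandit", "rule_id": "jinja2_autoescape_false", "path_glob": "*/tests/*",
     "reason": "feedback_bandit_in_tests_policy: test-fixture artifact, not exploitable"},
]


def path_matches(path: str, glob: str) -> bool:
    """Glob match with a leading '/' so '*/tests/*' also catches repo-root tests/.

    fnmatch's '*' spans '/', so the pattern means 'a /tests/ directory segment
    anywhere in the path'; it never matches e.g. console/testsuite/.
    """
    return fnmatchcase("/" + path.lstrip("/"), glob)


def deduplicate(findings):
    """One issue per (tool, path, rule_id); line-level duplicates fold into it."""
    grouped = {}
    for f in sorted(findings, key=lambda f: (f["path"], f["rule_id"], f["line"])):
        key = (f["tool"], f["path"], f["rule_id"])
        if key not in grouped:
            grouped[key] = {**f, "lines": []}
        grouped[key]["lines"].append(f["line"])
    return list(grouped.values())


def autoclose(issue):
    """Return the matching rule's close reason, or None if a human must triage."""
    for rule in AUTOCLOSE_RULES:
        if (rule["tool"] == issue["tool"] and rule["rule_id"] == issue["rule_id"]
                and path_matches(issue["path"], rule["path_glob"])):
            return rule["reason"]
    return None


def triage(findings):
    """Split deduplicated findings into (auto-closed, still-open) lists."""
    closed, open_ = [], []
    for issue in deduplicate(findings):
        reason = autoclose(issue)
        (closed if reason else open_).append({**issue, "close_reason": reason})
    return closed, open_


# Constructed sample findings modelled on this pass; the SQL test file and all
# line numbers are made up for the example.
SAMPLE_FINDINGS = [
    {"tool": "bandit", "rule_id": "hardcoded_sql_expressions",
     "path": "console/tests/test_rbac_grants_sql.py", "line": 40},
    {"tool": "bandit", "rule_id": "hardcoded_sql_expressions",
     "path": "console/tests/test_rbac_grants_sql.py", "line": 58},
    {"tool": "bandit", "rule_id": "jinja2_autoescape_false",
     "path": "console/tests/test_promote_deeplink_2504.py", "line": 12},
    {"tool": "bandit", "rule_id": "jinja2_autoescape_false",
     "path": "console/tests/test_promote_deeplink_2504.py", "line": 27},
    {"tool": "bandit", "rule_id": "hardcoded_sql_expressions",
     "path": "console/app/services/rbac_grants.py", "line": 91},
    {"tool": "gitleaks", "rule_id": "generic-api-key",
     "path": "console/tests/test_rbac_drift_1967.py", "line": 30},
]

if __name__ == "__main__":
    closed, open_ = triage(SAMPLE_FINDINGS)
    for i in closed:
        print("CLOSE", i["path"], i["rule_id"], i["lines"], "-", i["close_reason"])
    for i in open_:
        print("OPEN ", i["path"], i["rule_id"], i["lines"])
```

On the sample input the two test-path bandit groups close (each carrying both original lines), while the production-path hardcoded_sql_expressions finding and the gitleaks match stay open, which is the split this pass made by hand for #2475/#2476/#2477 and #2556. The check to pair with a path-based rule like this is that nothing under a matched tests/ directory is imported or shipped by production code; the rule is only as sound as that assumption.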
Grooming comments posted but not yet ready (needs-grooming retained)
| # | Title | Failing axes |
|---|---|---|
| #2536 | SC epic: nightly scan-to-issue pipeline rewrite | AC (no done-when), size missing |
| #2537 | SC-1: verify raxx-ops-bot PEM base64 round-trip | operator-action; size+type labels missing |
| #2544 | SC-7: grant raxx-dev-bot Actions:read permission | operator-action; size+type labels missing |
| #2545 | SC-8: seed BILLING_DB_PATH + POSTMARK_BILLING_TIER | operator-action; BILLING_DB_PATH value unconfirmed |
| #2575 | pip-audit: PYSEC-2026-89 in markdown==3.8.1 | area, size, AC missing |
| #2576 | pip-audit: PYSEC-2024-271 in flask-cors==6.0.2 | area, size, AC missing |
Bot identity note
Token minted via scripts/agents/mint_github_token.py --bot raxx-ops-bot. All issue comments and label edits attributed to raxx-ops-bot. No fallback to operator PAT detected.