[Retro] Sprint Retrospective — 2026-03-01 to 2026-03-15 (Updated)

[github-actions[bot]]

Sprint: Week 10–11 · Period: 2026-03-01 → 2026-03-15 · Run: #23108113984 · Updated: 2026-03-15 10:03 UTC

This is an updated retrospective for the same sprint period. A preliminary version was posted at 00:57 UTC (#270). This version reflects current incident status (+9h) and final sprint metrics.

---

Executive Summary

Sprint 2026-W10–W11 delivered meaningful technical progress — 5 critical atlatl bugs fixed, +23 unit tests in rlm-rs, significant atlatl-spec spec work (batch audit run9 closes), and two consecutive Friday Roundups published on zircote.github.io. However, the sprint closes under significant infrastructure stress. The most urgent unresolved item is a critical security incident in subcog (exposed AWS Access Key, reported externally 2026-03-14, now 28+ hours with zero action). Three CI pipelines remain offline across atlatl, daedalus, and atlatl-spec, and org-wide Dependabot automation has been disabled for 14+ days — directly enabling those breakages.

---

Sprint Metrics

Throughput

Metric	This Sprint (W10–W11)	Prev Sprint (W8–W9)	Delta
Issues closed (all)	~333	—	—
Issues closed (human/engineering)	~123	—	—
New issues opened	~361	—	—
Issue close rate	0.92×	—	⚠️ Backlog growing
PRs merged (all authors)	~315	~473	-34%
PRs merged (human + AI agents)	~103	~97	+6%
PRs merged (Dependabot only)	~212	~376	-44%
Repos with engineering activity	8 / 22	—	—

Dependabot decline is expected: automation was disabled mid-sprint, reducing auto-merge throughput.

Cycle Time (estimated)

Category	Avg Time	Notes
atlatl bug filing → close	~1 day	Fast turnaround on blocking lro-bench issues
atlatl-spec audit issues (run9)	~2.5 hours	Batch file + close on 2026-03-01
atlatl-spec Validate Specification	8 days unresolved	Mermaid <br/> HTML tag failure
subcog AWS key exposure → response	28+ hours, unresolved	⛔ Critical SLA violation
atlatl CI offline → fix	71+ hours, unresolved
daedalus CI offline → fix	72+ hours, unresolved

Review Metrics

Metric	Value
External PRs awaiting review	1 (subcog#152 — mgildea, CONTRIBUTOR, 2 approvals required)
Review backlog (>10 items)	✅ Within threshold
Avg PR open → merge (human PRs)	~12 min (most zircote PRs self-merged immediately)

---

Key Accomplishments

🦀 atlatl — MCP Server Platform (5 Blocking Bugs Fixed)

All five issues were root causes blocking valid lro-bench benchmark runs:

Issue	Title	Impact
atlatl#46	reindex fails: migration missing	Search indexes never built; benchmark data invalid
atlatl#50	Automated JSON Schema validation vs Rust EventPayload	Prevents silent schema/Rust drift
atlatl#65	recall_memories limit schema hardcodes max:50	Agent capped at 50 results; E4 benchmark scored 0.000
atlatl#66	MCP server crashes on large inline responses over stdio	Blocked inline/control benchmarks (E4, E2 C5, E5)
atlatl#62	Hybrid search falls back to vector-only on field-qualified queries	BM25 silently disabled on structured queries

🔬 atlatl-spec — Specification Completeness (Batch Audit Run9)

Batch close of 15+ spec inconsistency issues filed and resolved on 2026-03-01, including:

• DetailLevel enum canonical definition added to data-model.md
• MemoryCreate struct formally defined
• list_memories added to proxy routing table
• MCP auth scopes default aligned to least-privilege (memory:read, memory:write)
• Level 2 event emission requirement clarified (SHOULD → MUST when CustodialScheduler active)

🧪 rlm-rs — Quality & Documentation

• +23 unit tests for SqliteStorage embedding functions via automated Test Improver (0 → full coverage)
• Docs corrected: usearch version constraint updated from <2.24 to <2.25 across 4 files
• Performance PR submitted: parallel cosine similarity (rayon), pre-sized embedding buffers, buffer_fully_embedded SQLite optimization

📝 zircote.github.io — Content Pipeline

• Friday Roundup Week 10 published — Claude Code 3.7 Sonnet, ecosystem news
• Friday Roundup Week 11 published — Claude Code v2.1.72–74, PACED distillation, agricultural data sovereignty, OpenAPI Overlay v1.1.0
• Week 11 expanded with agent security, MCP maturity, AI review fatigue research (+SkillNet, RoboPocket papers)

📚 nsip — Workflow Documentation

• nsip#178: 18 workflow reference docs added (zero-coverage → complete); full docs/README.md index updated

🔧 Infrastructure / Dependabot

• ~212 Dependabot dependency bumps processed across 22 repos before automation was disabled
• ccpkg#20 and multiple other repos received github/gh-aw bump PRs (note: this bump introduced a breaking change — see Incidents)

---

🚨 Active Incidents (Unresolved at Sprint Close)

Priority	Repo	Issue	Age at Sprint Close	Required Fix
🔴 CRITICAL	subcog	#153 AWS Access Key in src/security/mod.rs	~28h, zero action	Revoke key now; git filter-repo history purge
🔴 CRITICAL	atlatl	Security Audit + CI offline since 2026-03-13	~71h	Pin sigstore/cosign-installer to SHA faadad0c (v4.0.0); fix Clippy 1.94 lints
🔴 CRITICAL	daedalus	Security Audit offline since 2026-03-13	~72h	Same cosign-installer pin fix (batch with atlatl)
🔴 CRITICAL	atlatl-spec	Validate Specification + API Docs (Pages) offline since 2026-03-07/11	~95h	Pin @redocly/cli back to 2.20.0 in package.json
🟠 HIGH	rlm-rs	Daily QA failing — github/gh-aw 0.56.2 breaking change	~2.5 days	Pin github/gh-aw to SHA 88319be7 (0.51.5)
🟠 HIGH	github-project-manager	Agentic Maintenance failing — gh-aw 0.56.2	~71h	Pin github/gh-aw to SHA 88319be7 (0.51.5) in agentics-maintenance.yml
🟡 MEDIUM	.github	Dependabot Rollout & Sweep disabled (14+ days)	Ongoing	Re-enable with PR review guardrails
🟡 MEDIUM	.github	Board API 403 for zircote-org-monitor App	All sprint	Add Projects: Read/Write to GitHub App permissions

Root Cause Analysis: CI Cascade

Three independent breaking changes hit simultaneously due to Dependabot automation being disabled:

cosign-installer 4.0.0 → 4.1.0  ──▶  atlatl Security Audit  ✗
                                  ──▶  daedalus Security Audit ✗

gh-aw 0.51.5 → 0.56.2            ──▶  github-project-manager  ✗
                                  ──▶  rlm-rs Daily QA         ✗

`@redocly/cli` 2.20.0 → 2.20.4    ──▶  atlatl-spec Validate Spec ✗
                                  ──▶  atlatl-spec Pages deploy  ✗

The Dependabot sweep being disabled was a direct enabler. With auto-merge + review guardrails active, each breaking PR would have been flagged (CI failure on the PR itself) before merging to main.

---

Contributor Highlights

Contributor	Role	Highlights
zircote	Owner	5 atlatl bugs filed+fixed; 15+ atlatl-spec spec issues resolved; rlm-rs docs+perf; nsip docs PR; 2 Friday Roundups
Copilot (AI agent)	AI collaborator	Week 11 expanded roundup; subcog external review triage; spec consistency assists
github-actions[bot]	Automation	Test Improver (+23 tests in rlm-rs); Perf Improver PR submitted; content pipeline (Friday Roundup automation)
mgildea	External contributor	subcog#152 feat(http): /healthz endpoint — CI passing, production-deployed per PR, awaiting 2 reviews
dependabot[bot]	Automation	~212 dependency bump PRs processed

---

Retrospective Notes

✅ What Went Well

• Fast atlatl bug turnaround: All 5 blocking lro-bench issues resolved within ~1 day of filing — indicates good issue-to-fix velocity when priority is clear
• Spec audit batch efficiency: atlatl-spec run9 filed and resolved 15+ issues in a single 2.5-hour session
• Content pipeline on schedule: Friday Roundup published Week 10 + Week 11 consecutively; Week 11 expanded via async research
• Alert system functional: Smart Alerts detected subcog AWS key exposure within hours of the external disclosure and has escalated correctly each cycle
• Automated quality tooling paying off: Test Improver added 23 meaningful tests without manual effort; Perf Improver identified 3 optimizations

⚠️ What Needs Improvement

• Security incident response time is inadequate: subcog#153 has been live for 28+ hours without action. Credential exposure requires a <2h response SLA — the current response time is ~14× that threshold
• Dependabot automation must stay enabled: Disabling it for 14+ days directly enabled 3+ CI failures and a security gap. Re-enable with review guardrails, not by removing automation
• Cross-repo breaking changes lack blast-radius analysis: Both cosign-installer and gh-aw bumps broke multiple repos simultaneously with no staged rollout. Action version bumps need canary validation before org-wide adoption
• External contributor PR left waiting: subcog#152 from mgildea has been open 4 days with CI passing and prod-deployed per PR description. External contributions need a clear review SLA (≤48h for CI-passing PRs)
• Board API access gap persists all sprint: The zircote-org-monitor App has been blocked from project board audit access for the entire sprint — no fix attempted

🎯 Next Sprint Focus Areas

1. ⛔ Immediate — Revoke and rotate subcog AWS credentials; purge from git history
2. 🔴 Day 1 — Fix CI pipelines: pin cosign-installer (atlatl + daedalus), gh-aw (rlm-rs + gpm), @redocly/cli (atlatl-spec)
3. 🟠 Week 1 — Re-enable Dependabot Rollout + Sweep with review guardrails
4. 🟠 Week 1 — Review and merge subcog#152 (external healthz PR, CI passing)
5. 🟠 Week 1 — Grant Projects: Read/Write to zircote-org-monitor GitHub App
6. 🟡 Week 2 — Run lro-bench E1–E6 experiments end-to-end (atlatl blocking bugs now fixed)
7. 🟡 Week 2 — Address atlatl Clippy 1.94 strict lint violations on main

---

Repository Health at Sprint Close

Repo	Status	CI	Open Eng Issues	Trending
atlatl	🔴 CI failing	❌ 4 workflows	0 code	Bugs fixed ✅ / CI broken ❌
atlatl-spec	🔴 Docs offline	❌ Validate Spec	3 features	Backlog growing
rlm-rs	🟠 QA failing	⚠️ Daily QA	2	Quality improving ✅
subcog	🔴 Security incident	✅ CI passing	1 (critical)	Needs immediate action
daedalus	🔴 CI failing	❌ Security Audit	0	No code activity
github-project-manager	🟠 Maint. failing	⚠️ Agentics	0	Automation blocked
.github	🟡 Degraded	✅ Main CI	—	Dependabot disabled
lro-bench	🟡 Partial	⬜ No data	2	Ready to run (atlatl fixed)
nsip	🟢 Healthy	✅	0	Docs complete
zircote.github.io	🟢 Healthy	✅	0	Active content ✅
Others (12 repos)	🟢 Healthy	✅ / ⬜	0	Quiet / maintenance

Org CI Health Score: 13 passing / 16 repos with CI history = 81% (down from ~90%+ start of sprint)

---

Generated by smart-retro workflow — https://github.com/zircote/.github/actions/runs/23108113984

AI generated by Smart Retrospective · history

• expires on Mar 29, 2026, 10:03 AM UTC

AI generated by Smart Retrospective · history

• expires on Mar 29, 2026, 10:07 AM UTC