[daily regulatory] Regulatory Report - 2026-04-08

[github-actions[bot]]

8 daily reports reviewed for April 8, 2026 (plus 1 April 7 observability report). Overall data quality is good with consistent cross-report metrics, but two operational blockers require urgent attention: static analysis has been dark for 4+ days due to a --runner-guard flag issue, and MCP telemetry coverage sits at a critically low 35.7%. The PR merge rate continues its healthy upward trend (83.2%), safe-output health is at 100% for the fourth consecutive day, and firewall block rates are low and consistent across reports. A 67% single-day spike in [aw] workflow failures (15→25) and 4 untiaged security findings are the most pressing near-term risks.

Cross-report consistency is strong — all shared metrics (firewall block rate, PR merge rate, session counts) agree within acceptable tolerances. No true numerical discrepancies were detected. The main data quality concern is coverage gaps, not data conflicts.

📋 Full Regulatory Report

📊 Reports Reviewed

#	Report	Discussion	Created	Status
1	Safe Output Health	#25308	2026-04-08T13:20Z	✅ Valid
2	Daily Firewall Report	#25286	2026-04-08T11:58Z	✅ Valid
3	Copilot Agent Analysis	#25278	2026-04-08T11:43Z	✅ Valid
4	Copilot Session Insights	#25291	2026-04-08T12:11Z	✅ Valid
5	Daily Team Evolution Insights	#25270	2026-04-08T10:57Z	✅ Valid
6	Static Analysis Report	#25316	2026-04-08T13:54Z	❌ Failed (compile error)
7	DeepReport Intelligence Briefing	#25328	2026-04-08T15:11Z	✅ Valid
8	Sergo Report	#25379	2026-04-08T20:29Z	✅ Valid
9	Observability Coverage Report (Apr 7)	#25197	2026-04-07T23:54Z	⚠️ Issues (MCP gap)

🔍 Data Consistency Analysis

Cross-Report Metrics Comparison

Reference scratchpad/metrics-glossary.md for metric definitions and scopes.

Metric	Firewall Report	DeepReport	Observability	Scope Match	Status
firewall_requests_blocked rate	2.9%	2.9%	4.0% (Apr 7)	⚠️ Different days	✅ Consistent
workflow_runs_analyzed (firewall)	30 (7d)	—	15 (7d)	⚠️ Different windows	ℹ️ See Note 1
agent_prs_total (24h)	—	—	—	✅ Single source	✅
Agent PR merged rate	75% (24/32)	83.2% (7d trend)	—	⚠️ Different scopes	✅ Consistent
Sessions analyzed	50	—	—	✅ Same scope	✅
Safe output success rate	100%	100%	—	✅ Same scope	✅
[aw] failure issues/day	—	25	—	✅ Single source	✅
Static analysis findings	9,956 (Apr 4)	"dark since Apr 5"	—	✅ Same	✅ Consistent

Scope Notes:

• Note 1: Firewall Report analyzed 30 runs (7-day window); Observability Report analyzed 15 runs (also 7-day, but from April 7 run, so different window boundary). Different run counts are expected.
• agent_prs_total (32): Copilot Agent Analysis uses 24h window (Apr 7T11:40Z → Apr 8T11:40Z); Team Evolution uses ~24h with slightly different boundary (~43 commits/40+ PRs) — scopes differ by design.

Consistency Score

• Overall Consistency: 95% — all comparable metrics agree
• True Discrepancies: 0
• Scope Differences (expected): 3
• Coverage Gaps (not discrepancies): 2

⚠️ Issues and Anomalies

Critical Issues

1. Static Analysis Dark Since April 4

• Affected Reports: Static Analysis Report (Static Analysis Report - 2026-04-08 #25316), DeepReport (DeepReport Intelligence Briefing — April 8, 2026 #25328)
• Metric: N/A — coverage failure
• Description: The copilot/add-runner-guard-arg-to-compile branch introduced --runner-guard into the static analysis workflow before the flag was implemented. All scans since April 5 fail at compile time.
• Impact: 9,956 known findings (1,117 High-severity from zizmor) are not being tracked. Growing security blind spot as new workflows are added daily.
• Severity: 🔴 Critical
• Recommended Action: Merge or revert copilot/add-runner-guard-arg-to-compile. Prioritize restoring daily scans.

2. MCP Telemetry Coverage at 35.7%

• Affected Reports: Observability Coverage Report ([observability] Observability Coverage Report - 2026-04-07 #25197)
• Metric: observability_coverage_percentage (MCP)
• Description: Only 5 of 14 MCP-enabled workflow runs have any telemetry (rpc-messages.jsonl or gateway.jsonl). 9 runs have zero MCP telemetry.
• Impact: Root-cause analysis for MCP tool/runtime failures is blocked for 64.3% of MCP runs.
• Severity: 🔴 Critical
• Recommended Action: Enforce MCP telemetry artifact publication in all MCP-enabled workflows.

Warnings

3. Workflow Failure Spike (+67% Single Day)

• Details: [aw] failure issues: 18 (Apr 6) → 15 (Apr 7) → 25 (Apr 8). A 67% day-over-day increase on April 8.
• Possible Cause: Cascading effects from runner-guard PR compilation disruption; Copilot engine instability (7+ exit code 1 failures noted by Team Evolution).
• Impact: Elevated noise in issue tracker; possible systemic infrastructure issue.

4. Cross-Repo Credentials Failing for 3+ Days

• Details: Smoke Create Cross-Repo PR and Smoke Update Cross-Repo PR have been failing with Bad credentials to githubnext/gh-aw-side-repo since at least April 6.
• Impact: Cross-repo smoke tests consistently failing; potential regression coverage gap.

5. Security Findings Untiaged (24h+)

• Details: 4 open gh-aw-security-finding issues (MCP container images pulled without SHA-256 digest pinning; node:lts-alpine uses floating LTS tag #25071, Claude engine should pin claude-code to a verified version and restrict sandbox env/network for npm operations #25101, Claude engine safeoutputs MCP shared bearer token enables direct write-sink bypass in local-analysis environment #25102, agent-stdio.log must be mode 0600 and MCP gateway tokens must be masked in log pipelines #25103) from April 7 carry no severity labels or assignees after 24+ hours.
• Impact: Security SLA risk; high-severity themes include token masking and write-sink bypass.

6. Two Copilot Branches Stalled (HIGH Abandonment Risk)

• Details: copilot/fix-duplicate-https-scheme and copilot/fix-actionlint-failure-handling — each with 14 sessions today, all review-bot action_required, zero Copilot coding agent activity.
• Impact: CI resource drain; stalled work blocking progress.

Data Quality Notes

• Static Analysis Report acknowledged its failure and clearly attributed it to the --runner-guard compile issue — good transparency
• Observability Report covered April 7 data (not April 8); the Observability workflow itself was one of the missing-log runs (firewall=Critical)
• DeepReport referenced discussion [repository-quality] Repository Quality: Oversized File Decomposition #25307 (Repository Quality) not fetched in this review — out of scope for this run
• agent_prs_total discrepancy between Copilot Agent Analysis (32 PRs) and Team Evolution (~40+ PRs merged) is explained by different time windows and scope — not a true discrepancy

📈 Trend Analysis

Week-over-Week Comparison

Metric	Apr 8, 2026	Apr 7, 2026	Apr 6, 2026	Direction
PR merge rate (7d)	83.2%	~82%	—	↑
Agent PRs (24h)	32	52	48	↓ (but faster)
Avg PR duration (min)	89	110	106	↓ improving
Safe output success rate	100%	~96% (1 failure)	100%	→ stable
[aw] failures/day	25	15	18	↑ spike
Stale lock files	0	0	0	→ resolved
Firewall block rate	2.9%	~4.0%	—	↓ improving
MCP telemetry coverage	N/A	35.7%	—	🔴 low

Notable Trends

• PR throughput is lower but faster: 32 PRs in 24h vs 52 yesterday, but avg duration improved 19% (89 vs 110 min). Quality-over-quantity pattern.
• Safe-output health excellent: 100% success rate for 4 consecutive days since the April 2 rate-limit burst.
• Security hardening theme: Multiple security PRs merged (RUNNER_TEMP guard, URL bypass fix, CLI version pinning) — proactive security investment.
• Copilot engine instability: 7+ unexpected termination (exit code 1) issues filed today — potential CLI version 1.0.20→1.0.21 regression worth investigating.

📝 Per-Report Analysis

Safe Output Health Report (#25308)

Time Period: Last 24 hours / last 50 runs (302 total run directories)
Quality: ✅ Valid

Metric	Value	Validation
safe_output_executions	12	✅
safe_output_failures	0	✅
Safe output success rate	100%	✅
Workflow runs reaching SO stage	2	ℹ️ Low activity day
SO jobs skipped (agent failed first)	51	✅ expected

Notes: Only 2 of 302 total workflow run directories triggered safe outputs today — very low activity. Cross-repo bad credentials recurring for 3+ days without resolution.

---

Daily Firewall Report (#25286)

Time Period: Last 7 days (analysis date: April 8, 2026)
Quality: ✅ Valid

Metric	Value	Validation
firewall_enabled_workflows	30	✅
firewall_requests_total	626	✅
firewall_requests_allowed	608	✅
firewall_requests_blocked	18	✅
Block rate	2.9%	✅ (608+18=626 ✓)
firewall_domains_blocked	5	✅

Notes: Math checks pass (608+18=626). 72% of blocked requests are Codex engine ChatGPT telemetry — expected, benign. Changeset Generator missing github preset is a misconfiguration flagged for immediate fix.

---

Copilot Agent Analysis (#25278)

Time Period: 24h window (Apr 7T11:40Z → Apr 8T11:40Z)
Quality: ✅ Valid

Metric	Value	Validation
agent_prs_total	32	✅
agent_prs_merged	24	✅
Closed (unmerged)	4	✅
Open	4	✅
agent_success_rate	86%	ℹ️ Note 1
Avg duration	89 min	✅

Notes: Note 1 — "Success rate 86%" counts merged (24) + still open (4) as 28 non-failures out of 32 total. This differs from a strict merged/total ratio (75%). The report's success rate methodology is internally consistent. Yesterday's comparison shows 41/52 = 79% merged, 86% reported success rate — same methodology.

---

Copilot Session Insights (#25291)

Time Period: April 8, 2026 + 10-day historical trend
Quality: ✅ Valid

Metric	Value	Validation
Sessions analyzed	50	✅
Successful completions	1 (2%)	✅
Failed / action_required	43 (86%)	✅
Skipped	6 (12%)	✅
Copilot agent sessions	1	✅
agent_success_rate (Copilot only)	100%	✅
10-day Copilot success rate	27.2% (25/92)	✅

Notes: 1+43+6=50 ✓. Overall 2% completion rate reflects review bots returning action_required by design — not true failures. 10-day data adds useful longitudinal context.

---

Daily Team Evolution Insights (#25270)

Time Period: Last 24h (Apr 7–8, 2026)
Quality: ✅ Valid

Metric	Value	Validation
Commits (approx)	~43	ℹ️ Narrative estimate
PRs merged	40+	ℹ️ Narrative estimate
Contributors	7+	✅
Integrity filter blocked items	6	✅

Notes: Estimates are narrative-derived, not precise counts — a reporting limitation for this workflow. The "40+ PRs merged" is broadly consistent with Copilot Agent Analysis's 24 agent PRs + human/bot PRs.

---

Static Analysis Report (#25316)

Time Period: April 8 scan ❌ (last successful: April 4, 2026)
Quality: ❌ Failed

Metric	Value	Validation
Scan status (Apr 8)	❌ Failed	Critical
Total findings (Apr 4)	9,956	✅ (historical)
Workflows scanned (Apr 4)	181	✅ (historical)
Days since last scan	4	🔴

Notes: Report transparently documented the failure cause and historical data. Trend shows +35% growth in findings over 7 scans (7,383 → 9,956) as new workflows are added.

---

DeepReport Intelligence Briefing (#25328)

Time Period: Apr 1 → Apr 8, 2026 (7-day primary analysis)
Quality: ✅ Valid

Metric	Value	Validation
PR merge rate (7d trend)	83.2%	✅ consistent with agent analysis
[aw] failures today	25	✅
Safe output health	100%	✅ consistent
Stale lock files	0	✅
Open security findings	4	✅
Firewall block rate	2.9%	✅ matches firewall report exactly

Notes: DeepReport explicitly cited sources for its numbers, enabling traceability. Good cross-report methodology.

---

Sergo Report (#25379)

Time Period: April 8, 2026 (code analysis)
Quality: ✅ Valid

Metric	Value	Validation
Findings generated	3	✅
High priority	1	✅
Medium priority	2	✅
Success score	8/10	✅

Notes: Code quality analysis focused on io.Writer refactor opportunity (19 unsafe stdout-swap patterns in tests), vestigial init() functions (3rd consecutive report), and context-unaware time.Sleep. Consistent with prior Sergo reports.

---

Observability Coverage Report (#25197, April 7)

Time Period: Last 7 days (from April 7 run)
Quality: ⚠️ Issues

Metric	Value	Validation
workflow_runs_analyzed	15	✅
Firewall coverage	93.3% (14/15)	⚠️ 1 missing
MCP telemetry coverage	35.7% (5/14)	🔴 Critical
Total access.log entries	911	✅
Blocked requests	36 (4.0%)	✅

Notes: The observability workflow itself was the run missing its firewall access.log — an ironic self-reference. MCP coverage at 35.7% is the most urgent systemic gap.

---

💡 Recommendations

Process Improvements

1. Restore Static Analysis Immediately: Merge or revert copilot/add-runner-guard-arg-to-compile. Four days without scans on a growing codebase (181 workflows, 9,956 known findings) is a material security risk.

2. Mandate MCP Telemetry in All MCP Workflows: Add a post-run observability check that fails runs when MCP is enabled but no telemetry artifact is published. 35.7% coverage is insufficient for incident response.

3. Renew Cross-Repo PAT: githubnext/gh-aw-side-repo credentials have been invalid for 3+ consecutive days. This blocks smoke test coverage for cross-repo workflows.

Data Quality Actions

1. Triage Security Findings Within 24h: Establish SLA for gh-aw-security-finding issues. The 4 open April 7 findings (MCP container images pulled without SHA-256 digest pinning; node:lts-alpine uses floating LTS tag #25071, Claude engine should pin claude-code to a verified version and restrict sandbox env/network for npm operations #25101, Claude engine safeoutputs MCP shared bearer token enables direct write-sink bypass in local-analysis environment #25102, agent-stdio.log must be mode 0600 and MCP gateway tokens must be masked in log pipelines #25103) need severity labels and owners today.

2. Standardize PR Count Methodology: Team Evolution and Copilot Agent Analysis report slightly different PR counts due to different time windows. Align on UTC cutoff time for daily reporting windows.

3. Investigate Copilot Engine Exit Code 1 Failures: 7+ unexpected terminations today may be related to CLI version 1.0.20→1.0.21 bump. Correlate with version bump commit timestamp.

Workflow Suggestions

1. Add Firewall Block Rate Cross-Check: Both Firewall Report and DeepReport independently reported 2.9% block rate with exact agreement — evidence that DeepReport's source attribution is working well. Formalize this cross-check.

2. Track Branch Stall Rate Metric: As suggested by DeepReport — flag branches with 5+ consecutive action_required sessions. Two currently stalled branches are consuming CI resources.

📊 Regulatory Metrics

Metric	Value
Reports Reviewed	9
Reports Passed (Valid)	7
Reports with Issues	1 (Observability - MCP gap)
Reports Failed	1 (Static Analysis - compile error)
True Cross-Report Discrepancies	0
Scope Differences (expected)	3
Critical Operational Blockers	2
Overall Data Consistency Score	95%
Overall Health Score	72% (5/7 no open blockers)

---

References:

• §24158866250 — This regulatory report run
• §24133703694 — Daily Firewall Report source
• §24142292722 — DeepReport source

Generated by Daily Regulatory Report Generator · ● 595.1K · ◷

• expires on Apr 11, 2026, 9:15 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Regulatory Report Generator.

A newer discussion is available at Discussion #25706.