[Schema Consistency] Schema Consistency Check — 2026-04-13

[github-actions[bot]]

Summary

• Inconsistencies Found: 11 active findings (2 new, 9 persistent)
• Strategy Used: Cross-Layer Field Diff (proven, run Weekly Research Report: AI Workflow Automation Landscape and Strategic Opportunities - August 2025 #12)
• New This Run: 2 stale safe-inputs references in autocomplete files after rename to mcp-scripts
• Trigger: One new commit since last run (§24325988909) — d1c210e Add exception.type to OTel exception span events; sanitize event attributes

---

NEW Findings (2026-04-13)

1. Stale safe-inputs in autocomplete generator script

File: docs/scripts/generate-autocomplete-data.js:40

The generate-autocomplete-data.js script still lists 'safe-inputs' as a frontmatter key after the rename to mcp-scripts (.changeset/minor-rename-safe-inputs-to-mcp-scripts.md). It should be replaced with 'mcp-scripts'.

// Line 40 — still has the old name:
'secret-masking', 'bots', 'rate-limit', 'strict', 'safe-inputs',
//                                                  ^^^^^^^^^^^^ should be 'mcp-scripts'

Impact: Running generate-autocomplete-data.js regenerates autocomplete-data.json with the stale key, perpetuating the issue.

2. Stale safe-inputs entry in generated autocomplete data

File: docs/public/editor/autocomplete-data.json:1917

The generated file has both "mcp-scripts" (line 1694, correct) and "safe-inputs" (line 1917, stale). The old entry should be removed.

Impact: The web editor's autocomplete suggests the deprecated safe-inputs: key, which users must then migrate via codemod.

---

Persistent Findings (Confirmed Still Present)

Documentation Gaps — Schema fields undocumented (9 issues)

A. pre-steps and run-install-scripts missing from frontmatter-full.md

Both fields are in the schema with detailed descriptions but have no dedicated sections in docs/src/content/docs/reference/frontmatter-full.md.

• pre-steps — Runs custom workflow steps before checkout; outputs usable in checkout.token
• run-install-scripts — Allows npm pre/post install scripts (supply chain risk; requires strict-mode warning)

B. observability.otlp sub-fields undocumented

frontmatter-full.md shows only:

observability: {}

...with no mention of otlp.endpoint or otlp.headers. The schema defines both with full descriptions.

C. mcp-scripts section stub in frontmatter-full.md

frontmatter-full.md shows only mcp-scripts: {} — no documentation of sub-fields (description, inputs, script/run/py/go, env, timeout). A dedicated doc exists at mcp-scripts.md but frontmatter-full.md should at minimum reference it and show the shape.

D. Two safe-outputs tools missing from frontmatter-full.md

report-incomplete and upload-artifact are defined in the schema but absent from the 126 KB safe-outputs section in frontmatter-full.md. All other ~60 tools are documented.

E. Five undocumented feature flags

pkg/constants/feature_constants.go defines these flags but none appear in frontmatter.md or frontmatter-full.md:

Flag	Purpose
copilot-integration-id	Gates GITHUB_COPILOT_INTEGRATION_ID env injection (added 2026-04-11)
cli-proxy	Enables AWF CLI proxy sidecar with --difc-proxy-* injection
copilot-requests	No secrets validation; adds copilot-requests:write permission
mcp-gateway	Enables MCP gateway routing
disable-xpia-prompt	Disables XPIA prompt injection

F. 12 schema fields missing from frontmatter.md (quick-reference page)

check-for-updates, disable-model-invocation, import-schema, infer, inlined-imports, mcp-servers, observability, pre-steps, rate-limit, run-install-scripts, secret-masking, tracker-id

G. aw.json repo-level config undocumented

.github/workflows/aw.json has a full schema (repo_config_schema.json) and Go implementation (repo_config.go) but is not documented anywhere in docs/.

Constraint Validation Gaps — Schema bounds not enforced in Go (5 issues)

The schema defines these constraints but the Go parser/compiler does not enforce them — invalid values pass through silently:

Field	Schema Constraint	Go Validation	Gap
tracker-id	maxLength: 128	Checks minLength:8 and pattern only	Values >128 chars accepted
rate-limit.max	maximum: 10	Accepts any positive integer	Values >10 accepted
rate-limit.window	minimum: 1, maximum: 180	Only checks > 0	window: 0 silently uses default; window: 999 accepted
safe-outputs.max-patch-size	maximum: 10240	Checks >= 1 only	Values >10240 accepted
upload-artifact.defaults.if-no-files	enum: ['error', 'ignore']	Accepts any non-empty string	Invalid values like 'warn' accepted

Code refs: pkg/workflow/role_checks.go:175-195, pkg/workflow/safe_outputs_config.go:408-427, pkg/workflow/publish_artifacts.go:147-153

Dead Code — MCP Config Schema unused (1 issue)

pkg/parser/schemas/mcp_config_schema.json is compiled via getCompiledMcpConfigSchema() but ValidateMCPConfigWithSchema in pkg/parser/schema_validation.go has no function body — it is a comment stub. The validateWithSchema() function has a case for mcpConfigSchema but it is unreachable since no caller passes that value. The compiled schema is never used for actual MCP server configuration validation.

Naming Inconsistency — create-code-scanning-alert(s) plural/singular (1 issue)

pkg/workflow/compiler_types.go:503 has yaml tag create-code-scanning-alerts (plural) while the schema, raw-map access paths, and all other code use the singular create-code-scanning-alert. Parsing uses the raw map path (singular) so there is no runtime bug, but the struct tag is misleading and could cause confusion in JSON marshalling scenarios.

---

Recommendations

1. Fix autocomplete generator — Replace 'safe-inputs' with 'mcp-scripts' in docs/scripts/generate-autocomplete-data.js:40 and regenerate docs/public/editor/autocomplete-data.json
2. Document pre-steps and run-install-scripts in frontmatter-full.md
3. Expand observability and mcp-scripts stubs in frontmatter-full.md to show actual sub-field shapes
4. Add upload-artifact and report-incomplete to the safe-outputs section of frontmatter-full.md
5. Document feature flags — Add a "Feature Flags" subsection to the features: section in frontmatter.md listing all supported flags with descriptions
6. Enforce schema constraints in Go — Add maxLength, maximum, and enum validation in role_checks.go, frontmatter_extraction_metadata.go, safe_outputs_config.go, and publish_artifacts.go
7. Fix or remove dead MCP schema validation — Either implement ValidateMCPConfigWithSchema or remove the dead code and compiled schema

---

References:

• §24325988909

Generated by Schema Consistency Checker · ● 325.2K · ◷

• expires on Apr 14, 2026, 4:48 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Schema Consistency Checker.

A newer discussion is available at Discussion #26159.