[observability] Observability Coverage Report - 2026-06-07

[github-actions[bot]]

Executive Summary

I reviewed a representative sample of 12 completed runs from the last 7 days, choosing one recent completed run per workflow to stay within the analysis cap. Coverage is clean: every sampled firewall-enabled run has access.log, and every sampled MCP-enabled run has telemetry via rpc-messages.jsonl.

No critical observability gaps were found in the sampled completed runs. The two in-progress runs present in the raw fetch were excluded from coverage math because their artifact snapshots were not finalized yet. MCP telemetry is using the canonical fallback format (rpc-messages.jsonl) rather than gateway.jsonl, which is acceptable and still debuggable.

Key Alerts and Anomalies

No critical issues detected in the sampled completed runs.

⚠️ Warnings:

• None in the sampled completed runs.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	12	12	100%	✅
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	12	12	100%	✅

📋 Detailed Run Analysis

Firewall-Enabled Runs

Workflow	Run ID	access.log	Requests	Allowed	Blocked	Status
Daily AWF Spec Compiler Surfacing Review	27075741252	✅	48	48	0	✅
Daily Documentation Healer	27077497108	✅	20	20	0	✅
Daily Formal Spec Verifier	27075064877	✅	37	10	27	✅
Daily Security Red Team Agent	27077220077	✅	43	43	0	✅
Design Decision Gate 🏗️	27076782250	✅	32	32	0	✅
Issue Monster	27076870996	✅	12	10	2	✅
Matt Pocock Skills Reviewer	27076782242	✅	79	54	25	✅
PR Code Quality Reviewer	27076782228	✅	223	159	64	✅
PR Description Updater	27076870614	✅	66	66	0	✅
PR Sous Chef	27076460063	✅	19	12	7	✅
Smoke CI	27077251120	✅	2	2	0	✅
Test Quality Sentinel	27076782246	✅	79	54	25	✅

MCP-Enabled Runs

Workflow	Run ID	Telemetry Source	Entries	Servers	Tool Calls	Errors	Status
Daily AWF Spec Compiler Surfacing Review	27075741252	rpc-messages.jsonl	6	safeoutputs	2	0	✅
Daily Documentation Healer	27077497108	rpc-messages.jsonl	2	safeoutputs	0	0	✅
Daily Formal Spec Verifier	27075064877	rpc-messages.jsonl	4	safeoutputs	1	0	✅
Daily Security Red Team Agent	27077220077	rpc-messages.jsonl	4	safeoutputs	1	0	✅
Design Decision Gate 🏗️	27076782250	rpc-messages.jsonl	8	safeoutputs	3	0	✅
Issue Monster	27076870996	rpc-messages.jsonl	6	safeoutputs	2	0	✅
Matt Pocock Skills Reviewer	27076782242	rpc-messages.jsonl	18	github, safeoutputs	7	0	✅
PR Code Quality Reviewer	27076782228	rpc-messages.jsonl	14	github, safeoutputs	5	0	✅
PR Description Updater	27076870614	rpc-messages.jsonl	4	safeoutputs	1	0	✅
PR Sous Chef	27076460063	rpc-messages.jsonl	4	safeoutputs	1	0	✅
Smoke CI	27077251120	rpc-messages.jsonl	6	github, safeoutputs	1	0	✅
Test Quality Sentinel	27076782246	rpc-messages.jsonl	6	safeoutputs	2	0	✅

🔍 Telemetry Quality Analysis

Firewall Log Quality

• Total firewall requests in the sampled workflows: 660
• Allowed requests: 510
• Blocked requests: 150
• Block rate: 22.7%
• Most active workflow: PR Code Quality Reviewer (223 requests)

Gateway Log Quality

• Telemetry source: rpc-messages.jsonl fallback in all sampled MCP runs
• Total JSONL entries: 82
• Total MCP tool calls: 26
• MCP servers seen: safeoutputs, github
• Error count: 0
• Average request/response latency: 131.8ms (min 3ms, max 3309ms)

Healthy Runs Summary

• The sampled runs show consistent firewall logging and usable MCP traces.
• No sampled run was missing both MCP telemetry files.
• No sampled firewall-enabled run was missing access.log.

Recommended Actions

1. Keep treating rpc-messages.jsonl as an acceptable MCP fallback, but prefer gateway.jsonl where available for richer timing and event fields.
2. Preserve the current firewall logging path under sandbox/firewall/logs/access.log so future audits can find it reliably.
3. Add an explicit note in workflow docs for in-progress runs so empty snapshots are not mistaken for missing observability.

References:

• §27075064877
• §27076782228
• §27077251120

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

💡 Tip: api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 26 AIC · ⌖ 3.97 AIC · ⊞ 12K · ◷

• expires on Jun 8, 2026, 12:12 AM UTC

[caioribeiroclw-pixel]

Useful split in this report: rpc-messages.jsonl is good enough for attribution, but gateway.jsonl is still the richer source for gateway-owned fields.

The receipt shape I’d want downstream of this report is basically:

{
  "telemetry_source": "rpc-messages.jsonl",
  "tool_calls": [{
    "request_id": "...",
    "server": "github|safeoutputs",
    "tool_name": "...",
    "args_shape": {"...": "redacted_type"},
    "status": "ok|error|denied|timeout",
    "duration_ms": 132,
    "result_shape": "redacted_shape"
  }],
  "coverage_gaps": ["gateway_jsonl_absent"]
}

That keeps the fallback path first-class without implying it proves every gateway metric. I shipped a tiny npm smoke for this exact conversion if useful for comparing shapes against a real artifact:

npx --yes pluribus-context@latest demo mcp-telemetry-import --json

The main thing it enforces is: no raw args/results in the durable receipt, only shapes + attribution + explicit gaps.

[github-actions[bot]]

This discussion has been marked as outdated by Daily Observability Report for AWF Firewall and MCP Gateway.

A newer discussion is available at Discussion #37680.