[audit-workflows] Daily Audit 2026-06-07 — prod-main 92.9% healthy; 3 config-drift recurrences (day 3), minimatch crash resolved

[github-actions[bot]]

Overview

Daily audit of agentic workflow runs for 2026-06-07. The 24h window was small and quiet (Sunday): the continuation fetch confirmed all runs landed in a ~3.7h cluster (17:56–21:38Z), 56 runs / 54 completed (2 still in progress, including this agent). Headline: 46 success / 8 failure = 85.2% overall, but on production main the real success rate is 92.9% (39/42, excluding one intentional-failure test workflow). Four of the eight failures are confined to a single feature PR branch.

Good news up top: the minimatch SDK-driver crash that dominated 06-06 (6 workflows) is gone — not seen in any of 28 copilot runs. The token-budget 429, safe-output partial-failure, and detection-parse failures were also all absent. The firewall blocked 0 of 2516 requests.

Summary

Metric	Value
Completed runs	54 (46 ✅ / 8 ❌) + 2 in-progress
Overall success	85.2%
Prod main success (real)	92.9% (39/42, excl. 1 intentional-fail)
Tokens / effective	23.99M / 152.1M
AIC	3,595
Turns / API calls	422 / 691
Missing tools / data / MCP failures	1 / 0 / 0
Firewall blocked	0 / 2516 (0%)
Engines	copilot 28, claude 9, codex 2, unclassified 17

Critical Issues (recurring on prod main)

These three have now failed a prod-main schedule three consecutive days (06-05/06/07) — all static config, all cheap-but-total (0 useful tokens), all should be one-line fixes:

1. Daily Caveman Optimizer [claude] — 400 "This model does not support the effort parameter" (run 27104658186; now retries 11×). Fix: drop the effort/reasoning-effort param from the workflow frontmatter.
2. Daily Cache Strategy Analyzer [codex] — 404 "Model not found gpt-5-codex-alpha-2025-11-07" (run 27101492605). The model id was rotated from adelie-alpha-2026-02-19 but still 404s — chasing a moving endpoint. Fix: pin a stable/aliased codex model id rather than another snapshot.
3. Daily Safe Output Integrator [copilot] — copilot-sdk-driver tool-permission lockout (run 27101776716): 13 denials of read(pkg/workflow/*_test.go) + shell(sed ... safe_outputs_config.go), aborted after the 5-denial threshold. Persisting 5+ windows (narrower than 06-06). Fix: reconcile the sdk-driver allow-tool mapping with the workflow's declared tools.

New This Window

activation-guardrail-cjs-module-not-found (MEDIUM) — All 4 PR-review workflows on branch copilot/fix-daily-credit-limit-test failed identically: the activation job crashes with Cannot find module 'check_daily_effective_workflow_guardrail.cjs'. The agent job is then correctly skipped, but the activation failure reds the run. This is dev-confined to the feature PR building the daily-credit-limit guardrail, but it's a reproducible packaging gap — the compiled lock files require() a .cjs that isn't bundled in the action package. It will redden main if merged unbundled. Affected: Test Quality Sentinel, PR Code Quality Reviewer, Design Decision Gate, Matt Pocock Skills Reviewer (runs 27103538546/47/66/67). Fix: bundle the .cjs before merge + add a CI smoke test that node-requires every .cjs the activation job references (same class as the now-fixed minimatch gap).

Full failure breakdown (8 failures / 4 classes)

Class	Count	Workflows	Scope
activation-guardrail-cjs MODULE_NOT_FOUND	4	TQS, PR Code Quality Reviewer, Design Decision Gate, Matt Pocock Skills Reviewer	PR branch (dev)
model-param-config (effort 400 / model 404)	2	Caveman, Cache Strategy	prod main, RECUR day 3
copilot-sdk tool-permission-lockout	1	Daily Safe Output Integrator	prod main, RECUR
by-design intentional fail	1	Daily Max AI Credits Test (Intentionally Fails)	expected

Trend Charts (to 2026-06-07)

Workflow Health

Success rate sits at 85.2% for the window (7-day avg ~86.5%), holding just below the 90% line. The dip vs. recent ~90% days is almost entirely the dev-branch guardrail cluster — prod-main real success is 92.9%, so platform health is steady, not regressing.

Token Usage

Daily tokens came in at 24.0M, below the 7-day moving average of ~29.3M — expected for a low-volume Sunday with fewer PR-triggered runs. No runaway-cost or token-cap (25M) pressure this window; the prior 429 risk on Daily Ambient Context Optimizer stayed quiet.

Top cost runs (claude-measured, all successful)

• Daily Safe Output Tool Optimizer — $6.19
• Documentation Unbloat — $5.44
• [aw] Failure Investigator (6h) — $3.78
• Daily Code Metrics and Trend Tracking Agent — $2.59

Note: codex/copilot cost is not reported by the harness, so $ totals are claude-only. PR Sous Chef showed execution drift (0/7/21 turns across 3 runs, all success) — flagged by observability, not a failure.

Recommendations

1. Fix the 3 recurring prod-main configs now — they waste a scheduled run every day and are trivial: drop effort (Caveman), stable codex id (Cache Strategy), sdk-driver tool-permission reconciliation (Safe Output Integrator).
2. Add model/param preflight validation at compile/activation time so stale model ids (404) and unsupported params (400) fail fast at compile, not on every scheduled run.
3. Bundle check_daily_effective_workflow_guardrail.cjs before merging the daily-credit-limit feature; extend the CI smoke test to node-require every activation .cjs.
4. Confirm the minimatch fix holds one more window, then close the issue.

References: §27104658186 · §27101492605 · §27103538546

Generated by 🔍 Agentic Workflow Audit Agent · 547.6 AIC · ⌖ 32.4 AIC · ⊞ 8.2K · ◷

• expires on Jun 8, 2026, 1:58 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Agentic Workflow Audit Agent.

A newer discussion is available at Discussion #37950.