[observability] Observability Coverage Report - 2026-06-12

[github-actions[bot]]

Executive Summary

I sampled 16 completed workflow runs from the last 7 days. Every firewall-enabled run had sandbox/firewall/logs/access.log, and every MCP-enabled run had telemetry via mcp-logs/rpc-messages.jsonl. Coverage is 100% for both components in the analyzed set.

The sample is clean overall. Firewall logs are populated and show both allow and deny behavior, including one TCP_DENIED to proxy.golang.org:443. MCP telemetry is complete, but only in the RPC fallback format; no sampled run emitted gateway.jsonl.

Key Alerts and Anomalies

No critical issues detected.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	16	16	100%	✅
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	16	16	100%	✅

Detailed Run Analysis

Firewall-Enabled Runs

Workflow	Run ID	access.log	Entries	Allowed	Blocked	Status
Daily Security Red Team Agent	27385195164	✅	142	43	0	success
PR Sous Chef	27384957170	✅	198	68	0	success
Design Decision Gate 🏗️	27383667211	✅	451	106	0	failure
Matt Pocock Skills Reviewer	27383667191	✅	407	129	1	success
PR Code Quality Reviewer	27383667185	✅	382	125	0	success
Test Quality Sentinel	27383667182	✅	401	132	0	success
Daily Reliability Review	27383658881	✅	276	69	0	success
Smoke CI	27383595654	✅	8	2	0	success
PR Sous Chef	27383359815	✅	101	36	0	success
Daily BYOK Ollama Test	27382565727	✅	55	22	0	failure
Daily AWF Spec Compiler Surfacing Review	27382266132	✅	85	31	0	success
Issue Monster	27382027638	✅	53	25	0	success
Smoke CI	27382020252	✅	7	2	0	success
PR Sous Chef	27381978065	✅	114	44	0	success
Design Decision Gate 🏗️	27381668167	✅	28	13	0	success
PR Code Quality Reviewer	27381668130	✅	375	128	0	success

MCP-Enabled Runs

Workflow	Run ID	Telemetry Source	Entries	Servers	Tool Calls	Errors	Status
Daily Security Red Team Agent	27385195164	rpc-messages.jsonl	4	1	1	0	success
PR Sous Chef	27384957170	rpc-messages.jsonl	8	1	3	0	success
Design Decision Gate 🏗️	27383667211	rpc-messages.jsonl	6	1	2	0	failure
Matt Pocock Skills Reviewer	27383667191	rpc-messages.jsonl	10	2	3	0	success
PR Code Quality Reviewer	27383667185	rpc-messages.jsonl	14	2	5	0	success
Test Quality Sentinel	27383667182	rpc-messages.jsonl	6	1	2	0	success
Daily Reliability Review	27383658881	rpc-messages.jsonl	70	2	33	0	success
Smoke CI	27383595654	rpc-messages.jsonl	6	2	1	0	success
PR Sous Chef	27383359815	rpc-messages.jsonl	8	1	3	0	success
Daily BYOK Ollama Test	27382565727	rpc-messages.jsonl	4	2	0	0	failure
Daily AWF Spec Compiler Surfacing Review	27382266132	rpc-messages.jsonl	4	1	1	0	success
Issue Monster	27382027638	rpc-messages.jsonl	16	1	7	0	success
Smoke CI	27382020252	rpc-messages.jsonl	6	2	1	0	success
PR Sous Chef	27381978065	rpc-messages.jsonl	12	1	5	0	success
Design Decision Gate 🏗️	27381668167	rpc-messages.jsonl	4	1	1	0	success
PR Code Quality Reviewer	27381668130	rpc-messages.jsonl	14	2	5	0	success

Telemetry Quality Analysis

• Firewall log entries analyzed: 3,083
• Unique host targets: 6
• Most accessed hosts: api.githubcopilot.com (411), o205451.ingest.us.sentry.io (270), api.anthropic.com (260)
• Blocked requests: 1 (TCP_DENIED to proxy.golang.org:443)
• MCP telemetry entries analyzed: 192
• MCP servers observed: safeoutputs, github, sentry
• Tool calls: 73 total
• Error rate: 0%
• Average response time: N/A for rpc-messages.jsonl

Recommended Actions

1. Keep the RPC fallback path healthy until gateway.jsonl is emitted consistently again.
2. Retain a deterministic blocked-request case in one scheduled run so deny-path debugging stays exercised.
3. Add a validation check that alerts when both MCP telemetry files are absent.

Context

• Analysis window: last 7 days
• Runs sampled: 16 completed runs
• Excluded from coverage: 4 recent runs still in progress or waiting

References:

• §27383667191
• §27383658881
• §27385195164

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

[!TIP]
api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 60.3 AIC · ⌖ 10.3 AIC · ⊞ 12.1K · ◷

• expires on Jun 12, 2026, 4:18 PM UTC-08:00

[github-actions[bot]]

Smoke club tap. Me leave mark. Fire still warm.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 243.1 AIC · ⌖ 10.5 AIC · ⊞ 20.3K · ◷

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-13T00:18:29.799Z.

Closed by Workflow