[observability] Observability Coverage Report - 2026-06-15

[github-actions[bot]]

Executive Summary

The sampled runs show strong observability coverage for the two components under review. The firewall-enabled run has a populated Squid access.log, and the MCP-enabled run has canonical telemetry via rpc-messages.jsonl, so there is no critical logging gap blocking debugging.

Coverage is complete for the observed firewall and MCP cases in this sample, but the firewall log is only showing allowed egress in the analyzed run. That means the proxy path is visible, but we do not have a blocked-request example in this window to exercise the denial path.

Key Alerts and Anomalies

Note

No critical issues detected.

Warning

The firewall-enabled run recorded 41 allowed requests and 0 blocked requests, so the denial path was not exercised in this sample.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	1	1	100%	Healthy
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	1	1	100%	Healthy

Detailed Run Analysis

Firewall-Enabled Runs

Workflow	Run ID	access.log	Entries	Allowed	Blocked	Status
Daily Security Red Team Agent	27515981947	Present	136	41	0	Warning

Missing Firewall Logs (access.log)

None in the analyzed firewall-enabled sample.

MCP-Enabled Runs

Workflow	Run ID	Telemetry Source	Entries	Servers	Tool Calls	Errors	Status
Daily Security Red Team Agent	27515981947	rpc-messages.jsonl	4	1	1	0	Healthy

Missing MCP Telemetry

None in the analyzed MCP-enabled sample.

Telemetry Quality Analysis

Firewall Log Quality

• Total access.log entries analyzed: 136
• Unique domains: 1 (api.anthropic.com:443)
• Blocked requests: 0
• Allowed requests: 41
• Format check: entries are parseable Squid-style lines, including CONNECT 200 TCP_TUNNEL records

Gateway Log Quality

• Telemetry source: rpc-messages.jsonl fallback
• Total entries analyzed: 4
• MCP servers used: 1 (safeoutputs)
• Total tool calls: 1
• Error rate: 0%
• Average response time: N/A from raw RPC messages

Healthy Runs Summary

• 27515981947 captured both firewall and MCP telemetry with usable detail for debugging.
• 27516331431, 27516314038, and 27516295396 had no firewall/MCP artifacts in the fetched sample and are treated as N/A for this audit.

Recommended Actions

1. Keep access.log collection enabled for firewall runs, since it is present and usable here.
2. Add or preserve a blocked-request test case in at least one firewall run so the denial path is observable in the daily sample.
3. Continue emitting rpc-messages.jsonl when gateway.jsonl is unavailable, since it provides sufficient MCP telemetry for debugging.

References:

• §27516331431
• §27515981947
• §27516314038

---

Report generated automatically by the Daily Observability Report workflow
Analysis window: Last 7 days | Runs analyzed: 4

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

[!TIP]
api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 14.2 AIC · ⌖ 3.65 AIC · ⊞ 11.7K · ◷

• expires on Jun 15, 2026, 4:10 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Observability Report for AWF Firewall and MCP Gateway.

A newer discussion is available at Discussion #39469.