[observability] Observability Coverage Report - 2026-06-16

[github-actions[bot]]

Executive Summary

I analyzed 17 completed runs from the last 7 days. Every sampled run had Squid firewall telemetry under sandbox/firewall/logs/access.log, and every sampled run had MCP telemetry via mcp-logs/rpc-messages.jsonl. steps.firewall was squid in every sampled aw_info.json.

The coverage problem is quality, not missing artifacts. The firewall logs consistently capture egress, but none of the sampled runs showed a blocked request, so the logs do not currently prove deny-path observability. MCP telemetry is healthy through the JSON-RPC fallback: valid logs, 76 outgoing tool calls, 0 protocol errors, and 3 servers observed (github, safeoutputs, sentry).

Warning

Firewall observability is present but weak on enforcement signal: no denied requests were visible in any sampled Squid log.

Key Alerts and Anomalies

Note

No critical log gaps detected in the sampled runs.

Warning

No blocked requests were visible in any sampled access.log, which limits debugging value for firewall regressions.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	17	17	100%	Warning
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	17	17	100%	Healthy

Detailed Run Analysis

Firewall + MCP Runs

Workflow	Run ID	access.log	Entries	Allowed	Blocked	MCP telemetry	Tool Calls	Status
Daily Observability Report for AWF Firewall and MCP Gateway	27584400903	yes	9	2	0	rpc-messages.jsonl	1	Warning
PR Description Updater	27584400944	yes	87	27	0	rpc-messages.jsonl	1	Warning
Daily Security Red Team Agent	27584598509	yes	115	35	0	rpc-messages.jsonl	1	Warning
Smoke CI	27583773725	yes	7	2	0	rpc-messages.jsonl	1	Warning
PR Description Updater	27583784278	yes	190	51	0	rpc-messages.jsonl	1	Warning
Smoke CI	27583855533	yes	7	2	0	rpc-messages.jsonl	1	Warning
PR Sous Chef	27583689576	yes	114	61	0	rpc-messages.jsonl	1	Warning
Smoke CI	27583784588	yes	7	2	0	rpc-messages.jsonl	1	Warning
Issue Monster	27583685427	yes	69	32	0	rpc-messages.jsonl	7	Warning
Smoke CI	27583482176	yes	7	2	0	rpc-messages.jsonl	1	Warning
Daily BYOK Ollama Test	27581947650	yes	56	0	0	rpc-messages.jsonl	0	Warning
Daily Reliability Review	27582993044	yes	240	53	0	rpc-messages.jsonl	44	Warning
PR Sous Chef	27581838772	yes	83	38	0	rpc-messages.jsonl	1	Warning
Daily AWF Spec Compiler Surfacing Review	27581611612	yes	114	37	0	rpc-messages.jsonl	2	Warning
Issue Monster	27581513957	yes	96	46	0	rpc-messages.jsonl	6	Warning
AI Moderator	27580037266	yes	69	26	0	rpc-messages.jsonl	3	Warning
PR Sous Chef	27579400732	yes	132	59	0	rpc-messages.jsonl	4	Warning

Missing Firewall Logs

None in the sampled runs.

MCP-Enabled Runs

All sampled runs had rpc-messages.jsonl; none required gateway.jsonl. The fallback was valid JSON-RPC telemetry in every case, with 0 parse errors and 76 total outgoing tools/call requests across the sample.

Missing MCP Telemetry

None in the sampled runs.

Telemetry Quality Analysis

Firewall Log Quality

• Total access.log entries analyzed: 1402
• Successful egress events observed: 475
• Blocked requests observed: 0
• Common destinations: api.githubcopilot.com, o205451.ingest.us.sentry.io
• Most logs are useful for traceability, but not for proving deny-path enforcement.

Gateway Log Quality

• Telemetry source: rpc-messages.jsonl (canonical fallback)
• Total outgoing tool calls: 76
• MCP servers used: github, safeoutputs, sentry
• Error rate: 0%
• Average response time: N/A from RPC-only telemetry

Healthy Runs Summary

All sampled runs had both firewall and MCP telemetry present. The only material gap was the lack of blocked firewall traffic in the sample.

Recommended Actions

1. Add or preserve a deterministic blocked-request probe so the daily report always has at least one deny-path Squid event to validate.
2. Keep accepting rpc-messages.jsonl as the MCP fallback, but emit gateway.jsonl where the runtime supports it for richer latency metrics.
3. Document the actual firewall log path used here (sandbox/firewall/logs/access.log) so future audits do not miss it.

Historical Trends

No prior trend series was computed in this pass.

References:

• §27582993044
• §27583689576
• §27584598509

---

Report generated automatically by the Daily Observability Report workflow
Analysis window: Last 7 days | Runs analyzed: 17

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

[!TIP]
api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 21.2 AIC · ⌖ 10.2 AIC · ⊞ 11.7K · ◷

• expires on Jun 16, 2026, 4:26 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Observability Report for AWF Firewall and MCP Gateway.

A newer discussion is available at Discussion #39709.