[observability] Observability Coverage Report - 2026-06-19

[github-actions[bot]]

Executive Summary

Sampled 19 completed runs from the last 7 days, all with firewall_enabled=true. Firewall observability is mostly healthy: 17/19 runs uploaded usable sandbox/firewall/logs/access.log data, and those logs show both allowed and blocked traffic. Two Avenger failures are missing access.log entirely, which is a critical gap because it removes the primary debugging artifact for egress enforcement.

MCP telemetry is complete across the sample. Every run had mcp-logs/rpc-messages.jsonl; gateway.jsonl was not present in this sample, so the canonical RPC fallback is carrying observability. No RPC response errors were found.

Key Alerts and Anomalies

🔴 Critical Issues:

• Avenger run 27794601855: sandbox/firewall/logs/access.log missing.
• Avenger run 27792293897: sandbox/firewall/logs/access.log missing.

⚠️ Warnings:

• None.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	19	17	89.5%	🔴
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	19	19	100%	✅

📋 Detailed Run Analysis

All sampled runs had rpc-messages.jsonl; none had gateway.jsonl.

Workflow	Run ID	Conclusion	access.log	Allowed/Blocked	MCP telemetry	RPC lines	Tool calls	Status
Auto-Triage Issues	27796287297	success	✅	14/16	rpc-messages.jsonl	4	1	✅
PR Sous Chef	27795905247	success	✅	89/60	rpc-messages.jsonl	4	1	✅
Daily Security Red Team Agent	27796815866	success	✅	110/128	rpc-messages.jsonl	4	1	✅
Smoke CI	27794663422	success	✅	2/5	rpc-messages.jsonl	6	1	✅
PR Description Updater	27794663460	success	✅	37/59	rpc-messages.jsonl	8	3	✅
Auto-Triage Issues	27795865604	success	✅	15/16	rpc-messages.jsonl	4	1	✅
Test Quality Sentinel	27794654794	success	✅	21/20	rpc-messages.jsonl	4	1	✅
Daily Reliability Review	27795432593	success	✅	76/197	rpc-messages.jsonl	130	63	✅
PR Code Quality Reviewer	27794654813	success	✅	33/49	rpc-messages.jsonl	10	4	✅
Design Decision Gate 🏗️	27794654816	success	✅	17/14	rpc-messages.jsonl	4	1	✅
Daily BYOK Ollama Test	27794407926	failure	✅	22/34	rpc-messages.jsonl	4	0	✅
Avenger	27794601855	failure	❌	0/0	rpc-messages.jsonl	28	1	🔴
Matt Pocock Skills Reviewer	27794654773	success	✅	35/50	rpc-messages.jsonl	10	3	✅
PR Sous Chef	27793964843	success	✅	63/64	rpc-messages.jsonl	4	1	✅
Daily AWF Spec Compiler Surfacing Review	27794063020	success	✅	107/115	rpc-messages.jsonl	6	2	✅
Smoke CI	27791765228	success	✅	2/5	rpc-messages.jsonl	6	1	✅
PR Description Updater	27791765234	success	✅	27/67	rpc-messages.jsonl	8	3	✅
Avenger	27792293897	failure	❌	0/0	rpc-messages.jsonl	30	2	🔴
Daily Regulatory Report Generator	27791592821	success	✅	106/189	rpc-messages.jsonl	20	7	✅

🔍 Telemetry Quality Analysis

• Firewall log volume: 1,864 access entries; 776 allowed and 1,088 blocked.
• Unique allowed destinations: 6.
• Top allowed destinations: api.githubcopilot.com:443 (279), api.anthropic.com:443 (174), o205451.ingest.us.sentry.io:443 (159).
• MCP telemetry volume: 294 RPC entries; 97 tool calls; 0 response errors.
• Tool-call servers observed: sentry 62, safeoutputs 33, mcpscripts 2.
• gateway.jsonl was absent in the sample; rpc-messages.jsonl was the sole MCP telemetry source.

Recommended Actions

1. Ensure sandbox/firewall/logs/access.log is emitted on failure paths, especially for Avenger.
2. Add a workflow assertion or upload guard so missing firewall logs are flagged immediately.
3. If you want richer MCP metrics, emit gateway.jsonl alongside the RPC fallback.

Analysis window: Last 7 days | Runs analyzed: 19

References:

• §27797268990
• §27794601855
• §27792293897

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

[!TIP]
api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 24 AIC · ⌖ 8.56 AIC · ⊞ 17.2K · ◷

• expires on Jun 19, 2026, 4:22 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Observability Report for AWF Firewall and MCP Gateway.

A newer discussion is available at Discussion #40403.