Add a compile/CI guard that fails when the generated Safe Outputs MCP server require()s a .cjs module the emitted bundle does not include — a missing safe_outputs_mcp_arguments.cjs shipped to main and crashed 8 agentic workflows before being caught manually.
Parent incident: #37230
Problem
PR #37208 added require('./safe_outputs_mcp_arguments.cjs') to the generated Safe Outputs MCP server, but the file was not emitted next to the server in the workflow runtime. Every safe-outputs agentic workflow on main then crashed at startup:
Error: Cannot find module './safe_outputs_mcp_arguments.cjs'
ERROR: Server process <pid> has died
##[error]Process completed with exit code 1.
The runtime fix landed in #37224/#37225, but nothing in compile or CI would have caught the broken emission — it was only detected after 8 production failures.
Affected workflows / runs
Daily Documentation Healer (§27046499438), Semantic Function Refactoring (§27046530357), Daily Observability Report (§27046551778), Auto-Triage Issues (§27046620355), PR Sous Chef (§27046719576), Daily Model Inventory Checker (§27046929440), Daily Sentrux Report (§27046950309), Daily Security Red Team Agent (§27046121207).
Probable root cause
The heredoc/asset emission for the safe-outputs MCP server did not bundle every require()d sibling .cjs. #37224 ("derive heredoc separators from content hash for build stability") addressed emission stability but did not add a guard against the broken-reference class.
Proposed remediation
- During
gh aw compile, statically scan each emitted MCP server .cjs for relative require('./*.cjs') calls and assert every referenced module is emitted into the same lock-file/heredoc bundle; fail compilation otherwise.
- Add a CI smoke step that starts the generated Safe Outputs MCP server (e.g. via
safe_outputs_mcp_server.cjs) in a clean temp dir and asserts it stays alive — catches missing siblings at PR time, not in production.
Success criteria / verification
Generated by 🔍 [aw] Failure Investigator (6h) · agent 220.1 AIC · threat-detection 13.2 AIC · ◷
Add a compile/CI guard that fails when the generated Safe Outputs MCP server
require()s a.cjsmodule the emitted bundle does not include — a missingsafe_outputs_mcp_arguments.cjsshipped tomainand crashed 8 agentic workflows before being caught manually.Parent incident: #37230
Problem
PR #37208 added
require('./safe_outputs_mcp_arguments.cjs')to the generated Safe Outputs MCP server, but the file was not emitted next to the server in the workflow runtime. Every safe-outputs agentic workflow onmainthen crashed at startup:The runtime fix landed in #37224/#37225, but nothing in compile or CI would have caught the broken emission — it was only detected after 8 production failures.
Affected workflows / runs
Daily Documentation Healer (§27046499438), Semantic Function Refactoring (§27046530357), Daily Observability Report (§27046551778), Auto-Triage Issues (§27046620355), PR Sous Chef (§27046719576), Daily Model Inventory Checker (§27046929440), Daily Sentrux Report (§27046950309), Daily Security Red Team Agent (§27046121207).
Probable root cause
The heredoc/asset emission for the safe-outputs MCP server did not bundle every
require()d sibling.cjs. #37224 ("derive heredoc separators from content hash for build stability") addressed emission stability but did not add a guard against the broken-reference class.Proposed remediation
gh aw compile, statically scan each emitted MCP server.cjsfor relativerequire('./*.cjs')calls and assert every referenced module is emitted into the same lock-file/heredoc bundle; fail compilation otherwise.safe_outputs_mcp_server.cjs) in a clean temp dir and asserts it stays alive — catches missing siblings at PR time, not in production.Success criteria / verification
safe_outputs_mcp_arguments.cjsreference makesgh aw compile/CI fail with a clear message.mainand would have failed on the [safeoutputs] Clarify flat MCP arguments and add SafeOutputMCP wrapped-argument fallback #37208 → pre-feat: derive heredoc separators from content hash for build stability #37224 state.Related to [aw-failures] P0 (resolved): Safe Outputs MCP crash — missing safe_outputs_mcp_arguments.cjs broke 8 main agentic workflows #37230