[observability] Observability Coverage Report - 2026-05-05

[github-actions[bot]]

Executive Summary

Analyzed 82 downloaded workflow runs from the last 7 days, with coverage metrics calculated across 77 completed runs. The downloader returned 77 completed runs before the bridge timeout limit; in-progress runs were excluded from missing-artifact criticals because final log upload may still be pending.

AWF Firewall observability is 100% across 7 firewall-enabled completed runs. MCP telemetry file coverage is 100% across 8 MCP-enabled completed runs, with observed MCP telemetry coming from the canonical rpc-messages.jsonl fallback rather than gateway.jsonl.

Key Alerts and Anomalies

🔴 Critical Issues:

• No critical issues detected.

⚠️ Warnings:

• MCP telemetry file is present but empty or has parse issues for §25347551171 (Smoke Pi).
• MCP telemetry file is present but empty or has parse issues for §25347488563 (Auto-Triage Issues).
• MCP telemetry file is present but empty or has parse issues for §25343896484 (Contribution Check).

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	7	7	100%	✅ Healthy
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	8	8	100%	⚠️ Warning

📋 Detailed Run Analysis

Firewall-Enabled Runs

Workflow	Run ID	access.log	Raw Entries	Requests	Allowed	Blocked	Status
Daily Security Red Team Agent	§25349690918	✅	249	46	46	0	✅
AI Moderator	§25349210698	✅	33	9	7	2	✅
Auto-Triage Issues	§25347488563	✅	70	7	7	0	✅
Smoke CI	§25344909418	✅	10	2	2	0	✅
Daily Regulatory Report Generator	§25344798129	✅	298	39	19	20	✅
Agentic Workflow Audit Agent	§25344690910	✅	1344	80	80	0	✅
Contribution Check	§25343896484	✅	296	64	64	0	✅

Missing Firewall Logs (access.log)

None.

MCP-Enabled Runs

Workflow	Run ID	Telemetry Source	Entries	Servers	Tool Calls	Errors	Status
Daily Security Red Team Agent	§25349690918	rpc-messages.jsonl	4	safeoutputs	1	0	✅
AI Moderator	§25349210698	rpc-messages.jsonl	12	github, safeoutputs	4	0	✅
Smoke Pi	§25347551171	rpc-messages.jsonl	0	N/A	0	0	⚠️
Auto-Triage Issues	§25347488563	rpc-messages.jsonl	0	N/A	0	0	⚠️
Smoke CI	§25344909418	rpc-messages.jsonl	6	github, safeoutputs	1	0	✅
Daily Regulatory Report Generator	§25344798129	rpc-messages.jsonl	16	github, mcpscripts, safeoutputs	5	0	✅
Agentic Workflow Audit Agent	§25344690910	rpc-messages.jsonl	22	agenticworkflows, github, safeoutputs	8	0	✅
Contribution Check	§25343896484	rpc-messages.jsonl	0	N/A	0	0	⚠️

Missing MCP Telemetry (no gateway.jsonl or rpc-messages.jsonl)

None.

🔍 Telemetry Quality Analysis

Firewall Log Quality

• Total raw access.log entries analyzed: 2300
• Parsed firewall requests: 247
• Domains accessed: 10 unique
• Blocked requests: 22 (8.9%)
• Most accessed domains: api.anthropic.com:443 (111), api.githubcopilot.com:443 (86), (unknown) (20), 151.101.64.223:443 (13), api.github.com:443 (6)

Gateway Log Quality

• Telemetry source: rpc-messages.jsonl canonical fallback in observed MCP runs; gateway.jsonl was not present in the completed sample
• Total entries analyzed: 60
• MCP servers used: agenticworkflows, github, mcpscripts, safeoutputs
• Total tool calls: 19
• Error rate: 0%
• Average response time: N/A

Healthy Runs Summary

7 firewall-enabled runs had non-empty Squid access logs, and 5 MCP-enabled runs had non-empty, parse-clean telemetry. Empty rpc-messages files were treated as warnings, not criticals, because the telemetry artifact exists but does not provide useful per-call debugging detail.

Recommended Actions

1. Keep publishing sandbox/firewall/logs/access.log for all firewall-enabled workflows and document this current artifact path in the observability runbook.
2. Continue accepting rpc-messages.jsonl as MCP telemetry, but investigate whether preferred structured gateway.jsonl emission should be restored.
3. Review the blocked-request hotspots in Smoke Pi and Daily Regulatory Report Generator to decide whether the blocks are expected policy enforcement or workflow configuration drift.

📊 Historical Trends

No historical baseline file was available in this run. This report records the current sample as a baseline: firewall coverage 100%, MCP telemetry file coverage 100%.

References: §25350293267, §25349690918, §25349690918

---

Report generated automatically by the Daily Observability Report workflow
Analysis window: Last 7 days | Runs analyzed: 82 downloaded (77 completed)

Warning

Firewall blocked 4 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• api.github.com
• chatgpt.com
• github.com

💡 Tip: api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "api.github.com"
    - "chatgpt.com"
    - "github.com"

See Network Configuration for more information.

Generated by Daily Observability Report for AWF Firewall and MCP Gateway · ◷

• expires on May 6, 2026, 12:13 AM UTC