[observability] Observability Coverage Report - 2026-06-23

[github-actions[bot]]

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

The threat detection engine failed to produce results.

Review the workflow run logs for details.

Executive Summary

I reviewed 7 recent runs from Daily Firewall Logs Collector and Reporter. Firewall telemetry is mostly intact: 6 of 7 firewall-enabled runs include the Squid access log bundle, and 1 run is missing it entirely. MCP telemetry is healthy on the 6 MCP-enabled runs and is consistently captured through rpc-messages.jsonl rather than gateway.jsonl.

The main gap is a single firewall-enabled run that exited without preserving any access log artifact. That is a real debugging blocker for network issues. The remaining runs are usable for incident triage, with one run showing blocked egress as expected.

Key Alerts and Anomalies

Caution

Critical issue: 27927563395 is missing the firewall access log bundle. No access.log artifact was found for that run, so egress debugging would be blind for that execution.

Warning

Warnings:

• MCP telemetry is present via rpc-messages.jsonl in all 6 MCP-enabled runs, but gateway.jsonl is absent across the sample, so duration metrics are not available from the preferred format.
• The Squid logs are parseable, but transaction-end-before-headers noise is frequent. It does not block analysis, but it does make the access logs noisier than ideal.

Coverage Summary

Component	Runs Analyzed	Logs Present	Coverage	Status
AWF Firewall (access.log)	7	6	85.7%	Warning
MCP Gateway (gateway.jsonl or rpc-messages.jsonl)	6	6	100%	Healthy

📋 Detailed Run Analysis

Firewall-Enabled Runs

Workflow	Run ID	access.log	Entries	Allowed	Blocked	Status
Daily Firewall Logs Collector and Reporter	27927563395	No	0	0	0	Critical
Daily Firewall Logs Collector and Reporter	27858646068	Yes	87	29	0	Healthy
Daily Firewall Logs Collector and Reporter	27892124686	Yes	79	25	0	Healthy
Daily Firewall Logs Collector and Reporter	27663612723	Yes	325	169	0	Healthy
Daily Firewall Logs Collector and Reporter	27803421463	Yes	758	304	0	Healthy
Daily Firewall Logs Collector and Reporter	27591918514	Yes	766	272	0	Healthy
Daily Firewall Logs Collector and Reporter	27734553421	Yes	2206	935	16	Healthy

Missing Firewall Logs (access.log)

Workflow	Run ID	Date	Link
Daily Firewall Logs Collector and Reporter	27927563395	2026-06-22	§27927563395

MCP-Enabled Runs

Workflow	Run ID	Telemetry Source	Entries	Servers	Tool Calls	Errors	Status
Daily Firewall Logs Collector and Reporter	27858646068	rpc-messages.jsonl	8	2	2	0	Healthy
Daily Firewall Logs Collector and Reporter	27892124686	rpc-messages.jsonl	8	2	2	0	Healthy
Daily Firewall Logs Collector and Reporter	27663612723	rpc-messages.jsonl	6	2	1	0	Healthy
Daily Firewall Logs Collector and Reporter	27803421463	rpc-messages.jsonl	24	2	10	0	Healthy
Daily Firewall Logs Collector and Reporter	27591918514	rpc-messages.jsonl	6	2	1	0	Healthy
Daily Firewall Logs Collector and Reporter	27734553421	rpc-messages.jsonl	18	2	7	0	Healthy

Missing MCP Telemetry

No MCP-enabled run in the analyzed set was missing both gateway.jsonl and rpc-messages.jsonl.

🔍 Telemetry Quality Analysis

Firewall Log Quality

• Total access.log entries analyzed: 4,221
• Allowed requests: 1,734
• Blocked requests: 16
• Runs with blocked requests visible: 1
• Log format: parseable Squid access lines

Gateway Log Quality

• Telemetry source: rpc-messages.jsonl (canonical fallback)
• Total RPC entries analyzed: 70
• MCP servers used: agenticworkflows, safeoutputs
• Total tool calls: 23
• Error rate: 0%
• Average response time: N/A from RPC fallback alone

Healthy Runs Summary

6 runs have complete firewall + MCP observability coverage. The only gap is the single firewall run that ended before an access log bundle was preserved.

Recommended Actions

1. Preserve sandbox/firewall/logs/access.log on every firewall-enabled run, including early-exit and no-op paths.
2. Keep rpc-messages.jsonl as the fallback MCP telemetry source, but add gateway.jsonl if you want per-call duration metrics in the daily report.
3. If the transaction-end-before-headers noise is expected, document it; otherwise, reduce aborted proxy transactions or filter them in the report.

Historical Trends

No multi-day trend baseline was assembled beyond this 7-day sample.

---

Report generated automatically by the Daily Observability Report workflow
Analysis window: Last 7 days | Runs analyzed: 7

References:

• §27927563395
• §27734553421
• §27803421463

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• api.github.com
• github.com

[!TIP]
api.github.com is blocked because GitHub API access uses the built-in GitHub tools by default. Instead of adding api.github.com to network.allowed, use tools.github.mode: gh-proxy for direct pre-authenticated GitHub CLI access without requiring network access to api.github.com:

tools:
  github:
    mode: gh-proxy

See GitHub Tools for more information on gh-proxy mode.

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.github.com"
    - "github.com"

See Network Configuration for more information.

Generated by 📊 Daily Observability Report for AWF Firewall and MCP Gateway · 37.9 AIC · ⊞ 12.4K · ◷

• expires on Jun 23, 2026, 4:16 PM UTC-08:00

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-24T00:16:41.443Z.

Closed by Workflow