Integrity Filtering Audit — github/gh-aw
Audit period: Last 24 hours (2026-05-11T06:47Z – 2026-05-12T06:47Z)
Runs analyzed: 60 completed runs in github/gh-aw (30+30 from two pages)
Runs with agent artifacts: 9
MCP Gateway version: v0.3.6 (all runs)
Findings Summary
| Severity | Count | Description |
|---|---|---|
| 🔴 Critical | 0 | None |
| 🟡 Warning | 2 | Direct API bypass attempts (W-1), package registry blocks (expected firewall) |
| 🟢 Info | 5 | Normal observations — DIFC pipeline healthy, no WASM errors |
Critical Findings
None.
Warnings
W-1: Direct API Bypass Attempt — Duplicate Code Detector
Run: 25717161421 — Duplicate Code Detector
Workflow: .github/workflows/daily-dup-code.lock.yml
Branch: main
The codex_exec/0.129.0 tool running inside the agent sandbox made direct network requests to GitHub's APIs, which were blocked by the firewall:
| Domain | Count | User-Agent | Decision |
|---|---|---|---|
| api.github.com:443 | 1 | codex_exec/0.129.0 | ❌ TCP_DENIED (403) |
| github.com:443 | 1 | git/2.53.0 | ❌ TCP_DENIED (403) |
| chatgpt.com:443 | 2 | codex_exec/0.129.0 | ✅ TCP_TUNNEL (allowed — in network.allowDomains) |
| files.openai.com:443 | 1 | codex_exec/0.129.0 | ✅ TCP_TUNNEL (allowed) |
Root cause: The Duplicate Code Detector uses the OpenAI Codex execution environment (codex exec). Codex appears to have invoked git operations and direct api.github.com calls rather than routing through the MCP Gateway. The chatgpt.com access is expected (the workflow explicitly allows chatgpt.com in network.allowDomains for Codex telemetry/model routing).
DIFC impact: GitHub API calls were correctly blocked by the network firewall before they could bypass the MCP Gateway. No unfiltered data was returned. However, the attempted bypass indicates the agent is not exclusively using tools.github for GitHub access.
Recommended fix:
- Strengthen the agent system prompt in the Duplicate Code Detector to use MCP Gateway tools exclusively for GitHub API access — see shared/mcp-api-routing.md for reusable constraint language.
- Verify whether codex exec is configured with fetch=disabled and web_search=disabled (it currently uses --dangerously-bypass-approvals-and-sandbox, which may allow git operations).
- Consider removing git from the sandbox PATH or adding github.com to the deny-list to prevent direct git clones.
W-2 (Low): Package Registry Firewall Blocks — Schema Consistency Checker
Run: 25717271687 — Schema Consistency Checker
Blocked: 8× index.crates.io:443, 2× proxy.golang.org:443 (all TCP_DENIED 403)
Cargo and Go tooling attempted to download/update packages from external registries. These were correctly blocked by the firewall. This is not a DIFC concern but suggests the workflow's build step may fail silently due to missing registry access.
Informational
- Zero DIFC tags in rpc-messages.jsonl (expected): All runs show 0 difc_integrity fields in the JSONL. This is because "guards sink server ID" enrichment is disabled across all runs (no sink server IDs configured). DIFC events are present in mcp-gateway.log via the label_agent call/response pattern. This is by design, not a failure.
- All runs use difc_mode=filter: The WASM guard uses filter mode (not strict). Items that fail the allow-only policy are silently filtered rather than generating an error. For the 3 runs with a GitHub WASM guard, the label_agent response returned integrity: ["none:all", "unapproved:all", "approved:all"] — meaning the agent is granted access to all repos at all integrity levels.
- Integrity tags are unscoped (approved:all): Three runs (mcp-auth-test, cli-version-checker, dup-code-detector) use repos:"all" in the allow-only policy. The guard returns approved:all (applies to all repositories) rather than scoped tags. This is expected for broad-scope workflows.
- action_required runs (copilot/ branches): 19 runs on the copilot/refactor-workflow-helpers-code and copilot/update-compiler-slash-commands branches are awaiting human approval. The agent was never invoked; no MCP traffic was generated.
- daily-fact.lock.yml failures: 3 failure-conclusion runs show 0 jobs in the run — the workflow appears to fail at activation (before any jobs start). Not a DIFC concern.
- No WASM guard errors or panics: Zero wasm error: or WASM guard trap entries across all runs. The 00-github-guard.wasm (306 KB) loaded and executed successfully.
- Runs without GitHub MCP server (no tools.github): 5 of 9 runs only use safeoutputs or write-sink guards and have no GitHub API DIFC filtering. These are expected to have no DIFC labeling events.
DIFC Event Summary
| Run | Workflow | Agent Invoked | WASM Guard | DIFC label_agent Calls | Firewall Blocks | Status |
|---|---|---|---|---|---|---|
| 25717361921 | CLI Version Checker | ✅ | github (allow-only:approved) | 2 | 0 | ✅ |
| 25717356528 | GitHub Remote MCP Auth Test | ✅ | github (allow-only:approved) | 2 | 0 | ✅ |
| 25717271687 | Schema Consistency Checker | ✅ | none (write-sink only) | 1 | 10 (index.crates.io, proxy.golang.org) | ⚠️ |
| 25717161421 | Duplicate Code Detector | ✅ | github (allow-only:approved) | 3 | 2 (api.github.com, github.com) | ⚠️ W-1 |
| 25716942218 | Daily CLI Tools Exploratory Tester | ✅ | write-sink (agenticworkflows) | 2 | 0 | ✅ |
| 25716254303 | Contribution Check | ✅ | none (write-sink only) | 1 | 0 | ✅ |
| 25716057035 | Static Analysis Report | ✅ | none (write-sink only) | 1 | 0 | ✅ |
| 25715699041 | Workflow Health Manager | ✅ | none (write-sink only) | 1 | 0 | ✅ |
| 25715507009 | Daily Semgrep Scan | ✅ | semgrep (write-sink) | 2 | 0 | ✅ |
DIFC Event JSONL Summary
| Run | DIFC Events Labelled | DIFC Events Filtered |
|---|---|---|
| 25717361921 (CLI Version Checker) | 0* | 0 |
| 25717356528 (MCP Auth Test) | 0* | 0 |
| 25717271687 (Schema Checker) | 0* | 0 |
| 25717161421 (Dup Code Detector) | 0* | 0 |
| 25716942218 (CLI Tools Tester) | 0* | 0 |
| 25716254303 (Contribution Check) | 0* | 0 |
| 25716057035 (Static Analysis) | 0* | 0 |
| 25715699041 (Workflow Health) | 0* | 0 |
| 25715507009 (Semgrep Scan) | 0* | 0 |
*Zero DIFC tags in JSONL is expected — guards sink server ID enrichment is disabled in all runs. DIFC labeling occurs in mcp-gateway.log via label_agent call/response.
Recommendations
- Duplicate Code Detector (W-1): Investigate why codex exec is making direct api.github.com calls. Strengthen the agent system prompt to restrict tool use to MCP Gateway endpoints exclusively — see shared/mcp-api-routing.md for reusable constraint language. Verify that fetch=disabled in the Codex config prevents arbitrary git/curl operations. Consider adding github.com and api.github.com to the network deny-list at the firewall layer as defense-in-depth.
- Enable guards sink logging: Consider enabling MCP_GATEWAY_GUARDS_SINK_SERVER_IDS in workflows with active GitHub WASM guards (e.g., the auth-test and version-checker workflows). This would populate difc_integrity fields in rpc-messages.jsonl, making DIFC event counts auditable from the JSONL without parsing gateway logs.
- Schema Consistency Checker package registry blocks: If the workflow needs to build Rust or Go code, add index.crates.io and proxy.golang.org to the allow-list, or pre-cache dependencies in the container image.
Generated by Integrity Filtering Audit