Bumps [github/gh-aw](https://github.com/github/gh-aw) from 0.68.3 to 0.71.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/gh-aw/releases">github/gh-aw's releases</a>.</em></p> <blockquote> <h2>v0.71.1</h2> <h2>🌟 Release Highlights</h2> <p>This release focuses on reliability and correctness — fixing several impactful bugs reported by the community, improving agent workflow efficiency, and hardening security boundaries for the Claude engine.</p> <h3>🐛 Bug Fixes & Improvements</h3> <ul> <li> <p><strong><code>protected-files</code> object form compilation fixed</strong> — Workflows using the documented <code>{policy, exclude}</code> object form for <code>protected-files</code> were incorrectly rejected at compile time with <code>expected string or null, got object</code>. The schema now correctly allows the object form alongside the string shorthand. (<a href="https://redirect.github.com/github/gh-aw/pull/28341">#28341</a>)</p> </li> <li> <p><strong>APM-restored skills no longer clobbered in <code>pull_request</code> runs</strong> — Skills installed by <code>pre-agent-steps</code> (e.g. from <code>.github/skills/</code>) were silently overwritten because the "Restore agent config folders" step executed <em>after</em> <code>pre-agent-steps</code>. The step ordering is now correct for <code>pull_request</code> triggers. (<a href="https://redirect.github.com/github/gh-aw/pull/28290">#28290</a>)</p> </li> <li> <p><strong><code>push_to_pull_request_branch</code> patch size now uses incremental diff</strong> — On long-running branches, <code>max_patch_size</code> was measured against the full cumulative diff from the default branch rather than the net change since the last push. Each iteration now measures only the incremental <code>git diff</code> against the PR branch head, preventing spurious size-limit rejections. (<a href="https://redirect.github.com/github/gh-aw/pull/28198">#28198</a>)</p> </li> <li> <p><strong><code>design-decision-gate</code> reliability</strong> — Raised <code>max-turns</code> from 15 → 20 and added <code>git ls-remote:*</code> to allowed tools. The workflow was exhausting all turns on <code>copilot/*</code> PRs before completing useful work. An explicit MCP fallback table ensures the agent switches to GitHub MCP tools when pre-fetched context files are unavailable. (<a href="https://redirect.github.com/github/gh-aw/pull/28353">#28353</a>)</p> </li> <li> <p><strong><code>jsweep</code> workflow no longer runs to 60 turns</strong> — Added explicit exit criteria after PR creation. Previously the agent kept calling <code>create_pull_request</code> in a loop consuming 4.64M tokens/run. (<a href="https://redirect.github.com/github/gh-aw/pull/28322">#28322</a>)</p> </li> <li> <p><strong><code>audit</code>/<code>audit-diff</code> MCP tools now return structured JSON consistently</strong> — These tools were setting <code>IsError: true</code> on failure and routing output to stderr, unlike <code>logs</code> and <code>compile</code> which always return structured JSON. Behaviour is now consistent. (<a href="https://redirect.github.com/github/gh-aw/pull/28291">#28291</a>)</p> </li> <li> <p><strong>Model update in <code>github-remote-mcp-auth-test</code></strong> — Replaced the unavailable <code>gpt-5.1-codex-mini</code> model with <code>gpt-5.4-mini</code>, fixing 3+ days of consecutive workflow failures. (<a href="https://redirect.github.com/github/gh-aw/pull/28321">#28321</a>)</p> </li> <li> <p><strong>MCP Gateway v0.2.30 compatibility</strong> — The <code>mempalace</code> shared config now includes the required <code>container</code> field on stdio server entries, fixing <code>daily-fact</code> workflow failures after the gateway schema tightened. (<a href="https://redirect.github.com/github/gh-aw/pull/28288">#28288</a>)</p> </li> </ul> <h3>✨ What's New</h3> <ul> <li> <p><strong>Hippo memory vector embeddings</strong> — New <code>hippo-embed</code> maintenance workflow generates vector embeddings for all Hippo memories (previously <1% were embedded, making semantic recall nearly non-functional). The <code>daily-hippo-learn</code> workflow now runs <code>hippo embed</code> on every cycle to keep the index current. (<a href="https://redirect.github.com/github/gh-aw/pull/28178">#28178</a>)</p> </li> <li> <p><strong>Claude <code>bypassPermissions</code> tool enforcement documented and hardened</strong> — When Claude Code runs in <code>bypassPermissions</code> mode (triggered by unrestricted bash access), <code>--allowed-tools</code> is silently ignored. The MCP gateway <code>allowed:</code> filter is now the documented sole effective tool boundary in this mode, with implementation notes added to prevent regressions. (<a href="https://redirect.github.com/github/gh-aw/pull/28174">#28174</a>)</p> </li> </ul> <h3>⚡ Performance</h3> <ul> <li><strong><code>docs-noob-tester</code> token usage reduced ~70%</strong> — Server setup (npm install, Astro dev server startup, readiness polling, bridge IP detection) now runs in <code>pre-agent-steps</code> before the agent starts, saving ~700K–1M tokens/run. Timeout reduced from 45 → 30 minutes. (<a href="https://redirect.github.com/github/gh-aw/pull/28343">#28343</a>)</li> </ul> <h3>📚 Documentation</h3> <ul> <li><strong>Docs table wrapping on tablet screens</strong> — Markdown tables on 641px–768px viewports were silently clipped without horizontal scroll. A new rehype plugin wraps tables in a scrollable container. (<a href="https://redirect.github.com/github/gh-aw/pull/28280">#28280</a>)</li> </ul> <h3>🌍 Community Contributions</h3>  <h3><code>@edgeq</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/28315">[Bug] protected-files object form fails compilation despite being documented</a> <em>(direct issue)</em></li> </ul> <h3><code>@mrjf</code></h3> <ul> <li><a href="https://redirect.github.com/github/gh-aw/issues/28197">push_to_pull_request_branch should compute patch size relative to PR branch head, not checkout base</a> <em>(direct issue)</em></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/gh-aw/commit/f01a9d118afa6e306f3645ca31e43f4ea8fb4d22"><code>f01a9d1</code></a> fix(design-decision-gate): add git ls-remote permission, raise turn limit to ...</li> <li><a href="https://github.com/github/gh-aw/commit/f216a16966711135c417cc99132f719ce3a3fe40"><code>f216a16</code></a> fix(security): remove readiness check from MemPalace MCP server startup (<a href="https://redirect.github.com/github/gh-aw/issues/28340">#28340</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/9c675c394593f1f1ac875cabeb00ce0f4b0bbe8e"><code>9c675c3</code></a> fix: add regression tests for protected-files object form compilation (<a href="https://redirect.github.com/github/gh-aw/issues/28341">#28341</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/7a54b74bdf742d32aa342a6fad2ab7f9cc77cfc6"><code>7a54b74</code></a> optimize: move docs-noob-tester setup to pre-agent-steps, slim prompt, reduce...</li> <li><a href="https://github.com/github/gh-aw/commit/6eef2183c8823f1af6e390a8f540de1170c6f48a"><code>6eef218</code></a> feat: use actions/cache and artifacts for APM bundle with lock file hash + en...</li> <li><a href="https://github.com/github/gh-aw/commit/66e31209e73317c200108d51d0ef7b513bf72f5f"><code>66e3120</code></a> fix: replace unsupported model pins in 5 workflow frontmatters (<a href="https://redirect.github.com/github/gh-aw/issues/28323">#28323</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/04ae1fe186d0da2477e151a8fc55b6605c29cb5f"><code>04ae1fe</code></a> build(deps): Bump go.opentelemetry.io/otel (<a href="https://redirect.github.com/github/gh-aw/issues/28337">#28337</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/53cf9b37f2c73d5e7f5a5529be1355a619e3c9b2"><code>53cf9b3</code></a> fix: replace unsupported gpt-5.1-codex-mini model in github-remote-mcp-auth-t...</li> <li><a href="https://github.com/github/gh-aw/commit/194ffd48d4c6ea6f86cd4e6d1d313bf18aefba5a"><code>194ffd4</code></a> Apply progressive disclosure to firewall blocked domains alert (<a href="https://redirect.github.com/github/gh-aw/issues/28332">#28332</a>)</li> <li><a href="https://github.com/github/gh-aw/commit/75491ff72d1793a05ff26412aec58e72aa8f39a8"><code>75491ff</code></a> jsweep: add Done Conditions to prevent runaway PR creation loop (<a href="https://redirect.github.com/github/gh-aw/issues/28322">#28322</a>)</li> <li>Additional commits viewable in <a href="https://github.com/github/gh-aw/compare/ce1794953e0ec42adc41b6fca05e02ab49ee21c3...f01a9d118afa6e306f3645ca31e43f4ea8fb4d22">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/gh-aw&package-manager=github_actions&previous-version=0.68.3&new-version=0.71.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Ashikhmin <34320705+yperbasis@users.noreply.github.com>