
[integrity-audit] Integrity Filtering Audit — github/gh-aw (2026-07-02) #8482


@github-actions

Integrity Filtering Audit — github/gh-aw

Audit period: Last 24 hours (2026-07-01T06:28Z – 2026-07-02T06:49Z)
Runs analyzed: 30 completed runs in github/gh-aw
Runs with MCP agent artifacts: 7 | Runs fully analyzed: 5
MCP Gateway version: v0.3.32

Findings Summary

| Severity | Count | Description |
|---|---|---|
| 🔴 Critical | 0 | No data leaks, guard bypasses, or labeling failures |
| 🟡 Warning | 3 | JSON config startup failure; WASM cache permission error; Copilot provider auth failure |
| 🟢 Info | 3 | Zero DIFC events (expected); 16 action_required approval gates; Anthropic API via allowed proxy |
Warnings

W-1 — JSON Config Parse Error Breaks Gateway Startup

Run: 28570446454 · Workflow: GitHub Remote MCP Authentication Test · Conclusion: failure

The MCP Gateway failed to start at the Start MCP Gateway step:

[error] Bad escaped character in JSON at position 162 (line 7 column 35)
[error] Likely offending key: Authorization

The github HTTP server's Authorization header token was raw-interpolated into JSON without escaping. The token contained special characters that broke JSON validity. The agent was never invoked and no DIFC filtering occurred.

Fix: Update start_mcp_gateway.cjs to JSON-encode string values (e.g., JSON.stringify(token)) rather than raw-interpolating them. Alternatively use the gateway's ${VAR} environment variable expansion (evaluated inside the container) for secrets.


W-2 — WASM Compilation Cache Permission Denied (Recurring)

Runs: 28570641675 (SubAgent), 28570249641 (Schema Checker)

[WARN] Falling back to in-memory WASM compilation cache after "/tmp/gh-aw/wazero-cache" failed:
       mkdir /tmp/gh-aw/wazero-cache: permission denied

The DIFC proxy sidecar cannot create the Wazero cache directory. Falls back to in-memory recompilation each run — no impact on filtering correctness, but increases cold-start latency.

Fix: Pre-create /tmp/gh-aw/wazero-cache with correct ownership before the proxy sidecar starts, or verify the proxy container has write access to the path.


W-3 — Copilot Provider 403 Causes Run Failure

Run: 28570641675 · Workflow: Daily Sub-Agent Model Resolution Audit · Conclusion: failure

13 consecutive authentication failures: `HTTP 403 at (172.30.0.30/redacted)`. The MCP Gateway started and the WASM guard was loaded, but the Copilot provider was not configured for this run. The agent never reached a point where GitHub API calls were made.

Fix: Add a pre-flight check that validates the Copilot provider is reachable/authorized before launching the agent, or verify the gpt-5.5 model endpoint credentials are provisioned consistently.

Informational

I-1 — Zero DIFC Labelled Events (Expected)

All analyzed runs showed 0 DIFC events in rpc-messages.jsonl. This is expected: agents used only agenticworkflows and safeoutputs MCP servers. The github MCP server (with WASM guard 00-github-guard.wasm, policy {"allow-only":{"min-integrity":"approved","repos":"all"}}) was configured in AgentRx and SubAgent but the agents only issued tools/list — no tools/call. DIFC metadata only attaches to actual tool call responses.

No direct API bypass attempts (api.github.com via curl/fetch) were detected in any run. All external traffic went through allowed channels.

I-2 — 16× action_required Approval Gates

"Agentic Commands" and "Q" workflows require manual environment approval before the agent starts. No artifacts are produced; no MCP gateway runs. Expected behavior.

I-3 — Anthropic API via Allowed Proxy (AgentRx)

Run 28570677988: 101 TCP_TUNNEL to api.anthropic.com:443 (in squid allowlist). 3 TCP_DENIED for awmg-mcpg:8080 (expected — MCP calls use direct container networking, not squid). No OpenAI/ChatGPT bypass attempts detected.

Runs Analyzed

| Run | Workflow | Conclusion | Agent Invoked | DIFC (labelled/filtered) | Notes |
|---|---|---|---|---|---|
| 28570677988 | Daily AgentRx Trace Optimizer | ✅ success | | 0/0 | WASM guard loaded; 22 RPC msgs; no github tool calls |
| 28570641675 | Daily Sub-Agent Model Resolution Audit | ❌ failure | ❌ auth 403×13 | 0/0 | WASM guard loaded; Copilot provider down; WASM cache denied |
| 28571144472 | Daily Safe Outputs Conformance Checker | ✅ success | | 0/0 | 4 RPC msgs (safeoutputs noop only) |
| 28570446454 | GitHub Remote MCP Authentication Test | ❌ failure | ❌ gateway failed | 0/0 | JSON parse error in Authorization header |
| 28570249641 | Schema Consistency Checker | ✅ success | | 0/0 | 4 RPC msgs (safeoutputs noop only); WASM cache denied |
| 16× | Agentic Commands / Q | ⏸️ action_required | ❌ approval gate | N/A | Environment protection gate |

Recommendations

  1. W-1 Fix JSON config builder: Properly JSON-encode all secret values in start_mcp_gateway.cjs rather than raw string interpolation. Use the gateway's ${VAR} expansion for sensitive headers.

  2. W-2 Fix WASM cache permissions: Pre-create /tmp/gh-aw/wazero-cache with correct ownership or confirm proxy container has write access to the path.

  3. W-3 Copilot provider health check: Add a pre-flight validation step to detect unconfigured/unauthorized Copilot providers before the agent is invoked.

  4. Future audits: No runs actually invoked github MCP tools during this period, so the WASM guard filtering logic was not exercised end-to-end. Consider adding a canary test that makes a filtered GitHub API call to verify guard correctness each audit cycle.

Generated by Integrity Filtering Audit · 379.9 AIC · ⊞ 8.6K ·
