Integrity Filtering Audit — github/gh-aw
Audit period: Last 24 hours (2026-07-01T06:28Z – 2026-07-02T06:49Z)
Runs analyzed: 30 completed runs in github/gh-aw
Runs with MCP agent artifacts: 7 | Runs fully analyzed: 5
MCP Gateway version: v0.3.32
Findings Summary
| Severity | Count | Description |
| --- | --- | --- |
| 🔴 Critical | 0 | No data leaks, guard bypasses, or labeling failures |
| 🟡 Warning | 3 | JSON config startup failure; WASM cache permission error; Copilot provider auth failure |
| 🟢 Info | 3 | Zero DIFC events (expected); 16 action_required approval gates; Anthropic API via allowed proxy |
Warnings
W-1 — JSON Config Parse Error Breaks Gateway Startup
Run: 28570446454 · Workflow: GitHub Remote MCP Authentication Test · Conclusion: failure
The MCP Gateway failed to start at the Start MCP Gateway step:
[error] Bad escaped character in JSON at position 162 (line 7 column 35)
[error] Likely offending key: Authorization
The github HTTP server's Authorization header token was raw-interpolated into JSON without escaping. The token contained special characters that broke JSON validity. The agent was never invoked and no DIFC filtering occurred.
Fix: Update start_mcp_gateway.cjs to JSON-encode string values (e.g., JSON.stringify(token)) rather than raw-interpolating them. Alternatively use the gateway's ${VAR} environment variable expansion (evaluated inside the container) for secrets.
W-2 — WASM Compilation Cache Permission Denied (Recurring)
Runs: 28570641675 (SubAgent), 28570249641 (Schema Checker)
[WARN] Falling back to in-memory WASM compilation cache after "/tmp/gh-aw/wazero-cache" failed:
mkdir /tmp/gh-aw/wazero-cache: permission denied
The DIFC proxy sidecar cannot create the Wazero cache directory. It falls back to in-memory recompilation on each run — no impact on filtering correctness, but cold-start latency increases.
Fix: Pre-create /tmp/gh-aw/wazero-cache with correct ownership before the proxy sidecar starts, or verify the proxy container has write access to the path.
W-3 — Copilot Provider 403 Causes Run Failure
Run: 28570641675 · Workflow: Daily Sub-Agent Model Resolution Audit · Conclusion: failure
13 consecutive authentication failures: `HTTP 403 at (172.30.0.30/redacted)`. The MCP Gateway started and the WASM guard was loaded, but the Copilot provider was not configured for this run. The agent never reached a point where GitHub API calls were made.
Fix: Add a pre-flight check that validates the Copilot provider is reachable/authorized before launching the agent, or verify the gpt-5.5 model endpoint credentials are provisioned consistently.
Informational
I-1 — Zero DIFC Labelled Events (Expected)
All analyzed runs showed 0 DIFC events in rpc-messages.jsonl. This is expected: agents used only agenticworkflows and safeoutputs MCP servers. The github MCP server (with WASM guard 00-github-guard.wasm, policy {"allow-only":{"min-integrity":"approved","repos":"all"}}) was configured in AgentRx and SubAgent but the agents only issued tools/list — no tools/call. DIFC metadata only attaches to actual tool call responses.
No direct API bypass attempts (api.github.com via curl/fetch) were detected in any run. All external traffic went through allowed channels.
I-2 — 16× action_required Approval Gates
"Agentic Commands" and "Q" workflows require manual environment approval before the agent starts. No artifacts are produced; no MCP gateway runs. Expected behavior.
I-3 — Anthropic API via Allowed Proxy (AgentRx)
Run 28570677988: 101 TCP_TUNNEL to api.anthropic.com:443 (in squid allowlist). 3 TCP_DENIED for awmg-mcpg:8080 (expected — MCP calls use direct container networking, not squid). No OpenAI/ChatGPT bypass attempts detected.
Runs Analyzed
| Run | Workflow | Conclusion | Agent Invoked | DIFC (labelled/filtered) | Notes |
| --- | --- | --- | --- | --- | --- |
| 28570677988 | Daily AgentRx Trace Optimizer | ✅ success | ✅ | 0/0 | WASM guard loaded; 22 RPC msgs; no github tool calls |
| 28570641675 | Daily Sub-Agent Model Resolution Audit | ❌ failure | ❌ auth 403×13 | 0/0 | WASM guard loaded; Copilot provider down; WASM cache denied |
| 28571144472 | Daily Safe Outputs Conformance Checker | ✅ success | ✅ | 0/0 | 4 RPC msgs (safeoutputs noop only) |
| 28570446454 | GitHub Remote MCP Authentication Test | ❌ failure | ❌ gateway failed | 0/0 | JSON parse error in Authorization header |
| 28570249641 | Schema Consistency Checker | ✅ success | ✅ | 0/0 | 4 RPC msgs (safeoutputs noop only); WASM cache denied |
| 16× | Agentic Commands / Q | ⏸️ action_required | ❌ approval gate | N/A | Environment protection gate |
Recommendations
- W-1 Fix JSON config builder: Properly JSON-encode all secret values in start_mcp_gateway.cjs rather than raw string interpolation. Use the gateway's ${VAR} expansion for sensitive headers.
- W-2 Fix WASM cache permissions: Pre-create /tmp/gh-aw/wazero-cache with correct ownership or confirm the proxy container has write access to the path.
- W-3 Copilot provider health check: Add a pre-flight validation step to detect unconfigured/unauthorized Copilot providers before the agent is invoked.
- Future audits: No runs actually invoked github MCP tools during this period, so the WASM guard filtering logic was not exercised end-to-end. Consider adding a canary test that makes a filtered GitHub API call to verify guard correctness each audit cycle.
Generated by Integrity Filtering Audit