| Domain | Allowed | Denied |
|----------------|---------|--------|
| github.com | 2 | 0 |
| chatgpt.com | 0 | 1 |
| api.openai.com | 1 | 0 |
| ab.chatgpt.com | 0 | 1 |
```
- **Likely cause**: The AI Moderator workflow (or one of its npm/runtime dependencies) attempts to reach the ChatGPT web UI (`chatgpt.com`, `ab.chatgpt.com`) — possibly for analytics, a telemetry beacon, or an unintended dependency. The `api.openai.com` access is explicitly allowed (the workflow uses the OpenAI API for moderation) and routes directly — **not** through the MCP Gateway.
- **Note**: `api.openai.com` being in the allow list is intentional, but it bypasses the MCP Gateway entirely for AI model calls.
- **Recommended fix**:
1. Audit the AI Moderator workflow dependencies for any code that contacts `chatgpt.com` or `ab.chatgpt.com`. Remove or block those calls.
2. Verify whether `api.openai.com` should remain in the allow list or be routed through the MCP Gateway for auditability.
3. Strengthen the agent system prompt (see `shared/mcp-api-routing.md`) to restrict all non-approved external network calls.
---
#### W-1b — Running Copilot cloud agent: Direct `api.github.com` access via `gh api graphql`
- **Workflow**: Running Copilot cloud agent (Copilot coding agent)
- **Run affected**: [24421151449](https://github.com/github/gh-aw/actions/runs/24421151449) (failure, 2026-04-14T20:24)
- **Blocked domain**: `api.github.com`
- **Block count**: 3 blocked attempts (from test binary, `git rev-list`, and `gh api graphql`)
**Firewall warning in job log:**
```
⚠️ Warning: I tried to connect to the following addresses, but was blocked by firewall rules:
- `api.github.com`
- Triggering Command: /tmp/go-build.../cli.test ... -test.run=^Test
- Triggering Command: /usr/bin/gh api graphql -f query=query($owner:String!, $name:String!) { repository(...) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw
```
- **Likely cause**: The `gh-aw` test suite contains integration tests that call `api.github.com` directly via `gh api graphql` instead of routing through the MCP Gateway. The Copilot coding agent ran these tests during task execution on branch `copilot/split-logs-report-by-section`, triggering the firewall blocks.
- **Additional issue**: The "Setup uv" step also failed in this run (and in run [24421130214](https://github.com/github/gh-aw/actions/runs/24421130214)), causing the Copilot coding agent workflow to fail. This is an infrastructure issue unrelated to DIFC but contributed to the failure.
- **Recommended fix**:
1. The `gh-aw` repo's integration tests should mock or skip `api.github.com` calls when running inside the Copilot coding agent sandbox (where the firewall is active and GitHub API calls must go through the MCP Gateway).
2. Review `shared/mcp-api-routing.md` for constraint language to add to the agent system prompt.
3. Consider adding the GitHub API route to the test runner's approved path via MCP Gateway rather than direct access.
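
The firewall warnings quoted above (and the per-domain counts in the W-1a table) can be extracted from job logs mechanically rather than by reading them. The following Python is an added example, not part of this audit or of gh-aw: it parses the `Warning: I tried to connect to the following addresses...` block format shown in the log excerpt into blocked-domain counts, groups the blocks by the triggering program (the attribution step behind "from test binary, `git rev-list`, and `gh api graphql`"), and flags blocked destinations that are not among the ones a workflow is known to need. The sample log is constructed; the command paths in it (the `node` invocation under `chatgpt.com` in particular) are placeholders, not values observed in the audited runs.

```python
import os
import re
from collections import Counter, defaultdict

# Constructed sample log in the format of the firewall warning quoted above. The command
# lines are placeholders (the `node` path especially), not values observed in the audit.
SAMPLE_LOG = """\
2026-04-14T20:24:01Z ⚠️ Warning: I tried to connect to the following addresses, but was blocked by firewall rules:
- `api.github.com`
  - Triggering Command: /usr/bin/gh api graphql -f query=query($owner:String!, $name:String!) { repository(owner:$owner, name:$name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw
  - Triggering Command: /usr/bin/git rev-list --count HEAD
- `chatgpt.com`
  - Triggering Command: /usr/bin/node /work/node_modules/.bin/placeholder-dependency
2026-04-14T20:25:10Z ⚠️ Warning: I tried to connect to the following addresses, but was blocked by firewall rules:
- `api.github.com`
  - Triggering Command: /tmp/go-build000/cli.test -test.run=^Test
"""

# A domain entry is "- `host`" on its own line; command lines follow it, indented or not
# (the job log above shows them flattened to the same level as the domain line).
DOMAIN_RE = re.compile(r"^\s*-\s+`([A-Za-z0-9.-]+)`\s*$")
COMMAND_RE = re.compile(r"^\s*-\s+Triggering Command:\s+(\S.*)$")


def parse_firewall_warnings(log: str) -> dict:
    """Map each blocked domain to every command line that triggered a block on it."""
    blocked = defaultdict(list)
    current = None
    for line in log.splitlines():
        if (m := DOMAIN_RE.match(line)):
            current = m.group(1)            # a new "- `domain`" entry opens a group
        elif (m := COMMAND_RE.match(line)) and current:
            blocked[current].append(m.group(1).rstrip())
        elif line.strip() and not line.lstrip().startswith("-"):
            current = None                  # header/timestamp line closes the group
    return dict(blocked)


def block_counts(blocked: dict) -> dict:
    """Blocked attempts per domain: the 'Denied' column of the firewall table."""
    return {domain: len(cmds) for domain, cmds in blocked.items()}


def triggering_programs(blocked: dict) -> dict:
    """Per domain, count which program (argv[0] basename) made the attempts, so a block
    can be attributed to a test binary, to git, or to a CLI call rather than to 'the job'."""
    return {domain: dict(Counter(os.path.basename(cmd.split(None, 1)[0]) for cmd in cmds))
            for domain, cmds in blocked.items()}


def unexpected_destinations(blocked: dict, expected: set) -> list:
    """Blocked domains that are not among the destinations the workflow is known to need.
    These are the ones that warrant a dependency audit, as recommended for W-1a."""
    return sorted(d for d in blocked if d not in expected)


if __name__ == "__main__":
    blocked = parse_firewall_warnings(SAMPLE_LOG)
    print(block_counts(blocked))
    print(triggering_programs(blocked))
    print(unexpected_destinations(blocked, {"api.github.com", "api.openai.com"}))
```

The `expected` set is the reviewer's knowledge of what the workflow legitimately talks to; a domain that is blocked *and* unexpected (here `chatgpt.com`) is the W-1a signal, while a blocked but expected domain (`api.github.com`) points at a routing problem of the W-1b kind rather than at an unknown dependency.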
</details>
<details>
<summary><b>Informational</b></summary>
#### I-1 — DIFC guard functioning correctly (AI Moderator)
Run [24418807601](https://github.com/github/gh-aw/actions/runs/24418807601) shows the DIFC guard is initialized and processing requests:
- Guard initialized: `[DIFC] Initializing guard session state: server=github, session=***, policy_source=server`
- WASM guard active and responding without errors
- `label_agent` called: policy `{"allow-only":{"repos":"all","min-integrity":"none"}}`, response: `{"agent":{"secrecy":[],"integrity":["none:all"]},"difc_mode":"filter"}`
- `label_resource` called for `issue_read` on `github/gh-aw` — guard verified repo visibility via `search_repositories` backend call
- No WASM traps, no guard errors, no `unreachable` panics
#### I-2 — AI Moderator DIFC policy is maximally permissive
The AI Moderator workflow uses `min-integrity: none` and `repos: all` with `difc_mode: filter`. This means:
- No items are filtered (all integrity levels allowed)
- All repositories are in scope
- The guard runs but produces no filtering — this appears intentional for a content moderation workflow that needs to read all issues regardless of integrity.
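
To make the "filters nothing" observation concrete, here is an added, simplified stand-in for the guard's filter step (example code, not gh-aw's DIFC implementation): it derives an agent label of the same shape as the `label_agent` response quoted in I-1 from an `allow-only` policy, then applies it in `filter` mode to a constructed list of resources. Only the policy and response shapes come from the report; the integrity level names other than `none`, the resource fields, and the "repo in scope and level at or above the minimum" rule are assumptions made for the illustration, as is the stricter contrast policy.

```python
# Constructed ordering of integrity levels for this toy model. Only "none" occurs in the
# audited run; "low" and "high" are hypothetical placeholders, not gh-aw vocabulary.
INTEGRITY_ORDER = ["none", "low", "high"]


def agent_label(policy: dict) -> dict:
    """Derive an agent label of the same shape as the `label_agent` response in I-1.
    Simplified model: one allow-only rule becomes one "<min-integrity>:<repos>" tag."""
    rule = policy["allow-only"]
    tag = f"{rule['min-integrity']}:{rule['repos']}"
    return {"agent": {"secrecy": [], "integrity": [tag]}, "difc_mode": "filter"}


def resource_passes(agent: dict, resource: dict) -> bool:
    """A resource is kept if some agent tag covers its repo and its integrity level is at
    least the tag's minimum. `repos` is "all" or a comma-separated list (assumed encoding)."""
    for tag in agent["agent"]["integrity"]:
        min_level, repos = tag.split(":", 1)
        in_scope = repos == "all" or resource["repo"] in repos.split(",")
        meets_min = INTEGRITY_ORDER.index(resource["integrity"]) >= INTEGRITY_ORDER.index(min_level)
        if in_scope and meets_min:
            return True
    return False


def filter_resources(policy: dict, resources: list) -> list:
    """Apply the policy in `filter` mode: drop what fails, keep the rest."""
    agent = agent_label(policy)
    return [r for r in resources if resource_passes(agent, r)]


# Constructed resources standing in for issues the agent reads; "example/other" is a
# hypothetical repository.
SAMPLE_RESOURCES = [
    {"id": 1, "repo": "github/gh-aw", "integrity": "high"},
    {"id": 2, "repo": "github/gh-aw", "integrity": "none"},
    {"id": 3, "repo": "example/other", "integrity": "high"},
]

# The AI Moderator policy exactly as quoted in I-1.
PERMISSIVE_POLICY = {"allow-only": {"repos": "all", "min-integrity": "none"}}
# A hypothetical stricter policy for contrast (not from the report).
STRICT_POLICY = {"allow-only": {"repos": "github/gh-aw", "min-integrity": "high"}}

if __name__ == "__main__":
    print(agent_label(PERMISSIVE_POLICY))
    print([r["id"] for r in filter_resources(PERMISSIVE_POLICY, SAMPLE_RESOURCES)])  # every item kept
    print([r["id"] for r in filter_resources(STRICT_POLICY, SAMPLE_RESOURCES)])      # only id 1
```

Under the permissive policy the filter is the identity on any input, which is the point of I-2: the guard's cost is paid and its log lines appear, but no read is ever narrowed. The stricter policy shows what the same mechanism does once `min-integrity` and `repos` are actually constrained.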
#### I-3 — GitHub API rate limit hit (AI Moderator unlock job)
Run [24420822519](https://github.com/github/gh-aw/actions/runs/24420822519): the `unlock` job failed with HTTP 403:
```
GET /repos/github/gh-aw/issues/26276 - 403
API rate limit exceeded for installation.
```
This caused the overall workflow conclusion to be `failure`. The DIFC/agent portion ran correctly; the failure was in the post-agent cleanup phase.
#### I-4 — Audit window is partial (API pagination limit)
The GitHub REST API's 3,300-result pagination cap limits this audit to approximately the most recent 3.5 hours (19:03–22:36 UTC, 2026-04-14). Runs from the earlier 20+ hours of the 24-hour window are not accessible via the current method. For full 24-hour coverage, consider using time-filtered queries or artifact-based log aggregation.
</details>
---
### Integrity Filtering Audit — github/gh-aw
- **Audit period**: Last 24 hours (2026-04-13T22:36Z – 2026-04-14T22:36Z)
- **Runs analyzed**: ~3,300 completed runs (~3.5 hours of history — GitHub REST API pagination cap)
- **Runs with MCP/DIFC artifacts**: 2 (AI Moderator runs with full agent artifacts)
- **Runs with detailed job logs analyzed**: 5 key agent runs
### Findings Summary
- **Critical Findings**: None detected in the analyzed runs.
- **Warnings**: W-1a — AI Moderator: Direct connections to external AI services (`chatgpt.com`, `ab.chatgpt.com`). Workflow file: `ai-moderator.lock.yml`; blocked: `chatgpt.com` (1 block/run), `ab.chatgpt.com` (1 block/run); allowed: `api.openai.com` (1 allowed/run — present in firewall allow list). The firewall table (identical in both runs) is shown under W-1a above.
### Runs Analyzed
#26306
### Recommendations
1. **AI Moderator — `chatgpt.com` probes (W-1a)**: Audit the workflow's npm dependencies and agent invocation code for anything that touches `chatgpt.com` or `ab.chatgpt.com`. These domains are not in the allow list and are being blocked — but the fact that the code attempts the connection at all is a signal worth investigating. Verify whether `api.openai.com` should stay in the allow list or route through the MCP Gateway.
2. **Copilot coding agent — `api.github.com` bypass (W-1b)**: The `gh-aw` repo's integration tests call `api.github.com` directly. Update these tests to either: (a) skip when running inside the Copilot sandbox, (b) use the MCP Gateway, or (c) mock the API. See `shared/mcp-api-routing.md` for reusable MCP routing constraint language for agent prompts.
3. **`Setup uv` failures**: Two Copilot coding agent runs failed during `Setup uv`. This may be a transient issue or a version/registry access problem — investigate if it recurs.
4. **Expand audit window**: The current method only covers ~3.5 hours. For full 24-hour coverage, consider querying workflow runs with time-based filters or using artifact-level log aggregation (JSONL/`gateway.md`).
5. **DIFC policy review for AI Moderator**: The `min-integrity: none, repos: all` policy means the guard runs but filters nothing. Confirm this is intentional and document the rationale in the workflow config.
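
The "Expand audit window" recommendation (and the gap described in I-4) can be implemented by slicing the 24-hour window and issuing one `GET /repos/{owner}/{repo}/actions/runs` request per slice with the `created` date-range filter, which that endpoint accepts in GitHub search syntax. By the report's own figures (~3,300 runs in ~3.5 hours, roughly 940 runs per hour), one-hour slices keep each slice well inside the pagination cap. The Python below is an added example, not tooling from this report or from gh-aw; the sample response pages and their run ids are constructed, and the timestamps use the `+00:00` offset form that the search syntax documents.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode


def created_filter(start: datetime, end: datetime) -> str:
    """GitHub search-syntax date range for the `created` query parameter of
    GET /repos/{owner}/{repo}/actions/runs. Both datetimes must be timezone-aware."""
    fmt = "%Y-%m-%dT%H:%M:%S+00:00"
    start_utc = start.astimezone(timezone.utc).strftime(fmt)
    end_utc = end.astimezone(timezone.utc).strftime(fmt)
    return f"{start_utc}..{end_utc}"


def window_slices(start: datetime, end: datetime, step: timedelta) -> list:
    """Split [start, end] into consecutive slices of at most `step`."""
    slices, cursor = [], start
    while cursor < end:
        nxt = min(cursor + step, end)
        slices.append((cursor, nxt))
        cursor = nxt
    return slices


def run_list_paths(owner: str, repo: str, start: datetime, end: datetime,
                   step: timedelta = timedelta(hours=1), per_page: int = 100) -> list:
    """One API path per slice. urlencode matters here: a raw '+' from the +00:00 offset
    would be decoded as a space by the server and silently corrupt the filter."""
    return [f"/repos/{owner}/{repo}/actions/runs?"
            + urlencode({"per_page": per_page, "created": created_filter(s, e)})
            for s, e in window_slices(start, end, step)]


def merge_runs(pages: list) -> list:
    """Merge the `workflow_runs` arrays of several responses, de-duplicating by run id.
    `a..b` ranges are inclusive at both ends, so a run created exactly on a slice
    boundary second can legitimately come back from two adjacent slices."""
    seen = {}
    for page in pages:
        for run in page.get("workflow_runs", []):
            seen.setdefault(run["id"], run)
    return list(seen.values())


# The audit window stated in the report header.
AUDIT_START = datetime(2026, 4, 13, 22, 36, tzinfo=timezone.utc)
AUDIT_END = datetime(2026, 4, 14, 22, 36, tzinfo=timezone.utc)

# Constructed response pages; the ids are placeholders, not run ids from the report.
SAMPLE_PAGES = [
    {"workflow_runs": [{"id": 101, "conclusion": "success"}, {"id": 102, "conclusion": "failure"}]},
    {"workflow_runs": [{"id": 102, "conclusion": "failure"}, {"id": 103, "conclusion": "success"}]},
]

if __name__ == "__main__":
    for path in run_list_paths("github", "gh-aw", AUDIT_START, AUDIT_END):
        print(path)  # e.g. feed each path to `gh api --paginate "<path>"`, then merge_runs() the results
    print(len(merge_runs(SAMPLE_PAGES)), "distinct runs after de-duplication")
```

Each generated path can be handed to `gh api --paginate` (or any authenticated REST client) and the pages merged with `merge_runs`; because every slice is queried separately, the cap that truncated this audit to 3.5 hours applies per slice rather than to the whole day.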