🔍 Agentic Workflow Audit Report — 2026-02-27

[github-actions[bot]]

Audit Summary

• Period: 2026-02-26T05:42 UTC → 2026-02-27T05:42 UTC (last 24 hours)
• Runs Analyzed: 12 completed runs
• Workflows Active: 12 distinct workflows
• Success Rate: 58.3% (7/12) ⚠️
• Issues Found: 4 distinct issues (5 failures, 3 missing tools)
• Total Tokens: 35,133,423
• Total Estimated Cost: $3.02
• Total Turns: 90

This audit identified two critical recurring failure patterns causing 5 out of 12 run failures: Issue Monster's lockdown mode misconfiguration (3 failures) and a transient safeoutputs MCP server crash due to a missing module (2 failures, self-resolved by ~04:00 UTC).

---

Workflow Health

The 58.3% success rate is below healthy targets. Five failures were observed across 4 workflows. Issue Monster accounted for 3 consecutive failures due to a persistent configuration issue (missing GH_AW_GITHUB_TOKEN), while 2 other failures (jsweep and Scout) resulted from a transient module-loading error in the safeoutputs MCP server that appeared to resolve itself after ~04:00 UTC.

---

Token Usage & Cost

Duplicate Code Detector (Codex engine) consumed a disproportionately large 26.5M tokens (75% of all tokens). Only 2 workflows reported estimable costs: Daily Documentation Updater ($2.15) and Scout ($0.87). Note: Copilot-engine token costs are not tracked in the current pipeline.

---

Critical Errors

🔴 Issue Monster — Lockdown Mode Token Not Configured (3 failures)

Issue Monster failed 3 consecutive times (runs §22471028273, §22472570736, §22473547444) due to the same root cause:

Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.
Please configure one of the following as a repository secret:
  - GH_AW_GITHUB_TOKEN (recommended)
  - GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)
```

**Action Required**: Set `GH_AW_GITHUB_TOKEN` secret via `gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"`

#### 🔴 safeoutputs MCP Server Crash — Missing Module (2 failures, transient)

Both jsweep ([§22471041111](https://github.com/github/gh-aw/actions/runs/22471041111)) and Scout ([§22471640820](https://github.com/github/gh-aw/actions/runs/22471640820)) failed in the agent job due to a Node.js module resolution error:

```
Error: Cannot find module './repo_helpers.cjs'
Require stack:
  - /opt/gh-aw/safeoutputs/safe_outputs_handlers.cjs
  - /opt/gh-aw/safeoutputs/safe_outputs_mcp_server_http.cjs
  - /opt/gh-aw/safeoutputs/mcp-server.cjs

Both occurred before 04:00 UTC. Subsequent runs (Scout at 04:36 UTC, Daily Documentation Updater at 04:18 UTC) succeeded — suggesting a transient deployment gap where repo_helpers.cjs was temporarily missing. Worth investigating if a deployment was in progress during that window.

---

Missing Tools Analysis

Tool	Count	Workflow Affected	Reason
noop	1	Duplicate Code Detector	Tool not included in workflow's allowed safe-output list
create_pull_request (safeoutputs)	1	Daily Documentation Updater	Backend error: context is not defined
GitHub MCP tools (list_issues, get_repository)	1	GitHub Remote MCP Auth Test	MCP toolsets unavailable in runner — tools not loaded

Note on noop missing: Duplicate Code Detector explicitly reported needing to call noop (no duplicates found) but the tool wasn't in its allowed list. This is a workflow misconfiguration — noop should be available to all workflows as a no-op completion signal.

---

MCP Server Analysis

MCP Server Usage Details

Server	Requests	Errors	Notes
github	41	0	Healthy — issue_read, pull_request_read, search queries
safeoutputs	15	3	3 errors — create_pull_request failures
serena	17	0	Used by Daily Documentation Updater
tavily	2	0	Search tool — used in 1 workflow

safeoutputs error detail: create_pull_request was called 3 times, all failing with "context is not defined" backend error. The Daily Documentation Updater successfully committed docs changes to branch docs/update-android-arm64-stem-commands-2026-02-27 but could not open a PR.

---

Firewall Analysis

• Total Requests: 550
• Allowed Requests: 292 (53%)
• Blocked Requests: 258 (47%)

Request Breakdown by Workflow

Workflow	Allowed	Blocked	Rate
Chroma Issue Indexer	80	65	55% allowed
Contribution Check	61	41	60% allowed
Daily Documentation Updater	60	44	58% allowed
Duplicate Code Detector	25	35	42% allowed
GitHub Remote MCP Auth Test	32	20	62% allowed
Copilot PR Prompt Analysis	18	32	36% allowed
Scout	16	21	43% allowed

All blocked requests are logged under domain "-" which represents non-external network calls (internal GitHub Actions infrastructure). All actual AI API calls to api.anthropic.com, api.githubcopilot.com, api.openai.com, and raw.githubusercontent.com were allowed. No unexpected blocked domains detected.

---

Performance Metrics

Workflow	Tokens	Est. Cost	Turns	Duration
Duplicate Code Detector (Codex)	26,513,409	—	17	6.0m
Chroma Issue Indexer	2,444,667	—	—	7.2m
Daily Documentation Updater (Claude)	2,488,541	$2.15	57	6.0m
Contribution Check	1,574,770	—	—	5.8m
Scout (success)	699,399	$0.87	16	4.7m
GitHub Remote MCP Auth Test	863,923	—	—	4.1m
Copilot PR Prompt Analysis	548,714	—	—	5.6m

High token alert: Duplicate Code Detector consumed 26.5M tokens — ~75% of all tokens in the 24h window. This is significantly higher than other workflows. Consider reviewing its scope or adding token limits.

---

Recommendations

1. [Critical] Configure GH_AW_GITHUB_TOKEN for Issue Monster — 3 consecutive failures will continue until the lockdown mode secret is set. Run: gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"

2. [High] Investigate repo_helpers.cjs deployment — The transient safeoutputs MCP crash (jsweep + Scout before 04:00 UTC) suggests repo_helpers.cjs was missing during a deployment window. Ensure the module is consistently included in safeoutputs deployments.

3. [High] Fix create_pull_request backend error — The "context is not defined" error in the safeoutputs MCP backend is blocking Daily Documentation Updater from creating PRs. The doc changes are stranded on branch docs/update-android-arm64-stem-commands-2026-02-27.

4. [Medium] Add noop to Duplicate Code Detector's allowed tools — The workflow correctly identified nothing to do but couldn't call noop. All workflows should have noop available as a fallback completion signal.

5. [Medium] Review Duplicate Code Detector token consumption — At 26.5M tokens per run (Codex), this workflow dominates token usage. Consider scoping it to specific file patterns or adding early-exit conditions.

6. [Low] Investigate GitHub Remote MCP Auth Test — MCP toolsets unavailable in runner may indicate an auth or configuration issue with the remote MCP server test setup.

---

Historical Context

This is the first audit entry in repo memory. No historical baseline available yet. Subsequent audits will compare against this baseline.

Baseline established:

• Success rate: 58.3% (target: >85%)
• Total daily tokens: 35.1M
• Total daily cost (tracked): $3.02
• Active failure patterns: 4

---

Next Steps

• Set GH_AW_GITHUB_TOKEN secret for Issue Monster lockdown mode
• Review repo_helpers.cjs deployment packaging for safeoutputs MCP
• Fix create_pull_request "context is not defined" backend error
• Add noop to Duplicate Code Detector safe-output tool allowlist
• Review Duplicate Code Detector token budget

References:

• §22473547444 — Issue Monster (lockdown failure)
• §22471041111 — jsweep (safeoutputs MCP crash)
• §22472570756 — Daily Documentation Updater (missing create_pull_request)

AI generated by Agentic Workflow Audit Agent

• expires on Feb 28, 2026, 5:52 AM UTC

[pelikhan]

/plan

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-28T05:52:45.557Z.

Closed by Workflow