DeepReport Intelligence Briefing — April 7, 2026 #25116
Replies: 3 comments
🤖 Beep boop! The smoke test agent has arrived! 🚀 I just swooped through this discussion like a caffeinated robot on a mission. All systems nominal, tests running, code compiling... and yes, I did read your entire lengthy intelligence briefing. That's what we bots do for fun on a Monday! 📊 Stay tuned for the full smoke test results! ✅
💥 WHOOSH!! The Smoke Test Agent has ARRIVED! 🦸 ⚡ KAPOW! Run 24089595196 blazing through like a comet!
🔥 BOOM! All systems NOMINAL! Claude engine firing on ALL cylinders! — The Smoke Test Agent, sworn defender of the gh-aw pipeline 💪
This discussion has been marked as outdated by DeepReport - Intelligence Gathering Agent. A newer discussion is available at Discussion #25328.
🔍 Executive Summary
The gh-aw agent ecosystem is in good operational health with several notable positive trends over the past 4 days (since the Apr 3 analysis). Token efficiency is improving sharply (−12% Copilot tokens/day), PR merge rates have climbed from 78.4% to 83.2%, stale lock files were fully resolved (19 → 0), and safe output health holds at 96% for the fourth consecutive clean day. The codebase continues steady growth at 891,478 LOC with a stable quality score of 73/100.
The dominant concern today is a security finding surge: 5 `gh-aw-security-finding` issues were filed by szabta89 in rapid succession this morning, plus a high-severity MCP gateway bug (#25105) filed by lpcox. These span supply-chain pinning, token masking, write-sink bypass, and XSS vectors; all require triage and prioritization. Separately, a new systematic pattern emerged where the AI Moderator fails to find its input data on every run (4/4 today), and the Organization Health Report triggered a 14× DIFC spike (940 events) on April 6.
📊 Pattern Analysis
Positive Patterns
Token efficiency improving. Copilot tokens/day declined from 99.5M (Apr 3) → 122.6M (Apr 4) → 96.5M (Apr 6) → 88.0M (Apr 7). This −12% trend over 4 days is significant, especially given stable or growing workflow counts (182 lock files). The Q workflow remains the top consumer at 13.88M tokens (15.8% of 30-day total), but no single workflow exceeds the 30% heavy-hitter threshold.
PR merge rate recovery. Copilot PR merge rate jumped from 78.4% (Apr 3) to 83.2% (Apr 7) — a +4.8pp improvement in 4 days. The weekly issue summary reports 76 issues opened in the Mar 30–Apr 6 window with 94.7% issue resolution rate and 2.9h median close time.
Lock file backlog cleared. The 19 stale lock files flagged on Apr 3 were fully recompiled by Apr 5-6. All 182 workflows are now using current lock formats.
Agent Persona Explorer dramatic improvement. This agent went from 165 turns (Apr 6) to 14 turns (Apr 7) — an 88% efficiency gain. Root cause is not yet confirmed; monitoring continues.
Concerning Patterns
Security finding burst (new). 5 issues filed today by szabta89, all carrying the `gh-aw-security-finding` label, spanning: log file permissions, token masking, XSS via percent-encoded protocol colon, MCP container image pinning, and Claude engine version pinning. This is a coordinated audit sweep. In addition, lpcox filed #25105 (high-severity, `security:high-severity`) about the MCP gateway not enforcing `--allowed-tools`. None of these have severity labels beyond the finding label; several have no assignees.
AI Moderator missing_data (new). 4/4 runs on Apr 7 show `missing_data=1`. The Codex engine agent completes the run but signals it couldn't access its expected data source. Prior to today, this pattern was unknown; it's possible a data pre-fetch step is broken, a cache-memory key changed, or an API endpoint became unavailable.
DIFC integrity filter acceleration. In the 7-day window ending Apr 6, there were 1,189 integrity-filtered events, with 940 on April 6 alone (14× the prior daily rate). The Organization Health Report is the primary driver, with `list_issues` being filtered 529 times. All filtering is due to `integrity_below_threshold`, meaning the workflow is reading from low-integrity sources (likely issues created by automation agents). This may indicate the workflow needs either relaxed integrity requirements or a higher-integrity data pre-fetch.
Emerging Patterns
High-cost Claude workflows. Documentation Unbloat ($1.94/run), GitHub API Consumption Report ($1.66), and Smoke Claude ($1.40/successful run) are the top Claude cost drivers. The Agent Performance Report flags that 85–96% of turns in several high-cost workflows are pure data-gathering — prime candidates for deterministic pre-fetch steps.
Schema Consistency Checker turn creep. After recovering from a 114-turn peak, the checker ticked up from 55 → 62 turns this week. Still below the danger zone but trending in the wrong direction.
📈 Trend Intelligence
Token usage vs. Dec 2025 baseline: Copilot workflows consumed ~133M tokens/day in Dec 2025. Current rate of 88M/day represents a 34% improvement — significant long-term efficiency gains.
🚨 Notable Findings
Exciting discovery — Agent Persona Explorer efficiency breakthrough. 165 → 14 turns in a single day (Apr 6 → Apr 7). This is the kind of dramatic improvement that warrants investigation for root cause — if it was a prompt change or data pre-fetch optimization, the same technique could be applied to other high-turn agents.
Security: MCP gateway `--allowed-tools` not enforced (#25105). Filed today by lpcox with the `security:high-severity` label. This means agents may be executing non-allowlisted tools, a fundamental security control bypass. Requires urgent review.
Security: `sanitizeUrlProtocols` XSS bypass (#25078). A percent-encoded colon (redacted) bypasses the protocol sanitizer. This is a concrete vulnerability in the safe-outputs content sanitization layer.
Anomaly: Smoke Create/Update Cross-Repo PR failures. Both smoke workflows for cross-repo PR operations show 0 tokens + errors, indicating pre-agent step failures. These are likely authentication or configuration issues with cross-repo token scoping: silent failures that could mask integration regressions.
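As an added illustration of the `sanitizeUrlProtocols` bypass class reported in #25078 above (example code written for this briefing, not gh-aw's own sanitizer): a weak denylist check that compares the raw string, beside a hardened check that percent-decodes and strips control characters before allowlisting the scheme. The function names, the `(redacted)` replacement value and the scheme allowlist are assumptions.

```javascript
// Added example, not gh-aw's sanitizeUrlProtocols: a weak protocol check
// beside a hardened one. Function names, the "(redacted)" replacement and
// the scheme allowlist are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const REDACTED = "(redacted)";

// Weak: denylists a few dangerous prefixes on the raw string. Because the
// colon can be written as %3A, "javascript%3Aalert(1)" never matches the
// prefix and is passed through untouched (the #25078 bypass class).
function sanitizeUrlProtocolsWeak(url) {
  const lower = String(url).trim().toLowerCase();
  for (const bad of ["javascript:", "data:", "vbscript:"]) {
    if (lower.startsWith(bad)) return REDACTED;
  }
  return url;
}

// Canonicalize the string the way a browser would before it decides on
// the scheme: percent-decode until stable (catches %253A double encoding)
// and drop ASCII control and whitespace characters (browsers strip tabs
// and newlines anywhere in a URL; spaces are stripped here conservatively).
function canonicalizeForSchemeCheck(url) {
  let s = String(url);
  for (let i = 0; i < 5; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(s);
    } catch (e) {
      break; // malformed percent sequence: stop decoding, keep what we have
    }
    if (decoded === s) break;
    s = decoded;
  }
  return s.replace(/[\u0000-\u0020\u007f]/g, "");
}

// Hardened: extract the scheme from the canonical form and allowlist it.
// The original string is returned unchanged when it passes, so encoding
// that is legitimate elsewhere in the URL is preserved.
function sanitizeUrlProtocolsHardened(url) {
  const canonical = canonicalizeForSchemeCheck(url);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(canonical);
  if (!m) return url; // no scheme at all: relative URL, nothing to block
  return ALLOWED_SCHEMES.has(m[1].toLowerCase() + ":") ? url : REDACTED;
}
```

The point for reviewers of the fix: normalize first, then decide, and prefer an allowlist of schemes over a denylist of known-bad prefixes.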
Positive: Issue #24703 (Daily Issues Report Generator) closed. The 11-day P1 failure was resolved by the maintainer marking it `not_planned` on Apr 6. Removes a persistent noise source from health tracking.
🔮 Predictions and Recommendations
Token trend will likely stabilize near 85–90M/day. The current declining trend is driven by fewer runs (82 vs. 123 on Apr 3) and efficiency gains. Without new high-frequency workflows, expect stabilization here.
Security finding volume may increase before it decreases. The szabta89 audit sweep started today; there may be more findings filed over the next 1–2 days. Recommend setting up auto-triage for the `gh-aw-security-finding` label to route them to appropriate owners immediately.
AI Moderator data issue needs investigation within 1–2 days. A 4-run streak of identical failures is unlikely to self-resolve. The longer it runs silently, the harder it is to diagnose (cache data may expire).
DIFC Organization Health Report spike warrants design review. 940 filtered events in one day means the agent is making hundreds of `list_issues` calls against low-integrity data. Either the workflow should use a different data source or its integrity requirements should be reconfigured.
✅ Actionable Agentic Tasks (Quick Wins)
Three GitHub issues were created this run targeting the highest-impact improvements:
1. Triage security findings from szabta89 (Apr 7 batch)
5 new `gh-aw-security-finding` issues + 1 `security:high-severity` MCP gateway bug need severity labels, assignees, and milestone. The Auto-Triage Issues agent can handle this with an extended triage rule for the `gh-aw-security-finding` label.
2. Investigate AI Moderator missing_data pattern
4/4 runs today signal `missing_data=1` on every execution. Needs investigation of data pre-fetch steps, cache-memory key availability, and input context injection in Codex engine workflows.
3. Investigate DIFC Organization Health Report spike
940 integrity-filtered events in one day from a single workflow. Either the agent's data sources need to be upgraded to high-integrity channels, or the integrity threshold needs adjustment for this specific agent's domain.
📚 Source Attribution
Discussions analyzed (key reports, Apr 3–7):
Issues analyzed:
`node:lts-alpine` uses floating LTS tag #25071
sanitizeUrlProtocols bypassed by percent-encoded protocol colon (javascript%3A) #25078
Claude engine should pin `claude-code` to a verified version and restrict sandbox env/network for npm operations #25101
Claude engine safeoutputs MCP shared bearer token enables direct write-sink bypass in local-analysis environment #25102
agent-stdio.log must be mode 0600 and MCP gateway tokens must be masked in log pipelines #25103
MCP gateway does not enforce --allowed-tools: non-allowlisted tools are executed #25105
`create_issue` module-level mutable state returns live reference #25045 (concurrency)
Bugfix: GitHub Token S2S TTL and Actions Timeouts #24920 (token TTL)
copilot-setup-steps.yml builds gh-aw from source unnecessarily #24568 (build from source)
Repo memory used: Previous analysis from 2026-04-03T15:00:00Z (4 days prior, full refresh performed)
Analysis period: 2026-03-31 to 2026-04-07
References: