[cli-tools-test] audit: debug initialization logs leaked in MCP error response for invalid run IDs #19469
Description
Problem Description
When the audit tool is called with an invalid or non-existent run ID via the MCP server, the error response includes verbose internal debug/initialization log output mixed with the actual error message. The real error is buried at the end of a wall of diagnostic output, making it hard to identify the actual problem.
Tool
- Tool:
audit - Interface: agentic-workflows MCP server
Steps to Reproduce
- Call the
agenticworkflowsMCP tool'sauditcommand with a non-existent run ID (e.g.,99999999999)
Expected Behavior
A clean error message like:
✗ workflow run 99999999999 not found. Please verify the run ID is correct and that you have access to the repository
```
## Actual Behavior
The error response from the MCP server includes internal debug initialization logs preceding the actual error:
```
McpError: MCP error -32603: calling "tools/call": failed to audit workflow run: workflow:script_registry Creating new script registry +151ns
workflow:domains Loading ecosystem domains from embedded JSON +760µs
workflow:domains Loaded 31 ecosystem categories +161µs
workflow:expression_patterns Initializing expression pattern regex compilation +911µs
workflow:js Script registration completed (embedded scripts removed) +724µs
workflow:permissions_validation Loading GitHub toolsets permissions from embedded JSON +429µs
workflow:permissions_validation Loaded 19 GitHub toolsets from JSON +159µs
workflow:runtime_definitions Initializing runtime definitions: total_runtimes=11 +590µs
workflow:runtime_definitions Built command to runtime mapping: total_commands=30 +8µs
workflow:runtime_definitions Built action repo to runtime mapping: total_actions=11 +4µs
workflow:scripts Script registration completed (embedded scripts removed) +498µs
cli:mcp Creating MCP command with subcommands +562µs
cli:secrets_command Creating secrets command with subcommands +658µs
workflow:version Setting compiler version: 99b2107 +1ms
workflow:version Setting release build flag: false +5µs
cli:audit Starting audit for workflow run: runID=99999999999, owner=, repo=, jobID=0, stepNumber=0 +916µs
cli:audit Using output directory: /tmp/gh-aw/aw-mcp/logs/run-99999999999 +14µs
workflow:github_cli Using gh CLI via go-gh/v2 for command: gh [api repos/{owner}/{repo}/actions/runs/99999999999 ...] +2ms
workflow:github_cli GH_TOKEN not set, using GITHUB_TOKEN for gh CLI +42µs
✗ failed to fetch run metadata: workflow run 99999999999 not found. Please verify the run ID is correct and that you have access to the repository
The debug logger initialization messages (using the logger package with pkg:filename namespace format) are being captured from stderr and included verbatim in the MCP error message.
Root Cause
The MCP server appears to capture the binary's stderr output and include it in the error message. When debug logging is active (or when initialization logs are emitted unconditionally), these get bundled into the error response returned to the caller.
Environment
- Repository: github/gh-aw
- Run ID: 22648129225
- Date: 2026-03-03
- Testing via: Daily CLI Tools Exploratory Tester
Impact
- Severity: Medium
- Frequency: Always (reproducible with any invalid run ID)
- Workaround: Scroll to the end of the error message to find the actual error
The issue degrades developer experience when troubleshooting audit failures, as the actual error is obscured by internal diagnostic output. It also exposes internal implementation details (module names, timing data) to end users.
Suggested Fix
Either:
- Ensure the MCP server only includes the final error message (not full stderr output) when propagating errors to callers, or
- Suppress debug initialization logs from stderr when the binary is not explicitly in debug mode (i.e.,
DEBUGenv var not set)
Generated by Daily CLI Tools Exploratory Tester · ◷
- expires on Mar 10, 2026, 11:55 PM UTC