Context
The daily integrity filtering audit (#2578) identified two problems that need fixes in gh-aw-mcpg. Both have existing code fixes that haven't been released yet.
Problem 1: Schema fetch is fatally dependent on network — HTTP 429 kills gateway startup
Severity: 🔴 Gateway won't start
The gateway fetches the JSON config schema from raw.githubusercontent.com on every cold start. If that request gets rate-limited (HTTP 429), the gateway crashes immediately with no retry or fallback. This caused the audit workflow itself to fail in run 23590096205 (see #2571).
Root cause: internal/config/validation_schema.go — fetchAndFixSchema() makes a single HTTP GET with no retry logic and no fallback. A 429 is treated identically to a permanent error.
Fix options (in priority order):
- Add retry with exponential backoff for transient HTTP errors (429, 503, 5xx) — 3 attempts with 1s/2s/4s delays
- Embed the schema via go:embed as a fallback — zero network dependency for the common case
- Make schema validation non-fatal — log a warning and skip validation if schema can't be fetched
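An added sketch of the first two options combined, not code from gh-aw-mcpg: `fetchSchema`, `loadSchema`, `fallbackSchema`, the `get` stand-in server and the `schema.invalid` URL are all hypothetical, and the base delay is 1ms rather than 1s so it runs instantly and offline. Network errors, 429 and 5xx are retried with doubling delays, any other status fails at once, and every failure falls back to the built-in copy instead of aborting startup.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

const fallbackSchema = `{"type":"object"}` // constructed stand-in for a go:embed copy

// fetchSchema retries network errors, 429 and 5xx, sleeping base, 2*base, 4*base... between tries.
func fetchSchema(get func(string) (*http.Response, error), url string, attempts int, base time.Duration) (_ string, err error) {
	for try := 0; try == 0 || try < attempts; try++ { // always at least one try
		if try > 0 {
			time.Sleep(base << (try - 1))
		}
		resp, getErr := get(url)
		if err = getErr; err != nil {
			continue
		}
		body, readErr := io.ReadAll(resp.Body)
		resp.Body.Close()
		if readErr == nil && resp.StatusCode == http.StatusOK {
			return string(body), nil
		}
		err = fmt.Errorf("schema fetch: HTTP %d, read error: %v", resp.StatusCode, readErr)
		if readErr == nil && resp.StatusCode != http.StatusTooManyRequests && resp.StatusCode < 500 {
			break // permanent (for example 404): retrying will not help
		}
	}
	return "", err
}

// loadSchema falls back to the built-in copy on any failure; get is a constructed stand-in server.
func loadSchema(failures, code int) (schema, source string, calls int) {
	get := func(string) (*http.Response, error) {
		status := http.StatusOK
		if calls++; calls <= failures {
			status = code
		}
		return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(`{"remote":true}`))}, nil
	}
	if s, err := fetchSchema(get, "https://schema.invalid/config.json", 3, time.Millisecond); err == nil {
		return s, "remote", calls
	}
	return fallbackSchema, "embedded", calls
}
func main() { fmt.Println(loadSchema(2, 429)) }
```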
Problem 2: Secrecy-blocked items mislabeled as "integrity" violations in agent-facing notice
Severity: 🟡 Misleading guidance
When items are filtered for secrecy reasons (e.g., private repo artifacts), the [Filtered] notice still says:
"🔒 Integrity filter blocked 2 items" ... "To allow these resources, lower min-integrity"
This is wrong — lowering min-integrity has no effect on secrecy blocks. The notice should say "secrecy policy" for secrecy violations and not suggest min-integrity as the fix.
Root cause: The buildDIFCFilteredNotice() function in internal/server/difc_log.go didn't distinguish secrecy from integrity violations.
Status: PR #2518 fixes this by adding IsSecrecyViolation to FilteredItemDetail and using the correct policy label ("secrecy policy" / "integrity policy" / "access policy"). Needs merge + release.
Note: The footer template (> 🔒 Integrity filter blocked N items ...) is generated by the gateway_difc_filtered.cjs script in gh-aw, not by the gateway itself. That script also needs updating to use the correct label based on violation type. This is a separate fix in github/gh-aw.
Problem 3: Released container image (v0.2.2) predates secrecy fix for public repos
Severity: 🟡 Audit workflow blocked
The audit agent runs against github/gh-aw (a public repo) but can't download artifacts or read job logs because actions_get and get_job_logs are labeled secrecy: ["secret"] unconditionally.
Status: PR #2463 (merged Mar 24) fixed this — these tools now use apply_repo_visibility_secrecy() so public repo artifacts have empty secrecy labels. But the latest container image (v0.2.2) predates this fix. A new release is needed.
Action Items
gateway_difc_filtered.cjs in github/gh-aw to use correct secrecy/integrity label from the notice text