ci: disable threat detection in all workflows #1892

Merged: lpcox merged 4 commits into main from config/disable-threat-detection, Apr 11, 2026
Conversation

@lpcox lpcox commented Apr 11, 2026

Summary

Disables the AI-powered threat detection phase in all 24 workflows that use safe-outputs.

Changes

Added threat-detection: enabled: false under safe-outputs: in every workflow .md file, then recompiled all lock files.

Impact

  • 24 workflow .md files updated with the configuration
  • 26 lock files recompiled — the threat detection job and its setup steps are removed
  • ~5K lines removed from compiled lock files (the detection job, its setup, and parsing steps)

Files changed

All .github/workflows/*.md files that had a safe-outputs: block, plus their corresponding .lock.yml files.

Add threat-detection: enabled: false under safe-outputs in all 24
workflows that use safe-outputs. This removes the AI-powered threat
detection phase that runs before each agent job.

The lock files shrink by ~5K lines total as the compiled threat
detection job and its setup are removed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lpcox lpcox requested a review from Mossaka as a code owner April 11, 2026 01:13
Copilot AI review requested due to automatic review settings April 11, 2026 01:13
github-actions Bot commented Apr 11, 2026

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 85.85% | 85.95% | 📈 +0.10% |
| Statements | 85.76% | 85.85% | 📈 +0.09% |
| Functions | 87.54% | 87.54% | ➡️ +0.00% |
| Branches | 78.56% | 78.61% | 📈 +0.05% |

📁 Per-file Coverage Changes (1 file)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 86.3% → 86.6% (+0.36%) | 85.9% → 86.2% (+0.35%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

Upgrade from v0.68.0 to v0.68.1 and recompile all lock files with
post-processing applied.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI left a comment


Pull request overview

This PR aims to disable the “threat detection” phase for agentic workflows that use safe-outputs, by adding safe-outputs.threat-detection.enabled: false to workflow source .md files and recompiling the corresponding .lock.yml workflows so the detection job (and its gating) is removed.

Changes:

  • Added safe-outputs.threat-detection.enabled: false to multiple workflow .md definitions.
  • Recompiled compiled workflow .lock.yml files to remove the detection job and related needs.detection gating.
  • Regenerated the maintenance workflow and updated the actions lockfile entries.
Summary per file:

| File | Description |
|---|---|
| .github/workflows/update-release-notes.md | Disables threat detection in safe-outputs config for this workflow. |
| .github/workflows/update-release-notes.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/test-coverage-improver.md | Disables threat detection in safe-outputs config. |
| .github/workflows/test-coverage-improver.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/smoke-services.md | Disables threat detection in safe-outputs config. |
| .github/workflows/smoke-copilot.md | Disables threat detection in safe-outputs config. |
| .github/workflows/smoke-codex.md | Disables threat detection in safe-outputs config. |
| .github/workflows/smoke-claude.md | Disables threat detection in safe-outputs config. |
| .github/workflows/smoke-chroot.md | Disables threat detection in safe-outputs config. |
| .github/workflows/smoke-chroot.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/shared/secret-audit.md | Shared Secret Digger component; prompt text refactor (and currently the place to disable detection for Secret Digger workflows). |
| .github/workflows/security-review.md | Disables threat detection in safe-outputs config. |
| .github/workflows/security-guard.md | Disables threat detection in safe-outputs config. |
| .github/workflows/secret-digger-copilot.md | Adjusts Secret Digger Copilot workflow settings (timeout/content). |
| .github/workflows/secret-digger-copilot.lock.yml | Reflects Secret Digger Copilot workflow recompilation (timeout/env updates). |
| .github/workflows/plan.md | Disables threat detection in safe-outputs config. |
| .github/workflows/plan.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/pelis-agent-factory-advisor.md | Disables threat detection in safe-outputs config. |
| .github/workflows/issue-monster.md | Disables threat detection in safe-outputs config. |
| .github/workflows/issue-monster.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/issue-duplication-detector.md | Disables threat detection in safe-outputs config. |
| .github/workflows/firewall-issue-dispatcher.md | Disables threat detection in safe-outputs config. |
| .github/workflows/firewall-issue-dispatcher.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/doc-maintainer.md | Disables threat detection in safe-outputs config. |
| .github/workflows/doc-maintainer.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/dependency-security-monitor.md | Disables threat detection in safe-outputs config. |
| .github/workflows/dependency-security-monitor.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/copilot-token-usage-analyzer.md | Disables threat detection in safe-outputs config. |
| .github/workflows/copilot-token-usage-analyzer.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/copilot-token-optimizer.md | Disables threat detection in safe-outputs config. |
| .github/workflows/copilot-token-optimizer.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/cli-flag-consistency-checker.md | Disables threat detection in safe-outputs config. |
| .github/workflows/cli-flag-consistency-checker.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/claude-token-usage-analyzer.md | Disables threat detection in safe-outputs config. |
| .github/workflows/claude-token-usage-analyzer.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/claude-token-optimizer.md | Disables threat detection in safe-outputs config. |
| .github/workflows/claude-token-optimizer.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/ci-doctor.md | Disables threat detection in safe-outputs config. |
| .github/workflows/ci-cd-gaps-assessment.md | Disables threat detection in safe-outputs config. |
| .github/workflows/ci-cd-gaps-assessment.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/build-test.md | Disables threat detection in safe-outputs config. |
| .github/workflows/build-test.lock.yml | Removes the compiled detection job and dependency gating. |
| .github/workflows/agentics-maintenance.yml | Regenerated maintenance workflow; adds dispatch inputs and new operational jobs. |
| .github/aw/actions-lock.json | Adds lock entry for github/gh-aw-actions/setup-cli@v0.68.0. |

Copilot's findings

  • Files reviewed: 48/54 changed files
  • Comments generated: 2

Comment thread .github/workflows/agentics-maintenance.yml Outdated
Comment on lines +15 to 16
# This file was automatically generated by pkg/workflow/maintenance_workflow.go (v0.68.0). DO NOT EDIT.
#
Copilot AI Apr 11, 2026

The PR description says only workflow .md files and their compiled .lock.yml files were changed, but this PR also updates the generated maintenance workflow. Please update the PR description to include this (or split it out) so reviewers know to audit these operational changes as well.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@github-actions

Smoke Test Results

  • ✅ GitHub MCP: "perf: optimize secret-digger-copilot token usage" / "refactor: use gh aw logs for token analysis workflows"
  • ✅ Playwright: GitHub page title contains "GitHub"
  • ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-24271368226.txt created
  • ✅ Bash: File verified via cat

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

🔥 Smoke Test Results

| Test | Result |
|---|---|
| GitHub MCP (list_pull_requests) | ✅ Returned PR #1887 "perf: optimize secret-digger-copilot token usage" |
| GitHub.com connectivity (HTTP) | ✅ HTTP 200 |
| File write/read | /tmp/gh-aw/agent/smoke-test-copilot-24271368224.txt verified |

Overall: PASS 🎉

PR by @lpcox · no assignees

📰 BREAKING: Report filed by Smoke Copilot

@github-actions

Smoke Test: GitHub Actions Services Connectivity ✅

| Check | Result |
|---|---|
| Redis PING (host.docker.internal:6379) | ✅ PONG |
| PostgreSQL pg_isready (host.docker.internal:5432) | ✅ accepting connections |
| PostgreSQL SELECT 1 (db: smoketest, user: postgres) | ✅ returns 1 |

All checks passed. (redis-cli unavailable; Redis verified via Python socket.)

🔌 Service connectivity validated by Smoke Services

@github-actions

Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | Python 3.12.13 | Python 3.12.3 | ❌ |
| Node.js | v24.14.1 | v20.20.2 | ❌ |
| Go | go1.22.12 | go1.22.12 | ✅ |

Overall: ❌ Not all versions match — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

@github-actions

Smoke Test Results (Run 24271368198)

    1. GitHub MCP last 2 merged PRs: ✅ perf: optimize secret-digger-copilot token usage; refactor: use gh aw logs for token analysis workflows
    2. safeinputs-gh pr list ...: ❌ safeinputs-gh tool unavailable in this environment
    3. Playwright github.com title contains "GitHub": ✅
    4. Tavily search "GitHub Agentic Workflows Firewall": ❌ Tavily MCP unavailable
    5. File write /tmp/gh-aw/agent/smoke-test-codex-24271368198.txt: ✅
    6. Bash cat readback: ✅
    7. Discussion query + mystical discussion comment: ❌ discussion query/write path unavailable
    8. npm ci && npm run build: ✅

Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

@github-actions

Security Review: Threat Detection Disabled Across All Workflows

Finding: Removal of prompt-injection defense layer

This PR removes the AI-powered threat detection phase from all 24 agentic workflows by setting threat-detection: enabled: false in each workflow's safe-outputs block.

What the removed code does

The threat detection job (removed ~193 lines per workflow, ~5K lines total) runs as a separate GitHub Actions job between the main agent job and the safe-outputs application. It:

  1. Checks if detection is needed — inspects output_types and has_patch outputs from the agent job
  2. Clears MCP configuration — removes mcp-servers.json so the detection agent cannot call external tools
  3. Copies agent artifacts — collects the agent's prompt.txt, agent_output.json, .patch files, and .bundle files into an isolated directory
  4. Runs an isolated AI analysis — executes setup_threat_detection.cjs via AWF sandbox to analyze the agent's proposed outputs for security threats (prompt injection, malicious patches, etc.)
  5. Guards safe-outputs execution — the detection result gates whether the safe-outputs job proceeds
```yaml
# From build-test.lock.yml (main branch) — this entire block is removed:
# --- Threat Detection ---
- name: Check if detection needed
  id: detection_guard
  if: always()
  env:
    OUTPUT_TYPES: ${{ needs.agent.outputs.output_types }}
    HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
  run: |
    if [[ -n "$OUTPUT_TYPES" || "$HAS_PATCH" == "true" ]]; then
      echo "run_detection=true" >> "$GITHUB_OUTPUT"
    ...
- name: Prepare threat detection files
  if: always() && steps.detection_guard.outputs.run_detection == 'true'
  run: |
    cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/
    cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/
    for f in /tmp/gh-aw/aw-*.patch; do cp "$f" /tmp/gh-aw/threat-detection/; done
    for f in /tmp/gh-aw/aw-*.bundle; do cp "$f" /tmp/gh-aw/threat-detection/; done
- name: Setup threat detection
  uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
  with:
    script: |
      const { main } = require('.../setup_threat_detection.cjs');
      await main();
```

Security implication

These 24 workflows process untrusted external input (PR bodies, issue titles/descriptions, comments). Threat detection is the primary automated defense against prompt injection attacks that could cause an agent to:

  • Post unauthorized or malicious comments to PRs/issues
  • Apply code patches that introduce vulnerabilities into the AWF product
  • Exfiltrate repository context via allowed network channels

Since this repository implements a network security firewall, a successful prompt injection that introduces a vulnerability into AWF source code is particularly high-impact.

Questions for reviewers

  • What is the reason for disabling threat detection? (The PR body does not explain.)
  • Is this a temporary measure, or intended to be permanent?
  • If there is a technical issue with the threat detection feature, is a targeted fix preferable to disabling it across all workflows?
  • Are there compensating controls that fill this gap?

Suggested action: If threat detection must be disabled, consider doing so only for the specific workflows where it is causing problems, rather than all 24. If this is permanent, document the rationale and any compensating controls.

Generated by Security Guard for issue #1892 · ● 171.6K ·
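The PR description shows the setting being added (`threat-detection: enabled: false` under `safe-outputs:` in each workflow .md) and the Security Guard report explains what the removed job did and which workflows are affected. A reviewer acting on its "Suggested action" needs to know exactly which workflows still write back through safe-outputs with detection off. The script below is an added example, not code from this PR or from the gh-aw project: it reads the YAML frontmatter of workflow .md files with a minimal mapping-only reader (an assumption; real tooling should use a YAML library), classifies each workflow, and also mirrors the `detection_guard` decision quoted from the lock file. The three workflow texts embedded in it are constructed samples, not repository files.

```python
"""Audit gh-aw workflow frontmatter for disabled threat detection.

Added example, not code from this PR or the gh-aw project: reports workflows
that write back via safe-outputs while threat-detection.enabled is false
(the setting this PR applies). Sample workflow texts are constructed.
"""
import re
from typing import Any, Dict, List

# Frontmatter is the YAML between the leading `---` fences of a workflow .md.
FRONTMATTER_RE = re.compile(r"\A---\r?\n(.*?)\r?\n---", re.S)

def _scalar(value: str) -> Any:
    """Turn a YAML scalar token into bool, int or str (subset only)."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value.strip("'\"")

def parse_frontmatter(text: str) -> Dict[str, Any]:
    """Read frontmatter into nested dicts. Assumption: only `key: value`
    scalars and space-indented `key:` mappings are handled; inline lists stay
    strings and block lists are unsupported (use a real YAML library)."""
    match = FRONTMATTER_RE.match(text)
    if not match:
        return {}
    root: Dict[str, Any] = {}
    stack: List[tuple] = [(-1, root)]  # (indent, mapping) parent chain
    for raw in match.group(1).splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.split(" #", 1)[0].strip()  # drop trailing comments
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _scalar(value)
    return root

def threat_detection_state(frontmatter: Dict[str, Any]) -> str:
    """Return 'no-safe-outputs', 'enabled' (the default) or 'disabled'."""
    safe_outputs = frontmatter.get("safe-outputs")
    if not isinstance(safe_outputs, dict):
        return "no-safe-outputs"
    detection = safe_outputs.get("threat-detection")
    if isinstance(detection, dict) and detection.get("enabled") is False:
        return "disabled"
    return "enabled"

def needs_detection(output_types: str, has_patch: str) -> bool:
    """Mirror of the lock file's detection_guard step: detection runs only
    when the agent emitted safe-output types or produced a patch."""
    return bool(output_types) or has_patch == "true"

def audit(workflows: Dict[str, str]) -> Dict[str, str]:
    """Map each workflow file name to its threat-detection state."""
    return {name: threat_detection_state(parse_frontmatter(text))
            for name, text in workflows.items()}

def unprotected(workflows: Dict[str, str]) -> List[str]:
    """Workflows that write back via safe-outputs with detection turned off."""
    return sorted(n for n, s in audit(workflows).items() if s == "disabled")

# Constructed sample workflows (file name -> file text), not repository files.
SAMPLE_WORKFLOWS = {
    "issue-triage.md": """---
on:
  issues:
    types: [opened]
engine: copilot
safe-outputs:
  add-comment:
    max: 1
  threat-detection:
    enabled: false
---
# Issue Triage
""",
    "pr-reviewer.md": """---
on: pull_request
engine: claude
safe-outputs:
  add-comment:
    max: 1
---
""",
    "nightly-report.md": """---
on: workflow_dispatch
engine: codex
---
""",
}
if __name__ == "__main__":
    for name, state in audit(SAMPLE_WORKFLOWS).items():
        print(f"{name:20s} {state}")
    print("unprotected:", unprotected(SAMPLE_WORKFLOWS))
```

Pointing `SAMPLE_WORKFLOWS` at the real contents of `.github/workflows/*.md` gives the list a reviewer would want attached to the PR: only names in `unprotected(...)` have lost the detection layer, and a workflow without a `safe-outputs:` block never had the job to begin with, so a blanket count like "all 24" can be checked against what the frontmatter actually says.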

@github-actions

🏗️ Build Test Suite Results

| Ecosystem | Project | Build/Install | Tests | Status |
|---|---|---|---|---|
| Bun | elysia | | 1/1 passed | ✅ PASS |
| Bun | hono | | 1/1 passed | ✅ PASS |
| C++ | fmt | | N/A | ✅ PASS |
| C++ | json | | N/A | ✅ PASS |
| Deno | oak | N/A | 1/1 passed | ✅ PASS |
| Deno | std | N/A | 1/1 passed | ✅ PASS |
| .NET | hello-world | | N/A | ✅ PASS |
| .NET | json-parse | | N/A | ✅ PASS |
| Go | color | | 1/1 passed | ✅ PASS |
| Go | env | | 1/1 passed | ✅ PASS |
| Go | uuid | | 1/1 passed | ✅ PASS |
| Java | gson | | 1/1 passed | ✅ PASS |
| Java | caffeine | | 1/1 passed | ✅ PASS |
| Node.js | clsx | | All passed | ✅ PASS |
| Node.js | execa | | All passed | ✅ PASS |
| Node.js | p-limit | | All passed | ✅ PASS |
| Rust | fd | | 1/1 passed | ✅ PASS |
| Rust | zoxide | | 1/1 passed | ✅ PASS |

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1892 · ● 735.2K ·

@lpcox lpcox merged commit 89c371f into main Apr 11, 2026
55 of 56 checks passed
@lpcox lpcox deleted the config/disable-threat-detection branch April 11, 2026 01:40