…constraint
- Add direct API bypass as explicit problem category in Background
- Add Step 3.6 with detection guidance and improved bash patterns for bypass detection
- Update W-1 classification in Step 4 with cause/fix guidance
- Update issue template with Agent Invoked + Firewall Blocks columns
- Update Recommendations template to include bypass investigation steps
- Import shared/mcp-api-routing.md from audit workflow
- Create new shared/mcp-api-routing.md with reusable MCP-only routing constraints

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/6baa7f9f-1b11-420a-854b-d4807a1be407
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Pull request overview
Adds integrity-audit guidance and reusable workflow prompt constraints to detect and prevent agent attempts to bypass the MCP Gateway (direct GitHub/external network calls), improving DIFC enforceability and auditability.
Changes:
- Introduces a reusable imported constraint (shared/mcp-api-routing.md) to prohibit direct GitHub/external API calls and reinforce MCP-tool-only routing.
- Extends the Integrity Filtering Audit workflow to explicitly detect and classify direct API bypass attempts using log-grep heuristics and updated reporting templates.
| File | Description |
|---|---|
| .github/workflows/shared/mcp-api-routing.md | New importable constraint text to discourage direct network/API calls and explain DIFC implications. |
| .github/workflows/integrity-filtering-audit.md | Imports the new constraint and expands the audit procedure + issue template to detect/classify direct API bypass attempts. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 3
| **All GitHub API calls MUST be made exclusively through the MCP Gateway's GitHub | ||
| MCP server tools.** Direct network access to `api.github.com`, `github.com`, or | ||
| any external service is not permitted and will be blocked by the network firewall. |
The statement that direct access to api.github.com/github.com "will be blocked by the network firewall" isn’t consistently true in this repo (some workflows explicitly allow these domains, e.g. shared/gh.md allows api.github.com). Suggest rewording to reflect policy/constraint (e.g., "not permitted / will be flagged") rather than guaranteeing a firewall block, so the guidance stays accurate across workflows.
| any external service is not permitted and will be blocked by the network firewall. | |
| any external service is not permitted; attempts to bypass MCP routing may be | |
| flagged or blocked depending on workflow policy. |
| imports: | ||
| - shared/mcp-api-routing.md |
Importing shared/mcp-api-routing.md makes this workflow explicitly require MCP tools for GitHub API access, but the procedure in this same document instructs using gh run list / gh run download (direct GitHub API calls). This creates conflicting guidance for the agent. Consider updating the procedure to use the GitHub MCP server tools for listing runs/downloading artifacts, or adjust the imported constraint to explicitly allow the needed gh usage for this audit workflow.
| imports: | |
| - shared/mcp-api-routing.md |
| grep -iE 'BLOCK|DENY|firewall' "$TMPDIR"/*/mcp-logs/*.log 2>/dev/null \ | ||
| | grep -oE '(api\.github\.com|github\.com|chatgpt\.com|openai\.com|[a-z0-9.-]+\.[a-z]{2,})' \ |
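Review bot: the `2>/dev/null` on the first `grep` in this block also hides the "no such file" error when `"$TMPDIR"/*/mcp-logs/*.log` expands to nothing, so a run in which no firewall log was collected produces exactly the same empty summary as a run with zero blocked calls. Suggest checking that at least one log file exists before counting, for example `ls "$TMPDIR"/*/mcp-logs/*.log >/dev/null 2>&1 || echo "no MCP logs found"`, so the audit can tell "nothing blocked" apart from "nothing captured" and does not silently report a clean result.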
The firewall-block summarization command extracts "domains" using a very broad regex ([a-z0-9.-]+\.[a-z]{2,}) which will also match non-domains commonly present in logs (e.g., file names like mcp-gateway.log, rpc-messages.jsonl, etc.), producing noisy/misleading counts. Suggest tightening extraction to hostnames from URLs (e.g., extract after https?://) or matching the firewall log’s structured destination field if available.
| grep -iE 'BLOCK|DENY|firewall' "$TMPDIR"/*/mcp-logs/*.log 2>/dev/null \ | |
| | grep -oE '(api\.github\.com|github\.com|chatgpt\.com|openai\.com|[a-z0-9.-]+\.[a-z]{2,})' \ | |
| # Extract only URL hostnames to avoid counting filenames or other dotted log tokens as domains | |
| grep -iE 'BLOCK|DENY|firewall' "$TMPDIR"/*/mcp-logs/*.log 2>/dev/null \ | |
| | grep -oE 'https?://[^/[:space:]]+' \ | |
| | sed -E 's#^https?://##; s#:[0-9]+$##' \ |
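Review bot: the suggested `grep -oE 'https?://[^/[:space:]]+'` still captures trailing punctuation when the URL sits inside a quoted field or is followed by a comma, which is exactly the shape of the `rpc-messages.jsonl` lines mentioned in the comment: `"https://api.github.com",` yields `api.github.com",`, which is then counted as a different host from `api.github.com`. A block entry that records only `host:port` with no scheme matches nothing at all. Suggest excluding quotes and commas from the class (e.g. `grep -oE 'https?://[^"/,[:space:]]+'`) and confirming the firewall log's actual destination format before relying on a scheme being present.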
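An added example, not code from this PR or from the gh-aw-mcpg project: a small POSIX shell helper that summarises blocked destinations along the lines the comment above suggests, but also copes with the log shapes a plain `https?://` match misses (JSON-quoted URLs, bare `host:port` destinations) while ignoring dotted file names such as `mcp-gateway.log`. The sample log lines and the JSON field names it recognises (`host`, `hostname`, `domain`, `dst`, `destination`) are constructed assumptions, not the gateway's real log format.

```shell
#!/bin/sh
# Hypothetical helper (added example): summarise hosts that appear in
# firewall block/deny lines. Reads log lines on stdin, prints "count host".
#
# Three candidate shapes are extracted, then normalised to a bare hostname:
#   1. scheme URLs      https://api.github.com/repos/...   -> api.github.com
#   2. JSON host fields "host":"api.github.com"            -> api.github.com
#   3. host:port tokens chatgpt.com:443                     -> chatgpt.com
# Dotted tokens without a scheme, a recognised field name or a port
# (file names like mcp-gateway.log) are deliberately not counted.
extract_blocked_hosts() {
  grep -iE 'BLOCK|DENY|firewall' \
  | grep -oE 'https?://[^"/[:space:]]+|"(host|hostname|domain|dst|destination)" *: *"[^"]+"|[A-Za-z0-9.-]+\.[A-Za-z]{2,}:[0-9]{1,5}' \
  | sed -E 's#^https?://##; s#^"[a-z]+" *: *"##; s#"$##; s#^[^@]*@##; s#:[0-9]+$##' \
  | tr 'A-Z' 'a-z' \
  | sort | uniq -c \
  | sort -k1,1nr -k2,2 \
  | awk '{print $1, $2}'
}

# Constructed sample log (assumed format, not the real gateway output).
# Line 5 is a block line that mentions file names only: it must yield nothing.
# Line 6 is an allowed MCP tool call: it must not pass the first filter.
SAMPLE_LOG='2026-04-03T10:00:01Z firewall BLOCK GET https://api.github.com/repos/o/r/pulls
2026-04-03T10:00:02Z firewall BLOCK CONNECT chatgpt.com:443
{"ts":"2026-04-03T10:00:03Z","action":"DENY","host":"api.github.com","port":443}
2026-04-03T10:00:04Z firewall BLOCK GET https://github.com/o/r
2026-04-03T10:00:05Z firewall BLOCK details written to mcp-gateway.log (see rpc-messages.jsonl)
2026-04-03T10:00:06Z mcp ALLOW tool=github.list_pull_requests'

# Stand-alone demo: prints
#   2 api.github.com
#   1 chatgpt.com
#   1 github.com
printf '%s\n' "$SAMPLE_LOG" | extract_blocked_hosts
```

In the audit workflow the function would be fed with `cat "$TMPDIR"/*/mcp-logs/*.log | extract_blocked_hosts`; the normalisation step strips userinfo (`user@`) and ports so that the same destination reached by different URL forms is counted once, and ties are ordered by hostname so the summary is stable across runs.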
The 2026-04-03 integrity audit flagged the AI Moderator workflow making 3 direct network calls to `api.github.com`, `github.com`, and `chatgpt.com`, bypassing the MCP Gateway entirely — breaking DIFC enforcement and making data access unauditable.

`integrity-filtering-audit.md`: `difc-proxy: true` … missing, weak prompt, misconfigured `network.allowed`) and fix pointer … `shared/mcp-api-routing.md` so the audit agent itself is subject to the same constraint

`shared/mcp-api-routing.md` (new): Reusable prompt constraint importable by any workflow (`imports: - shared/mcp-api-routing.md`). Covers: `curl`/`gh api`/`fetch` to `api.github.com` or external AI services