From c6e0ea971bdd0ef6d2a64a1f524e87c605f14f61 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 14:56:15 +0000
Subject: [PATCH 1/3] Initial plan


From b4a702f3cea5d0b341dff503d08daf0b25168586 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:08:45 +0000
Subject: [PATCH 2/3] Initial investigation: safe-inputs stateful mode issue

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/copilot-pr-merged-report.lock.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index aa07efb9be..9fc70e0185 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -532,7 +532,7 @@ jobs:
               event_name: context.eventName,
               staged: false,
               network_mode: "defaults",
-              allowed_domains: ["api.github.com","defaults","github"],
+              allowed_domains: ["defaults","github","api.github.com"],
               firewall_enabled: true,
               awf_version: "v0.10.0",
               awmg_version: "v0.0.76",

From 42b3ae7e46a36e99cbc103b2adaa4654188d0cb8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 22 Jan 2026 15:14:10 +0000
Subject: [PATCH 3/3] Fix safe-inputs stateful mode issue - change to stateless

- Changed safe-inputs MCP HTTP server to use stateless mode
- Root cause: Gateway expects stateless HTTP servers by default
- Fix: Set stateless: true in generateSafeInputsMCPServerScript
- Recompiled all workflow lock files with the change

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/copilot-pr-merged-report.lock.yml  | 2 +-
 .github/workflows/daily-performance-summary.lock.yml | 2 +-
 .github/workflows/daily-regulatory.lock.yml          | 2 +-
 .github/workflows/smoke-claude.lock.yml              | 2 +-
 .github/workflows/smoke-codex.lock.yml               | 2 +-
 .github/workflows/smoke-copilot.lock.yml             | 2 +-
 .github/workflows/smoke-opencode.lock.yml            | 2 +-
 pkg/workflow/safe_inputs_generator.go                | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index 9fc70e0185..2e26bfa9c1 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -395,7 +395,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index 4efb2ef289..f081540eb4 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -596,7 +596,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml
index 3d2460cf41..4b61521a9b 100644
--- a/.github/workflows/daily-regulatory.lock.yml
+++ b/.github/workflows/daily-regulatory.lock.yml
@@ -528,7 +528,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 0d55c5d8a6..017b43725f 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -544,7 +544,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index da1c9a1448..e0ba9c1d13 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -571,7 +571,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index f0fc504243..e0de754485 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -561,7 +561,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index 53e54a3e6e..72cfd84053 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -517,7 +517,7 @@ jobs:
             const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
             startHttpServer(configPath, {
               port: port,
-              stateless: false,
+              stateless: true,
               logDir: "/opt/gh-aw/safe-inputs/logs"
             }).catch(error => {
               console.error("Failed to start safe-inputs HTTP server:", error);
diff --git a/pkg/workflow/safe_inputs_generator.go b/pkg/workflow/safe_inputs_generator.go
index 35b6849cf6..ba842639b1 100644
--- a/pkg/workflow/safe_inputs_generator.go
+++ b/pkg/workflow/safe_inputs_generator.go
@@ -160,7 +160,7 @@ const apiKey = process.env.GH_AW_SAFE_INPUTS_API_KEY || "";
 // Start the HTTP server
 startHttpServer(configPath, {
   port: port,
-  stateless: false,
+  stateless: true,
   logDir: "/opt/gh-aw/safe-inputs/logs"
 }).catch(error => {
   console.error("Failed to start safe-inputs HTTP server:", error);