diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index 1583e368877..644ae860f72 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -165,7 +165,7 @@ jobs: staged: false, allowed_domains: ["defaults"], firewall_enabled: true, - awf_version: "v0.16.2", + awf_version: "v0.16.3", awmg_version: "", steps: { firewall: "squid" @@ -189,7 +189,7 @@ jobs: - name: Install GitHub Copilot CLI run: /opt/gh-aw/actions/install_copilot_cli.sh 0.0.409 - name: Install awf binary - run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.2 + run: bash /opt/gh-aw/actions/install_awf_binary.sh v0.16.3 - name: Determine automatic lockdown mode for GitHub MCP server id: determine-automatic-lockdown uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 @@ -198,7 +198,7 @@ jobs: const determineAutomaticLockdown = require('/opt/gh-aw/actions/determine_automatic_lockdown.cjs'); await determineAutomaticLockdown(github, context, core); - name: Download container images - run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.2 ghcr.io/github/gh-aw-firewall/squid:0.16.2 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine + run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.16.3 ghcr.io/github/gh-aw-firewall/squid:0.16.3 ghcr.io/github/gh-aw-mcpg:v0.1.4 ghcr.io/github/github-mcp-server:v0.30.3 node:lts-alpine - name: Write Safe Outputs Config run: | mkdir -p /opt/gh-aw/safeoutputs 
@@ -721,7 +721,7 @@ jobs: timeout-minutes: 10 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.2 --skip-pull \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains 
api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.snapcraft.io,archive.ubuntu.com,azure.archive.ubuntu.com,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,github.com,host.docker.internal,json-schema.org,json.schemastore.org,keyserver.ubuntu.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,ppa.launchpad.net,raw.githubusercontent.com,registry.npmjs.org,s.symcb.com,s.symcd.com,security.ubuntu.com,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.16.3 --skip-pull \ -- '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_AGENT_COPILOT:+ --model "$GH_AW_MODEL_AGENT_COPILOT"}' \ 2>&1 | tee /tmp/gh-aw/agent-stdio.log env: diff --git a/pkg/workflow/claude_tools.go b/pkg/workflow/claude_tools.go index b3768fe5d0a..46de4db36f6 100644 --- a/pkg/workflow/claude_tools.go +++ b/pkg/workflow/claude_tools.go 
@@ -389,9 +389,7 @@ func (e *ClaudeEngine) computeAllowedClaudeToolsString(tools map[string]any, saf
 // Sort the allowed tools alphabetically for consistent output
 sort.Strings(allowedTools)
- if log.Enabled() {
- claudeToolsLog.Printf("Generated allowed tools string with %d tools", len(allowedTools))
- }
+ claudeToolsLog.Printf("Generated allowed tools string with %d tools", len(allowedTools))
 return strings.Join(allowedTools, ",")
 }
diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
index 060f2b92580..5eabf775b5a 100644
--- a/pkg/workflow/compiler.go
+++ b/pkg/workflow/compiler.go
@@ -517,9 +517,7 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath
 // Track compilation time for performance monitoring
 startTime := time.Now()
 defer func() {
- if log.Enabled() {
- log.Printf("Compilation completed in %v", time.Since(startTime))
- }
+ log.Printf("Compilation completed in %v", time.Since(startTime))
 }()
 // Reset the step order tracker for this compilation
diff --git a/pkg/workflow/concurrency_validation.go b/pkg/workflow/concurrency_validation.go
index a5a952d00e1..5de2944581a 100644
--- a/pkg/workflow/concurrency_validation.go
+++ b/pkg/workflow/concurrency_validation.go
@@ -131,9 +131,7 @@ func validateExpressionSyntax(group string) error {
 expressionPattern := regexp.MustCompile(`\$\{\{([^}]*)\}\}`)
 matches := expressionPattern.FindAllStringSubmatch(group, -1)
- if log.Enabled() {
- concurrencyValidationLog.Printf("Found %d expression(s) to validate", len(matches))
- }
+ concurrencyValidationLog.Printf("Found %d expression(s) to validate", len(matches))
 for _, match := range matches {
 if len(match) < 2 {
diff --git a/pkg/workflow/expression_builder.go b/pkg/workflow/expression_builder.go
index d0fc64d4399..1780a9791f8 100644
--- a/pkg/workflow/expression_builder.go
+++ b/pkg/workflow/expression_builder.go
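Review bot: In computeAllowedClaudeToolsString (pkg/workflow/claude_tools.go) the now-unguarded `claudeToolsLog.Printf(...)` depends on that logger's own enabled check, which this diff does not show; the removed guard tested `log.Enabled()`, not the logger that prints, so the two may not have been equivalent. If `Printf` on these named loggers is not a no-op when disabled, debug output (here a tool count) is now formatted and emitted on every call. Should a guard turn out to be needed, it should test the printing logger, `if claudeToolsLog.Enabled() {`, assuming it exposes the same method as `log`. The same pattern appears in the hunks for concurrency_validation.go, expression_builder.go, markdown_security_scanner.go, redact_secrets.go and safe_outputs_config.go. The function body starts outside the hunk.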
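Review bot: In validateExpressionSyntax (pkg/workflow/concurrency_validation.go) the pattern `\$\{\{([^}]*)\}\}` stops at the first `}`, so an expression whose body contains a `}` is not matched and, as far as this hunk shows, never reaches the validation loop below it. If that is intended, record it above the pattern, e.g. `// Expressions containing a literal '}' are not matched here and are not validated by this loop.` Separately, `regexp.MustCompile` runs on every call; moving the compiled pattern to a package-level variable compiles it once. The loop body continues outside the hunk.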
@@ -58,9 +58,7 @@ func BuildOr(left ConditionNode, right ConditionNode) ConditionNode {
 // BuildAnd creates an AND node combining two conditions
 func BuildAnd(left ConditionNode, right ConditionNode) ConditionNode {
- if log.Enabled() {
- expressionBuilderLog.Print("Building AND condition node")
- }
+ expressionBuilderLog.Print("Building AND condition node")
 return &AndNode{Left: left, Right: right}
 }
@@ -84,9 +82,7 @@ func BuildReactionCondition() ConditionNode {
 }
 terms = append(terms, pullRequestCondition)
- if log.Enabled() {
- expressionBuilderLog.Printf("Created disjunction with %d event type terms", len(terms))
- }
+ expressionBuilderLog.Printf("Created disjunction with %d event type terms", len(terms))
 // Use DisjunctionNode to avoid deep nesting
 return &DisjunctionNode{Terms: terms}
diff --git a/pkg/workflow/markdown_security_scanner.go b/pkg/workflow/markdown_security_scanner.go
index f1865aec06e..97b9d4b2907 100644
--- a/pkg/workflow/markdown_security_scanner.go
+++ b/pkg/workflow/markdown_security_scanner.go
@@ -87,9 +87,7 @@ func ScanMarkdownSecurity(content string) []SecurityFinding {
 // Strip frontmatter and get the line offset for correct line number reporting
 markdownBody, lineOffset := stripFrontmatter(content)
- if log.Enabled() {
- markdownSecurityLog.Printf("Stripped frontmatter: %d line(s) removed, scanning %d bytes of markdown", lineOffset, len(markdownBody))
- }
+ markdownSecurityLog.Printf("Stripped frontmatter: %d line(s) removed, scanning %d bytes of markdown", lineOffset, len(markdownBody))
 var findings []SecurityFinding
@@ -197,9 +195,7 @@ func scanUnicodeAbuse(content string) []SecurityFinding {
 var findings []SecurityFinding
 lines := strings.Split(content, "\n")
- if log.Enabled() {
- markdownSecurityLog.Printf("Scanning %d line(s) for unicode abuse", len(lines))
- }
+ markdownSecurityLog.Printf("Scanning %d line(s) for unicode abuse", len(lines))
 for lineNum, line := range lines {
 lineNo := lineNum + 1
diff --git a/pkg/workflow/redact_secrets.go b/pkg/workflow/redact_secrets.go
index 5460ba64266..0406ecf616d 100644
--- a/pkg/workflow/redact_secrets.go
+++ b/pkg/workflow/redact_secrets.go
@@ -45,9 +45,7 @@ func CollectSecretReferences(yamlContent string) []string {
 // Sort for consistent output
 SortStrings(secrets)
- if log.Enabled() {
- secretMaskingLog.Printf("Found %d unique secret reference(s) in workflow", len(secrets))
- }
+ secretMaskingLog.Printf("Found %d unique secret reference(s) in workflow", len(secrets))
 return secrets
 }
diff --git a/pkg/workflow/safe_outputs_config.go b/pkg/workflow/safe_outputs_config.go
index b4afae62c94..a28950ad368 100644
--- a/pkg/workflow/safe_outputs_config.go
+++ b/pkg/workflow/safe_outputs_config.go
@@ -18,9 +18,7 @@ func (c *Compiler) extractSafeOutputsConfig(frontmatter map[string]any) *SafeOut
 if output, exists := frontmatter["safe-outputs"]; exists {
 if outputMap, ok := output.(map[string]any); ok {
- if log.Enabled() {
- safeOutputsConfigLog.Printf("Processing safe-outputs configuration with %d top-level keys", len(outputMap))
- }
+ safeOutputsConfigLog.Printf("Processing safe-outputs configuration with %d top-level keys", len(outputMap))
 config = &SafeOutputsConfig{}
 // Handle create-issue
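Review bot: CollectSecretReferences (pkg/workflow/redact_secrets.go) logs through `secretMaskingLog.Printf` with no comment stating that only the number of references is written; a later edit that adds `secrets` itself to the format string would put the reference names into debug output. A one-line comment above the call, `// Log the count only; secret names stay out of debug output.`, records that intent. The function body starts outside the hunk.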