diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index ec0bd2f5fe8..4e3c4443b9e 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -3,6 +3,11 @@
 #   gh aw compile
 # For more information: https://github.com/githubnext/gh-aw/blob/main/.github/instructions/github-agentic-workflows.instructions.md
 #
+# Resolved workflow manifest:
+#   Imports:
+#     - shared/mcp/drain3.md
+#     - shared/mcp/gh-aw.md
+#
 # Job Dependency Graph:
 # ```mermaid
 # graph LR
@@ -1411,6 +1416,10 @@ jobs:
         run: |
           mkdir -p $(dirname "$GITHUB_AW_PROMPT")
           cat > $GITHUB_AW_PROMPT << 'EOF'
+          
+          
+          
+          
           Write a poem in 3 emojis about the last pull request and publish an issue.
           
           EOF
@@ -1745,11 +1754,12 @@ jobs:
           BASH_DEFAULT_TIMEOUT_MS: "60000"
           BASH_MAX_TIMEOUT_MS: "60000"
           GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }}
-          GITHUB_AW_SAFE_OUTPUTS_CONFIG: "{\"create_issue\":{\"max\":1},\"missing_tool\":{}}"
-          GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-          GITHUB_STEP_SUMMARY: ${{ env.GITHUB_STEP_SUMMARY }}
-          GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_TOKEN  }}
-          XDG_CONFIG_HOME: /home/runner
+      - name: Clean up network proxy hook files
+        if: always()
+        run: |
+          rm -rf .claude/hooks/network_permissions.py || true
+          rm -rf .claude/hooks || true
+          rm -rf .claude || true
       - name: Upload Safe Outputs
         if: always()
         uses: actions/upload-artifact@v4
@@ -3515,7 +3525,7 @@ jobs:
         env:
           WORKFLOW_NAME: "Dev"
           WORKFLOW_DESCRIPTION: "No description provided"
-          WORKFLOW_MARKDOWN: "Write a poem in 3 emojis about the last pull request and publish an issue.\n"
+          WORKFLOW_MARKDOWN: "<!--\n\nDrain3 MCP Server\nLog template mining and pattern extraction tool\n\nDrain3 is an online log template miner that extracts structured patterns from \nunstructured log files. This MCP server provides tools for indexing log files, \nquerying patterns, and listing extracted templates.\n\nDocumentation: https://github.com/logpai/Drain3\n\nThis shared configuration provides a local HTTP MCP server that runs Drain3\nfor log analysis and template extraction. The server uses streaming JSONL\nresponses for progressive results.\n\nAvailable tools:\n  - index_file: Stream-mine templates from a log file and persist snapshot\n    Parameters:\n      - path: Path to the log file to analyze\n      - encoding: File encoding (default: utf-8)\n      - max_lines: Maximum lines to process (optional)\n    Returns: Streaming JSONL events (start, progress, template, summary)\n\n  - query_file: Match a log line against previously indexed templates\n    Parameters:\n      - path: Path to the indexed log file\n      - text: Log line text to match\n    Returns: Matching cluster information (cluster_id, size, template)\n\n  - list_templates: List all extracted templates from an indexed file\n    Parameters:\n      - path: Path to the indexed log file\n      - limit: Maximum number of templates to return (optional)\n    Returns: Streaming JSONL events for each template\n\nConfiguration:\n  The server can be configured via environment variables in the workflow:\n  - DRAIN3_SIM_TH: Similarity threshold (default: 0.4)\n  - DRAIN3_DEPTH: Tree depth (default: 4)\n  - DRAIN3_MAX_CHILDREN: Maximum children per node (default: 100)\n  - DRAIN3_MAX_CLUSTERS: Maximum clusters (default: 0 = unlimited)\n  - STREAM_FLUSH_EVERY: Progress event frequency (default: 500 lines)\n  - STREAM_SLEEP: Throttle between flushes in seconds (default: 0)\n\nSetup:\n  1. Include in Your Workflow:\n     imports:\n       - shared/mcp/drain3.md\n\n  2. The server will be automatically installed and started on localhost:8766\n\nExample Usage:\n  Analyze GitHub Actions workflow logs to identify common error patterns\n  and failure templates. Index a log file, then query specific error messages\n  to find which cluster they belong to.\n\n  ```\n  Use the drain3 tool to index the workflow log file at /tmp/workflow.log\n  and extract error patterns. Then query a specific error message to find\n  its template cluster.\n  ```\n\nConnection Type:\n  This configuration uses a local HTTP MCP server running Python with FastMCP 2.0.\n  The server runs with `transport=\"http\"` which must be started by executing the\n  Python script directly (not via `fastmcp run` which defaults to stdio transport).\n  Responses stream as JSONL (JSON Lines) for progressive results.\n\nState Persistence:\n  Drain3 snapshots are stored in ${{ github.workspace }}/.drain3/ directory.\n  Each indexed file gets its own snapshot file for quick reloading.\n\nTroubleshooting:\n  Server Failed to Start:\n  - Verify Python 3.11+ is available\n  - Check that port 8766 is not in use\n  - Review server logs for dependency installation issues\n  \n  Index/Query Errors:\n  - Ensure file paths are absolute or relative to workspace\n  - Check that the file was indexed before querying\n  - Verify file permissions are readable\n\nUsage:\n  imports:\n    - shared/mcp/drain3.md\n\n-->\n\n\n\nWrite a poem in 3 emojis about the last pull request and publish an issue.\n"
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index d99ae450d8d..6e2dee88df5 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -1347,8 +1347,14 @@ jobs:
           - Only fix test failures that are clearly related to your formatting/linting changes
           - Do not attempt to fix unrelated test failures
           
-          ### 7. Create or Update Pull Request
-          If any changes were made during the above steps:
+          ### 7. Exclude Workflow Files
+          Before creating or updating a pull request, exclude any changes to files in `.github/workflows/`:
+          - Run `git restore .github/workflows/` to discard any changes to workflow files
+          - This ensures that only code changes (not workflow compilation artifacts) are included in the PR
+          - The tidy workflow should focus on code quality, not workflow updates
+          
+          ### 8. Create or Update Pull Request
+          If any changes were made during the above steps (after excluding workflow files):
           - **If an existing tidy PR was found in step 0**: Use the `push_to_pull_request_branch` tool to push changes to that existing PR branch
           - **If no existing tidy PR was found**: Use the `create_pull_request` tool to create a new pull request
           - Provide a clear title describing what was tidied (e.g., "Fix linting issues and update formatting")
@@ -1358,6 +1364,7 @@ jobs:
           
           ## Important Guidelines
           
+          - **Exclude Workflow Files**: NEVER commit changes to files under `.github/workflows/` - always run `git restore .github/workflows/` before creating/updating PRs
           - **Reuse Existing PRs**: Always prefer updating an existing tidy PR over creating a new one
           - **Safety First**: Only make changes that are clearly needed for formatting, linting, or compilation
           - **Test Validation**: Always run tests after making changes  
@@ -1688,6 +1695,7 @@ jobs:
         # --allow-tool shell(git checkout:*)
         # --allow-tool shell(git commit:*)
         # --allow-tool shell(git merge:*)
+        # --allow-tool shell(git restore:*)
         # --allow-tool shell(git rm:*)
         # --allow-tool shell(git status)
         # --allow-tool shell(git switch:*)
@@ -1706,7 +1714,7 @@ jobs:
         run: |
           set -o pipefail
           COPILOT_CLI_INSTRUCTION=$(cat /tmp/gh-aw/aw-prompts/prompt.txt)
-          copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/.copilot/logs/ --allow-tool 'github(download_workflow_run_artifact)' --allow-tool 'github(get_code_scanning_alert)' --allow-tool 'github(get_commit)' --allow-tool 'github(get_dependabot_alert)' --allow-tool 'github(get_discussion)' --allow-tool 'github(get_discussion_comments)' --allow-tool 'github(get_file_contents)' --allow-tool 'github(get_issue)' --allow-tool 'github(get_issue_comments)' --allow-tool 'github(get_job_logs)' --allow-tool 'github(get_label)' --allow-tool 'github(get_latest_release)' --allow-tool 'github(get_me)' --allow-tool 'github(get_notification_details)' --allow-tool 'github(get_pull_request)' --allow-tool 'github(get_pull_request_comments)' --allow-tool 'github(get_pull_request_diff)' --allow-tool 'github(get_pull_request_files)' --allow-tool 'github(get_pull_request_review_comments)' --allow-tool 'github(get_pull_request_reviews)' --allow-tool 'github(get_pull_request_status)' --allow-tool 'github(get_release_by_tag)' --allow-tool 'github(get_secret_scanning_alert)' --allow-tool 'github(get_tag)' --allow-tool 'github(get_workflow_run)' --allow-tool 'github(get_workflow_run_logs)' --allow-tool 'github(get_workflow_run_usage)' --allow-tool 'github(list_branches)' --allow-tool 'github(list_code_scanning_alerts)' --allow-tool 'github(list_commits)' --allow-tool 'github(list_dependabot_alerts)' --allow-tool 'github(list_discussion_categories)' --allow-tool 'github(list_discussions)' --allow-tool 'github(list_issue_types)' --allow-tool 'github(list_issues)' --allow-tool 'github(list_label)' --allow-tool 'github(list_notifications)' --allow-tool 'github(list_pull_requests)' --allow-tool 'github(list_releases)' --allow-tool 'github(list_secret_scanning_alerts)' --allow-tool 'github(list_starred_repositories)' --allow-tool 'github(list_sub_issues)' --allow-tool 'github(list_tags)' --allow-tool 'github(list_workflow_jobs)' --allow-tool 'github(list_workflow_run_artifacts)' --allow-tool 'github(list_workflow_runs)' --allow-tool 'github(list_workflows)' --allow-tool 'github(pull_request_read)' --allow-tool 'github(search_code)' --allow-tool 'github(search_issues)' --allow-tool 'github(search_orgs)' --allow-tool 'github(search_pull_requests)' --allow-tool 'github(search_repositories)' --allow-tool 'github(search_users)' --allow-tool safe_outputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(make:*)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --prompt "$COPILOT_CLI_INSTRUCTION" 2>&1 | tee /tmp/gh-aw/agent-stdio.log
+          copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/.copilot/logs/ --allow-tool 'github(download_workflow_run_artifact)' --allow-tool 'github(get_code_scanning_alert)' --allow-tool 'github(get_commit)' --allow-tool 'github(get_dependabot_alert)' --allow-tool 'github(get_discussion)' --allow-tool 'github(get_discussion_comments)' --allow-tool 'github(get_file_contents)' --allow-tool 'github(get_issue)' --allow-tool 'github(get_issue_comments)' --allow-tool 'github(get_job_logs)' --allow-tool 'github(get_label)' --allow-tool 'github(get_latest_release)' --allow-tool 'github(get_me)' --allow-tool 'github(get_notification_details)' --allow-tool 'github(get_pull_request)' --allow-tool 'github(get_pull_request_comments)' --allow-tool 'github(get_pull_request_diff)' --allow-tool 'github(get_pull_request_files)' --allow-tool 'github(get_pull_request_review_comments)' --allow-tool 'github(get_pull_request_reviews)' --allow-tool 'github(get_pull_request_status)' --allow-tool 'github(get_release_by_tag)' --allow-tool 'github(get_secret_scanning_alert)' --allow-tool 'github(get_tag)' --allow-tool 'github(get_workflow_run)' --allow-tool 'github(get_workflow_run_logs)' --allow-tool 'github(get_workflow_run_usage)' --allow-tool 'github(list_branches)' --allow-tool 'github(list_code_scanning_alerts)' --allow-tool 'github(list_commits)' --allow-tool 'github(list_dependabot_alerts)' --allow-tool 'github(list_discussion_categories)' --allow-tool 'github(list_discussions)' --allow-tool 'github(list_issue_types)' --allow-tool 'github(list_issues)' --allow-tool 'github(list_label)' --allow-tool 'github(list_notifications)' --allow-tool 'github(list_pull_requests)' --allow-tool 'github(list_releases)' --allow-tool 'github(list_secret_scanning_alerts)' --allow-tool 'github(list_starred_repositories)' --allow-tool 'github(list_sub_issues)' --allow-tool 'github(list_tags)' --allow-tool 'github(list_workflow_jobs)' --allow-tool 'github(list_workflow_run_artifacts)' --allow-tool 'github(list_workflow_runs)' --allow-tool 'github(list_workflows)' --allow-tool 'github(pull_request_read)' --allow-tool 'github(search_code)' --allow-tool 'github(search_issues)' --allow-tool 'github(search_orgs)' --allow-tool 'github(search_pull_requests)' --allow-tool 'github(search_repositories)' --allow-tool 'github(search_users)' --allow-tool safe_outputs --allow-tool 'shell(cat)' --allow-tool 'shell(date)' --allow-tool 'shell(echo)' --allow-tool 'shell(git add:*)' --allow-tool 'shell(git branch:*)' --allow-tool 'shell(git checkout:*)' --allow-tool 'shell(git commit:*)' --allow-tool 'shell(git merge:*)' --allow-tool 'shell(git restore:*)' --allow-tool 'shell(git rm:*)' --allow-tool 'shell(git status)' --allow-tool 'shell(git switch:*)' --allow-tool 'shell(grep)' --allow-tool 'shell(head)' --allow-tool 'shell(ls)' --allow-tool 'shell(make:*)' --allow-tool 'shell(pwd)' --allow-tool 'shell(sort)' --allow-tool 'shell(tail)' --allow-tool 'shell(uniq)' --allow-tool 'shell(wc)' --allow-tool 'shell(yq)' --allow-tool write --allow-all-paths --prompt "$COPILOT_CLI_INSTRUCTION" 2>&1 | tee /tmp/gh-aw/agent-stdio.log
         env:
           COPILOT_AGENT_RUNNER_TYPE: STANDALONE
           GITHUB_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
@@ -4210,7 +4218,7 @@ jobs:
         env:
           WORKFLOW_NAME: "Tidy"
           WORKFLOW_DESCRIPTION: "No description provided"
-          WORKFLOW_MARKDOWN: "# Code Tidying Agent\n\nYou are a code maintenance agent responsible for keeping the codebase clean, formatted, and properly linted. Your task is to format, lint, fix issues, recompile workflows, run tests, and create or update a pull request if changes are needed.\n\n## Your Mission\n\nPerform the following steps in order:\n\n### 0. Check for Existing Tidy Pull Request\nBefore starting any work, check if there's already an open pull request for tidying:\n- Search for open pull requests that have BOTH:\n  - Title starting with \"[tidy]\" prefix\n  - The \"automation\" label attached\n- If an existing tidy PR meeting these criteria is found, note its branch name and number for reuse\n- Only PRs that match BOTH criteria should be considered for reuse\n\n### 1. Format Code\nRun `make fmt` to format all Go code according to the project standards.\n\n### 2. Lint Code  \nRun `make lint` to check for linting issues across the entire codebase (Go and JavaScript).\n\n### 3. Fix Linting Issues\nIf any linting issues are found, analyze and fix them:\n- Review the linting output carefully\n- Make the necessary code changes to address each issue\n- Focus on common issues like unused variables, imports, formatting problems\n- Be conservative - only fix clear, obvious issues\n\n### 4. Format and Lint Again\nAfter fixing issues:\n- Run `make fmt` again to ensure formatting is correct\n- Run `make lint` again to verify all issues are resolved\n\n### 5. Recompile Workflows\nRun `make recompile` to recompile all agentic workflow files and ensure they are up to date.\n\n### 6. Run Tests\nRun `make test` to ensure your changes don't break anything. If tests fail:\n- Analyze the test failures\n- Only fix test failures that are clearly related to your formatting/linting changes\n- Do not attempt to fix unrelated test failures\n\n### 7. Create or Update Pull Request\nIf any changes were made during the above steps:\n- **If an existing tidy PR was found in step 0**: Use the `push_to_pull_request_branch` tool to push changes to that existing PR branch\n- **If no existing tidy PR was found**: Use the `create_pull_request` tool to create a new pull request\n- Provide a clear title describing what was tidied (e.g., \"Fix linting issues and update formatting\")\n- In the PR description, summarize what changes were made and why\n- Include details about any specific issues that were fixed\n- If updating an existing PR, mention that this is an update with new tidy changes\n\n## Important Guidelines\n\n- **Reuse Existing PRs**: Always prefer updating an existing tidy PR over creating a new one\n- **Safety First**: Only make changes that are clearly needed for formatting, linting, or compilation\n- **Test Validation**: Always run tests after making changes  \n- **Minimal Changes**: Don't make unnecessary modifications to working code\n- **Clear Communication**: Explain what you changed and why in the pull request\n- **Skip if Clean**: If no changes are needed, simply report that everything is already tidy\n\n## Environment Setup\n\nThe repository has all necessary tools installed:\n- Go toolchain with gofmt, golangci-lint\n- Node.js with prettier for JavaScript formatting\n- All dependencies are already installed\n\nStart by checking for existing tidy pull requests, then proceed with the tidying process.\n"
+          WORKFLOW_MARKDOWN: "# Code Tidying Agent\n\nYou are a code maintenance agent responsible for keeping the codebase clean, formatted, and properly linted. Your task is to format, lint, fix issues, recompile workflows, run tests, and create or update a pull request if changes are needed.\n\n## Your Mission\n\nPerform the following steps in order:\n\n### 0. Check for Existing Tidy Pull Request\nBefore starting any work, check if there's already an open pull request for tidying:\n- Search for open pull requests that have BOTH:\n  - Title starting with \"[tidy]\" prefix\n  - The \"automation\" label attached\n- If an existing tidy PR meeting these criteria is found, note its branch name and number for reuse\n- Only PRs that match BOTH criteria should be considered for reuse\n\n### 1. Format Code\nRun `make fmt` to format all Go code according to the project standards.\n\n### 2. Lint Code  \nRun `make lint` to check for linting issues across the entire codebase (Go and JavaScript).\n\n### 3. Fix Linting Issues\nIf any linting issues are found, analyze and fix them:\n- Review the linting output carefully\n- Make the necessary code changes to address each issue\n- Focus on common issues like unused variables, imports, formatting problems\n- Be conservative - only fix clear, obvious issues\n\n### 4. Format and Lint Again\nAfter fixing issues:\n- Run `make fmt` again to ensure formatting is correct\n- Run `make lint` again to verify all issues are resolved\n\n### 5. Recompile Workflows\nRun `make recompile` to recompile all agentic workflow files and ensure they are up to date.\n\n### 6. Run Tests\nRun `make test` to ensure your changes don't break anything. If tests fail:\n- Analyze the test failures\n- Only fix test failures that are clearly related to your formatting/linting changes\n- Do not attempt to fix unrelated test failures\n\n### 7. Exclude Workflow Files\nBefore creating or updating a pull request, exclude any changes to files in `.github/workflows/`:\n- Run `git restore .github/workflows/` to discard any changes to workflow files\n- This ensures that only code changes (not workflow compilation artifacts) are included in the PR\n- The tidy workflow should focus on code quality, not workflow updates\n\n### 8. Create or Update Pull Request\nIf any changes were made during the above steps (after excluding workflow files):\n- **If an existing tidy PR was found in step 0**: Use the `push_to_pull_request_branch` tool to push changes to that existing PR branch\n- **If no existing tidy PR was found**: Use the `create_pull_request` tool to create a new pull request\n- Provide a clear title describing what was tidied (e.g., \"Fix linting issues and update formatting\")\n- In the PR description, summarize what changes were made and why\n- Include details about any specific issues that were fixed\n- If updating an existing PR, mention that this is an update with new tidy changes\n\n## Important Guidelines\n\n- **Exclude Workflow Files**: NEVER commit changes to files under `.github/workflows/` - always run `git restore .github/workflows/` before creating/updating PRs\n- **Reuse Existing PRs**: Always prefer updating an existing tidy PR over creating a new one\n- **Safety First**: Only make changes that are clearly needed for formatting, linting, or compilation\n- **Test Validation**: Always run tests after making changes  \n- **Minimal Changes**: Don't make unnecessary modifications to working code\n- **Clear Communication**: Explain what you changed and why in the pull request\n- **Skip if Clean**: If no changes are needed, simply report that everything is already tidy\n\n## Environment Setup\n\nThe repository has all necessary tools installed:\n- Go toolchain with gofmt, golangci-lint\n- Node.js with prettier for JavaScript formatting\n- All dependencies are already installed\n\nStart by checking for existing tidy pull requests, then proceed with the tidying process.\n"
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/tidy.md b/.github/workflows/tidy.md
index 4e807088457..3ab76d23168 100644
--- a/.github/workflows/tidy.md
+++ b/.github/workflows/tidy.md
@@ -30,7 +30,7 @@ tools:
   github:
     allowed: [list_pull_requests, pull_request_read]
   edit:
-  bash: ["make:*"]
+  bash: ["make:*", "git restore:*", "git status"]
 
 safe-outputs:
   create-pull-request:
@@ -99,8 +99,14 @@ Run `make test` to ensure your changes don't break anything. If tests fail:
 - Only fix test failures that are clearly related to your formatting/linting changes
 - Do not attempt to fix unrelated test failures
 
-### 7. Create or Update Pull Request
-If any changes were made during the above steps:
+### 7. Exclude Workflow Files
+Before creating or updating a pull request, exclude any changes to files in `.github/workflows/`:
+- Run `git restore .github/workflows/` to discard any changes to workflow files
+- This ensures that only code changes (not workflow compilation artifacts) are included in the PR
+- The tidy workflow should focus on code quality, not workflow updates
+
+### 8. Create or Update Pull Request
+If any changes were made during the above steps (after excluding workflow files):
 - **If an existing tidy PR was found in step 0**: Use the `push_to_pull_request_branch` tool to push changes to that existing PR branch
 - **If no existing tidy PR was found**: Use the `create_pull_request` tool to create a new pull request
 - Provide a clear title describing what was tidied (e.g., "Fix linting issues and update formatting")
@@ -110,6 +116,7 @@ If any changes were made during the above steps:
 
 ## Important Guidelines
 
+- **Exclude Workflow Files**: NEVER commit changes to files under `.github/workflows/` - always run `git restore .github/workflows/` before creating/updating PRs
 - **Reuse Existing PRs**: Always prefer updating an existing tidy PR over creating a new one
 - **Safety First**: Only make changes that are clearly needed for formatting, linting, or compilation
 - **Test Validation**: Always run tests after making changes